
UNC3753 Exploits Vishing and Physical Intrusions in U.S. Data Theft and Extortion Campaign


Cybersecurity researchers have recently unveiled alarming insights about a financially motivated data theft extortion campaign targeting multiple organizations in the professional, legal, and financial services sectors across the United States. This alarming trend, which unfolded between January and May 2026, has been attributed to a nefarious threat actor known as UNC3753, also referred to as Chatty Spider, Luna Moth, and the Silent Ransom Group (SRG).

The detailed investigation by Google’s cybersecurity teams, including Google Mandiant and the Google Threat Intelligence Group (GTIG), outlines the sophisticated methods employed by UNC3753. The group is leveraging advanced social engineering tactics, particularly voice phishing, or "vishing," to gain unauthorized access to corporate systems. Researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan have reported that the threat actors initiate contact with their victims by posing as IT support personnel. They often employ deceptive pretexts, such as claiming to assist with data migration or addressing invoice-related issues, thereby urging targeted individuals to engage in screen-sharing sessions and download remote monitoring and management (RMM) tools.

Once access is granted, UNC3753 swiftly conducts searches to identify valuable files to exfiltrate. This stolen data includes sensitive proprietary legal agreements, personally identifiable information (PII), and crucial financial records. In certain incidents, the attackers have escalated their efforts by physically infiltrating organizations. Echoing a recent advisory from the U.S. Federal Bureau of Investigation (FBI), it has been reported that the threat actors have impersonated IT technicians, allowing them to enter corporate offices and steal data using USB drives. The FBI highlighted the gravity of this escalation, stating that these physical incursions enable SRG actors to exfiltrate data directly to external drives connected to the victims’ computers.

Google has identified tactical similarities between UNC3753 and another threat cluster known as UNC2686, which has previously executed BazarCall-style campaigns targeting organizations in 2021. While the group has deployed LockBit Black ransomware in the past, recent activities reveal a shift towards extortion-only operations, wherein victims face pressure to pay ransoms or risk having their data published on an illicit site known as LEAKEDDATA.

Both UNC3753 and UNC2686 are believed to be offshoots of the now-dismantled Conti ransomware gang. Early iterations of their campaigns involved using subscription cancellation lures as part of callback phishing attacks aimed at installing remote access software onto victims’ machines. As of March 2025, the threat actors have adapted by masquerading as internal corporate IT help desk representatives, launching screen-sharing sessions on recognizable enterprise communication platforms like Zoom and Microsoft Teams to address fabricated security issues.

Furthermore, the attacks often commence with benign, invoice-themed emails sent from accounts controlled by the threat actors. These emails contain generic, innocuous content without active links or malicious attachments. Their primary function is to establish a context that raises the target’s internal security concerns, making them more susceptible to subsequent phone calls.

Once a screen-sharing session is established, attackers guide victims to install legitimate remote desktop software, such as AnyDesk or Zoho Assist. Instructions are often delivered via a legitimate service called "privnote.com," which allows for the safe sharing of ephemeral notes.

In deeper engagements, UNC3753 has been observed conducting Zoom sessions directly on targets’ personal laptops, allowing them to access corporate virtual desktop infrastructure (VDI). Their objective is to delve into corporate file systems, exploring local and cloud directories, and harvesting sensitive information from high-risk folders, including tax filings, corporate client agreements, and Social Security Numbers (SSNs).

The final stages of the operation see the exfiltration of captured data, which is sent to the threat actors through tools like WinSCP or Rclone. Victims typically receive an extortion email shortly after this incident, demanding a ransom within a three-day window. The message warns victims of potential direct contact with employees and clients to disclose the data breach if they fail to respond, alongside threats of publishing stolen data on the data leak site.

Numerous investigations by Google’s threat intelligence teams reveal that the entire operation—from initial contact to data extortion—can transpire within a single business day. The swift operational pace of these attackers is underscored by their ability to initiate data searches and theft in under an hour.
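The sequence described above (a legitimate RMM tool installed during a screen-sharing session, followed within hours by Rclone or WinSCP) is something a defender can correlate in endpoint telemetry. The following is an added detection example, not code from the report or from Google's tooling; it assumes a simplified, constructed process-creation log format and assumed executable names for the RMM tools, which should be tuned to the real image names seen in your environment.

```python
"""Correlate RMM-tool start followed by exfil-tool start on the same host/user.
Log format below is constructed for this example, not a real product's format."""
from datetime import datetime

# Tool names come from the report; the .exe image names are assumptions for
# illustration (AnyDesk, Zoho Assist, Rclone, WinSCP) and should be verified.
RMM_TOOLS = {"anydesk.exe", "zohoassist.exe"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Constructed sample events: timestamp | host | user | image name
SAMPLE_EVENTS = """\
2026-03-04T09:12:00|LAPTOP-17|jdoe|zoom.exe
2026-03-04T09:31:10|LAPTOP-17|jdoe|AnyDesk.exe
2026-03-04T10:05:44|LAPTOP-17|jdoe|rclone.exe
2026-03-04T11:00:00|WKS-02|asmith|anydesk.exe
2026-03-05T16:30:00|WKS-02|asmith|WinSCP.exe
2026-03-04T08:00:00|WKS-09|ops|winscp.exe
"""

def parse_events(text):
    """Parse lines into (timestamp, host, user, image) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, host, user, image = line.split("|")
        events.append((datetime.fromisoformat(ts), host, user, image.lower()))
    return sorted(events)

def find_rmm_then_exfil(events, window_hours=8):
    """Return (host, user, rmm_image, exfil_image, minutes_between) for every
    exfil-tool start that follows an RMM-tool start by the same host and user
    within window_hours. The report notes theft can begin in under an hour,
    so a same-business-day window is a reasonable default."""
    hits = []
    last_rmm = {}  # (host, user) -> (timestamp, image) of most recent RMM start
    for ts, host, user, image in events:
        key = (host, user)
        if image in RMM_TOOLS:
            last_rmm[key] = (ts, image)
        elif image in EXFIL_TOOLS and key in last_rmm:
            rmm_ts, rmm_image = last_rmm[key]
            gap_min = int((ts - rmm_ts).total_seconds() // 60)
            if gap_min <= window_hours * 60:
                hits.append((host, user, rmm_image, image, gap_min))
    return hits

if __name__ == "__main__":
    for hit in find_rmm_then_exfil(parse_events(SAMPLE_EVENTS)):
        print("ALERT rmm->exfil:", hit)
```

A standalone WinSCP start with no preceding RMM session (WKS-09) is deliberately not flagged; the signal here is the ordering, not either tool on its own.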

Legal services firms have emerged as particularly lucrative targets for these cybercriminals. These organizations typically house vast repositories of sensitive client-related documents, which can include transaction files, merger plans, trade secrets, and corporate regulatory reports. Threat actors are acutely aware that legal entities often prioritize protecting their reputations and regulatory standing, motivating them to resolve extortion cases discreetly.

Ongoing research into these threats aligns with reports from cybersecurity firm Resecurity, which highlights the use of a DNS Fast Flux network across various regions. This intricate infrastructure, utilized by UNC3753, enables the threat actor to obfuscate their domains, making them difficult to block. Two specific domains associated with this network have reportedly listed nearly 100 victim organizations as of June 2026.

In summary, the evolving tactics of UNC3753 reflect a pressing concern in cybersecurity circles. The combination of voice-guided social engineering and physical intrusions has exposed vulnerabilities that extend beyond technical security measures. As these threats continue to adapt, organizations must bolster their defenses to mitigate risks associated with data breaches and extortion campaigns.
