
UNC3753 (Luna Moth) Escalates Campaign Against US Law Firms: Vishing, RMM Tools, and Now Physical Intrusion

dark6 10 June 2026

A financially motivated threat group tracked as UNC3753 — also known as Luna Moth, Chatty Spider, and Silent Ransom Group — has been running a sustained, high-tempo extortion campaign against US law firms throughout early 2026. According to a report from Google Cloud’s Mandiant unit, the campaign ran from January through May 2026 and hit dozens of organizations across legal, professional, and financial services sectors, with attackers completing data theft in some cases within a single business day.

Why Law Firms Are the Target

Law firms hold a uniquely attractive combination of sensitive assets: merger and acquisition plans, client files, trade secrets, regulatory submissions, and attorney-client privileged communications. Attackers understand that firms facing reputational pressure — and the professional obligation of confidentiality — may opt to pay extortion demands quietly rather than risk public exposure or client notification obligations. That calculation drives UNC3753’s entire extortion model.

The Attack Methodology: Phone Call to Data Theft in Hours

UNC3753 does not rely on malware or on exploiting software vulnerabilities; every step abuses legitimate tooling and the victim's own authenticated session. The group targets employees directly through a multi-step social engineering sequence:

  • Stage 1 — Priming email: Attackers send invoice-themed emails from consumer email accounts to targeted employees. These messages contain no links or attachments; their only purpose is to plant concern — making the recipient more receptive to an urgent follow-up call.
  • Stage 2 — Vishing call: Attackers impersonate IT helpdesk staff, referencing the invoice email as a pretext to build credibility. The call directs victims into a screen-sharing session, ostensibly to address a “security issue” or assist with a “data migration.”
  • Stage 3 — RMM installation: Once screen sharing is active, the attacker guides the victim to download a remote access tool. UNC3753 has used AnyDesk, Bomgar (now BeyondTrust Remote Support), Zoho Assist, and a SuperOps RMM agent across different engagements. Installation links are delivered through Privnote, a self-destructing note service that deletes the note once it has been read, so the download URL cannot later be recovered from the service itself (browser history and proxy logs may still hold it).
  • Stage 4 — Data search and exfiltration: With full remote access, attackers search document management systems such as iManage for high-value files including tax records, Social Security numbers, and legal agreements. Files are staged in the victim's Downloads folder and then exfiltrated with a portable WinSCP or Rclone binary (run without installation, so no installer footprint is left) or by logging into cloud storage directly in the victim's browser.

In one documented incident, the group moved 1.7 GB to a Google Drive account before pivoting to a virtual desktop session and exfiltrating an additional 14.4 GB via WinSCP — all within hours of the initial phone call.
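The four stages above leave a recognisable sequence in ordinary endpoint telemetry: a lookup of the note service that carried the download link, an RMM binary starting from a user-writable path, a burst of file writes into Downloads, and then a file-transfer tool launched from that same folder. The Python below is an added example written for this article (not code from Mandiant, the FBI or any vendor) that correlates that sequence per host over constructed, pipe-delimited log lines. The process names, the six-hour window and the three-file staging threshold are assumptions to be replaced with what your own EDR actually reports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process image names are assumptions; replace with the names your EDR reports.
RMM_PROCESSES = {"anydesk.exe", "bomgar-scc.exe", "zohoassist.exe", "superopsagent.exe"}
EXFIL_PROCESSES = {"winscp.exe", "rclone.exe"}
LINK_DROP_DOMAINS = {"privnote.com"}
CHAIN_WINDOW = timedelta(hours=6)   # report: theft completed within a business day
STAGING_MIN_FILES = 3               # assumed threshold for a "burst" of writes to Downloads
STAGE_ORDER = ["link_drop", "rmm", "staging", "exfil_tool"]


def parse(line):
    """Constructed log format: ts|host|kind|key=value|key=value..."""
    ts, host, kind, *kvs = line.strip().split("|")
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}


def classify(ev):
    """Map one event to a stage of the chain, or None if it is not of interest."""
    if ev["kind"] == "dns" and ev.get("domain", "").lower() in LINK_DROP_DOMAINS:
        return "link_drop"
    if ev["kind"] == "process":
        image = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in RMM_PROCESSES:
            return "rmm"
        if image in EXFIL_PROCESSES:
            return "exfil_tool"
    if ev["kind"] == "file" and "\\downloads\\" in ev.get("path", "").lower():
        return "staging"
    return None


def detect(lines):
    """Return {host: [stages seen]} for hosts where an RMM start is accompanied,
    within CHAIN_WINDOW, by staging in Downloads or an exfiltration tool."""
    tagged = defaultdict(list)
    for line in lines:
        ev = parse(line)
        stage = classify(ev)
        if stage:
            tagged[ev["host"]].append((ev["ts"], stage))

    alerts = {}
    for host, events in tagged.items():
        for t_rmm, stage in events:
            if stage != "rmm":
                continue
            window = [s for t, s in events if abs(t - t_rmm) <= CHAIN_WINDOW]
            seen = {s for s in window if s != "staging"}
            if window.count("staging") >= STAGING_MIN_FILES:
                seen.add("staging")
            # A lone RMM start (e.g. IT's own AnyDesk service) does not alert on its own.
            if "exfil_tool" in seen or "staging" in seen:
                alerts[host] = [s for s in STAGE_ORDER if s in seen]
                break
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    r"2026-03-04T10:02:11|WS-LEGAL-07|dns|domain=privnote.com",
    r"2026-03-04T10:05:40|WS-LEGAL-07|process|image=C:\Users\jdoe\Downloads\AnyDesk.exe|parent=chrome.exe",
    r"2026-03-04T10:41:03|WS-LEGAL-07|file|path=C:\Users\jdoe\Downloads\MA_term_sheet.pdf|op=create",
    r"2026-03-04T10:41:09|WS-LEGAL-07|file|path=C:\Users\jdoe\Downloads\client_tax_2025.xlsx|op=create",
    r"2026-03-04T10:41:15|WS-LEGAL-07|file|path=C:\Users\jdoe\Downloads\settlement_agreement.docx|op=create",
    r"2026-03-04T11:12:50|WS-LEGAL-07|process|image=C:\Users\jdoe\Downloads\WinSCP.exe|parent=explorer.exe",
    # Legitimate, IT-managed AnyDesk service on another host: RMM stage only, no alert.
    r"2026-03-04T09:15:00|WS-FIN-02|process|image=C:\Program Files\AnyDesk\AnyDesk.exe|parent=services.exe",
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Requiring the RMM start to be corroborated by staging or a transfer tool is what keeps the firm's own remote-support product from paging the SOC every morning; if IT standardises on one RMM, drop its name from RMM_PROCESSES and let the allowlisting control handle the rest.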

Physical Intrusion: A Rare Escalation

In a striking evolution of tactics corroborated by an FBI Cyber FLASH Alert, individuals affiliated with UNC3753 have physically entered corporate offices posing as IT technicians. These operatives claim to image devices and copy data to USB drives before departing. This physical intrusion capability substantially expands the threat model for law firms beyond traditional cyber defenses.

Extortion and the LEAKEDDATA Site

The extortion phase begins within 30 minutes of the group exiting a victim’s environment. UNC3753 sends a threatening email demanding a response within three days. If ignored, the group threatens to contact employees, clients, and the media — and to publish stolen files on its data leak site, LEAKEDDATA. This rapid extortion tempo leaves organizations little time to assess, remediate, and respond before sensitive data is weaponized.

Defensive Recommendations

Organizations — particularly law firms and professional services firms — should take the following steps to defend against UNC3753:

  • Vishing awareness training: All staff who may receive IT helpdesk calls should be trained to independently verify caller identity through a known, internal callback number before following any instructions.
  • Restrict RMM tool installation: Prevent employees from running remote access tools (AnyDesk, Zoho Assist, Bomgar, SuperOps) without explicit IT authorization. AnyDesk and similar products ship portable builds that run without installation, so a proxy block on installer downloads is not sufficient on its own; enforce application allowlisting (for example AppLocker or WDAC on Windows) so that only the RMM product IT actually uses can execute, and block the other vendors' agent domains at the proxy.
  • MFA on document repositories: Enforce multi-factor authentication on iManage, SharePoint, and other document management systems, but recognise its limit here: the attacker operates inside the victim's already authenticated session over the RMM connection, so MFA does not stop this intrusion. The controls that bite against UNC3753 are alerts on bulk downloads and atypical search activity in the DMS.
  • Block phishing domains at DNS: UNC3753 uses patterns like organization-itdesk.com and organization-helpdesk.com. Deploy DNS filtering that blocks lookalike domains matching this pattern.
  • Disable USB storage: Enforce removable-storage restrictions on all managed endpoints, including any BYOD devices enrolled in management, to cut off the on-site USB copying described above.
  • Physical security controls: Implement strict visitor identification and mandatory escort policies for any individual claiming to be IT technicians. Log all physical access by external personnel.
  • Outbound transfer monitoring: Configure real-time alerts for bulk downloads in document platforms, and monitor egress for SFTP/SCP sessions (WinSCP), cloud-storage API traffic of the kind Rclone generates, and consumer cloud storage logins, alerting on unusual volume from a single workstation.
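A concrete form of the DNS-filtering recommendation, as an added example that is not taken from the source report: it normalises each queried name and flags registrable labels that consist of an organisation name joined to a helpdesk word in either order, which covers organization-itdesk.com and organization-helpdesk.com as well as obvious variants such as support-organization.com. The organisation names, allowlist and log lines are constructed; the second-level-label logic assumes single-label public suffixes such as .com and .net, so a real deployment should consult the Public Suffix List.

```python
from collections import defaultdict

# Role words from the reported pattern plus assumed near-variants.
HELPDESK_WORDS = ("itdesk", "helpdesk", "it-helpdesk", "servicedesk", "it-support", "support")


def registrable_label(domain):
    """Second-level label of a queried name. Assumes a one-label public suffix
    (.com, .net); use the Public Suffix List in production so that names under
    suffixes like .co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else ""


def is_helpdesk_lookalike(domain, org_names, allowlist):
    """True when the registrable label is <org><word> or <word><org> with hyphens
    ignored, and the name is not under one of the organisation's own domains."""
    d = domain.lower().rstrip(".")
    if d in allowlist or any(d.endswith("." + a) for a in allowlist):
        return False
    label = registrable_label(d).replace("-", "")
    orgs = {o.lower().replace("-", "") for o in org_names}
    words = {w.replace("-", "") for w in HELPDESK_WORDS}
    return any(label in (o + w, w + o) for o in orgs for w in words)


def scan_dns_log(lines, org_names, allowlist):
    """Constructed line format: ts|client_ip|qname. Returns {client_ip: [flagged qnames]}."""
    hits = defaultdict(set)
    for line in lines:
        _ts, client, qname = line.strip().split("|")
        if is_helpdesk_lookalike(qname, org_names, allowlist):
            hits[client].add(qname.lower())
    return {client: sorted(qnames) for client, qnames in hits.items()}


ORG_NAMES = ["acme", "acme-law"]                 # constructed firm names
ALLOWLIST = {"acme-law.com", "acmelaw.com"}      # constructed legitimate domains

SAMPLE_DNS_LOG = [  # constructed resolver log, not from the report
    "2026-04-02T14:03:22|10.20.4.57|acme-itdesk.com",
    "2026-04-02T14:03:23|10.20.4.57|www.acme-itdesk.com",
    "2026-04-02T14:10:01|10.20.4.57|helpdesk.acme-law.com",   # the firm's own helpdesk host
    "2026-04-02T14:12:45|10.20.7.12|acmelaw-helpdesk.net",
    "2026-04-02T14:13:02|10.20.7.12|support-acme.com",
    "2026-04-02T14:15:00|10.20.7.12|outlook.office.com",
]

if __name__ == "__main__":
    for client, qnames in scan_dns_log(SAMPLE_DNS_LOG, ORG_NAMES, ALLOWLIST).items():
        print(f"{client}: {', '.join(qnames)}")
```

The same predicate can feed a response-policy zone on the resolver so the names are sinkholed rather than merely logged; keep the allowlist current, because a firm that legitimately owns acme-helpdesk.com must add it there or the rule will block its own users.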

UNC3753 has been active since at least March 2022 and continues to evolve its tactics, adding physical intrusion and increasingly rapid extortion timelines. Law firms and professional services organizations should treat this group as a persistent, high-priority threat.

Source: Cyber Security News, June 8, 2026
