Ethical Hacking News
A new breed of cyber thieves has emerged, using social engineering tactics and physical intrusions to extort victims. Google's Mandiant incident response team has been tracking the group, known as UNC3753 or Chatty Spider, which has targeted dozens of banks and law firms in the US since January 2025.
Google’s Mandiant incident response team has been tracking a sophisticated cybercrime group known as UNC3753, also referred to as Luna Moth or Chatty Spider. This group has been evading detection and extorting victims for months, using a combination of social engineering tactics and physical intrusions. The threat actors have shown remarkable speed in executing their operations, with some attacks taking place within just one day.
The UNC3753 crew has targeted "dozens" of banks, law firms, and other professional services companies in the US between January and May, exploiting legitimate help desk calls to gain access to corporate IT environments. They would often follow up on these initial calls with voice-phishing sessions in which they convinced employees to join a screen-sharing session via Zoom, Microsoft Teams, or Quick Assist. This gave them remote access to the employee's computer and, from there, control over the victim's virtual desktop infrastructure (VDI).
The attackers also employed physical intrusions, posing as IT technicians and attempting to steal sensitive files using thumb drives. In some cases, they would visit the victims' physical offices, claiming to be there for a legitimate reason such as a software renewal or data migration project.
Mandiant’s threat analysts have been monitoring these attacks, noting that the attackers are very fast in executing their operations: data searches, staging, and theft have been observed starting in under an hour. The crew has also been known to use portable versions of free Windows file managers like WinSCP or Rclone to exfiltrate sensitive files from the corporate IT environment.
Once they had accessed the victim's computer, UNC3753 would send an extortion email within 30 minutes, threatening to publish the stolen data unless a financial solution was reached. The emails often contained specific details about the targeted organization, including tax logs, audit files, and Social Security numbers.
To avoid falling victim to these attacks, companies are advised to implement remote access conditional access policies, ensuring only corporate-owned devices can authenticate to any VDIs or VPNs. They should also block the installation and execution of unauthorized remote monitoring and support utilities.
In addition, requiring visitors to display official credentials and photo identification at the front desk, and mandating that pre-scheduled work orders be checked before granting access, can help prevent physical intrusions. The security team should also ensure that any visiting technical service workers are always accompanied by a corporate in-office supervisor.
Google has been tracking these attacks since January 2025, and has identified several phishing domains used by the attackers to look like legitimate help desk emails for the targeted organization. These domains include -itdesk[.]com, -it[.]com, and -helpdesk[.]com.
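The two mitigations above (blocking unsanctioned remote-support utilities and portable WinSCP/Rclone copies, and spotting help-desk lookalike sender domains of the form "-itdesk[.]com", "-it[.]com", "-helpdesk[.]com") can be turned into simple checks over process-creation events and mail headers. The script below is an added example and is not code from the article, Google, or Mandiant; the executable names, managed install paths, hostnames, user names, the organisation name "examplebank", and every log event and mail header in it are constructed assumptions.

```python
"""Defender-side checks added as an example for the mitigations above; this is not
code from the article, Google, or Mandiant.  All hosts, users, paths, the
organisation name and the log events below are constructed for illustration."""
import re
from dataclasses import dataclass

# Binaries for the screen-sharing / remote-support tools and the transfer tools the
# article names.  The executable names are assumptions; align them with your inventory.
REMOTE_SUPPORT_BINARIES = {"quickassist.exe", "zoom.exe", "teams.exe", "ms-teams.exe"}
TRANSFER_BINARIES = {"winscp.exe", "rclone.exe"}

# Where centrally managed software is expected to live (assumption for this example).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Lookalike help-desk domain suffixes from the article ("<org>-itdesk.com", ...).
HELPDESK_SUFFIXES = ("-itdesk", "-it", "-helpdesk")


@dataclass
class Finding:
    host: str
    user: str
    image: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_managed_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def flag_process_events(events, allowed_remote_support, removable_drives=frozenset()):
    """Return Findings for process-creation events that violate the two policies:
    only sanctioned remote-support tools may run, and WinSCP/Rclone may only run
    from managed install paths (never as portable copies or from removable media)."""
    findings = []
    for ev in events:
        image, name = ev["image"], _basename(ev["image"])
        if name in TRANSFER_BINARIES and not _is_managed_path(image):
            origin = "removable media" if image[:2].upper() in removable_drives else "an unmanaged path"
            findings.append(Finding(ev["host"], ev["user"], image, f"portable transfer tool run from {origin}"))
        elif name in REMOTE_SUPPORT_BINARIES and name not in allowed_remote_support:
            findings.append(Finding(ev["host"], ev["user"], image, "unsanctioned remote-support tool executed"))
        elif name in REMOTE_SUPPORT_BINARIES and not _is_managed_path(image):
            findings.append(Finding(ev["host"], ev["user"], image, "sanctioned remote-support tool run from an unmanaged path"))
    return findings


def flag_sender_domain(from_header, org_name, legitimate_domains):
    """Return a reason if the sender domain imitates org_name's help desk, else None.
    Defanged domains ("example[.]com", as written in the article) are accepted too."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header.replace("[.]", "."))
    if not m:
        return "no parseable sender domain"
    domain = m.group(1).lower().rstrip(".")
    if domain in legitimate_domains:
        return None
    label = domain.split(".", 1)[0]
    for suffix in HELPDESK_SUFFIXES:
        if label == org_name.lower() + suffix:
            return f"sender domain {domain} imitates the {org_name} help desk"
    return None


# Constructed sample data (not real hosts, users, or mail).
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "CORP\\j.doe", "image": "C:\\Program Files\\WinSCP\\WinSCP.exe"},
    {"host": "WS-014", "user": "CORP\\j.doe", "image": "C:\\Users\\j.doe\\Downloads\\rclone.exe"},
    {"host": "WS-022", "user": "CORP\\a.lee", "image": "E:\\tools\\WinSCP.exe"},
    {"host": "WS-022", "user": "CORP\\a.lee", "image": "C:\\Windows\\System32\\quickassist.exe"},
    {"host": "WS-031", "user": "CORP\\m.ng", "image": "C:\\Program Files\\Microsoft\\Teams\\ms-teams.exe"},
]
SAMPLE_HEADERS = [
    "IT Support <support@examplebank-itdesk[.]com>",
    "Help Desk <helpdesk@examplebank.com>",
    "IT <noreply@examplebank-it.com>",
    "Vendor <billing@other-helpdesk.com>",
]


def run_sample():
    """Run both checks over the constructed data and return (process_findings, mail_findings)."""
    process_findings = flag_process_events(
        SAMPLE_EVENTS,
        allowed_remote_support={"ms-teams.exe", "teams.exe", "zoom.exe"},
        removable_drives={"E:"},
    )
    mail_findings = [r for h in SAMPLE_HEADERS
                     if (r := flag_sender_domain(h, "examplebank", {"examplebank.com"}))]
    return process_findings, mail_findings


if __name__ == "__main__":
    process_findings, mail_findings = run_sample()
    for f in process_findings:
        print(f"{f.host} {f.user} {f.image}: {f.reason}")
    for r in mail_findings:
        print(r)
```

Against the constructed data the process check flags the portable rclone copy in a user profile, the WinSCP copy on the removable E: drive, and Quick Assist (present in a managed path but absent from the sanctioned list), while the managed WinSCP install and sanctioned Teams binary pass; the mail check flags the "-itdesk" and "-it" lookalikes of the organisation's domain and leaves the genuine help-desk address and an unrelated vendor alone. In production the same logic would read Sysmon or EDR process events and MTA logs instead of the inline lists.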
The use of such sophisticated tactics by UNC3753 highlights the evolving nature of cyber threats. As cybersecurity measures become more advanced, attackers are adapting to stay one step ahead. It is essential for companies to remain vigilant and implement robust security protocols to protect themselves against these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Breed-of-Cyber-Thieves-The-Silent-Ransom-Groups-Daring-Heists-ehn.shtml
https://www.theregister.com/cyber-crime/2026/06/05/if-you-dont-fall-for-these-extortionists-calls-theyll-show-up-with-usb-sticks/5251891
Published: Fri Jun 5 16:41:13 2026 by llama3.2 3B Q4_K_M