Ethical Hacking News
UNC3753, a sophisticated cybercrime operation, has been linked to dozens of organizations across various industries in the United States between January and May 2026. The group's tactics, which include voice phishing (vishing) and social engineering deception techniques, have allowed them to gain remote access into corporate environments and steal sensitive data. This article provides an in-depth look at the UNC3753 operation and its tactics, highlighting the importance of robust security measures and a sophisticated understanding of human psychology in preventing such attacks.
- The UNC3753 group, also known as Chatty Spider or Silent Ransom Group, has been linked to dozens of organizations across the US between January and May 2026.
- The group uses tactics like voice phishing, social engineering, and pretexting to gain remote access into corporate environments.
- They steal sensitive data, including proprietary agreements, PII, and financial records, and may even access systems in person.
- The group's tactics share similarities with the now-defunct Conti ransomware gang, but they have focused on extortion-only operations since 2022.
- The attackers impersonate IT help desk staff to trick victims into joining screen-sharing sessions or installing remote access software.
- The group uses subscription cancellation lures and benign email lures to initiate campaigns and establish a pretext for their actions.
- They attempt to establish a persistent foothold by guiding victims to install legitimate remote desktop software.
- The captured data is sent to the threat actors via WinSCP or Rclone, or to email addresses controlled by the actor from the target's mailbox.
- The attackers threaten to publish stolen information on a data leak site unless the victim pays an extortion demand within three days.
- The group operates with a fast-tempo model, initiating operations in under an hour and targeting high-value targets like legal services firms.
In recent months, a highly sophisticated cybercrime operation has come to light, attributed to a threat actor known as UNC3753. This group, also referred to as Chatty Spider, Luna Moth, or Silent Ransom Group (SRG), has been linked to dozens of organizations across various industries in the United States between January and May 2026. The group's tactics, which include voice phishing (vishing) and social engineering deception techniques, have allowed them to gain remote access into corporate environments, resulting in the theft of sensitive data.
The threat actors behind UNC3753 have been found to use pretexts such as data migration or invoice-related emails to initiate phone conversations with their targets. They pose as IT support and convince the victims to host screen-sharing sessions and download remote monitoring and management (RMM) utilities. Once inside, the attackers either carry out direct searches to locate and exfiltrate files of interest or deceive the victim into carrying out actions on their behalf.
The stolen information includes proprietary legal agreements, personally identifiable information (PII), and financial records. In some instances, the attackers have accessed victims' systems in person, posing as IT technicians to enter corporate offices and attempt to steal data using removable USB media. The FBI has issued an advisory warning of these physical intrusions, which involve the threat actors exfiltrating data to an external hard drive or USB drive inserted by the threat actor into the victim's computer.
The group's tactics share tactical overlaps with UNC2686, a threat cluster previously known for carrying out BazarCall-style campaigns in 2021. Although UNC3753 has mainly focused on extortion-only operations since 2022, it is believed to be an offshoot of the now-defunct Conti ransomware gang. The group's use of subscription cancellation lures as part of callback phishing attacks, which aim to install remote access software on victims' machines, is also consistent with early iterations of these campaigns.
The threat actors behind UNC3753 have been observed impersonating internal corporate IT help desk staff to trick victims into joining a screen-sharing session on enterprise communication platforms like Zoom, Microsoft Teams, or Quick Assist under the guise of addressing a security issue or helping with a corporate data migration project. They frequently initiate campaigns using benign, invoice-themed email lures sent from actor-controlled consumer email accounts. These messages contain no active links or malicious attachments but serve to establish a pretext, raising the target's internal security concerns and making them more susceptible to follow-up voice calls.
Once a session is established, the attackers attempt to establish a persistent foothold by guiding the victims to install legitimate remote desktop software like AnyDesk, Bomgar, SuperOps RMM, or Zoho Assist. Instructions to install these programs are shared via a legitimate service called privnote[.]com, which allows users to send notes that self-destruct after being read by the recipient.
The group has also been observed establishing Zoom sessions directly on targets' personal laptops to access corporate virtual desktop infrastructure (VDI) and burrow deeper into corporate file systems. Their goal is to enumerate local and cloud directories, crawl mapped network drives, and harvest data from highly sensitive folders, including those related to tax filings, audits, corporate client agreements, and Social Security numbers (SSNs).
In the final stage of their operation, the captured data is sent to the threat actors via WinSCP or Rclone, or to email addresses controlled by the threat actor from the target's mailbox. This is followed by the attackers sending an extortion demand in the form of an email message, typically within 30 minutes of exiting the target environment. The email messages give victims a three-day deadline to initiate ransom negotiations and threaten to call and email target employees and external clients directly to notify them of the data breach should they remain unresponsive. The attackers also warn that they will publish all of the stolen information on the LEAKEDDATA data leak site.
The end-to-end operation from initial contact to data extortion has been found to occur within a single business day in many incidents investigated by Google's threat intelligence and incident response teams. This fast-tempo operational model is exemplified by the fact that the attackers initiate data searches, staging, and theft in under an hour.
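The sequence the article describes (a legitimate remote-access tool is installed, then WinSCP or Rclone appears on the same host well within an hour) is something a detection engineer can correlate directly. The following is an added example, not code from the article or from Google's teams: it scans time-ordered process-creation records and flags any host where one of the named remote-access tools is followed by an exfiltration tool inside a configurable window. The log format, the host and user names, and the process image names are all constructed assumptions; real binary names vary by vendor and version.

```python
"""Added example: correlate RMM-tool launch followed by WinSCP/Rclone on one host.
Log lines are constructed and assumed to be in chronological order; the
'<ISO timestamp> <host> <user> <process image path>' layout is an assumption."""
from datetime import datetime

# Assumed binary names for the tools named in the article (not vendor-verified).
RMM_TOOLS = {"anydesk.exe", "bomgar-scc.exe", "superops.exe", "zohoassist.exe", "quickassist.exe"}
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}

# Constructed sample records: one clear match, one exfil tool with no prior RMM,
# and one RMM-then-exfil pair that falls outside the default 60-minute window.
SAMPLE_LOG = """\
2026-03-04T09:02:11 WS-LEGAL-07 jdoe C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2026-03-04T09:05:40 WS-LEGAL-07 jdoe C:\\Windows\\System32\\notepad.exe
2026-03-04T09:41:03 WS-LEGAL-07 jdoe C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe
2026-03-04T10:15:00 WS-FIN-02 asmith C:\\Program Files\\WinSCP\\WinSCP.exe
2026-03-04T13:00:00 WS-HR-01 bjones C:\\Program Files\\Zoho\\ZohoAssist.exe
2026-03-04T15:30:00 WS-HR-01 bjones C:\\Program Files\\WinSCP\\WinSCP.exe
"""

def parse(line):
    """Split one record; the image path may contain spaces, so it is the remainder."""
    ts, host, user, image = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower()

def find_rmm_then_exfil(log_text, window_minutes=60):
    """Return (host, user, rmm_tool, exfil_tool, minutes_between) for each match."""
    last_rmm = {}  # host -> (timestamp, user, tool) of the most recent RMM launch
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, proc = parse(line)
        if proc in RMM_TOOLS:
            last_rmm[host] = (ts, user, proc)
        elif proc in EXFIL_TOOLS and host in last_rmm:
            rmm_ts, _, rmm_proc = last_rmm[host]
            gap_min = int((ts - rmm_ts).total_seconds() // 60)
            if gap_min <= window_minutes:
                hits.append((host, user, rmm_proc, proc, gap_min))
    return hits

if __name__ == "__main__":
    for hit in find_rmm_then_exfil(SAMPLE_LOG):
        print("ALERT rmm-then-exfil:", hit)
```

An allowlist of hosts and users that legitimately run these tools (the IT help desk itself) is the obvious next step; without it the rule will fire on genuine support sessions.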
Threat groups recognize that legal entities are subject to heavy reputational and regulatory exposure and may be highly motivated to resolve extortion situations quietly to protect their professional standing. The group behind UNC3753 has targeted high-value targets such as legal services firms, which maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports.
The group's use of social engineering deception techniques allows them to easily bypass robust technical perimeters, web security gateways, and MFA configurations. Their tactics also demonstrate a sophisticated understanding of human psychology and the ability to manipulate individuals into taking actions that compromise their organization's security.
The findings of Google Mandiant and Google Threat Intelligence Group (GTIG) have highlighted the growing threat of financially motivated data theft extortion campaigns. These operations often target organizations with sensitive information and are designed to exploit vulnerabilities in both technical and human systems.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Sophisticated-Cybercrime-Operation-Utilizing-Vishing-and-Physical-Intrusions-to-Steal-Sensitive-Data-The-Case-of-UNC3753-ehn.shtml
https://thehackernews.com/2026/06/unc3753-used-vishing-and-physical.html
Published: Wed Jun 10 16:39:42 2026 by llama3.2 3B Q4_K_M