Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that has targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026.

The activity has been attributed by Google Mandiant and Google Threat Intelligence Group (GTIG) to a threat actor dubbed UNC3753, which is also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG).

“UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments,” researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan said.

“Using pretexts such as data migration or invoice-related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities.”

Upon gaining access, the threat actors have been found to either carry out direct searches to locate and exfiltrate files of interest or deceive the victim into carrying out the actions on their behalf. Stolen information includes proprietary legal agreements, personally identifiable information (PII), and financial records.

In some instances, the attackers have accessed victims’ systems in person, echoing an advisory issued by the U.S. Federal Bureau of Investigation (FBI) last month. These physical intrusions involve the threat actors posing as IT technicians to enter corporate offices and attempt to steal data using removable USB media.

“By sending someone in-person to the victim’s location to facilitate the intrusion, SRG actors exfiltrate data to an external hard drive or USB drive inserted by the threat actor into the victim’s computer,” the FBI said of the new escalation in UNC3753’s capabilities.

Google said UNC3753 shares tactical overlaps with UNC2686, a threat cluster previously known for carrying out BazarCall-style campaigns in 2021. Although the group has been observed deploying LockBit Black ransomware in the past, it has mainly focused on extortion-only operations since 2022, pressuring victims to pay up or risk getting their data published on the LEAKEDDATA data leak site.

Both UNC3753 and UNC2686 are assessed to be offshoots of the now-defunct Conti ransomware gang, with early iterations of the campaigns using subscription cancellation lures as part of callback phishing attacks that aim to install remote access software on victims’ machines.

Beginning around March 2025, the hacking crew has impersonated internal corporate IT help desk staff to trick victims into joining a screen-sharing session on enterprise communication platforms like Zoom, Microsoft Teams, or Quick Assist, effectively bypassing traditional security controls.

“The threat group frequently initializes campaigns using benign, invoice-themed email lures sent from actor-controlled consumer email accounts,” Google said. “These…



Last Update: June 8, 2026