A data-theft and extortion group has been actively targeting banks, law firms, and other professional services in the United States from January to May 2026. According to Google’s Mandiant incident response team, this group employs a combination of social engineering techniques, including fake help desk calls, to gain access to corporate IT environments. When these online methods fail, the criminals have resorted to visiting victims’ physical offices, posing as IT technicians and attempting to steal sensitive data using USB drives.
Criminal Tactics and Targeting
The group, tracked by Google as UNC3753, has also been referred to as Luna Moth, Chatty Spider, and Silent Ransom Group. After emerging in 2022, the group initially relied on fake software renewal emails to lure victims; starting in March 2025, it shifted to impersonating IT help desk personnel.
In a recent blog post, Mandiant’s threat analysts noted that the group has been confirmed to physically enter law firms’ offices, claiming to be IT support staff. Once inside, they often use USB drives to extract sensitive files directly from victims’ computers. This tactic has been corroborated by a May alert from the FBI.
Rapid Operations and Data Exfiltration
The operations conducted by UNC3753 are notably swift. Mandiant has observed that the entire process, from initial contact to data theft, can occur within a single day. In some instances, data searches and theft have been initiated in under an hour.
The group typically begins its attacks with an invoice-themed email, which lacks malicious links or attachments but serves to establish credibility for subsequent phone calls. During these calls, they convince employees to join screen-sharing sessions via platforms like Zoom or Microsoft Teams, allowing the attackers to access corporate systems.
Methods of Data Theft
Once inside the corporate network, the intruders map local directories and target sensitive data, including tax documents and client agreements. They use methods chosen to exfiltrate this data without triggering security alerts, such as portable (no-install) builds of file-transfer tools like WinSCP or Rclone. They may also instruct victims to send files to an attacker-controlled email address.
Following the data theft, the group typically sends an extortion email within 30 minutes, demanding a response within three days to negotiate a financial settlement. The email threatens to publish stolen data and damage the victim’s reputation if their demands are not met.
Recommendations for Organizations
To mitigate the risk of falling victim to such attacks, organizations are advised to implement stringent visitor protocols, including verifying credentials and monitoring access. Additionally, companies should enforce remote access policies to restrict authentication to corporate-owned devices and block unauthorized remote support tools.
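The two defensive controls above, blocking unauthorized remote support tools and spotting the portable transfer utilities described under "Methods of Data Theft", can be expressed as a simple detection over endpoint process-creation telemetry. The script below is an added illustration, not code from the article, Mandiant, or the FBI alert. It assumes a key="value" process-creation log format, treats drive letters other than C: and common user-profile folders as user-writable locations where IT-installed software would not normally live, and uses a sample set of remote-support executable names and a sanctioned-tool allowlist that an organization would replace with its own; all log lines are constructed.

```python
"""Flag process-creation events matching the tradecraft described in the
article: portable Rclone/WinSCP launched from a user-writable path, a bulk
transfer command, or a remote-support tool the organization has not
sanctioned. Log format and all sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Transfer tools named in the article. Portable builds run from wherever they
# were dropped (Downloads, a USB drive) rather than Program Files.
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}

# Assumed sample set of remote-support / screen-sharing executables; extend to
# match your environment. Only names in SANCTIONED_REMOTE are allowed to run.
REMOTE_SUPPORT_TOOLS = {"zoom.exe", "teams.exe", "ms-teams.exe",
                        "anydesk.exe", "teamviewer.exe"}
SANCTIONED_REMOTE = {"teams.exe", "ms-teams.exe"}

# Assumption: anything outside C:\ (removable or mapped drives) and the listed
# profile/temp folders is user-writable, i.e. not deployed by IT.
USER_WRITABLE = re.compile(
    r"^(?:[d-z]:\\"
    r"|c:\\users\\[^\\]+\\(?:downloads|desktop|appdata|documents)\\"
    r"|c:\\windows\\temp\\|c:\\temp\\)",
    re.IGNORECASE,
)

# Sub-commands that move data out in bulk (rclone verbs; WinSCP scripting).
BULK_TRANSFER = re.compile(r"\b(copy|sync|move|put)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the executable
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one key="value" process-creation line (constructed format)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(fields["host"], fields["user"], fields["image"],
                     fields.get("cmdline", ""))


def classify(ev: ProcEvent) -> list:
    """Return the list of detection labels that apply to one event."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    findings = []
    if name in TRANSFER_TOOLS:
        if USER_WRITABLE.match(ev.image):
            findings.append("portable-transfer-tool")
        if BULK_TRANSFER.search(ev.cmdline):
            findings.append("bulk-transfer-cmd")
    if name in REMOTE_SUPPORT_TOOLS and name not in SANCTIONED_REMOTE:
        findings.append("unsanctioned-remote-support")
    return findings


def scan(lines):
    """Run classify over raw log lines; return (host, user, exe, findings)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        findings = classify(ev)
        if findings:
            alerts.append((ev.host, ev.user,
                           ev.image.rsplit("\\", 1)[-1], findings))
    return alerts


# Constructed sample telemetry: two suspicious transfer-tool launches, one
# unsanctioned remote-support tool, and two benign IT-installed programs.
SAMPLE_LOG = [
    r'host="WS-ACCT-07" user="jdoe" image="C:\Users\jdoe\Downloads\rclone-v1\rclone.exe" '
    r'cmdline="rclone.exe copy C:\Clients\Tax remote-store:drop --transfers 8"',
    r'host="WS-LEGAL-02" user="asmith" image="E:\tools\WinSCP.exe" cmdline="WinSCP.exe"',
    r'host="WS-LEGAL-02" user="asmith" image="C:\Users\asmith\AppData\Local\AnyDesk\AnyDesk.exe" '
    r'cmdline="AnyDesk.exe"',
    r'host="WS-HR-01" user="bwong" image="C:\Program Files\WinSCP\WinSCP.exe" cmdline="WinSCP.exe"',
    r'host="WS-HR-01" user="bwong" image="C:\Program Files\Microsoft\Teams\current\Teams.exe" '
    r'cmdline="Teams.exe"',
]

if __name__ == "__main__":
    for host, user, exe, findings in scan(SAMPLE_LOG):
        print(f"{host} {user} {exe}: {', '.join(findings)}")
```

The path heuristic deliberately does not flag WinSCP when it runs from Program Files, so a legitimately deployed copy used by IT stays quiet; a real deployment would pair this with the remote-access policy the article recommends, so that a screen-sharing session from a non-corporate device is blocked before any transfer tool can be dropped.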
While the exact number of targeted firms remains undisclosed, the tactics employed by UNC3753 highlight the evolving nature of cyber threats and the importance of robust security measures.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.