HackMyIP
2026-06-08 The Hacker News

UNC3753 Hackers Combine Vishing and Physical Intrusions in U.S. Data Theft Spree

Tags: Phishing, APT, Data Breach

Google Mandiant and the Google Threat Intelligence Group (GTIG) have detailed a financially motivated data theft extortion campaign by threat actor UNC3753—also tracked as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG)—that has targeted dozens of professional, legal, and financial services firms across the U.S. between January and May 2026. The group, assessed to be an offshoot of the now-defunct Conti ransomware gang, blends voice phishing (vishing) with physical intrusions to bypass enterprise defenses and exfiltrate sensitive corporate data.

The attack chain begins with a phishing email disguised as a data migration notice or invoice, followed by a phone call from someone impersonating internal IT support. Victims are talked into joining a screen-sharing session over Zoom, Microsoft Teams, or Quick Assist and into downloading a remote monitoring and management (RMM) utility. Once inside, UNC3753 either searches the file system directly or walks the victim through the actions, stealing proprietary legal agreements, personally identifiable information (PII), and financial records. Since March 2025 the group has increasingly impersonated the target's own help desk; because the lure email carries no malicious link or attachment and the harmful step happens on the phone, traditional email security filters have little to catch. Note that the RMM tools abused here are installed by the victim and connect outbound to the vendor's relay servers, so a port scan of the perimeter for exposed remote-access services is worth running but will not reveal them; the controls that catch this stage are an allowlist of sanctioned remote-access tools, egress filtering of everything else, and alerting on RMM installers launched from a user's Downloads folder.

In a notable escalation, UNC3753 has conducted in-person intrusions at victim offices, posing as IT technicians to plug USB drives or external hard drives directly into corporate machines, a tactic the FBI warned about in a recent advisory. While the group previously deployed LockBit Black ransomware, it has operated extortion-only since 2022, threatening to publish stolen data on its LEAKEDDATA leak site. UNC3753 shares tactical overlap with UNC2686, a cluster tied to BazarCall-style callback phishing in 2021, reinforcing its lineage from the Conti ecosystem. Checking for exposed credentials with a breach checker and screening inbound connections for anonymizing proxies with a VPN/proxy detector are reasonable hygiene, but nothing in this reporting indicates stolen credentials play a role: initial access is a phone call or a visitor with a badge story. The controls that address this campaign directly are a callback-verification procedure for any help desk request to install software or share a screen, an allowlist of approved remote-access tools, a removable-media policy with alerting, and badge and escort requirements for anyone claiming to be a visiting technician.
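The two preceding paragraphs describe three observable stages: an RMM tool the user was talked into downloading, a sanctioned tool re-launched from a fresh download rather than the managed install, and removable storage attached during an in-person visit. The script below is an added example (not code from the article, Mandiant, or the FBI) that applies those three checks to normalised endpoint events. The RMM product names, the approved-tool list, the host names, and the sample events are all constructed assumptions for illustration; the article does not say which RMM products UNC3753 uses.

```python
"""Detection sketch for the help-desk vishing and physical-access chain above.
Added example; product names and sample telemetry are assumptions, not facts
from the article."""
import re
from dataclasses import dataclass

# ASSUMPTION: binaries of remote-access products that are commonly abused in
# vishing.  Tune this set to the products that actually exist in your estate.
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "quickassist.exe", "ateraagent.exe",
    "splashtop_streamer.exe", "zaservice.exe", "syncroservice.exe",
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
}
# ASSUMPTION: the single remote-access product this organisation has sanctioned.
APPROVED = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
# Paths a (vished) user can write to; a managed install lives under Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    reason: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: list[dict]) -> list[Finding]:
    """Apply the three checks to normalised events and return the findings.

    Process events: {"kind": "process", "host", "user", "image", "parent"}
    Device events:  {"kind": "usb", "host", "user", "device"}
    """
    findings: list[Finding] = []
    for ev in events:
        if ev["kind"] == "process":
            image, parent = _basename(ev["image"]), _basename(ev.get("parent", ""))
            if image not in RMM_BINARIES:
                continue
            if image not in APPROVED:
                # Any remote-access product outside the allowlist is a finding on its own.
                findings.append(Finding(ev["host"], ev["user"], "unapproved RMM binary", ev["image"]))
            elif parent in BROWSERS or USER_WRITABLE.search(ev["image"]):
                # An approved product started from a browser download or a user-writable
                # path is a fresh, attacker-supplied copy, not the managed deployment.
                findings.append(Finding(ev["host"], ev["user"],
                                        "approved RMM launched outside managed install", ev["image"]))
        elif ev["kind"] == "usb":
            # Removable storage arrival; correlate with badge/visitor logs when a
            # "technician" visit is suspected.
            findings.append(Finding(ev["host"], ev["user"], "removable storage attached", ev["device"]))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"kind": "process", "host": "LAW-WS-17", "user": "acme\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"},
    {"kind": "process", "host": "LAW-WS-17", "user": "acme\\jdoe",
     "image": r"C:\Windows\System32\quickassist.exe", "parent": r"C:\Windows\explorer.exe"},
    {"kind": "process", "host": "FIN-WS-03", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"kind": "process", "host": "FIN-WS-03", "user": "acme\\msmith",
     "image": r"C:\Users\msmith\AppData\Local\Temp\ScreenConnect.WindowsClient.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"kind": "usb", "host": "LAW-WS-22", "user": "acme\\reception",
     "device": "USB\\VID_0781&PID_5583 (removable disk)"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host:<10} {f.user:<22} {f.reason}: {f.detail}")
```

Of the five constructed events, four produce findings: the AnyDesk download and Quick Assist (not on the allowlist), the ScreenConnect client started from Temp by Chrome (approved product, wrong provenance), and the USB arrival. The managed ScreenConnect service started by services.exe is left alone, which is the point of allowlisting by product and provenance rather than by product alone.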

Source: The Hacker News →
