Silent Ransom Group Escalates Data Theft Campaign Against US Law Firms — Combining Vishing, IT Impersonation, and Physical Office Intrusions to Exfiltrate and Extort Within 30 Minutes

Google Mandiant attributes a sustained data theft and extortion campaign to UNC3753, combining voice phishing, IT impersonation, and in-person office break-ins to compromise US law and financial firms — progressing from initial contact to ransom demand in under an hour.

Google's Mandiant division has attributed a sustained data theft and extortion campaign targeting US legal, professional, and financial services firms to UNC3753, a financially motivated threat cluster associated with the Silent Ransom group, also tracked as Luna Moth and Chatty Spider. Between January and May 2026, the group targeted dozens of organizations using a combination of voice phishing, social engineering, and legitimate remote access tools — with some intrusions progressing from initial contact to data exfiltration and ransom demands in under an hour.

The attack chain begins with a benign invoice-themed email sent to the target. The email contains no malicious attachments or links — it exists solely as a pretext for a follow-up voice call. The attacker then contacts the recipient by phone, posing as a member of the victim organization's internal IT help desk or security support team. Under the guise of addressing a security issue or assisting with a corporate data migration project, the caller builds trust and directs the target to join a screen-sharing session via Zoom, Microsoft Teams, or similar platforms.

Once in the session, UNC3753 actors attempt to establish persistent access by convincing the victim to download remote monitoring and management tools such as AnyDesk or Zoho Assist. Mandiant also observed the group abusing bring-your-own-device remote work setups, initiating Zoom sessions on targets' personal devices and then pivoting through those endpoints to access enterprise virtual desktop infrastructure via Windows 365 and Citrix clients.

What distinguishes this campaign is the physical component. In some incidents, UNC3753 operatives posed as IT staff and gained physical access to corporate offices to attempt direct data theft from endpoint devices. The FBI issued a warning last month about members of the group personally arriving at victim office locations, claiming they needed to reimage a system, and inserting USB devices to exfiltrate data directly.

Once on a system, the attackers work rapidly. They enumerate infected devices, map local and network drives, and identify sensitive document repositories. The group leverages built-in search capabilities in enterprise platforms such as iManage to locate and stage high-value files including tax records, client agreements, and personally identifiable information. Exfiltration occurs through multiple channels — portable file transfer tools like WinSCP and Rclone, direct uploads to attacker-controlled cloud storage through the victim's browser, and in some cases, manipulating victims into dragging and dropping staged files into cloud folders during active screen-sharing sessions.

Often within 30 minutes of successful exfiltration, UNC3753 contacts the victim with an aggressive extortion demand and a three-day deadline. The threat includes notification of employees, partners, and customers about the data theft, followed by public disclosure. The extortion messaging is designed to maximize pressure on legal and financial firms where reputational damage carries existential consequences.

Mandiant observed the group compressing its operational timeline significantly over the course of the campaign. Early intrusions moved from initial contact to data theft and extortion within a day. More recent incidents completed the entire cycle — compromise, exfiltration, and ransom demand — in under an hour.

The Bigger Picture

UNC3753 represents a shift in extortion operations away from ransomware deployment toward pure data theft and social engineering. There is no encryption, no malware payload, and no technical exploit in the initial access chain — just a phone call and a convincing voice. Law firms and financial services organizations should brief staff on vishing threats tied to UNC3753's specific tactics, enforce conditional access policies for remote access, restrict the use of unauthorized RMM tools and screen-sharing applications, and treat any unsolicited IT support contact — whether by phone or in person — as a potential social engineering attempt.
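As an added example, not part of Mandiant's reporting or this article, the following Python runs the tool chain described above (a screen-sharing session, then an RMM agent such as AnyDesk or Zoho Assist, then a transfer tool such as WinSCP or Rclone on the same host) over constructed process-creation log lines, which is one concrete way to enforce the "restrict unauthorized RMM tools" advice. The log format, the image names, the 60-minute window and the sample lines are all assumptions.

```python
# Added example: flag the UNC3753-style tool chain in process-creation logs.
# A screen-share client followed within one window by an RMM agent and then a
# transfer tool is "high"; any RMM or transfer launch alone is "medium".
from collections import defaultdict
from datetime import datetime, timedelta

# Tool families named in the reporting; "zohoassist" is an assumed image name.
TOOL_KINDS = {
    "screen_share": ("zoom", "teams"),
    "rmm": ("anydesk", "zohoassist"),
    "transfer": ("winscp", "rclone"),
}
CHAIN_WINDOW = timedelta(minutes=60)  # assumed; matches the sub-hour cycle

def classify(image):
    # Return the tool family of an image path, or None if not of interest.
    name = image.rsplit("\\", 1)[-1].lower()
    for kind, needles in TOOL_KINDS.items():
        if any(n in name for n in needles):
            return kind
    return None

def detect(lines):
    """Lines use a constructed format: '<ISO time>,<host>,<user>,<image>'."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, user, image = line.strip().split(",", 3)
        kind = classify(image)
        if kind:
            by_host[host].append((datetime.fromisoformat(ts), user, kind, image))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()  # chronological per host
        for i, (t0, user, kind, _) in enumerate(evs):
            if kind != "screen_share":
                continue
            rmm_seen = False  # require RMM before transfer inside the window
            for t, _, k, _ in evs[i + 1:]:
                if t - t0 > CHAIN_WINDOW:
                    break
                rmm_seen |= k == "rmm"
                if k == "transfer" and rmm_seen:
                    alerts.append(("high", host, user, t0.isoformat()))
                    break
        alerts += [("medium", host, u, img) for _, u, k, img in evs if k != "screen_share"]
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not from any real incident
    "2026-03-04T09:58:00,WS-LAW-17,jdoe,C:\\Users\\jdoe\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
    "2026-03-04T10:06:00,WS-LAW-17,jdoe,C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2026-03-04T10:21:00,WS-LAW-17,jdoe,C:\\Users\\jdoe\\Downloads\\rclone.exe",
    "2026-03-04T13:00:00,WS-FIN-02,asmith,C:\\Program Files\\WindowsApps\\Teams.exe",
]
```

Real deployments should key on code-signing identity and hashes rather than image-name substrings, and allow-list the RMM products the organization actually sanctions.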