CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 08, 2026

UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data

Cybersecurity News Archived Jun 08, 2026 ✓ Full text saved

A sophisticated cybercriminal group known as UNC3753 has been running an aggressive campaign against US law firms since early 2026, using phone calls, screen-sharing tricks, and remote monitoring software to break into corporate systems and steal sensitive files. The group is also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group, and has been […] The post UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data By Tushar Subhra Dutta June 8, 2026 A sophisticated cybercriminal group known as UNC3753 has been running an aggressive campaign against US law firms since early 2026, using phone calls, screen-sharing tricks, and remote monitoring software to break into corporate systems and steal sensitive files. The group is also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group, and has been active since at least March 2022. Their latest wave ran from January through May 2026 and hit dozens of organizations across legal, professional, and financial services sectors. What makes this campaign alarming is how fast it moves. In many cases, attackers went from the first phone call to actual data theft within a single business day. In some incidents, searching, staging, and exfiltrating files was completed in under an hour. The group does not rely on traditional malware but targets people directly through convincing voice calls. Analysts at Google Cloud said in a report shared with Cyber Security News (CSN) that UNC3753 starts attacks with simple, invoice-themed emails sent from consumer accounts. These messages carry no links or attachments. Their only purpose is to plant concern in the recipient’s mind, making them more likely to answer a follow-up call from someone posing as IT helpdesk staff. Law firms hold highly sensitive information including merger plans, client files, trade secrets, and regulatory reports. Attackers know that firms facing reputational pressure may choose to pay quietly rather than risk public exposure. That calculation drives the entire extortion model. The extortion phase begins almost immediately after theft. Within 30 minutes of exiting a victim’s environment, the group sends a threatening email demanding a response within three days. If ignored, they threaten to contact employees, clients, and the media, and publish stolen files on a data leak site called LEAKEDDATA. UNC3753 Attacking US Law Firms The group’s entry method relies on impersonating corporate IT support staff. Attackers look up publicly listed employee details on company websites, then call those individuals directly. During the call, they claim to address a security issue or assist with a data migration project, building trust before directing the victim into a screen-sharing session. Once screen sharing is active, the attacker guides the victim into downloading remote access tools. UNC3753 has used AnyDesk, Bomgar, Zoho Assist, and a SuperOps RMM agent in separate engagements. To avoid leaving traces, they deliver installation links through Privnote, a self-destructing text tool that erases messages once read. In several cases, attackers accessed corporate virtual desktop environments through BYOD laptops using Windows 365 or Citrix clients. UNC3753 attack lifecycle (Source – Google Cloud) From there, they searched systems like iManage for tax records, Social Security numbers, and legal agreements, then staged files in the Downloads folder before exfiltrating. Organizations should train staff to verify IT calls independently, restrict remote access tool installation, and enforce MFA on document repositories. Data Exfiltration and Physical Intrusion Once files are staged, UNC3753 moves them through several methods. They have used portable WinSCP and Rclone for bulk transfers, or logged directly into cloud storage within the victim’s browser. In one incident, the group moved 1.7 gigabytes to a Google Drive account before pivoting to a VDI session and exfiltrating an additional 14.4 gigabytes using WinSCP. Beyond digital attacks, individuals tied to UNC3753 have physically entered corporate offices posing as IT technicians, a tactic corroborated by an FBI Cyber FLASH Alert. LEAKEDDATA DLS (Source – Google Cloud) These actors claim to image devices and copy data to USB drives before leaving. Disabling USB storage across all endpoints and BYOD systems is a critical control to block this physical threat. Organizations should monitor SSH traffic and outbound transfers for unusual spikes, and configure real-time alerts in document platforms for mass downloads. Phishing domains used by this group follow patterns like organization-itdesk.com and organization-helpdesk.com, which can be blocked at the DNS level. Physical visitor verification, including ID logging and mandatory escort of technical personnel, must be enforced without exception. Indicators of Compromise (IoCs):- Type Indicator Description IPv4 Address 192.236.147.131 UNC3753 actor-controlled IP  IPv4 Address 192.236.147.138 UNC3753 actor-controlled IP  IPv4 Address 193.141.60.212 UNC3753 actor-controlled IP  IPv4 Address 192.236.154.158 UNC3753 actor-controlled IP  IPv4 Address 192.236.146.173 UNC3753 actor-controlled IP  IPv4 Address 174.169.162.62 UNC3753 actor-controlled IP  IPv4 Address 64.94.84.97 UNC3753 actor-controlled IP  Domain Pattern <organization>-itdesk[.]com Vishing/phishing infrastructure domain pattern  Domain Pattern <organization>-it[.]com Vishing/phishing infrastructure domain pattern  Domain Pattern <organization>-helpdesk[.]com Vishing/phishing infrastructure domain pattern  Data Leak Site hxxps[:]//business-data-leaks[.]com UNC3753 victim disclosure platform Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Critical MCP Toolbox Vulnerability Impacts Enterprise Database onnectors TP-Link Router Vulnerability Allows Attackers to Execute Arbitrary System Commands Bots Surpass Humans in Global Web Traffic for the First Time in Internet History Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access Microsoft MSRC Allegedly Dismissed Dependency Confusion Vulnerability, Claims Researcher Latest News Cyber Security WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware Chrome Chrome Patches 429 Vulnerabilities Including 22 Critical Ones – Update Now! Cyber Security OWASP Releases AI Security Report to Empower Security Professionals with New Tools Cyber Security News Internet Explorer WebBrowser Control Attack Chain Turns Clicks Into RCE Cyber Security News Multiple VMware Stored XSS Vulnerabilities Allow Attackers to Inject Malicious Scripts
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 08, 2026
    Archived
    Jun 08, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗