VYPR
Research · Published Jun 5, 2026 · 1 source

UNC3753 Campaign Leverages Vishing and Social Engineering to Target US Law Firms

Mandiant reports on UNC3753, a threat actor using voice phishing and social engineering to steal sensitive data from US law firms, often completing intrusions within a single business day.

Mandiant has identified a financially motivated data theft and extortion campaign, attributed to the threat cluster UNC3753 (also known as Luna Moth, Chatty Spider, and Silent Ransom Group), which has targeted dozens of organizations across the professional, legal, and financial services sectors in the United States between January and May 2026. The campaign's primary modus operandi involves leveraging voice phishing (vishing) and sophisticated social engineering tactics to gain initial remote access into victim networks. Threat actors pose as IT support personnel, using pretexts such as data migration or invoice-related emails to convince targets to initiate screen-sharing sessions and download remote monitoring and management (RMM) utilities.

Once inside a compromised environment, UNC3753 actors focus on locating and exfiltrating highly sensitive data, including proprietary legal agreements, personally identifiable information (PII), and financial records, which are then used for subsequent extortion demands. In some instances, threat actors have also gained physical access to victim systems by posing as IT technicians and attempting direct data exfiltration using USB storage media. This dual approach, combining remote social engineering with potential physical infiltration, underscores the multifaceted nature of the threat.

The UNC3753 campaign demonstrates an optimized, fast-tempo operational model, with Mandiant observing entire attack sequences—from initial contact to data theft and extortion—occurring within a single business day. In recent cases, data searches, staging, and theft were initiated in under an hour. The campaign often begins with benign, invoice-themed email lures sent from actor-controlled consumer email accounts. These emails lack malicious links or attachments, serving primarily as a pretext to raise internal security concerns among targets, making them more susceptible to follow-up phone calls.

The core of UNC3753's initial access strategy relies heavily on targeted vishing. Threat actors harvest phone numbers and email addresses from publicly available sources, such as organization websites, and then impersonate internal IT helpdesk or security team members. They call employees directly and talk them through each step over the phone. Under the guise of addressing a security issue or assisting with a corporate data migration, they build trust and direct the target to join a screen-sharing session, effectively bypassing conventional automated security controls.

During screen-sharing sessions, UNC3753 instructs targets to download and execute legitimate screen-sharing applications like Zoom, Microsoft Teams, and Quick Assist, or commercial RMM agents such as AnyDesk, Bomgar, or Zoho Assist. In one observed instance, a threat actor attempted to install a "SuperOps RMM agent" by convincing the target to download and execute a payload via a cURL command. The threat actors consistently utilize Privnote, a web-based, self-destructing text utility, to transmit installation links and commands, ensuring that these vectors leave no permanent footprint on endpoint browsers or chat logs.

Intrusions have also leveraged Bring Your Own Device (BYOD) remote environments to access internal enterprise assets. UNC3753 has established Zoom sessions directly on targets' personal BYOD endpoints, using these compromised devices to access corporate virtual desktop infrastructure (VDI) through platforms like Windows 365 or Citrix clients. Once VDI access is secured, the threat actors pivot to corporate file systems, enumerating directories, targeting specific legal and document storage repositories, and using keyword searches within systems like iManage to locate and stage sensitive files, including tax logs, audit files, and client agreements.

The exfiltration process involves compiling and sorting staged results within user-accessible subdirectories, primarily in the Downloads folder or native Roaming profile path. This detailed understanding of UNC3753's technical lifecycle, including their innovative use of social engineering and legitimate tools, highlights the persistent threat to organizations relying on human-centric processes for security and operations. Mandiant provides actionable recommendations to safeguard endpoints and infrastructure against such sophisticated attacks.
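As an added, constructed example (not code from the Mandiant report or from this summary), the following Python sketch shows how a defender might flag the process-level traces of the tradecraft described in the two preceding passages in endpoint telemetry: an RMM agent outside the organization's approved set, curl writing an executable to disk, a binary launched from the Downloads or Roaming profile paths named as staging areas, and a Privnote reference in a command line. The `user|parent|cmdline` log format, the sample events, the product keyword list and the sanctioned-RMM allowlist are all assumptions.

```python
import re
import shlex

# Product names taken from the report, matched case-insensitively against the
# command line. Which RMM products an organization has sanctioned is an
# assumption; here only Bomgar is treated as approved.
RMM_KEYWORDS = ("anydesk", "bomgar", "zoho", "za_connect", "superops", "quickassist")
SANCTIONED_RMM = {"bomgar"}  # hypothetical allowlist
DOWNLOADER = re.compile(r"^(curl|curl\.exe|wget|wget\.exe)$", re.I)
STAGING_DIRS = ("\\downloads\\", "\\appdata\\roaming\\")
EXEC_EXT = (".exe", ".msi", ".ps1", ".bat")

# Constructed process-creation events in a simplified "user|parent|cmdline" form.
SAMPLE_EVENTS = [
    "jdoe|explorer.exe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "jdoe|cmd.exe|curl.exe -o C:\\Users\\jdoe\\AppData\\Roaming\\agent.exe https://example.invalid/agent",
    'it-admin|services.exe|"C:\\Program Files\\Bomgar\\client.exe"',
    'jdoe|explorer.exe|"C:\\Program Files\\Browser\\browser.exe" https://privnote.com/CONSTRUCTED-NOTE',
]

def classify(event: str) -> list[str]:
    """Return the findings for one event; an empty list means nothing matched."""
    _user, _parent, cmdline = event.split("|", 2)
    low = cmdline.lower()
    argv = shlex.split(cmdline, posix=False)  # non-POSIX keeps Windows backslashes intact
    image = argv[0].strip('"').lower() if argv else ""
    findings = []
    # 1. An RMM product that is not on the sanctioned list.
    for kw in RMM_KEYWORDS:
        if kw in low and kw not in SANCTIONED_RMM:
            findings.append(f"unsanctioned_rmm:{kw}")
    # 2. curl/wget writing an executable to disk (the "download via cURL" step).
    if DOWNLOADER.match(image.rsplit("\\", 1)[-1]):
        for i, tok in enumerate(argv):
            if tok.lower() in ("-o", "--output") and i + 1 < len(argv):
                if argv[i + 1].lower().endswith(EXEC_EXT):
                    findings.append("downloader_wrote_executable")
    # 3. An executable launched from a user-writable staging directory.
    if image.endswith(EXEC_EXT) and any(d in image for d in STAGING_DIRS):
        findings.append("exec_from_user_staging_dir")
    # 4. A Privnote link passed on the command line.
    if "privnote.com" in low:
        findings.append("privnote_reference")
    return findings

def triage(events):
    """Map each event that produced findings to its list of findings."""
    return {e: f for e in events if (f := classify(e))}
```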

Synthesized by Vypr AI