UNC3753 Attacks US Law Firms via V Attacking Using


Sarah simpson
June 8, 2026 4 Min Read

A sophisticated cybercriminal group, known as UNC3753, has been actively targeting US law firms since early 2026. The campaign, detailed in a Google Cloud report, is attributed to a group also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group, which has been active since at least March 2022. Its latest wave ran from January through May 2026 and hit dozens of organizations across the legal, professional, and financial services sectors.

What makes this campaign alarming is how fast it moves. In many cases, attackers went from the first phone call to actual data theft within a single business day. In some incidents, searching, staging, and exfiltrating files was completed in under an hour.

The group does not rely on traditional malware but targets people directly through convincing voice calls.

Analysts at Google Cloud said in a report shared with Cyber Security News (CSN) that UNC3753 starts attacks with simple, invoice-themed emails sent from consumer accounts.

These messages carry no links or attachments. Their only purpose is to plant concern in the recipient’s mind, making them more likely to answer a follow-up call from someone posing as IT helpdesk staff.

Law firms hold highly sensitive information including merger plans, client files, trade secrets, and regulatory reports. Attackers know that firms facing reputational pressure may choose to pay quietly rather than risk public exposure. That calculation drives the entire extortion model.

The extortion phase begins almost immediately after theft. Within 30 minutes of exiting a victim’s environment, the group sends a threatening email demanding a response within three days.

If ignored, they threaten to contact employees, clients, and the media, and publish stolen files on a data leak site called LEAKEDDATA.

UNC3753 Attacking US Law Firms

The group’s entry method relies on impersonating corporate IT support staff. Attackers look up publicly listed employee details on company websites, then call those individuals directly.

During the call, they claim to address a security issue or assist with a data migration project, building trust before directing the victim into a screen-sharing session.

Once screen sharing is active, the attacker guides the victim into downloading remote access tools. UNC3753 has used AnyDesk, Bomgar, Zoho Assist, and a SuperOps RMM agent in separate engagements.

To avoid leaving traces, they deliver installation links through Privnote, a self-destructing text tool that erases messages once read.

In several cases, attackers accessed corporate virtual desktop environments through BYOD laptops using Windows 365 or Citrix clients.

UNC3753 attack lifecycle (Source - Google Cloud)

From there, they searched systems like iManage for tax records, Social Security numbers, and legal agreements, then staged files in the Downloads folder before exfiltrating.

Organizations should train staff to verify IT calls independently, restrict remote access tool installation, and enforce MFA on document repositories.

Data Exfiltration and Physical Intrusion

Once files are staged, UNC3753 moves them out using several methods. They have used portable WinSCP and Rclone for bulk transfers, or logged directly into cloud storage from the victim's browser.

In one incident, the group moved 1.7 gigabytes to a Google Drive account before pivoting to a VDI session and exfiltrating an additional 14.4 gigabytes using WinSCP.
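The two tool families described above (remote-access agents such as AnyDesk, Bomgar, Zoho Assist and SuperOps, then portable WinSCP or Rclone for the transfer) give a defender a simple endpoint detection: flag either family when it starts, raise the severity when the binary runs from a user-writable location such as Downloads, and escalate to critical when a transfer tool starts on a host shortly after a remote-access tool. The following script is an added example written for this article, not code from Google Cloud's report; the process-creation events, host names and binary paths are constructed, and matching on the vendor name in the image path is an assumption rather than a vendor-documented file name.

```python
import re
from datetime import datetime, timedelta

# Process-creation events, constructed for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T10:14:05", "host": "LAW-WS-17", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "parent": "chrome.exe"},
    {"ts": "2026-03-02T10:16:40", "host": "LAW-WS-17", "user": "jdoe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "parent": "explorer.exe"},
    {"ts": "2026-03-02T10:52:11", "host": "LAW-WS-17", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\WinSCP-Portable\WinSCP.exe", "parent": "AnyDesk.exe"},
    {"ts": "2026-03-02T11:03:27", "host": "LAW-WS-22", "user": "asmith",
     "image": r"C:\Program Files\Zoho\ZohoAssist\ZA_Access.exe", "parent": "msiexec.exe"},
    {"ts": "2026-03-02T11:20:00", "host": "LAW-WS-09", "user": "svc_it",
     "image": r"C:\Program Files (x86)\Bomgar\bomgar-scc.exe", "parent": "services.exe"},
    {"ts": "2026-03-02T11:45:13", "host": "LAW-WS-17", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\rclone.exe", "parent": "cmd.exe"},
]

# Tool names come from the article; matching them as substrings of the full
# image path is an assumption made for this example.
TOOL_PATTERNS = {
    "remote_access": re.compile(r"(anydesk|bomgar|zoho|superops)", re.I),
    "transfer":      re.compile(r"(winscp|rclone)", re.I),
}
# Locations a standard user can write to without an installer or admin rights.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp)\\", re.I)


def classify(image):
    """Return the tool family for an image path, or None if it is not of interest."""
    for category, pattern in TOOL_PATTERNS.items():
        if pattern.search(image):
            return category
    return None


def detect(events, window=timedelta(hours=2)):
    """Produce one alert per tool start, escalating on the remote-access -> transfer chain."""
    alerts = []
    last_remote = {}  # host -> time of the most recent remote-access tool start
    for ev in sorted(events, key=lambda e: e["ts"]):
        category = classify(ev["image"])
        if category is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        severity = "medium"
        reasons = [f"{category} tool started: {ev['image']}"]
        if USER_WRITABLE.search(ev["image"]):
            severity = "high"
            reasons.append("launched from a user-writable path (portable or unmanaged install)")
        if category == "remote_access":
            last_remote[ev["host"]] = ts
        else:  # transfer tool: look back for a remote-access tool on the same host
            previous = last_remote.get(ev["host"])
            if previous is not None and ts - previous <= window:
                severity = "critical"
                reasons.append(f"transfer tool started within {window} of a remote-access tool on this host")
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "category": category, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], "|", "; ".join(alert["reasons"]))
```

The Bomgar start under `services.exe` by a service account stays at medium because a managed installation from Program Files is what a legitimate deployment looks like; the rule is meant to be tuned with an allow-list of the organisation's sanctioned RMM agent so that everything else, especially anything run from Downloads, is treated as an unmanaged install.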

Beyond digital attacks, individuals tied to UNC3753 have physically entered corporate offices posing as IT technicians, a tactic corroborated by an FBI Cyber FLASH Alert.

LEAKEDDATA DLS (Source - Google Cloud)

These actors claim to image devices and copy data to USB drives before leaving. Disabling USB storage across all endpoints and BYOD systems is a critical control to block this physical threat.

Organizations should monitor SSH traffic and outbound transfers for unusual spikes, and configure real-time alerts in document platforms for mass downloads.
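Two of the controls just listed, real-time alerts for mass downloads in the document platform and detection of unusual outbound transfer volume, can be prototyped with a few lines of log processing. The script below is an added example written for this article, not code from the report or from any document-management product; the audit-line format (`<ISO timestamp> user=... action=... doc=... bytes=...`), the user names and the hourly egress figures are all constructed, though the two large transfer volumes mirror the 1.7 GB and 14.4 GB figures the article quotes.

```python
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Document-platform audit lines, constructed for this example (format assumed).
_BASE = datetime(2026, 3, 2, 10, 50, 0)
SAMPLE_LOG = [
    "2026-03-02T09:00:12 user=asmith action=download doc=/Clients/Acme/engagement.docx bytes=48213",
    "2026-03-02T09:41:55 user=asmith action=view doc=/Clients/Acme/engagement.docx bytes=0",
    "2026-03-02T10:48:30 user=jdoe action=view doc=/Tax/2025/index.xlsx bytes=0",
] + [
    # 30 downloads by one user in about six minutes: the mass-download signature.
    f"{(_BASE + timedelta(seconds=12 * i)).isoformat()} user=jdoe action=download "
    f"doc=/Tax/2025/return_{i:03d}.pdf bytes={300000 + 1000 * i}"
    for i in range(30)
]

# Hourly outbound volume (MB) for one workstation, constructed: a quiet baseline
# followed by transfers of the size the article describes.
SAMPLE_EGRESS_MB = [120, 95, 140, 110, 130, 105, 1700, 14400]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) doc=(?P<doc>\S+) bytes=(?P<bytes>\d+)$")


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def mass_download_alerts(lines, threshold=20, window=timedelta(minutes=10)):
    """Alert once per user the first time they exceed `threshold` downloads in `window`."""
    recent = defaultdict(deque)  # user -> timestamps of downloads inside the window
    alerted, alerts = set(), []
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    for ev in events:
        if ev["action"] != "download":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop downloads older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "count": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


def egress_spikes(samples, baseline_len=5, factor=5.0):
    """Flag intervals whose volume exceeds `factor` x the median of the preceding intervals."""
    spikes = []
    for i in range(baseline_len, len(samples)):
        baseline = statistics.median(samples[i - baseline_len:i])
        if samples[i] > factor * baseline:
            spikes.append({"index": i, "value": samples[i], "baseline": baseline})
    return spikes


if __name__ == "__main__":
    for a in mass_download_alerts(SAMPLE_LOG):
        print("MASS DOWNLOAD", a)
    for s in egress_spikes(SAMPLE_EGRESS_MB):
        print("EGRESS SPIKE", s)
```

The median is used for the baseline rather than the mean so that the first large transfer does not immediately inflate the baseline and mask the second, larger one; both spikes are still flagged on the sample data. The mass-download rule fires on the twentieth download inside the window rather than waiting for the window to close, which is what "real-time" has to mean when the article's figure for search, staging and exfiltration is under an hour.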

Phishing domains used by this group follow patterns like organization-itdesk.com and organization-helpdesk.com, which can be blocked at the DNS level. Physical visitor verification, including ID logging and mandatory escort of technical personnel, must be enforced without exception.

Indicators of Compromise (IoCs):

Type             Indicator                              Description
IPv4 Address     192.236.147.131                        UNC3753 actor-controlled IP
IPv4 Address     192.236.147.138                        UNC3753 actor-controlled IP
IPv4 Address     193.141.60.212                         UNC3753 actor-controlled IP
IPv4 Address     192.236.154.158                        UNC3753 actor-controlled IP
IPv4 Address     192.236.146.173                        UNC3753 actor-controlled IP
IPv4 Address     174.169.162.62                         UNC3753 actor-controlled IP
IPv4 Address     64.94.84.97                            UNC3753 actor-controlled IP
Domain Pattern   <organization>-itdesk[.]com            Vishing/phishing infrastructure domain pattern
Domain Pattern   <organization>-it[.]com                Vishing/phishing infrastructure domain pattern
Domain Pattern   <organization>-helpdesk[.]com          Vishing/phishing infrastructure domain pattern
Data Leak Site   hxxps[:]//business-data-leaks[.]com    UNC3753 victim disclosure platform

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
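The IoC table and the note on defanging translate directly into a small matching routine: re-fang the published indicators only in memory, compare DNS queries against the organisation-specific `<organization>-itdesk` / `-it` / `-helpdesk` lookalike patterns and the actor IPs, and defang again before anything is written to a ticket. The script below is an added example for this article, not tooling from Google Cloud or from any threat-intelligence platform; the DNS log format, the client addresses, the protected organisation name `acmelaw` and the answers that happen to land on listed IPs are all constructed, while the IP and domain indicators are copied from the table above.

```python
import re

# IoCs transcribed from the article's table (kept defanged as published).
ACTOR_IPS = {
    "192.236.147.131", "192.236.147.138", "193.141.60.212", "192.236.154.158",
    "192.236.146.173", "174.169.162.62", "64.94.84.97",
}
LEAK_SITE_DEFANGED = "hxxps[:]//business-data-leaks[.]com"
HELPDESK_SUFFIXES = ("itdesk", "it", "helpdesk")  # from <organization>-<suffix>[.]com


def refang(value):
    """Undo the usual defanging so an indicator can be compared in memory only."""
    return (value.replace("[.]", ".").replace("[:]", ":")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def defang(value):
    """Defang again before an indicator is written to a ticket, report or chat."""
    return (value.replace("https://", "hxxps[:]//").replace("http://", "hxxp[:]//")
                 .replace(".", "[.]"))


LEAK_SITE_HOST = refang(LEAK_SITE_DEFANGED).split("//", 1)[1]
_SUFFIX_ALT = "|".join(HELPDESK_SUFFIXES)
# Broad rule for DNS blocking: any "<label>-itdesk.com"-style name, whoever the label is.
GENERIC_HELPDESK = re.compile(rf"^[a-z0-9-]+-(?:{_SUFFIX_ALT})\.com$")


def org_lookalike_patterns(org_names):
    """One regex per protected organisation name (names are constructed input)."""
    return [re.compile(rf"^{re.escape(org.lower())}-(?:{_SUFFIX_ALT})\.com$") for org in org_names]


def classify_domain(domain, org_patterns):
    """Return why a queried domain is suspicious, or None if it matches nothing."""
    d = domain.lower().rstrip(".")
    if d == LEAK_SITE_HOST:
        return "leak-site"
    if any(p.match(d) for p in org_patterns):
        return "org-lookalike"
    if GENERIC_HELPDESK.match(d):
        return "generic-helpdesk-pattern"
    return None


# DNS resolver log lines, constructed for this example (format assumed).
DNS_LOG = [
    "2026-03-02T10:02:11 client=10.20.4.17 query=acmelaw.com answer=203.0.113.10",
    "2026-03-02T10:09:43 client=10.20.4.17 query=acmelaw-helpdesk.com answer=192.236.147.131",
    "2026-03-02T10:11:02 client=10.20.4.31 query=someco-itdesk.com answer=198.51.100.7",
    "2026-03-02T10:15:55 client=10.20.4.17 query=business-data-leaks.com answer=64.94.84.97",
    "2026-03-02T10:20:00 client=10.20.4.52 query=updates.example.net answer=198.51.100.9",
]
DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$")


def scan_dns_log(lines, org_names):
    """Match each query and its answer against the patterns and actor IPs; output is defanged."""
    patterns = org_lookalike_patterns(org_names)
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        reasons = []
        kind = classify_domain(m["query"], patterns)
        if kind:
            reasons.append(f"domain: {kind}")
        if m["answer"] in ACTOR_IPS:
            reasons.append("resolved to actor-controlled IP")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "query": defang(m["query"]), "answer": defang(m["answer"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG, ["acmelaw"]):
        print(hit["ts"], hit["client"], hit["query"], "->", hit["answer"], "|", "; ".join(hit["reasons"]))
```

Keeping the organisation-specific and generic rules separate matters for triage: a query for the firm's own name with a helpdesk suffix is a targeted lookalike and deserves an immediate call to the user, while the generic pattern is better suited to a DNS block-list where an occasional false positive on a legitimate vendor is cheap.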

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.
