A Fast-Moving Threat Targets the Legal Sector
Mandiant has detailed an active and aggressive UNC3753 vishing campaign aimed squarely at US law firms and financial services organizations. Running from January through May 2026, the operation has hit dozens of companies. Also known as Luna Moth, Chatty Spider, and Silent Ransom Group, this threat cluster combines phone-based social engineering with legitimate remote access tools to steal sensitive data fast.
It All Starts With a Boring Email
The attack begins deceptively simply. Victims receive a generic invoice-themed email from a personal-looking address, often containing nothing more than a brief message such as “hello, here is the invoice we talked about yesterday.” There are no links and no attachments. According to the report, the email’s primary purpose is to establish a pretext: it plants a security concern in the target’s mind, which makes them more receptive to the follow-up voice call.
Soon after, the real attack begins. Posing as internal IT helpdesk staff, the threat actors call employees directly, often targeting people whose contact details are publicly listed on company websites.
Screen Sharing Opens the Door
Once trust is established, callers convince targets to start a screen-sharing session using Zoom, Microsoft Teams, Quick Assist, or Terminal Services. In one notable case, the same target received five separate calls over Teams across three days before the attacker succeeded.
From there, UNC3753 pushes victims toward installing commercial RMM software such as AnyDesk, Bomgar, or Zoho Assist. Installation links are frequently shared through privnote.com, a self-destructing note service that leaves minimal trace on browsers or chat logs.
Hunting for Sensitive Files
Once inside, attackers move quickly. They map network drives, browse OneDrive folders, and search iManage repositories using targeted keywords. The goal is finding tax forms, audit records, client agreements, and Social Security numbers, which are then staged in easily accessible folders like Downloads.
Exfiltration happens through several channels. The UNC3753 vishing campaign has used WinSCP, Rclone, browser-based uploads to consumer cloud storage, and even email forwarding to actor-controlled addresses. In one striking case, attackers moved 1.7 gigabytes to Google Drive before pivoting to a virtual desktop and pulling another 14.4 gigabytes via WinSCP.
The Extortion Follows Quickly
Within roughly 30 minutes of exiting a victim’s network, an extortion email typically arrives. These messages threaten to notify employees, clients, and the press, and warn of regulatory fines if the firm doesn’t respond within three days. Stolen data may ultimately surface on the group’s LEAKEDDATA leak site.
Some incidents suggest actors posing as technicians have entered offices in person, attempting to copy data directly to USB drives when remote methods fail.
Defending Against This Threat
Because this campaign relies on social engineering rather than malware exploits, technical controls alone won’t stop it. Organizations should train staff to verify IT helpdesk requests through official channels before joining any screen-sharing session. Restricting which RMM tools can run on corporate devices, monitoring for unusual iManage search activity, and flagging connections to known file-sharing services can all help limit damage if an initial call succeeds.
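As an added illustration of the last three controls (example code, not from Mandiant or the report), the following Python sketch tags endpoint telemetry for unapproved RMM starts, exfiltration tools and connections to the note service and cloud storage named above, then escalates any host where those events cluster within a short window. The log format, the executable substrings and the sanctioned tool `corpsupport` are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators come from the tools the report names; the executable substrings,
# the approved-tool list and the log format itself are assumptions.
UNAPPROVED_RMM = ("anydesk", "bomgar", "zoho")            # actor-installed RMM
EXFIL_TOOLS = ("winscp", "rclone")                        # exfiltration tools
WATCHLIST_DOMAINS = ("privnote.com", "drive.google.com")  # note service, cloud storage
APPROVED_RMM = ("corpsupport",)                           # hypothetical sanctioned tool

def parse(line):  # one space-separated key=value log line -> dict
    ev = dict(tok.split("=", 1) for tok in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev

def classify(ev):  # tag one event, or None if it looks benign
    if ev["event"] == "process_start":
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if any(t in exe for t in APPROVED_RMM):
            return None
        if any(t in exe for t in UNAPPROVED_RMM):
            return "unapproved_rmm"
        if any(t in exe for t in EXFIL_TOOLS):
            return "exfil_tool"
    elif ev["event"] == "net_connect":
        if any(ev["dest"].endswith(d) for d in WATCHLIST_DOMAINS):
            return "watchlist_domain"
    return None

def hunt(lines, window=timedelta(hours=2)):
    """Per host: 'high' when an unapproved RMM start sits within `window` of a note-service hit or exfil tool."""
    per_host = defaultdict(list)
    for ev in map(parse, lines):
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].append((ev["ts"], tag))
    findings = {}
    for host, evs in per_host.items():
        rmm_ts = [ts for ts, t in evs if t == "unapproved_rmm"]
        chained = any(t != "unapproved_rmm" and any(abs(ts - r) <= window for r in rmm_ts) for ts, t in evs)
        findings[host] = {"tags": {t for _, t in evs}, "severity": "high" if chained else "medium"}
    return findings

SAMPLE_LOGS = [  # constructed sample telemetry, not taken from the report
    "ts=2026-03-04T10:02:11Z host=WS-17 event=net_connect dest=privnote.com",
    "ts=2026-03-04T10:05:40Z host=WS-17 event=process_start image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "ts=2026-03-04T11:20:05Z host=WS-17 event=process_start image=C:\\Tools\\WinSCP\\WinSCP.exe",
    "ts=2026-03-04T09:15:00Z host=WS-22 event=process_start image=C:\\Tools\\corpsupport.exe",
    "ts=2026-03-04T14:00:00Z host=WS-30 event=process_start image=C:\\Tools\\rclone.exe",
]
```

Running `hunt(SAMPLE_LOGS)` rates WS-17 high (note service, AnyDesk and WinSCP within two hours), WS-30 medium (rclone alone) and omits WS-22, whose sanctioned tool is allow-listed.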