
UNC3753 Targets US Law Firms with Vishing, RMM Tools, and Physical Break-Ins

Threat cluster UNC3753, widely tracked as Silent Ransom Group or Luna Moth, is actively targeting professional, legal, and financial services in the United States.

According to Mandiant’s Google Threat Intelligence Group (GTIG), this financially motivated campaign leverages a highly effective combination of voice phishing, remote monitoring and management abuse, and unprecedented physical office intrusions.

Attackers execute the entire sequence from initial contact to data exfiltration and extortion within a single business day, occasionally staging data in under an hour.

The campaign initiates with benign, invoice-themed emails sent from actor-controlled consumer accounts to prime the target without using malicious links or payloads.

Attackers then call the victim, impersonating internal IT helpdesk or security personnel using contact information harvested directly from corporate directories, Google said.

Victims are instructed to join a screen-sharing session via Zoom, Microsoft Teams, or Quick Assist, where they are guided to download commercial RMM agents like AnyDesk, Bomgar, Zoho Assist, or SuperOps to establish persistent remote access.

Attackers use self-destructing messages via Privnote to deliver installation links, often executing silent installation commands to minimize endpoint footprints.

Following this initial foothold, threat actors pivot from compromised BYOD endpoints to corporate virtual desktop infrastructure environments using clients such as Windows 365 and Citrix.

Once inside the VDI, UNC3753 enumerates OneDrive folders and mapped network drives. They specifically target iManage document repositories using keyword searches to harvest sensitive client data, including W-2 forms, Social Security numbers, audit records, and legal agreements.

Attackers use tools like WinSCP, Rclone, and direct browser uploads to actor-controlled Google Drive accounts for rapid data theft. In one Mandiant-investigated case, the group transferred 1.7 GB via Google Drive before pivoting to WinSCP to extract an additional 14.4 GB.

The group has recently escalated its tactics beyond digital boundaries. Corroborated by an FBI Cyber FLASH Alert, individuals posing as IT technicians have physically entered corporate offices attempting to steal data directly using USB storage media.

Within 30 minutes of exiting the compromised environment, UNC3753 sends aggressive extortion demands with a strict three-day negotiation window. Failure to comply results in direct harassment of employees and clients, alongside threats to publish the stolen archives on their LEAKEDDATA data leak site.

Note: IP addresses and domains are intentionally defanged (e.g., ) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Legal and professional services firms can defend against these aggressive tactics by implementing strict access controls and behavioral monitoring.

Organizations must enforce application control policies, such as Windows Defender Application Control, to block unauthorized RMM binaries.

It is also critical to disable USB read and write access via Group Policy Objects or Mobile Device Management across all corporate and BYOD endpoints.

Furthermore, security teams should require multi-factor authentication on iManage, SharePoint, and corporate VDI entry points, while actively monitoring SSH (TCP port 22) traffic for high-volume data transfers from internal VDIs using WinSCP or Rclone.
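As an added illustration of the monitoring advice above (example code written for this page, not part of the original article or of any Mandiant tooling), the script below runs two detections over constructed log lines: RMM agent launches on endpoints, and bulk SSH egress from VDI hosts. The log formats, the `vdi-` host-naming convention, the RMM keyword list and the 1 GB threshold are all assumptions to tune to your own environment.

```python
from collections import defaultdict
from typing import Dict, List

# Illustrative RMM product keywords; tune to your own software inventory (assumption).
RMM_KEYWORDS = ("anydesk", "bomgar", "zohoassist", "superops")
SSH_PORT = 22
SSH_EGRESS_THRESHOLD = 1_000_000_000  # 1 GB per source host in the window (assumption)
VDI_PREFIX = "vdi-"                   # assumed naming convention for VDI hosts

# Constructed process-creation events: "host|user|image_path"
PROC_LOG = [
    "laptop-07|j.doe|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
    "laptop-07|j.doe|C:\\Users\\j.doe\\Downloads\\AnyDesk.exe",
    "vdi-112|j.doe|C:\\Users\\j.doe\\AppData\\Local\\Temp\\SuperOps_setup.exe",
]
# Constructed flow records: "src_host,dst_ip,dst_port,bytes_out"
FLOW_LOG = [
    "vdi-112,203.0.113.10,22,900000000",
    "vdi-112,203.0.113.10,22,800000000",
    "vdi-045,203.0.113.20,22,50000000",
    "laptop-07,198.51.100.5,443,120000000",
]

def find_rmm_launches(lines: List[str]) -> List[Dict[str, str]]:
    """Return process events whose image file name contains an RMM keyword."""
    hits = []
    for line in lines:
        host, user, image = line.split("|", 2)
        exe = image.rsplit("\\", 1)[-1].lower()
        if any(k in exe for k in RMM_KEYWORDS):
            hits.append({"host": host, "user": user, "image": image})
    return hits

def find_bulk_ssh_egress(lines: List[str]) -> Dict[str, int]:
    """Sum TCP/22 bytes per VDI host and return the hosts over the threshold."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        src, _dst, port, nbytes = line.split(",")
        if int(port) == SSH_PORT and src.startswith(VDI_PREFIX):
            totals[src] += int(nbytes)
    return {h: b for h, b in totals.items() if b >= SSH_EGRESS_THRESHOLD}

if __name__ == "__main__":
    for hit in find_rmm_launches(PROC_LOG):
        print(f"ALERT rmm-agent host={hit['host']} user={hit['user']} image={hit['image']}")
    for host, total in find_bulk_ssh_egress(FLOW_LOG).items():
        print(f"ALERT bulk-ssh-egress host={host} bytes={total}")
```

In production the byte totals would be computed over a sliding window from your flow or proxy telemetry, and the RMM rule belongs alongside the application-control policy rather than replacing it.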

By Eswar