<div class="block-paragraph_advanced"><p>Written by: Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, Tyler McLellan</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign executed by the threat cluster UNC3753 (also tracked as "Luna Moth," “Chatty Spider,” and "Silent Ransom Group") targeting dozens of organizations across professional, legal, and financial services in the United States.</span></p> <p><span style="vertical-align: baseline;">UNC3753 leverages voice phishing (vishing) and social engineering deception techniques to achieve remote access into corporate environments. Using pretexts such as data migration or invoice related emails, the threat actors initiate phone conversations posing as IT support and convince targets to host screen-sharing sessions and download remote monitoring and management (RMM) utilities. Once inside the environment, the threat actors either directly conduct searches to locate and exfiltrate highly sensitive data, or manipulate the victim into executing these actions on their behalf. This data typically includes proprietary legal agreements, personally identifiable information (PII), and financial records for subsequent extortion demands.</span></p> <p><span style="vertical-align: baseline;">Notably, in instances possibly linked to UNC3753, threat actors have accessed victims' systems in person. </span><a href="https://www.ic3.gov/CSA/2026/260526.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">In these physical incidents</span></a><span style="vertical-align: baseline;">, individuals posing as IT technicians entered corporate offices to attempt direct exfiltration of data from an endpoint using USB storage m

Read Full Article at Mandiant Blog →