Cybersecurity researchers have uncovered a large-scale data theft and extortion operation targeting professional services, law firms, and financial organizations across the United States.
The campaign has been attributed to a financially motivated threat actor known as UNC3753, also tracked as Chatty Spider, Luna Moth, and the Silent Ransom Group (SRG). According to researchers from Google Mandiant and the Google Threat Intelligence Group (GTIG), the attackers have successfully compromised dozens of organizations between January and May 2026 using sophisticated social engineering tactics rather than traditional malware.
Voice Phishing at the Center of the Attacks
Unlike many ransomware groups that rely on exploits or malicious attachments, UNC3753 primarily uses voice phishing (vishing) and human deception to gain access to corporate environments.
The attacks often begin with seemingly harmless invoice-related or business-themed emails sent from attacker-controlled consumer email accounts. These messages typically contain no malicious links or attachments. Instead, they are designed to create concern and encourage victims to engage with follow-up communications.
Shortly after the email is received, attackers contact employees by phone while impersonating internal IT support staff. Common pretexts include:
- Corporate data migration projects
- Security issue remediation
- Account verification requests
- Technical support assistance
Victims are then persuaded to join screen-sharing sessions where attackers guide them into installing legitimate remote access tools.
Legitimate Remote Access Tools Abused
Once trust has been established, UNC3753 convinces victims to install remote monitoring and management (RMM) software, allowing attackers to gain direct access to corporate systems.
Commonly abused tools include:
- AnyDesk
- Bomgar
- SuperOps RMM
- Zoho Assist
Installation instructions are often delivered through self-destructing notes hosted on Privnote, making forensic investigations more difficult.
Researchers say the use of legitimate software helps attackers evade traditional security controls, antivirus solutions, and many endpoint detection systems.
Data Theft Instead of Encryption
Unlike conventional ransomware operations, Silent Ransom Group focuses almost exclusively on data theft and extortion.
After obtaining access, attackers rapidly search for sensitive information, including:
- Legal contracts and agreements
- Financial records
- Tax documentation
- Audit reports
- Client information
- Social Security numbers (SSNs)
- Personally identifiable information (PII)
The threat actors then exfiltrate the data using tools such as WinSCP and Rclone, or by sending files directly from compromised email accounts under their control.
In some cases, attackers manipulate victims into performing parts of the data collection process themselves, reducing the need for overt malicious activity.
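The two preceding sections describe activity that leaves ordinary process-creation telemetry behind: a remote-access tool the organisation did not deploy, usually launched from a download directory, and a file-transfer utility such as WinSCP or Rclone run by a user who has no business moving bulk data. The script below is an added example of triaging such telemetry; it is not code from Google, Mandiant or the reporting vendor. The product names come from the article, but the filename and description fragments matched for each product, the "user-writable path" heuristic, and every hostname, username and path in the sample events are assumptions constructed for the example.

```python
"""
Process-creation triage for the tooling described above: remote-access/RMM
software that is not on the organisation's approved list, and file-transfer
utilities (WinSCP, Rclone) launched by ordinary users. Added example with
constructed telemetry; not code from Google/Mandiant or any vendor.
"""
import re
from dataclasses import dataclass

# Product names come from the reporting; the fragments matched against the
# binary path and version-resource description are assumptions about how
# each vendor names its executables.
REMOTE_ACCESS_TOOLS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Bomgar": re.compile(r"bomgar|beyondtrust", re.I),
    "SuperOps RMM": re.compile(r"superops", re.I),
    "Zoho Assist": re.compile(r"zoho\s*assist|za_connect|za_access", re.I),
}
TRANSFER_TOOLS = {
    "WinSCP": re.compile(r"winscp", re.I),
    "Rclone": re.compile(r"rclone", re.I),
}
# Sanctioned RMM agents are normally deployed by software management into
# Program Files; a copy started from a user-writable directory is suspicious
# even when the product itself is approved (assumed deployment convention).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\", re.I)
BROWSERS = re.compile(r"(chrome|msedge|firefox)\.exe$", re.I)


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the new process
    description: str    # FileDescription from the PE version resource
    parent_image: str


def match_tool(event, catalogue):
    """Return the catalogue entry whose pattern hits the path or description."""
    haystack = f"{event.image} {event.description}"
    for name, pattern in catalogue.items():
        if pattern.search(haystack):
            return name
    return None


def triage(events, approved_rmm, transfer_operators=frozenset()):
    """Return one alert dict per event that merits analyst review."""
    alerts = []
    for ev in events:
        reasons = []
        rmm = match_tool(ev, REMOTE_ACCESS_TOOLS)
        if rmm:
            if rmm not in approved_rmm:
                reasons.append(f"unapproved remote-access tool {rmm}")
            if USER_WRITABLE.search(ev.image):
                reasons.append("launched from user-writable path")
            if BROWSERS.search(ev.parent_image):
                reasons.append("spawned by a browser (likely just downloaded)")
        xfer = match_tool(ev, TRANSFER_TOOLS)
        if xfer and ev.user not in transfer_operators:
            reasons.append(f"file-transfer utility {xfer} run by non-operator")
        if reasons:
            alerts.append({"host": ev.host, "user": ev.user,
                           "tool": rmm or xfer, "reasons": reasons})
    return alerts


# Constructed sample telemetry (hostnames, users and paths are invented).
SAMPLE_EVENTS = [
    ProcessEvent("WS-LEGAL-07", "CORP\\jdoe",
                 r"C:\Users\jdoe\Downloads\AnyDesk.exe", "AnyDesk",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent("WS-FIN-02", "CORP\\asmith",
                 r"C:\Users\asmith\AppData\Local\Temp\ZA_Connect.exe",
                 "Zoho Assist", r"C:\Windows\explorer.exe"),
    ProcessEvent("WS-FIN-02", "CORP\\asmith",
                 r"C:\Users\asmith\Downloads\rclone.exe", "Rclone",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS-IT-01", "NT AUTHORITY\\SYSTEM",
                 r"C:\Program Files\Bomgar\bomgar-scc.exe",
                 "BeyondTrust Remote Support", r"C:\Windows\System32\services.exe"),
    ProcessEvent("WS-LEGAL-07", "CORP\\jdoe",
                 r"C:\Windows\System32\notepad.exe", "Notepad",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, approved_rmm={"Bomgar"},
                        transfer_operators={"CORP\\backup-svc"}):
        print(alert["host"], alert["user"], alert["tool"], "; ".join(alert["reasons"]))
```

Against the sample events the sanctioned Bomgar agent started by the service control manager from Program Files produces nothing, while the AnyDesk binary run from a Downloads folder by a browser child, the Zoho Assist client in a Temp directory, and the Rclone launch by a non-operator each raise an alert. The point of keeping an approved list rather than blocking every RMM name is that the helpdesk's own tool is also what the caller impersonates, so the useful signal is the combination of product, launch location and parent, not the product alone.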
Physical Intrusions Mark a Dangerous Escalation
Researchers have also observed a concerning evolution in the group’s tactics.
According to a recent FBI advisory, members of the Silent Ransom Group have begun conducting in-person intrusions, posing as IT technicians to gain access to corporate offices.
Once inside, the attackers reportedly connect removable USB devices or external hard drives to victim systems and copy sensitive data directly.
This tactic significantly increases the threat posed by the group, combining cybercrime techniques with physical infiltration methods.
Accessing Corporate Networks Through Personal Devices
Google’s investigation revealed that attackers sometimes establish Zoom sessions on employees’ personal laptops and use them as a bridge into corporate virtual desktop infrastructure (VDI) environments.
This approach enables the group to:
- Access internal file systems
- Explore mapped network drives
- Enumerate cloud storage locations
- Identify high-value documents
- Harvest confidential client information
By operating through trusted user sessions, the attackers can bypass many traditional network security defenses.
Extortion Demands Arrive Within Hours
One of the most alarming aspects of the campaign is its speed.
Researchers found that many attacks progress from initial contact to data theft and extortion within a single business day.
In some incidents:
- Data discovery begins within minutes of gaining access
- Exfiltration occurs within an hour
- Extortion emails are sent less than 30 minutes after attackers leave the environment
Victims are typically given three days to begin ransom negotiations.
The extortion messages threaten to:
- Publish stolen data online
- Contact employees directly
- Notify customers and business partners
- Expose sensitive information publicly
The group frequently uses its data leak platform to pressure organizations into payment.
Links to the Conti Ransomware Ecosystem
Google researchers believe UNC3753 shares significant operational similarities with another threat cluster known as UNC2686, which previously conducted callback phishing campaigns similar to BazarCall attacks.
Both groups are believed to have emerged from the remnants of the now-defunct Conti ransomware operation.
While earlier campaigns occasionally deployed LockBit Black ransomware, the group has largely shifted toward extortion-only attacks since 2022, avoiding file encryption entirely and focusing on monetizing stolen data.
Legal Firms Remain Prime Targets
Researchers noted that legal services organizations remain particularly attractive targets due to the sensitive information they manage.
Law firms often maintain centralized repositories containing:
- Merger and acquisition documents
- Corporate trade secrets
- Regulatory filings
- Litigation records
- Confidential client communications
The reputational and regulatory risks associated with data exposure make these organizations especially vulnerable to extortion pressure.
Fast-Flux Infrastructure Helps Evade Detection
Separately, cybersecurity firm Resecurity reported that the threat actor is using sophisticated DNS Fast Flux infrastructure to support its operations.
The infrastructure powers domains associated with:
- Data leak operations
- Stolen data staging servers
The Fast Flux network spans multiple regions, including:
- Latin America
- Eastern Europe
- Central Asia
- East Asia
- Middle East and Africa
- Caribbean nations
By continuously rotating DNS records and using short Time-To-Live (TTL) values, the attackers make their infrastructure highly resilient against takedown efforts and domain blocking.
Researchers estimate the network relies on compromised residential and mobile internet connections across 18 countries and 22 internet service providers, making disruption significantly more challenging.
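The traits just described (short TTLs, continuously rotating A records, and addresses spread across many providers) are visible in passive-DNS data long before a domain reaches a blocklist. The script below is an added example of scoring domains on those three traits; it is not Resecurity's method or data. Because registry and ASN lookups are out of scope for an offline example, diversity of /16 prefixes stands in for the provider diversity the reporting describes, and the thresholds, domain names and observations are all constructed assumptions (addresses are from the RFC 5737 documentation ranges).

```python
"""
Heuristic fast-flux scoring over passive-DNS style observations. Added example
with constructed data; not Resecurity's method. The /16-prefix count is an
assumed stand-in for ISP/ASN diversity, and the thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import IPv4Address, ip_network
from statistics import median

# Constructed observations: (domain, unix_time, ttl_seconds, A records).
OBSERVATIONS = [
    ("leak-portal.example", 0,    60,  ["192.0.2.10", "198.51.100.10"]),
    ("leak-portal.example", 300,  120, ["203.0.113.10", "192.0.2.20"]),
    ("leak-portal.example", 600,  60,  ["198.51.100.20", "203.0.113.20"]),
    ("leak-portal.example", 900,  90,  ["192.0.2.30", "198.51.100.30"]),
    ("leak-portal.example", 1200, 60,  ["203.0.113.30", "192.0.2.40"]),
    ("leak-portal.example", 1500, 120, ["198.51.100.40", "203.0.113.40"]),
    ("corp-portal.example", 0,    3600, ["192.0.2.200", "192.0.2.201"]),
    ("corp-portal.example", 3600, 3600, ["192.0.2.200", "192.0.2.201"]),
    ("corp-portal.example", 7200, 3600, ["192.0.2.201", "192.0.2.200"]),
]


def summarise(observations):
    """Aggregate per-domain TTLs, distinct addresses and distinct /16 prefixes."""
    stats = defaultdict(lambda: {"ttls": [], "ips": set(), "prefixes": set()})
    for domain, _ts, ttl, answers in observations:
        s = stats[domain]
        s["ttls"].append(ttl)
        for addr in answers:
            ip = IPv4Address(addr)          # raises ValueError on malformed input
            s["ips"].add(ip)
            s["prefixes"].add(ip_network(f"{ip}/16", strict=False))
    return stats


def score_domain(s, max_ttl=300, min_ips=5, min_prefixes=3):
    """Flag a domain only when all three fast-flux traits are present."""
    med_ttl = median(s["ttls"])
    traits = []
    if med_ttl <= max_ttl:
        traits.append(f"median TTL {med_ttl:g}s <= {max_ttl}s")
    if len(s["ips"]) >= min_ips:
        traits.append(f"{len(s['ips'])} distinct A records")
    if len(s["prefixes"]) >= min_prefixes:
        traits.append(f"{len(s['prefixes'])} distinct /16 prefixes")
    return {
        "median_ttl": med_ttl,
        "distinct_ips": len(s["ips"]),
        "distinct_prefixes": len(s["prefixes"]),
        "flux_like": len(traits) == 3,
        "traits": traits,
    }


def classify(observations):
    """Map each observed domain to its score dict."""
    return {d: score_domain(s) for d, s in summarise(observations).items()}


if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        label = "FLUX-LIKE" if verdict["flux_like"] else "stable"
        print(f"{domain:24} {label:10} " + "; ".join(verdict["traits"]))
```

Requiring all three traits together matters: a content-delivery network also answers with short TTLs and many addresses, but those addresses sit in a handful of provider prefixes, whereas a botnet of compromised residential and mobile connections scatters across many. Feeding real ASN data in place of the /16 proxy makes the third test considerably stronger.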
Key Takeaways
The Silent Ransom Group continues to demonstrate how effective social engineering can be against even well-defended organizations.
Rather than relying on malware or exploits, the group targets employees directly through voice phishing, remote support scams, and, increasingly, physical impersonation tactics.
Organizations should strengthen employee awareness training, verify all IT support requests through trusted channels, restrict unauthorized remote access tools, and closely monitor unusual data access patterns to reduce exposure to these rapidly evolving extortion campaigns.
