Data Theft Extortion: How UNC3753 Strikes in Hours

Eng. Donya Bino Published  ·  7 min read

You expect phishing emails. You train your team to spot suspicious links. But what happens when the attacker calls you directly and sounds exactly like your IT help desk?

That’s the new reality uncovered by Google Mandiant and the Google Threat Intelligence Group (GTIG). Between January and May 2026, a financially motivated data theft extortion campaign hit dozens of organizations across the U.S. professional, legal, and financial services sectors.

The culprit? A threat actor tracked as UNC3753. You might also know them as Chatty Spider, Luna Moth, or the Silent Ransom Group (SRG).

Here’s what makes this data theft extortion campaign different. No malicious attachments. No urgent “click here” emails. Instead, UNC3753 uses old-fashioned phone calls combined with clever deception to waltz right past your firewalls and multi-factor authentication.

The Voice on the Line Is a Hacker

It starts with a benign-looking email. An invoice. A data migration notice. Nothing suspicious, no links, no malware. Just a short message designed to raise a tiny flag in the target’s mind.

Then the phone rings.

The attacker, posing as an IT support person under a plausible pretext, tricks the victim into starting a screen-sharing session using tools like Zoom, Teams, AnyDesk, or Zoho Assist, and sends the instructions through privnote.com (self-destructing notes), gaining access shortly thereafter.

Once connected, the attacker begins the data theft and extortion operation immediately. The hacker first looks for valuable files, either by searching for them directly or by convincing the victim to locate them.

The stolen data generally includes the following types of files:
1. Proprietary agreements
2. PII (Personally Identifiable Information)
3. Financial documents such as bank statements
4. Tax documents, Social Security Numbers, etc.
5. Strategic merger and acquisition plans

When Remote Isn’t Enough: Physical Intrusions

Here’s where it gets even more unsettling. In some cases, UNC3753 doesn’t just call. They show up in person.

The FBI issued an advisory last month warning that SRG actors now pose as IT technicians to enter corporate offices. Once inside, they plug a USB drive into a victim’s computer and walk out with gigabytes of sensitive data.

Think about that. A data theft extortion campaign that blends vishing, remote access, and physical infiltration. It’s not just clever. It’s terrifyingly effective.

From First Call to Extortion in Under 24 Hours

Speed defines UNC3753. Google’s incident response teams have documented the entire operation, from initial phone contact to extortion email, taking place within a single business day.

Data searches, staging, and theft occur in under an hour. The attackers use WinSCP or Rclone to move files, or simply email stolen data from the victim’s own mailbox.

A Demand for Payment

Once an organization is identified as a victim, it receives an extortion email with a threatening three-day deadline.

If a victim does not respond within 72 hours, UNC3753 will:
1. Contact all of the victim's employees and clients by telephone or email
2. Post all of the stolen data on its LEAKEDDATA leak site

As of June 2026, that leak site listed nearly 100 victim organizations.

Why Legal and Financial Firms Are Prime Targets

This data theft extortion campaign focuses heavily on legal and financial services, and for good reason.

These firms store concentrated repositories of:
1. Client trade secrets
2. Corporate regulatory reports
3. Merger documents
4. Sensitive transaction files

As Google’s report notes, legal entities face heavy reputational and regulatory exposure. Many are willing to pay quietly to protect their standing. That makes them perfect targets.

UNC3753 is not exploiting technical vulnerabilities to compromise systems. Instead, it exploits the human component of the organization through voice-based social engineering that circumvents defense-in-depth technical controls, security solutions, and MFA.

The Infrastructure Behind the Attacks

Resecurity recently uncovered the technical backbone of this data theft extortion campaign. The attackers use a DNS Fast Flux network spread across 18 countries and 22 ISPs, all residential or mobile IPs, no datacenters.

Two key domains power the operation:
1. business-data-leaks[.]com – the public leak site
2. ep6pheij[.]com – staging stolen data per victim

By constantly changing DNS records with short Time-To-Live (TTL) values, UNC3753 makes takedowns nearly impossible. Block one IP, and the botnet routes through another residential connection in a different country.
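The rotation described above is visible in passive DNS: one hostname resolving to many unrelated residential addresses, each answer carrying a short TTL. As an added example (not the article's or Resecurity's code), the Python below scores constructed DNS observations for that pattern; the record format, the assumed ASN/country enrichment fields, and the thresholds are assumptions.

```python
# Added example (not the article's or Resecurity's code): score passive-DNS
# observations for fast-flux behaviour; record format and thresholds assumed.
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class DnsObservation:
    name: str      # queried hostname
    ip: str        # A record answer
    ttl: int       # TTL of that answer, in seconds
    asn: int       # origin AS of ip (assumed resolver enrichment)
    country: str   # ISO country of ip (assumed resolver enrichment)

def fast_flux_indicators(obs, max_ttl=300, min_ips=5, min_asns=3, min_countries=2):
    """Many IPs across many networks and countries, all short-TTL: the flux signature."""
    ips = {o.ip for o in obs}
    asns = {o.asn for o in obs}
    countries = {o.country for o in obs}
    ttl_med = median(o.ttl for o in obs) if obs else 0
    flux = (len(ips) >= min_ips and len(asns) >= min_asns
            and len(countries) >= min_countries and ttl_med <= max_ttl)
    return {"distinct_ips": len(ips), "distinct_asns": len(asns),
            "distinct_countries": len(countries), "median_ttl": ttl_med,
            "fast_flux": flux}

def scan(observations):
    """Group observations by hostname and score each one."""
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.name].append(o)
    return {name: fast_flux_indicators(rows) for name, rows in by_name.items()}

# Constructed sample: a rotating leak-site host (placeholder name, documentation
# IP ranges, private-use ASNs) beside a conventionally hosted corporate site.
SAMPLE = [
    DnsObservation("leak-site.example", "203.0.113.5", 60, 64500, "US"),
    DnsObservation("leak-site.example", "198.51.100.9", 120, 64501, "DE"),
    DnsObservation("leak-site.example", "192.0.2.44", 60, 64502, "BR"),
    DnsObservation("leak-site.example", "203.0.113.77", 90, 64503, "IN"),
    DnsObservation("leak-site.example", "198.51.100.130", 60, 64501, "DE"),
    DnsObservation("leak-site.example", "192.0.2.200", 300, 64504, "ZA"),
    DnsObservation("corp-www.example", "203.0.113.10", 3600, 64510, "GB"),
    DnsObservation("corp-www.example", "203.0.113.11", 3600, 64510, "GB"),
]

if __name__ == "__main__":
    for name, result in scan(SAMPLE).items():
        print(name, result)
```

Feeding the scorer from a resolver log or passive-DNS export over a day of answers is what makes it useful; a single lookup never shows the rotation.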

A Legacy of Conti and Callback Phishing

UNC3753 isn’t new to the game. Google notes tactical overlaps with UNC2686, a threat cluster known for BazarCall-style campaigns back in 2021. Both groups are considered offshoots of the now-defunct Conti ransomware gang.

Early campaigns used subscription cancellation lures to trick victims into calling back. Today’s version is more direct and more dangerous.

Although UNC3753 has deployed LockBit Black ransomware in the past, they’ve focused purely on extortion since 2022. No encryption. No recovery. Just theft and threats.

How to Protect Your Organization

Defending against this data theft extortion campaign requires a shift in mindset. Technical controls alone won’t stop voice-led attacks. 

Here’s what actually helps:

1. Confirm before trusting. If a caller identifies himself or herself as IT staff over the telephone, hang up and call the official company help desk number to verify the request.

2. Train employees about phone scams. Practice with employees through role-playing exercises on phone scams during security awareness training.

3. Limit the use of unauthorized remote access tools. Unless previously approved, employees are prohibited from running unauthorized remote monitoring and management (RMM) software (software that allows remote assistance) on their computers.

4. Monitor for unusual activity in screen-sharing software. It is particularly important to watch for an employee sending a screen-sharing invitation across the Internet from their personal computer while using the company’s VDI.

5. Require a valid ID badge for in-person IT support. An employee should only receive support from an on-site IT support technician who holds a valid ID badge granting entry to the IT support location.
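Items 3 and 4 become concrete once you check endpoint process-creation logs against an approved-tools list. As an added example (not the article's or any vendor's code), the Python below flags remote-access binaries that are not approved, and notes when they were run from a user-writable path, over a constructed log sample; the tab-separated log format, the binary names, and the approved list are assumptions.

```python
# Added example (not the article's code): flag remote-access tools that are not
# on the company's approved list in process-creation logs. The tab-separated
# log format, the binary names and the approved list are assumptions.
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host user image parent")
# Executable names of common remote-access / screen-sharing tools (assumed).
REMOTE_TOOLS = {"anydesk.exe": "AnyDesk", "zohoassist.exe": "Zoho Assist",
                "teamviewer.exe": "TeamViewer", "zoom.exe": "Zoom",
                "ms-teams.exe": "Microsoft Teams"}
APPROVED_TOOLS = {"Microsoft Teams", "Zoom"}   # assumed company policy
# Ad-hoc installs under the user's profile, typical of a "just run this" call.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\", re.I)

def parse(line):
    """One event per line: ts, host, user, image path, parent image path."""
    return Event(*line.rstrip("\n").split("\t"))

def assess(ev):
    """Return reasons to alert on this event; an empty list means ignore."""
    tool = REMOTE_TOOLS.get(ntpath.basename(ev.image).lower())
    if tool is None or tool in APPROVED_TOOLS:
        return []
    reasons = [f"unapproved remote-access tool {tool}"]
    if USER_WRITABLE.search(ev.image):
        reasons.append("launched from a user-writable path")
    return reasons

def alerts(lines):
    """Evaluate a batch of log lines; return (host, user, exe, reasons) tuples."""
    out = []
    for ev in map(parse, lines):
        reasons = assess(ev)
        if reasons:
            out.append((ev.host, ev.user, ntpath.basename(ev.image), reasons))
    return out

# Constructed sample log: a freshly downloaded AnyDesk run during a support
# call, the approved Zoom client, and an installed but unapproved Zoho Assist.
SAMPLE_LOG = ["\t".join(row) for row in [
    ("2026-03-04T10:12:03Z", "WS-LEGAL-07", "jdoe",
     r"C:\Users\jdoe\Downloads\AnyDesk.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("2026-03-04T10:12:41Z", "WS-LEGAL-07", "jdoe",
     r"C:\Users\jdoe\AppData\Roaming\Zoom\bin\Zoom.exe", r"C:\Windows\explorer.exe"),
    ("2026-03-04T10:15:22Z", "WS-FIN-02", "mlee",
     r"C:\Program Files (x86)\Zoho Assist\ZohoAssist.exe", r"C:\Windows\explorer.exe"),
]]
```

An alert on a user-writable path within minutes of an inbound call to that user is the timeline the article describes, so correlate it with help desk ticket records before closing it as benign.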

Conclusion

The data theft extortion campaign led by UNC3753 proves that cybersecurity isn’t just about technology anymore. It’s about trust, psychology, and the simple act of answering a phone call.

Attackers don’t need to break your encryption. They just need to convince one employee to share their screen. In under an hour, your firm’s most sensitive client data could be on its way to a leak site.

Stay skeptical. Verify everything. And remember: the helpful “IT technician” on the phone might be the most dangerous person you talk to today.

FAQ Section

What is UNC3753? 

UNC3753 is a financially motivated APT actor also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG). They target victims via voice phishing and social engineering to illegally acquire sensitive information for extortion purposes.

How is the extortion campaign using stolen data carried out? 

The campaign begins when the victim receives an innocuous email. The attacker then calls the victim posing as the IT department and convinces them to install remote access software. The attacker steals confidential data after gaining access to the user’s computer and demands a ransom.

What industries have been targeted most frequently? 

The three industries that have suffered the most breaches from UNC3753 are professional services, law firms, and financial services, all of which manage vast amounts of sensitive information for their clients, including trade secrets and regulatory filings.

Has UNC3753 used Ransomware? 

Yes, UNC3753 previously deployed LockBit Black ransomware; however, since 2022 they have stopped using ransomware as an attack method and focus only on extortion.

Will MFA protect against being a victim of this type of attack? 

MFA will not stop voice phishing or social engineering attacks from UNC3753. Because the attackers use various techniques to trick victims into giving them direct access to their systems, they are able to circumvent MFA completely.

Source: The Hacker News
© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067