What Happened
Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that has targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026. The activity has been attributed by Google Mandiant and Google Threat Intelligence Group (GTIG) to a threat actor dubbed UNC3753, which is also known as
Why It Matters
According to Mandiant/GTIG reporting, UNC3753 (aka Silent Ransom Group, Luna Moth, Chatty Spider) is conducting a financially motivated extortion campaign against U.S. professional, legal, and financial services organizations using voice phishing, remote monitoring and management (RMM) tools, and in some cases physical office intrusions to rapidly exfiltrate sensitive client data, often within a single business day.[1][5] The campaign relies on social engineering to impersonate IT staff, guide users into screen-sharing sessions, install commercial RMM agents, pivot into VDI environments, and move data to attacker-controlled cloud storage or removable media, followed by aggressive extortion threats to leak data publicly.[1][2][3] From a CyberSE.AI perspective, any AI-enabled workflows, legal-tech platforms, or financial analytics tools integrated into these environments are at elevated risk of silent data leakage and downstream model contamination if attackers gain RMM-based or physical access, because AI systems tend to aggregate highly sensitive multi-tenant data. Organizations should use an AI Security Readiness Assessment to map where AI systems intersect with VDI, RMM access, a
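The chain above (unapproved remote-access agent, then a bulk upload to non-sanctioned storage, or removable media on a host that should never see it) is something a SOC can correlate from ordinary endpoint telemetry. The script below is an added illustration of that detection logic, not code from Mandiant, GTIG, The Hacker News or CyberSE.AI. The event field names, host names, tool names, domains (all under `.invalid`) and thresholds are constructed assumptions; a real deployment would take the allowlists from the asset inventory and the sanctioned-storage list.

```python
"""Correlate unapproved remote-access agent installs with bulk outbound
transfers and removable-media use, over constructed endpoint telemetry.

Added example for the campaign pattern described above; the event lines,
host names, tool names, domains (all .invalid) and thresholds are constructed
for illustration and are not taken from any vendor report."""
import json
from datetime import datetime, timedelta

# Constructed sample of endpoint telemetry as JSON lines. Field names are
# assumptions about what an EDR-to-SIEM pipeline might emit.
SAMPLE_EVENTS = r"""
{"ts": "2026-03-04T09:12:05Z", "type": "process", "host": "vdi-07", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\helpdesk-remote-support.exe", "parent": "msedge.exe"}
{"ts": "2026-03-04T09:14:30Z", "type": "netconn", "host": "vdi-07", "user": "jdoe", "dest": "relay.remote-support-vendor.invalid", "bytes_out": 20480}
{"ts": "2026-03-04T10:02:11Z", "type": "netconn", "host": "vdi-07", "user": "jdoe", "dest": "upload.consumer-cloud.invalid", "bytes_out": 3221225472}
{"ts": "2026-03-04T11:20:00Z", "type": "process", "host": "ws-12", "user": "svc-it", "image": "C:\\Program Files\\CorpRMM\\agent.exe", "parent": "services.exe"}
{"ts": "2026-03-04T11:25:00Z", "type": "netconn", "host": "ws-12", "user": "svc-it", "dest": "backup.corp-storage.invalid", "bytes_out": 5368709120}
{"ts": "2026-03-04T13:40:00Z", "type": "usb_mount", "host": "lobby-kiosk-02", "user": "guest", "volume": "NO NAME"}
"""

# Constructed policy inputs: in practice these come from the asset inventory
# and the sanctioned-storage list, not from hard-coded constants.
APPROVED_RMM_IMAGES = {r"c:\program files\corprmm\agent.exe"}
APPROVED_STORAGE_DOMAINS = {"backup.corp-storage.invalid"}
APPROVED_USB_HOSTS = set()              # no host may mount removable media
REMOTE_ACCESS_MARKERS = ("remote-support", "rmm", "screen-share")  # constructed
EXFIL_BYTES = 1 << 30                   # 1 GiB outbound in a single flow
WINDOW = timedelta(hours=4)             # install-to-upload correlation window


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_unapproved_remote_agent(e):
    """Process event whose image looks like a remote-access tool but is not
    one of the sanctioned agent binaries."""
    if e["type"] != "process":
        return False
    image = e["image"].lower()
    if image in APPROVED_RMM_IMAGES:
        return False
    return any(marker in image for marker in REMOTE_ACCESS_MARKERS)


def alert(severity, rule, e, detail):
    return {"severity": severity, "rule": rule, "host": e["host"],
            "user": e["user"], "ts": e["ts"].isoformat(), "detail": detail}


def detect(events):
    """Return alerts in time order. A bulk upload is raised to 'high' only
    when the same host saw an unapproved remote-access agent within WINDOW."""
    alerts = []
    first_agent = {}  # host -> time of first unapproved remote-access agent
    for e in events:
        if is_unapproved_remote_agent(e):
            first_agent.setdefault(e["host"], e["ts"])
            alerts.append(alert("medium", "unapproved-remote-agent", e, e["image"]))
        elif (e["type"] == "netconn" and e["bytes_out"] >= EXFIL_BYTES
              and e["dest"] not in APPROVED_STORAGE_DOMAINS):
            seen = first_agent.get(e["host"])
            if seen is not None and e["ts"] - seen <= WINDOW:
                alerts.append(alert("high", "bulk-upload-after-remote-agent", e, e["dest"]))
            else:
                alerts.append(alert("medium", "bulk-upload-unapproved-destination", e, e["dest"]))
        elif e["type"] == "usb_mount" and e["host"] not in APPROVED_USB_HOSTS:
            alerts.append(alert("medium", "removable-media", e, e["volume"]))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f'{a["ts"]} {a["severity"]:6} {a["rule"]:36} {a["host"]} {a["user"]} {a["detail"]}')
```

On the constructed sample this yields three alerts: a medium for the user-downloaded remote-support installer on `vdi-07`, a high for the 3 GiB upload from the same host to a non-sanctioned domain fifty minutes later, and a medium for the USB mount on the kiosk; the sanctioned RMM agent and the 5 GiB backup from `ws-12` produce nothing. Because the campaign uses commercial RMM products, a path-based allowlist like the one here is the weakest link: anchor approval on signer, hash and the agent's enrollment identity, and treat any agent that reports to a tenant the organization does not own as unapproved even if the binary itself is a product already in use.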
CyberSE Analysis
This signal maps to data leakage. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/unc3753-used-vishing-and-physical.html