


From Vishing to Physical Intrusions: The Aggressive New Tactics of the UNC3753 Extortion Group

Saran K | June 8, 2026 | 4 min read



The Convergence of Digital and Physical Espionage

For most corporate security teams, the primary threat vector is a perimeter firewall or a suspicious email attachment. However, a sophisticated extortion collective known to Google’s Mandiant as UNC3753—and by other researchers as Luna Moth or the Silent Ransom Group—is proving that the weakest link in a security chain isn’t always a software bug; sometimes, it is a revolving door.

According to a recent report from Mandiant’s incident response team, the group has spent the first half of 2025 targeting dozens of US-based law firms, banks, and professional services companies. While their primary playbook relies on high-pressure social engineering, the group has increasingly pivoted to a daring tactic: physically entering client offices and posing as IT technicians to steal data manually.

The ‘Help Desk’ Playbook

The operation typically begins not with a virus, but with a conversation. The group utilizes a sophisticated vishing (voice-phishing) campaign that mirrors the tactics of other notorious actors like Scattered Spider. Rather than sending a malicious link, the attackers send a benign, invoice-themed email. This establishes a plausible pretext for a follow-up phone call.

Once on the phone, the attackers pose as help desk personnel or security officers, claiming there is an urgent need for a data migration project or a critical security patch. They coerce employees into screen-sharing sessions via Zoom, Microsoft Teams, or Quick Assist. In one documented instance, an attacker maintained a level of trust and persistence that allowed them to jump on five separate calls with a single target over three days.

These sessions often provide a gateway into corporate virtual desktop infrastructure (VDI), such as Citrix or Windows 365. By leveraging a target’s personal laptop as a bridge, UNC3753 can bypass many traditional perimeter defenses, moving straight into the heart of the company’s network.

When Remote Access Fails: The USB Gambit

Perhaps the most alarming discovery in the Mandiant report is the shift toward physical intrusion. When remote deception fails, members of the group have been known to walk directly into a firm’s office. Posing as outsourced IT support, these individuals claim they need to “image a device” or “create local backups” for security reasons.

Once granted physical access to a workstation, they simply plug in a thumb drive and exfiltrate sensitive files the old-fashioned way. While Mandiant notes that the absence of subsequent extortion attempts in some cases makes formal attribution difficult, the structural and timeline overlaps strongly suggest these physical breaches are the work of UNC3753.

Rapid Exfiltration and High-Pressure Extortion

The speed of these attacks is a hallmark of the group’s efficiency. Mandiant researchers observed that in several cases, the window from initial contact to data theft was less than an hour. Once inside the system, the attackers don’t wander; they use precise keyword searches for tax logs (W-2s, 1099s), audit files, and client agreements.

To move data without triggering alarms, the group employs portable, open-source tools like Rclone or WinSCP, or simply instructs the victim to email the files to an attacker-controlled address. The transition from theft to extortion is nearly instantaneous, with ransom demands arriving often within 30 minutes of the intruders exiting the system.
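The sequence the article describes, a screen-sharing session followed within the hour by Rclone or WinSCP, is something a detection team can look for directly in endpoint telemetry. The script below is an added example written for this page; it is not code from the article or from Mandiant's report. It runs over a handful of constructed process-creation events (simplified Sysmon-style records whose field names, host names, paths and timestamps are all assumptions made for the example) and raises a finding whenever a known exfiltration tool starts on a host, escalating the severity when a remote-assistance or conferencing tool ran on the same host shortly before.

```python
"""Correlate remote-assistance sessions with exfiltration tooling.

Added example for illustration only. It reads constructed process-creation
events and flags hosts where rclone or WinSCP starts within an hour of a
screen-sharing tool such as Quick Assist, Teams or Zoom. Field names, hosts,
users, paths and timestamps are assumptions chosen for the example, not
indicators taken from any report.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real telemetry): ISO timestamp, host, user,
# image path of the new process and its command line.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:02:11", "host": "WS-LAW-017", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "cmd": "Teams.exe"},
    {"ts": "2025-03-04T09:14:40", "host": "WS-LAW-017", "user": "jdoe",
     "image": r"C:\Windows\System32\quickassist.exe", "cmd": "quickassist.exe"},
    {"ts": "2025-03-04T09:41:05", "host": "WS-LAW-017", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "cmd": "rclone.exe copy C:\\Shares\\Clients remote:backup --transfers 8"},
    {"ts": "2025-03-04T11:30:00", "host": "WS-FIN-003", "user": "asmith",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "cmd": "WinSCP.exe"},
    {"ts": "2025-03-04T15:05:00", "host": "WS-FIN-003", "user": "asmith",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# Tools named in the article as the screen-sharing lure, plus Remote Assistance.
REMOTE_ASSIST = {"quickassist.exe", "teams.exe", "zoom.exe", "msra.exe"}
# Tools named in the article as the exfiltration channel.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
# The article reports contact-to-theft windows under an hour.
WINDOW = timedelta(hours=1)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    """Heuristic: a binary under a user profile or temp directory was dropped
    by a user (or a remote-session guest), not installed by IT."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\temp\\" in p or "\\appdata\\" in p


def find_exfil_findings(events: List[dict]) -> List[dict]:
    """Walk events in time order and emit one finding per exfil-tool launch.

    Severity is 'high' when a remote-assistance tool ran on the same host
    within WINDOW before the launch, otherwise 'medium'.
    """
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO strings sort by time
    last_assist: Dict[str, Tuple[datetime, str]] = {}  # host -> (when, tool)
    findings: List[dict] = []
    for e in ordered:
        when = datetime.fromisoformat(e["ts"])
        name = basename(e["image"])
        if name in REMOTE_ASSIST:
            last_assist[e["host"]] = (when, name)  # remember most recent session
            continue
        if name not in EXFIL_TOOLS:
            continue
        indicators = [f"exfiltration tool {name} started"]
        severity = "medium"
        preceded_by: Optional[str] = None
        prior = last_assist.get(e["host"])
        if prior and when - prior[0] <= WINDOW:
            preceded_by = prior[1]
            minutes = int((when - prior[0]).total_seconds() // 60)
            indicators.append(f"{preceded_by} ran {minutes} min earlier on same host")
            severity = "high"
        if is_user_writable(e["image"]):
            indicators.append("binary launched from a user-writable path")
        findings.append({
            "host": e["host"], "user": e["user"], "ts": e["ts"], "tool": name,
            "severity": severity, "preceded_by": preceded_by,
            "indicators": indicators, "cmd": e["cmd"],
        })
    return findings


if __name__ == "__main__":
    for f in find_exfil_findings(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']} {f['user']}: "
              + "; ".join(f["indicators"]))
```

On the constructed input the rclone launch on WS-LAW-017 is rated high because Quick Assist started 26 minutes earlier on the same host and the binary came from a Downloads folder, while the WinSCP launch on WS-FIN-003 is rated medium because nothing preceded it. In a real deployment the same rule would sit on top of Sysmon or EDR process telemetry, and the tool lists would be extended with the hashes or signer names your environment actually permits rather than file names alone, since a renamed binary defeats a name match.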

The demands are clinical and menacing. Attackers typically set a three-day deadline, threatening to notify partners and customers or leak documents to journalists to destroy the organization’s reputation and tank share prices. This “double extortion” method—stealing data and then threatening its release—puts professional services firms in a precarious position where the cost of the leak far outweighs the cost of the ransom.
