A cybercriminal syndicate has been targeting law firms and professional service providers in the U.S. since early 2026. This group employs deception to gain unauthorized access to sensitive data, manipulating victims into unwittingly granting them system access.
Identified as UNC3753, the group also goes by aliases like “Luna Moth” and “Silent Ransom Group.” They have been active since March 2022, continuously adapting their strategies to maintain efficacy. Google Cloud’s Threat Intelligence Group highlighted that their attacks often conclude within a business day, with data theft sometimes occurring in less than an hour.
Deceptive Tactics and Quick Execution
The group initiates each attack with a seemingly harmless invoice email that carries no malicious attachment or link; its purpose is to prime the recipient for a follow-up phone call. Posing as IT helpdesk personnel on that call, the attackers persuade targets to join a screen-sharing session and install remote monitoring tools.
Once access is secured, attackers search for valuable files such as legal agreements and financial records, which they then transfer to their own cloud storage. Following this data theft, victims receive extortion emails threatening public disclosure unless demands are met swiftly.
Exploitation of Remote Management Tools
During the attack, victims are often instructed to use tools like Zoom or Teams for screen sharing, followed by installing software like AnyDesk for continued access. Attackers use self-destructing message services to conceal their tracks, sending commands and download links discreetly.
In documented instances, attackers have exfiltrated large volumes of data, such as 1.7 gigabytes from a OneDrive account, and in some cases even more from virtual desktops. Victims are then threatened with publication of the stolen data on sites like LEAKEDDATA if the ransom demand is not met.
Physical Intrusions Enhance the Threat
Beyond digital breaches, UNC3753 has engaged in physical intrusions. Posing as IT technicians, they have accessed corporate offices to extract data using USB drives. This escalation is concerning for companies relying on basic security measures.
Google’s Threat Intelligence Group advises firms to enforce rigorous access policies, including photo ID checks, and to train employees on recognizing such tactics. Digital safeguards should include blocking unauthorized remote tools and setting up alerts for unusual data access patterns.
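As an added illustration of the two digital safeguards above (this is example code, not from Google's report or this article), the following detector runs over constructed endpoint log lines: it flags execution of remote-access tools outside an assumed approved list, and raises a second alert when a bulk upload leaves the same host within a short window of such a launch. The log format, tool list, hostnames, threshold and window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample endpoint log lines (hostnames, users and sizes are invented).
SAMPLE_LOGS = """\
2026-03-02T09:14:05 host=WS-17 user=jdoe event=process_start image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2026-03-02T09:16:40 host=WS-17 user=jdoe event=process_start image=C:\\Program Files\\Zoom\\bin\\Zoom.exe
2026-03-02T09:41:12 host=WS-17 user=jdoe event=net_upload dest=files.example-cloud.test bytes=1825361100
2026-03-03T11:02:00 host=WS-22 user=asmith event=process_start image=C:\\Windows\\System32\\notepad.exe
2026-03-03T11:05:00 host=WS-22 user=asmith event=net_upload dest=sharepoint.corp.test bytes=42000000
"""

# Assumed policy: remote-access tools not on the organisation's approved list.
UNAPPROVED_RMM = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
# Assumed thresholds: one upload of >= 1 GB within two hours of an unapproved tool start.
UPLOAD_THRESHOLD = 1_000_000_000
WINDOW = timedelta(hours=2)

# key=value pairs; values may contain spaces (e.g. "Program Files"), so stop at the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' plus its key=value fields."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_alerts(log_text):
    """Return (alert_type, host, user, detail) tuples for the two conditions above."""
    alerts = []
    rmm_starts = {}  # host -> time of the most recent unapproved remote-tool start
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "process_start":
            exe = rec["image"].rsplit("\\", 1)[-1].lower()
            if exe in UNAPPROVED_RMM:
                rmm_starts[rec["host"]] = rec["ts"]
                alerts.append(("unapproved_rmm", rec["host"], rec["user"], exe))
        elif rec["event"] == "net_upload":
            start = rmm_starts.get(rec["host"])
            if int(rec["bytes"]) >= UPLOAD_THRESHOLD and start and rec["ts"] - start <= WINDOW:
                alerts.append(("bulk_upload_after_rmm", rec["host"], rec["user"], rec["dest"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert)
```

Zoom and the sanctioned SharePoint upload are deliberately left unflagged: the signal is the unapproved tool plus the bulk transfer that follows it, not screen-sharing or cloud use on its own.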
Maintaining vigilance and updating security protocols are crucial in preventing data breaches of this nature. Organizations are encouraged to stay informed through trusted sources and regularly review their cybersecurity measures.
