The cybercrime group UNC3753 has launched a series of intricate attacks against US law firms since early 2026. These assaults involve vishing, or voice phishing, alongside remote monitoring tools to infiltrate corporate systems and exfiltrate confidential data.
Methods and Operations of UNC3753
Operating under aliases such as Luna Moth and Silent Ransom Group, UNC3753 has been active since March 2022. Their latest series of attacks, spanning January to May 2026, targeted multiple organizations in the legal, professional, and financial sectors. The speed at which these attacks unfold is particularly concerning, with some breaches culminating in data theft within a single business day.
Unlike traditional malware-based attacks, UNC3753 employs direct engagement tactics through deceptive voice calls. This method begins with sending invoice-themed emails that lack links or attachments, designed solely to unsettle recipients and increase the likelihood of them answering subsequent fraudulent calls.
Targeting Law Firms
Law firms, often custodians of sensitive information like client files and trade secrets, are prime targets for UNC3753. The group relies on the reputational damage a disclosed breach would cause to pressure victims into paying. Following data theft, they swiftly initiate extortion by sending threatening emails demanding compliance within three days, under the threat of public disclosure through platforms like LEAKEDDATA.
The attackers impersonate IT support staff, using publicly available employee information to gain trust. Once engaged, they guide victims into screen-sharing sessions, facilitating the installation of remote access tools like AnyDesk and Zoho Assist.
Preventive Measures and Observations
In response to these attacks, organizations are advised to implement rigorous verification processes for IT communications, restrict remote access tool installations, and ensure multi-factor authentication on sensitive document repositories. Data exfiltration typically involves tools like WinSCP and Rclone, and UNC3753 has been known to physically infiltrate offices, posing as technicians to extract data directly.
Firms should monitor network traffic for anomalies and configure alerts for unusual download patterns. Blocking phishing domains at the DNS level and enforcing visitor verification protocols are also crucial in mitigating these risks.
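One way to turn the monitoring advice above into a concrete detection, as an added example that is not from the original article: correlate, per host, the launch of a remote-support tool named in the report (AnyDesk, Zoho Assist) with a later launch of a transfer tool (WinSCP, Rclone) inside a 24-hour window, matching the "single business day" tempo described. The CSV event format, the host names, the Zoho Assist image name and the window length are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Image names as they might appear in process-creation telemetry. anydesk.exe,
# winscp.exe and rclone.exe are the tools' usual binaries; the Zoho Assist
# name below is an assumed placeholder, adjust to what your EDR reports.
REMOTE_ACCESS = {"anydesk.exe", "zohoassist.exe"}
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
WINDOW = timedelta(hours=24)  # "within a single business day" per the report

# Constructed sample events: timestamp,host,user,image
SAMPLE_EVENTS = """\
2026-03-04T09:12:00,WS-LEGAL-07,jdoe,outlook.exe
2026-03-04T09:40:31,WS-LEGAL-07,jdoe,anydesk.exe
2026-03-04T10:05:12,WS-LEGAL-07,jdoe,rclone.exe
2026-03-04T11:00:00,WS-LEGAL-12,asmith,winscp.exe
2026-03-05T14:30:00,WS-LEGAL-12,asmith,anydesk.exe
2026-03-07T08:00:00,WS-LEGAL-12,asmith,rclone.exe
"""


def parse_events(text):
    """Parse CSV lines into (timestamp, host, user, image) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split(",")
        events.append((datetime.fromisoformat(ts), host, user, image.lower()))
    events.sort()
    return events


def correlate(events, window=WINDOW):
    """Return alerts as (host, remote tool, transfer tool, minutes between).

    A transfer tool seen on a host BEFORE any remote-access tool is not
    correlated (WS-LEGAL-12's WinSCP run), and a remote-access tool followed
    by a transfer tool only after the window has elapsed is also ignored.
    """
    alerts = []
    first_remote = {}  # host -> (timestamp, image) of earliest remote-tool launch
    for ts, host, _user, image in events:
        if image in REMOTE_ACCESS and host not in first_remote:
            first_remote[host] = (ts, image)
        elif image in TRANSFER_TOOLS and host in first_remote:
            rts, rimage = first_remote[host]
            if ts - rts <= window:
                minutes = int((ts - rts).total_seconds() // 60)
                alerts.append((host, rimage, image, minutes))
    return alerts


if __name__ == "__main__":
    for host, remote, transfer, mins in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {host}: {remote} then {transfer} after {mins} min")
```

On the sample data only WS-LEGAL-07 fires (AnyDesk followed by Rclone 24 minutes later); WS-LEGAL-12 does not, because its WinSCP run precedes the remote tool and its Rclone run falls outside the window.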
Conclusion and Future Implications
The ongoing threat from UNC3753 highlights the importance of robust cyber defenses and vigilant monitoring. As this group refines its techniques, law firms and related sectors must remain proactive in enhancing their security measures to protect against such sophisticated attacks.
