If you don't fall for these extortionists' calls, they'll show up with USB sticks
When 'Chatty Spider' morphs into tech services cosplay spider
Jessica Lyons
Published Fri 5 Jun 2026 // 22:18 UTC
If they don't get you online, they'll try in person. A data-theft and extortion gang has targeted “dozens” of banks, law firms, and other professional services companies in the US from January through May, using fake help desk calls and other social-engineering techniques to gain access to corporate IT environments, according to Google’s Mandiant incident response team.

And when those remote-deception methods don’t work, the criminals sometimes show up at victims’ physical offices, posing as IT technicians, and attempt to steal sensitive files using thumb drives.

Google’s threat hunters track the extortion threat group as UNC3753, while other analysts call it Luna Moth, Chatty Spider, and Silent Ransom Group. The crew has been around since 2022, originally using fake software renewal emails and other billing lures, typically with PDF attachments containing phone numbers for attacker-controlled call centers, as their means of gaining initial access to corporate networks.
Beginning around March 2025, the crims shifted tactics and started posing as IT help desk staff.

“While UNC3753 primarily relies on digital vectors, GTIG assesses that associated threat actors have also attempted direct data theft using physical, in person access,” Google incident responders and researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan said in a Friday blog.

The authors also pointed to a May FBI alert to corroborate this in-person tactic.

According to the feds, Silent Ransom Group crooks have been walking into law firms’ physical offices as recently as this spring. Once they are on-site, they claim to be IT support staff needing to image a device or create local backups for security reasons. If that line works, they plug a thumb drive into the victim’s computer and steal data the old-fashioned way.

“Although limited forensic evidence and the absence of a subsequent extortion attempt prevent formal attribution, GTIG assesses that these physical intrusions are likely associated with UNC3753 based on structural, timeline, and targeting overlaps,” the blog said.

Google won’t say how many dozens of firms have been targeted in these attacks, or how many ended in the data thieves paying a visit to the victims’ locations.

“While we can’t share additional details regarding specific investigations, Mandiant CTO Charles Carmakal notes that this tactic has been observed over the years,” a spokesperson told The Register. “Mandiant has investigated various matters where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks.”

Another noteworthy thing about UNC3753’s attacks: they are very fast. In many of Mandiant’s investigated incidents, the entire operation from initial contact to data extortion occurred in just one day. “Recently, Mandiant observed data searches, staging, and theft initiated in under an hour,” the threat analysts warned.
These intrusions typically begin with an invoice-themed email - but these don’t usually contain any malicious links or attachments. The email’s sole purpose is to give the miscreants a plausible reason to follow up via phone, so that the recipient is more likely to believe the call is legitimate.

Most of the crew’s entry mechanisms involve voice-phishing, using a method that has worked so well for other groups like ShinyHunters and Scattered Spider over the past few years.

UNC3753 calls organizations’ employees directly and purports to be a help desk worker or member of the security team. The criminals say they need the target’s help addressing a security issue or aiding with a corporate data migration project, and convince the individual to join a screen-sharing session via Zoom, Microsoft Terminal Services, Microsoft Teams, or Quick Assist.

In one such intrusion, using Teams to gain access to the victim’s computer, the attacker jumped on five separate calls with the same target over a three-day period, we’re told.
And in more than one incident that Mandiant responded to, UNC3753 established Zoom sessions directly on targets' personal laptops, using these machines to access corporate virtual desktop infrastructure (VDI) using native client platforms, such as Windows 365 or Citrix clients.

Once they’re in the corporate systems, the intruders map local directories and network drives, and target specific legal and document storage repositories. The crooks also use very specific keyword searches to find...