Threat Advisory

UNC3753 Expands Targeted Campaign Against U.S. Legal Organizations

Threat: Malicious Campaign
Threat Actor Name: UNC3753
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY

The campaign is attributed to the UNC3753 threat cluster, also referenced as Luna Moth, Chatty Spider, and Silent Ransom Group. It is a financially motivated data‑theft and extortion operation focused on professional services, especially U.S. law firms, as well as financial and consulting firms. Actors employ social engineering to gain remote access, then harvest privileged client agreements, personally identifiable information, and financial records. Their ultimate objective is to pressure victims into paying ransom by threatening public disclosure and regulatory fallout. The group operates primarily in the United States, targeting high‑value legal practices.

UNC3753 initiates intrusion through a two‑step social‑engineering chain. A benign‑looking invoice email establishes contact, followed by a vishing call in which the actor pretends to be internal IT support and persuades the target to launch a screen‑sharing session. Victims are instructed to download legitimate‑appearing remote‑monitoring or support utilities, which the attackers then use to enumerate file shares, conduct keyword searches, and stage sensitive documents in local folders. Exfiltration occurs via cloud‑storage uploads, FTP clients, or direct browser‑based transfers to consumer accounts, while the remote tools provide ongoing command and control.

The threat is significant because legal firms store confidential client contracts, merger data, and regulated personal information that, if exposed, can trigger lawsuits, regulatory penalties, and irreparable reputation damage. The reliance on trusted remote‑support applications and the possibility of in‑person USB theft make detection difficult, as traditional email filters and endpoint antivirus often miss the benign installers. Organizations should enforce strict application control, require multi‑factor authentication for all remote access, and monitor for unusual file‑staging activity. Regular backups, network segmentation, and employee training on vishing techniques complete a layered defence that limits both digital and physical breach vectors.

THREAT PROFILE:

Tactic            Technique ID   Technique                           Sub-technique
Initial Access    T1566.003      Phishing                            Spearphishing via Service
Execution         T1059.001      Command and Scripting Interpreter   PowerShell
Execution         T1059.003      Command and Scripting Interpreter   Windows Command Shell
Persistence       T1547.001      Boot or Logon Autostart Execution   Registry Run Keys / Startup Folder
Defense Evasion   T1070.001      Indicator Removal                   Clear Windows Event Logs
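As an added example (not part of this advisory or the reports it cites), the Python below turns the techniques in the profile and the "unusual file-staging activity" guidance in the summary into detection logic run over constructed Windows event records. The event IDs are the standard Windows and Sysmon ones (Security 1102 and System 104 for cleared logs, Security 4688 for process creation, Sysmon 13 for registry value writes, Sysmon 11 for file creation); the flat record schema, hostnames, process names, SID and the approved-parent allowlist are assumptions made for the example.

```python
"""Detection logic for the techniques in the threat profile, run over
constructed Windows event records.

Added example for this advisory, not code from the advisory or the
cited reports. Event IDs are the standard ones: Security 1102 and
System 104 (log cleared), Security 4688 (process creation), Sysmon 13
(registry value set), Sysmon 11 (file create). The flat record schema
("image", "parent", "target", ...), hostnames, process names, SID and
the approved-parent allowlist are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed organizational allowlist of parents that legitimately spawn shells.
APPROVED_SHELL_PARENTS = {"explorer.exe", "services.exe", "approved-rmm-agent.exe"}
SHELLS = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003"}
# Matches both ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce.
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run"
STAGING_THRESHOLD = 20               # file creates by one process into one folder
STAGING_WINDOW = timedelta(minutes=5)


def _basename(path):
    """Last path component, lower-cased, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (technique_id, host, detail) tuples, one per suspicious event
    (file staging alerts once per burst, when the threshold is first reached)."""
    alerts = []
    staging = defaultdict(list)   # (host, process, folder) -> recent timestamps
    for ev in events:
        host, log, eid = ev["host"], ev["log"], ev["event_id"]
        # T1070.001: Security log cleared (1102) or another channel cleared (104).
        if (log, eid) in {("Security", 1102), ("System", 104)}:
            alerts.append(("T1070.001", host, f"{log} log cleared by {ev.get('user')}"))
        # T1547.001: value written under a Run/RunOnce key (Sysmon 13).
        elif (log, eid) == ("Sysmon", 13) and RUN_KEY_MARKER in ev["target"].lower():
            alerts.append(("T1547.001", host, f"{ev['target']} -> {ev['details']}"))
        # T1059.001 / T1059.003: shell spawned by a parent outside the allowlist (4688).
        elif (log, eid) == ("Security", 4688):
            image, parent = _basename(ev["image"]), _basename(ev["parent"])
            if image in SHELLS and parent not in APPROVED_SHELL_PARENTS:
                alerts.append((SHELLS[image], host, f"{image} spawned by {parent}"))
        # Staging: burst of file creates by one process into one folder (Sysmon 11).
        elif (log, eid) == ("Sysmon", 11):
            folder = ev["target"].rsplit("\\", 1)[0].lower()
            key = (host, _basename(ev["image"]), folder)
            ts = datetime.fromisoformat(ev["time"])
            recent = [t for t in staging[key] if ts - t <= STAGING_WINDOW] + [ts]
            staging[key] = recent
            if len(recent) == STAGING_THRESHOLD:
                alerts.append(("file-staging", host,
                               f"{len(recent)} files written to {folder} by {key[1]}"))
    return alerts


def sample_events():
    """Constructed telemetry: one workstation showing the chain, plus benign noise."""
    host = "WS-LEGAL-07"                       # constructed hostname
    t0 = datetime(2025, 5, 1, 14, 0, 0)
    tool = "C:\\Users\\jdoe\\Downloads\\remote-support-client.exe"   # placeholder name
    events = [
        {"host": host, "log": "Security", "event_id": 4688, "time": t0.isoformat(),
         "user": "jdoe", "parent": tool,
         "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
        {"host": host, "log": "Sysmon", "event_id": 13,
         "time": (t0 + timedelta(minutes=1)).isoformat(),
         "target": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Support",
         "details": tool},
    ]
    # 25 documents copied into one export folder within about two minutes.
    for i in range(25):
        events.append({"host": host, "log": "Sysmon", "event_id": 11,
                       "time": (t0 + timedelta(minutes=2, seconds=5 * i)).isoformat(),
                       "image": "C:\\Windows\\explorer.exe",
                       "target": f"C:\\Users\\jdoe\\Documents\\export\\matter_{i:03d}.pdf"})
    events.append({"host": host, "log": "Security", "event_id": 1102,
                   "time": (t0 + timedelta(minutes=10)).isoformat(), "user": "jdoe"})
    # Benign: a user opening cmd.exe from Explorer on another workstation.
    events.append({"host": "WS-LEGAL-08", "log": "Security", "event_id": 4688,
                   "time": t0.isoformat(), "user": "asmith",
                   "parent": "C:\\Windows\\explorer.exe",
                   "image": "C:\\Windows\\System32\\cmd.exe"})
    return events


if __name__ == "__main__":
    for technique, host, detail in detect(sample_events()):
        print(f"{technique:12} {host:12} {detail}")
```

Run as a script, it reports four findings on WS-LEGAL-07 (a shell launched from the downloaded support tool, a Run key pointing at that tool, a 20-file staging burst, and the cleared Security log) and nothing for the benign cmd.exe on WS-LEGAL-08. The staging rule alerts once per burst rather than per file, and the allowlist is the tuning point: an approved remote-support agent goes into APPROVED_SHELL_PARENTS so that only unsanctioned tools are flagged.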

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/unc3753-uses-screen-sharing-sessions-and-rmm-tools/
https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/
