
UNC3753 conducts vishing and USB drop attacks to steal legal data

Campaign (open): Jun 8, 2026 — Jun 8, 2026

UNC3753, a cybercrime crew also tracked as Luna Moth or Silent Ransom Group, has been observed stealing legal and financial data from US firms through a combination of voice phishing and malicious USB drops. The group’s activity was detailed in a recent report that highlights their shift from pure social engineering to physical office intrusions when remote tactics fail. SecurityAffairs outlines how the operation begins with bland emails designed to elicit a response.

Following the initial email, attackers place convincing vishing calls posing as IT support staff. They persuade victims to install legitimate remote management utilities such as AnyDesk or TeamViewer, avoiding malware altogether. Once remote access is granted, the intruders navigate the network using living‑off‑the‑land tools and exfiltrate sensitive documents over approved channels. No CVEs have been associated with this campaign, as the intrusion relies entirely on abused trust rather than software vulnerabilities.

When remote persuasion does not succeed, UNC3753 operatives resort to leaving tainted USB drives in public areas of the target’s premises. The drives contain scripts that harvest credentials and establish reverse shells when inserted into a workstation. This physical layer demonstrates the group’s willingness to blend classic social engineering with low‑tech hardware tricks to bypass endpoint defences.

The extortion angle remains central, with the gang threatening to publish or sell the stolen legal data unless a ransom is paid. Their targeting of law firms and financial institutions reflects a focus on high‑value, regulated information that can command premium prices on underground markets. Observed activity between early and mid‑June 2026 indicates a sustained and adaptable operation.

Defenders should treat any unsolicited telephone request for remote access with suspicion and enforce a policy that requires call‑backs to known, verified numbers. Disabling autorun for removable media and blocking execution of unknown scripts from USB devices can reduce the impact of dropped drives. Monitoring for the launch of remote management applications outside of approved change windows helps catch compromised sessions early.

Endpoint controls that whitelist permitted remote tools and alert on unauthorized installations add another layer of protection. Regular vishing and USB‑drop simulations keep staff alert to evolving social engineering tactics. By combining technical barriers with continuous awareness training, organisations can blunt the effectiveness of UNC3753’s hybrid approach.
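As an added example, not code from the report or any vendor, the following Python check implements the two controls described above over constructed process-creation events: it alerts when a remote-management tool is not on the allowlist, or when a permitted tool is launched outside an approved change window. The event format, binary names, allowlist and change windows are all assumptions made for this illustration.

```python
"""Flag remote-management (RMM) tool launches that use an unapproved tool
or fall outside an approved change window. Added example; the log format,
binary names, allowlist and change windows are constructed assumptions."""
from datetime import datetime, timezone

# Binary names for the tools the briefing names (AnyDesk, TeamViewer);
# the exact process names are an assumption for this example.
RMM_PROCESSES = {"anydesk.exe", "teamviewer.exe"}
# Tools the organisation permits (assumed): only TeamViewer is sanctioned.
ALLOWED_TOOLS = {"teamviewer.exe"}
# Approved change windows as (start, end) pairs in UTC (assumed).
CHANGE_WINDOWS = [
    (datetime(2026, 6, 8, 18, 0, tzinfo=timezone.utc),
     datetime(2026, 6, 8, 22, 0, tzinfo=timezone.utc)),
]

# Constructed sample process-creation events: timestamp|host|user|image.
SAMPLE_EVENTS = """\
2026-06-08T14:12:03Z|WS-LEGAL-07|jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2026-06-08T19:05:44Z|WS-FIN-02|it-admin|C:\\Program Files\\TeamViewer\\TeamViewer.exe
2026-06-08T09:41:10Z|WS-LEGAL-03|asmith|C:\\Program Files\\TeamViewer\\TeamViewer.exe
2026-06-08T10:02:55Z|WS-LEGAL-03|asmith|C:\\Windows\\System32\\notepad.exe
"""

def in_change_window(ts):
    """True when the timestamp lies inside any approved change window."""
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)

def parse_event(line):
    """Split one event line into (timestamp, host, user, lower-cased basename)."""
    ts_str, host, user, image = line.split("|", 3)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, host, user, image.rsplit("\\", 1)[-1].lower()

def evaluate_events(text):
    """Return (host, user, image, reason) alerts for suspicious RMM launches."""
    alerts = []
    for line in text.splitlines():
        ts, host, user, image = parse_event(line)
        if image not in RMM_PROCESSES:
            continue  # not a remote-management tool; ignore
        if image not in ALLOWED_TOOLS:
            alerts.append((host, user, image, "unapproved remote tool"))
        elif not in_change_window(ts):
            alerts.append((host, user, image, "launch outside change window"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same logic would run over Sysmon Event ID 1 or EDR process telemetry rather than the embedded sample lines.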

Intelligence briefing updated Jun 10, 2026
