UNC3753 Uses Screen Sharing and RMM Tools to Steal Sensitive Legal Data
UNC3753 is targeting U.S. law firms and professional services organizations with a fast-moving data theft and extortion campaign. According to Google Cloud’s Mandiant and Google Threat Intelligence Group, the group uses vishing, screen-sharing sessions, and remote management tools to gain access to corporate systems and steal sensitive files.
The threat cluster is also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group. Google says the campaign targeted dozens of organizations across legal, professional, and financial services in the United States from January through May 2026.
The attacks are financially motivated and do not rely on ransomware encryption in most cases. Instead, the group steals legal agreements, tax files, Social Security numbers, financial records, and other client data, then sends extortion messages threatening public exposure.
The attack starts with a harmless-looking invoice email
UNC3753 often begins with a simple invoice-themed email sent from a consumer email account. The message does not contain malware, links, or attachments. Its purpose is to create concern and make a follow-up phone call feel more believable.
Shortly after the email, an attacker calls the victim and pretends to work for internal IT or security support. The caller may claim there is a data migration issue, invoice problem, security concern, or device backup task that needs attention.
Once the victim accepts the story, the attacker guides them into a screen-sharing session through tools such as Zoom, Microsoft Teams, Quick Assist, or Microsoft Terminal Services. From there, the attacker can push the victim to install remote monitoring and management software.
| Attack stage | What UNC3753 does | Why it works |
|---|---|---|
| Pretext email | Sends a benign invoice or IT-themed message | Creates urgency without triggering link or attachment detection |
| Vishing call | Poses as internal IT or security support | Uses trust and pressure instead of malware delivery |
| Screen sharing | Moves the victim into a live remote session | Bypasses many automated email and web controls |
| RMM installation | Pushes tools such as AnyDesk, Bomgar, or Zoho Assist | Turns legitimate admin software into attacker access |
| Data theft | Searches, stages, and uploads sensitive files | Uses the victim’s own access to reach legal and financial data |
UNC3753 can complete attacks within a single business day
Google says the group runs a fast operational cycle. In many investigated incidents, the full sequence from initial contact to data theft and extortion happened within one business day. In some cases, data searches, staging, and theft began in under an hour.
This speed matters because many organizations treat vishing as a user-awareness issue rather than an urgent incident. By the time help desk, security, or legal teams get involved, files may already be staged in Downloads folders, copied from document platforms, and uploaded to attacker-controlled cloud storage.
The Google Cloud report says UNC3753 has used screen-sharing sessions, BYOD devices, VDI access, OneDrive folders, iManage searches, WinSCP, Rclone, web uploads, and email forwarding during different intrusions.
Legal firms are high-value targets
Law firms are attractive to extortion groups because they hold concentrated stores of sensitive client material. That can include merger and acquisition documents, corporate agreements, regulatory filings, tax forms, litigation material, client trade secrets, and personally identifiable information.
UNC3753 appears to understand that reputational pressure can be powerful in the legal sector. After stealing data, the group sends aggressive extortion emails and threatens to contact employees, clients, partners, and journalists if the victim does not respond.
The FBI’s Cyber FLASH alert says Silent Ransom Group has consistently targeted U.S. law firms since spring 2023, while also affecting industries such as insurance, finance, and healthcare.
| Data type | Why attackers want it |
|---|---|
| Legal agreements | Can pressure firms and clients during negotiations or disputes |
| Tax forms | May contain names, addresses, Social Security numbers, and financial data |
| Client records | Can increase reputational and regulatory pressure |
| Financial records | Can support fraud, extortion, or resale |
| Document management exports | Can expose broad client repositories in one theft event |
RMM tools and screen sharing hide the attack inside normal workflows
UNC3753 does not need to exploit a browser flaw or send a malicious attachment when the victim installs the access tool voluntarily. That makes the campaign harder to stop with traditional email filtering alone.
The group has used legitimate remote access and support tools because many organizations already allow them for IT work. In one Google-documented incident, an attacker held five separate Teams calls with the same victim over three days.
The technique maps closely to MITRE ATT&CK’s Remote Access Software technique, which covers adversaries using legitimate remote administration tools for persistence, command execution, or interactive access.
- Block unauthorized RMM and remote support software by default.
- Allow only approved tools, signed installers, and managed deployment paths.
- Restrict screen-control features in meetings for high-risk roles.
- Alert when users download remote access tools after help desk-themed calls.
- Require out-of-band approval before any IT support session begins.
Attackers stage data from OneDrive, iManage, and network drives
Once inside a system, UNC3753 searches local folders, mapped network drives, OneDrive directories, and legal document management platforms. Google specifically noted the use of iManage keyword searches for tax logs, audit files, corporate client agreements, and Social Security numbers.
The attackers often stage search results inside the victim’s Downloads folder or roaming profile path. They then upload the files using portable versions of WinSCP or Rclone, direct browser uploads to consumer cloud accounts, or email forwarding from the victim’s own mailbox.

In one case, the group stole 1.7 GB of data from a OneDrive folder to a Google Drive account, then pivoted to a VDI session and took another 14.4 GB using WinSCP.
Physical office intrusions raise the risk
The campaign also has a physical security angle. The FBI says Silent Ransom Group actors may send a person to the victim’s location if remote social engineering fails. That person claims to be IT support and asks for access to a workstation to image the device or create a backup.
Once the visitor gets access, the actor attempts to exfiltrate data to an external hard drive or USB drive. This tactic can defeat organizations that rely heavily on digital controls but have weaker front-desk, visitor, and contractor verification processes.

The FBI alert says the group conducts data theft and extortion without relying on traditional ransomware encryption. It also warns that stolen data may be used to pressure victims through leak threats and direct contact with employees or clients.
| Physical security control | Purpose |
|---|---|
| Verify all technician visits against scheduled work orders | Stops fake IT visitors from using surprise visits as pressure |
| Require photo ID and visitor logging | Creates accountability before granting office access |
| Escort all third-party technical visitors | Prevents unsupervised endpoint access |
| Block USB mass storage where possible | Reduces direct data theft through removable drives |
| Train reception and office managers | Expands security awareness beyond IT teams |
Organizations should treat voice phishing as an active intrusion signal
A suspicious IT support call should trigger more than a user-awareness reminder. If a user joined a screen-sharing session, installed software, received commands through a disappearing-message service, or moved files at someone else’s direction, security teams should investigate immediately.
The same applies to sudden spikes in document searches, bulk downloads, unexpected uploads to cloud storage, or new RMM tools appearing on endpoints. These are not isolated events when they follow an IT-themed call.
The MITRE ATT&CK entry for remote access software notes that adversaries may use legitimate tools such as AnyDesk, TeamViewer, and other remote management software to control systems. That makes application control and process visibility important in this campaign.
- Alert on new RMM tools launched by non-IT users.
- Monitor large uploads to consumer file-sharing services.
- Track unusual iManage, SharePoint, OneDrive, and email search patterns.
- Require MFA step-up for VDI and sensitive document repositories.
- Investigate Privnote or similar disappearing-message services used during support calls.
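To make the first and third detection points concrete, the following script (an added example, not code from Google, Mandiant or the FBI) triages constructed endpoint and DNS log lines: it flags RMM tools launched by users outside an assumed IT group, and DNS queries for lookalike support domains built from the `<organization>-itdesk.com`, `<organization>-it.com` and `<organization>-helpdesk.com` patterns in the indicators table later in the article. The log schema, the `examplefirm` organization name, the `it-admin` account and the keyword-based tool matching are all assumptions.

```python
import json
import re

# Remote support tools named in the reporting on UNC3753; matched as substrings of the
# lower-cased image path (assumption: a real control would allow-list signed installers).
RMM_KEYWORDS = ("anydesk", "bomgar", "zohoassist", "teamviewer")
# Suffixes taken from the published help-desk lookalike domain patterns.
LOOKALIKE_SUFFIXES = ("-itdesk.com", "-it.com", "-helpdesk.com")

def lookalike_regex(org_tokens):
    """Compile a regex matching <org>-itdesk.com style hosts (any subdomain depth) for the given org names."""
    orgs = "|".join(re.escape(t.lower()) for t in org_tokens)
    sufs = "|".join(re.escape(s) for s in LOOKALIKE_SUFFIXES)
    return re.compile(rf"^(?:[\w-]+\.)*(?:{orgs})(?:{sufs})$")

def triage(log_lines, org_tokens, it_users):
    """Return findings from JSON log lines (constructed schema: event, host, user, process/domain)."""
    dom_re = lookalike_regex(org_tokens)
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev["event"] == "process_create":
            image = ev["process"].lower()
            # Detection point 1: an RMM tool started by someone who is not in the IT group.
            if any(k in image for k in RMM_KEYWORDS) and ev["user"] not in it_users:
                findings.append({"kind": "rmm_by_non_it", "host": ev["host"],
                                 "user": ev["user"], "process": ev["process"]})
        elif ev["event"] == "dns_query":
            # Detection point 2: a query for an <org>-itdesk/-it/-helpdesk lookalike domain.
            if dom_re.match(ev["domain"].lower()):
                findings.append({"kind": "lookalike_helpdesk_domain", "host": ev["host"],
                                 "user": ev["user"], "domain": ev["domain"]})
    return findings

# Constructed sample events: one RMM launch from Downloads by a fee-earner, one legitimate
# TeamViewer launch by IT, one lookalike support domain, and two benign events.
SAMPLE_LOGS = [
    r'{"event":"process_create","host":"WS-LAW-07","user":"jdoe","process":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}',
    r'{"event":"process_create","host":"WS-IT-01","user":"it-admin","process":"C:\\Program Files\\TeamViewer\\TeamViewer.exe"}',
    r'{"event":"dns_query","host":"WS-LAW-07","user":"jdoe","domain":"support.examplefirm-itdesk.com"}',
    r'{"event":"dns_query","host":"WS-LAW-07","user":"jdoe","domain":"examplefirm.com"}',
    r'{"event":"process_create","host":"WS-LAW-07","user":"jdoe","process":"C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS, ["examplefirm"], {"it-admin"}):
        print(finding)
```

Both findings land on the same host and user, which is the pairing this campaign produces: a support-themed domain contact followed by a remote access tool appearing on a non-IT endpoint.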
Indicators of compromise
Google published infrastructure patterns and IP addresses tied to suspected UNC3753 activity. Organizations can use these indicators for threat hunting, but they should not rely on IoCs alone because this campaign depends heavily on social engineering and legitimate tools.
| Type | Indicator | Description |
|---|---|---|
| IPv4 address | 192.236.147.131 | Actor-controlled infrastructure |
| IPv4 address | 192.236.147.138 | Actor-controlled infrastructure |
| IPv4 address | 193.141.60.212 | Actor-controlled infrastructure |
| IPv4 address | 192.236.154.158 | Actor-controlled infrastructure |
| IPv4 address | 192.236.146.173 | Actor-controlled infrastructure |
| IPv4 address | 174.169.162.62 | Actor-controlled infrastructure |
| IPv4 address | 64.94.84.97 | Actor-controlled infrastructure |
| Domain pattern | <organization>-itdesk[.]com | Phishing or vishing support domain pattern |
| Domain pattern | <organization>-it[.]com | Phishing or vishing support domain pattern |
| Domain pattern | <organization>-helpdesk[.]com | Phishing or vishing support domain pattern |
| Data leak site | hxxps[:]//business-data-leaks[.]com | UNC3753 victim disclosure platform |
Legal and professional services firms should harden both digital and physical access
UNC3753’s campaign shows that attackers can bypass strong perimeter defenses by persuading employees to open the door themselves. MFA, endpoint protection, and email filtering still matter, but they do not stop every phone-guided intrusion.
Organizations should combine user training with technical controls. That means blocking unapproved RMM software, limiting BYOD access to VDI and VPN services, monitoring document repositories for mass access, and reviewing outbound file transfers to consumer cloud accounts.
They should also treat facility access as part of cybersecurity. A person who walks into an office posing as IT support can become an insider for the length of the visit if reception, facilities, and employees do not verify the request.
The practical lesson is clear: a screen-sharing call, a remote support installer, or a surprise technician visit can become the first step in a data theft incident. Law firms and professional services companies should verify every support request before granting remote or physical access.
FAQ
UNC3753 is a financially motivated threat cluster also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group. It targets organizations with social engineering, remote access tools, data theft, and extortion.
UNC3753 commonly uses vishing and IT support impersonation. The attacker convinces an employee to join a screen-sharing session, install a remote management tool, or perform actions that give the attacker access to corporate files.
The group searches for high-value files such as legal agreements, client records, tax forms, Social Security numbers, audit files, financial records, and other sensitive documents that can support extortion.
The FBI says Silent Ransom Group usually focuses on rapid access, immediate data exfiltration, and extortion through threats of public disclosure or sale of stolen data, rather than traditional ransomware encryption.
Organizations should verify support calls out of band, block unauthorized RMM tools, restrict screen-control features, monitor mass file searches and downloads, limit BYOD access, control USB storage, and train reception staff to verify technical visitors.