Top Highlights
- UNC3753 uses voice phishing and social engineering to gain remote access via convincing pretexts, then exfiltrates sensitive legal, PII, and financial data through in-person or remote operations.
- The group quickly escalates attacks by establishing persistence with legitimate remote desktop tools and conducting rapid data searches and exfiltration within hours.
- Their infrastructure leverages DNS Fast Flux networks across multiple countries, making domain takedowns difficult and enabling sustained, resilient C2 communication.
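The fast-flux pattern mentioned in the last highlight can be triaged from passive-DNS data. The following is an added illustration written for this summary, not code from the UNC3753 reporting: it scores each domain by how many distinct IPs, /16 prefixes and countries it has resolved to and by its average TTL, then flags domains that combine wide rotation with short TTLs. The domain names, IP addresses (RFC 5737 documentation ranges), country tags and thresholds are constructed assumptions, not indicators from the campaign.

```python
"""Added example for this summary (not code from the UNC3753 reporting): a
fast-flux triage heuristic over passive-DNS observations.

A fast-flux domain rotates through many IPs, often in many networks and
countries, with short TTLs so the rotation takes effect quickly. The records,
country tags and thresholds below are constructed assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DnsRecord:
    domain: str
    ip: str
    ttl: int       # seconds
    country: str   # constructed geolocation tag for the resolved IP


@dataclass(frozen=True)
class FluxSummary:
    ip_count: int
    prefix_count: int     # distinct /16 prefixes, a rough proxy for distinct networks
    country_count: int
    mean_ttl: float


# Constructed sample observations using RFC 5737 documentation ranges; these are
# not real indicators from the campaign.
SAMPLE_RECORDS = [
    DnsRecord("invoice-portal.example", "198.51.100.10", 300, "US"),
    DnsRecord("invoice-portal.example", "203.0.113.77", 240, "DE"),
    DnsRecord("invoice-portal.example", "192.0.2.15", 180, "BR"),
    DnsRecord("invoice-portal.example", "198.51.100.200", 300, "US"),
    DnsRecord("invoice-portal.example", "203.0.113.5", 120, "NL"),
    DnsRecord("invoice-portal.example", "192.0.2.250", 300, "IN"),
    DnsRecord("www.example.org", "192.0.2.1", 86400, "US"),
    DnsRecord("www.example.org", "192.0.2.1", 86400, "US"),
]


def _prefix16(ip: str) -> str:
    """Return the first two octets of an IPv4 address, e.g. '198.51'."""
    return ".".join(ip.split(".")[:2])


def summarize(records):
    """Aggregate per-domain resolution diversity and TTL."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
    out = {}
    for domain, recs in by_domain.items():
        out[domain] = FluxSummary(
            ip_count=len({r.ip for r in recs}),
            prefix_count=len({_prefix16(r.ip) for r in recs}),
            country_count=len({r.country for r in recs}),
            mean_ttl=mean(r.ttl for r in recs),
        )
    return out


def is_fast_flux(s, min_ips=5, max_ttl=300, min_countries=3):
    """Triage rule: many IPs, short TTL and geographic spread, all together."""
    return s.ip_count >= min_ips and s.mean_ttl <= max_ttl and s.country_count >= min_countries


def flagged_domains(records, **thresholds):
    """Return the sorted list of domains the heuristic flags."""
    return sorted(d for d, s in summarize(records).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE_RECORDS).items():
        print(domain, s, "FLAGGED" if is_fast_flux(s) else "ok")
```

The rule is a triage aid, not proof: content delivery networks also answer with short TTLs and geographically spread addresses, so known CDN hostnames should be allow-listed and a flagged domain should be checked against the number of distinct autonomous systems and registration age before it is treated as attacker infrastructure.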
Threat, Techniques, and Targets
The threat actor group UNC3753, also known as Chatty Spider or Silent Ransom Group, conducts a data-theft extortion campaign. It mainly targets organizations in the U.S. in industries such as legal, financial, and professional services.
The group gains access through voice phishing (vishing) and social engineering. They contact victims by pretending to be IT support or colleagues, often using fake pretexts such as data migration or invoice issues. They initiate phone calls and persuade targets to start screen-sharing sessions and download remote access software such as AnyDesk or Bomgar.
Once they have access, they search for sensitive files and exfiltrate data such as legal documents, Personally Identifiable Information (PII), and financial records. In some cases, they physically enter offices, pretending to be IT technicians, to steal data directly using USB drives. They rely on social engineering to trick victims and on legitimate remote desktop tools to avoid detection.
The attack often begins with simple emails about invoices, which do not contain malicious links. Instead, these emails aim to create a reason for the attackers to follow up with voice communication. The group also mimics internal help desks and uses trusted communication platforms like Zoom or Microsoft Teams to establish access.
Targets are high-value, especially legal firms with sensitive and proprietary information that can be used for extortion. The campaign is rapid, often completing operations within a single business day from initial contact to data theft and extortion.
Impact, Implications, and Guidance
The attacks result in the theft of sensitive legal, financial, and personal data. The attackers use this stolen information to threaten victims with data leaks and extortion. They demand ransom payments within three days and threaten to contact victims’ clients and employees or publish data online if demands are not met.
This threat increases the risk of reputational damage, legal issues, and financial loss for organizations. The rapid pace of the attacks means organizations may have little time to respond once they are compromised.
Because of the complex methods used, organizations should seek current security guidance from their vendors or authorities. They need to strengthen social engineering awareness, improve access controls, and monitor for suspicious phone or remote access activities. Implementing security measures such as caller verification, multi-factor authentication, and physical security protocols is also important.
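The guidance above pairs caller verification with monitoring of remote access activity. The following added example, written for this summary and not taken from the UNC3753 reporting, ties the two together: it reads process-creation events and alerts when a remote-access tool named in the summary starts on a host that has no current, callback-verified help-desk ticket, or is launched from a user-writable directory. The event lines, host names, executable-name patterns, and the ticket table are constructed assumptions; the real executable names vary by version and should be tuned to your own telemetry.

```python
"""Added example for this summary (not code from the UNC3753 reporting): flag
remote-access tool launches that no verified help-desk request accounts for.

Event lines, host names, executable-name patterns and the ticket table are
constructed assumptions for the demo.
"""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime

# Executable-name substrings for the tools named in the summary. The real file
# names vary by version and vendor packaging; treat these as assumptions and
# tune them to the telemetry you actually have.
REMOTE_ACCESS = re.compile(r"anydesk|bomgar", re.IGNORECASE)

# Directories a standard user can write to. A remote-access tool launched from
# here was probably fetched during the call rather than deployed by IT.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp|Desktop)\\", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    user: str
    image: str
    reasons: list = field(default_factory=list)


# Constructed process-creation events in a Sysmon-like JSON shape.
SAMPLE_EVENTS = [
    {"ts": "2024-05-14T09:02:11", "host": "WS-LEGAL-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "2024-05-14T10:15:40", "host": "WS-FIN-02", "user": "asmith",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"ts": "2024-05-14T11:05:03", "host": "WS-LEGAL-07", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2024-05-14T13:40:22", "host": "WS-HR-01", "user": "mlee",
     "image": r"C:\Users\mlee\AppData\Local\Temp\bomgar-client.exe"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

# Help-desk tickets the service desk confirmed by calling the requester back on
# a known-good number: host -> (ticket id, time the approval lapses). Constructed.
VERIFIED_TICKETS = {
    "WS-FIN-02": ("HD-1042", datetime(2024, 5, 14, 11, 0)),
    "WS-HR-01": ("HD-1050", datetime(2024, 5, 14, 12, 0)),
}


def detect_unapproved_remote_access(lines, verified_tickets):
    """Return an Alert for each remote-access tool launch that lacks a current
    verified ticket or starts from a user-writable directory."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if not REMOTE_ACCESS.search(ev["image"]):
            continue  # not a remote-access tool; ignore
        when = datetime.fromisoformat(ev["ts"])
        reasons = []
        ticket = verified_tickets.get(ev["host"])
        if ticket is None:
            reasons.append("no verified help-desk ticket for this host")
        elif when > ticket[1]:
            reasons.append(f"ticket {ticket[0]} approval lapsed at {ticket[1].isoformat()}")
        if USER_WRITABLE.search(ev["image"]):
            reasons.append("launched from a user-writable directory")
        if reasons:
            alerts.append(Alert(ev["host"], ev["user"], ev["image"], reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_unapproved_remote_access(SAMPLE_LOG_LINES, VERIFIED_TICKETS):
        print(a.host, a.user, a.image, "; ".join(a.reasons))
```

Zoom and Teams are deliberately not in the pattern: they are too common to alert on by name, and the signal in this campaign is the remote-control tool that follows the call. Any single reason raises an alert here; in production a launch from a user-writable path under a valid ticket would more sensibly be a lower-priority notification to the help desk than a page to the responder.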
Remediation guidance should be obtained from the relevant security or law enforcement authorities, as specific steps vary depending on the situation.
ThreatIntel-V1
