Extortionists behind UNC3753 use USB sticks after fake help-desk calls fail
Google Mandiant says the “Chatty Spider” crew sometimes turns a phone scam into an in-person thumb-drive theft.

Google Mandiant links an extortion crew tracked as UNC3753, also called Luna Moth, Chatty Spider, and Silent Ransom Group, to attacks against dozens of US banks, law firms, and professional services firms. When remote deception fails, the group allegedly shows up physically as IT staff to steal sensitive files via thumb drives.
If a fake help-desk call doesn’t work, UNC3753 does not just hang up. Google Mandiant incident responders say the extortionists sometimes show up in person, posing as IT technicians, then plug thumb drives into victims’ computers to steal sensitive files.
That physical turn is not theoretical. Google’s threat hunters also say a May FBI alert corroborated this in-person tactic, and that “Silent Ransom Group” criminals have been walking into law firms’ physical offices “as recently as this spring,” claiming they are there for legitimate IT support work like imaging a device or creating local backups. The goal is old-school data theft, executed through USB devices.
So why should boards and execs care, beyond the obvious “cybercrime is bad” headline? Because this is a playbook designed to squeeze process controls from two directions at once: remote access via voice phishing, and physical access via impersonation. Google’s Mandiant says the group targeted “dozens” of banks, law firms, and other professional services companies in the US from January through May using social engineering to gain access to corporate IT environments. And Mandiant’s bigger point is that attackers are adapting the method, not just repeating it. Google also notes that UNC3753 has been around since 2022, initially using fake software renewal and other billing lures with PDF attachments that contain phone numbers for attacker-controlled call centers.
Around March 2025, the attackers shifted tactics and started posing as IT help desk staff. That shift matters because it attacks the trust layer inside every company: the people who answer tickets, route calls, and grant access. According to the Friday blog by Google incident responders and researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan, UNC3753 “primarily relies on digital vectors,” but Mandiant’s GTIG assessment says associated threat actors attempted direct data theft with physical, in-person access as well. Even if attribution is limited in individual cases, the structural and timeline overlaps are what make Google confident the same crew is involved.
The access methods described are fast, targeted, and built for “yes” decisions in seconds. Google says UNC3753 calls employees directly and purports to be a help desk worker or member of the security team. The attackers then persuade the employee to join a screen-sharing session via Zoom, Microsoft Terminal Services, Microsoft Teams, or Quick Assist. In one intrusion, using Teams, an attacker jumped on five separate calls with the same target over a three-day period. In more than one incident, Mandiant observed the attackers establish Zoom sessions directly on targets’ personal laptops, then use those machines to access corporate virtual desktop infrastructure (VDI) using native client platforms like Windows 365 or Citrix clients.
Once inside, the theft is not random. Mandiant says attackers map local directories and network drives and target specific legal and document storage repositories. They use specific keyword searches to find sensitive folders containing tax records including Forms W-2, W-9, and 1099, audit files, corporate client agreements, and Social Security numbers. Then they stage the data for exfiltration. For exfiltration, Google describes stealthy methods that aim to avoid triggering security alarms, including portable builds of WinSCP, a free Windows SFTP and SCP client, or open source tools like Rclone. They can also upload stolen files from the victim’s browser using a file-sharing account, or instruct victims to send data to an attacker-controlled email address.
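The exfiltration tooling described above leaves a recognizable trail in process-creation telemetry. The following hunt is an added example, not code from the Mandiant report or from Google: it flags Rclone and WinSCP starting from user-writable directories (a portable copy dropped during a screen-share session) and Rclone invocations that push data to a configured remote. The event layout, the path heuristics, and the sample events are constructed to resemble Sysmon Event ID 1 or EDR process-start records; adjust field names to your own telemetry.

```python
"""Hunt for Luna Moth-style exfiltration tooling in process-creation events.

Added example, not code from the Mandiant report. The event layout and the
sample events below are constructed to resemble Sysmon Event ID 1 / EDR
process-start records; field names are an assumption to adapt."""
import re
from dataclasses import dataclass

# Tools the report names for exfiltration: portable WinSCP and Rclone.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Directories a user-dropped portable copy tends to run from. Assumption:
# sanctioned installs live under Program Files and are therefore not matched.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)

# Rclone subcommands that push data somewhere, and the "remote:path" target
# syntax. Requiring two or more characters before the colon keeps Windows
# drive letters such as C:\ from matching.
RCLONE_PUSH = {"copy", "copyto", "sync", "move", "moveto"}
RCLONE_REMOTE = re.compile(r"(?:^|\s)[A-Za-z0-9_-]{2,}:\S*")


@dataclass
class ProcEvent:
    image: str      # full path of the started executable
    cmdline: str    # full command line, image first (Sysmon convention)
    user: str       # account that started the process


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev: ProcEvent):
    """Return (severity, reasons) for an exfil-capable tool start, else None."""
    name = basename(ev.image)
    if name not in EXFIL_TOOLS:
        return None
    reasons = [f"exfil-capable tool started: {name}"]
    if USER_WRITABLE.search(ev.image):
        reasons.append("runs from a user-writable path (portable copy)")
    if name == "rclone.exe":
        args = [a.strip('"').lower() for a in ev.cmdline.split()[1:]]
        if any(a in RCLONE_PUSH for a in args) and RCLONE_REMOTE.search(ev.cmdline):
            reasons.append("rclone pushing data to a configured remote")
    severity = "high" if len(reasons) > 1 else "low"
    return severity, reasons


def hunt(events):
    """Return [(image, severity, reasons)] for every event worth a look."""
    hits = []
    for ev in events:
        verdict = assess(ev)
        if verdict:
            hits.append((ev.image, verdict[0], verdict[1]))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Users\jdoe\Downloads\rclone\rclone.exe",
        cmdline=r'C:\Users\jdoe\Downloads\rclone\rclone.exe copy "C:\Users\jdoe\Desktop\stage" mega:2024-docs --transfers 8',
        user="CORP\\jdoe",
    ),
    ProcEvent(  # sanctioned install, interactive use: low, not high
        image=r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
        cmdline=r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"',
        user="CORP\\ops-admin",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\notepad.exe",
        cmdline="notepad.exe notes.txt",
        user="CORP\\jdoe",
    ),
]

if __name__ == "__main__":
    for image, severity, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {image}")
        for reason in reasons:
            print("   -", reason)
```

The low-severity path is deliberate: WinSCP and Rclone are legitimate administration tools, so a bare tool start is a lead to enrich (who, from which host, during which help-desk ticket), while a portable copy that is already pushing a staging folder to a cloud remote is the one-hour window the report describes.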
The extortion itself is also quick. In many Mandiant-investigated incidents, the entire operation from initial contact to data extortion occurred in just one day. Google also says it observed data searches, staging, and theft initiated in under an hour. After stealing the data, the group sends an extortion email, usually within 30 minutes of exiting the victim’s environment, with a three-day deadline to respond and begin negotiations.
The pressure copy is familiar because it’s designed to weaponize institutional fears: “We hope to find a financial solution that will be acceptable for both parties,” reads one such extortion email, followed by threats that if victims do not agree, the group will notify employees, partners, and customers and “publish your data.” The message also claims that individuals and legal entities will receive claims for information leakage and breach of contracts, that “your current deals will be terminated,” and that journalists and others will dig into documents for inconsistencies or violations. It adds that the organization’s reputation will be damaged, shares will fall in price, and the organization will be forced to close. That last claim may be hyperbolic in tone, but the operational intent is clear: force rapid decision-making when teams are stressed and timelines are tight.
Google’s report also highlights the initial entry mechanics: UNC3753’s phishing often begins with an invoice-themed email, but these do not usually contain malicious links or attachments. Instead, the email’s “sole purpose” is to justify follow-up via phone so the recipient is more likely to believe the call is legitimate. The attackers then use voice phishing to keep the target engaged long enough to route them into screen sharing and VDI access. Google lists phishing domains designed to look like the target organization’s help desk, built from the organization’s name plus suffixes such as -itdesk[.]com, -it[.]com, and -helpdesk[.]com.
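Those suffixes are simple enough to watch for in DNS and proxy logs or a newly-registered-domain feed. The script below is an added example, not from the report: it flags hostnames that pair an organization’s name with one of the three suffixes, and lists the domains a company might register defensively. It generalizes the report’s “[.]com” patterns to any TLD and to subdomains, which is an assumption, and the organization name, allowlist, and sample hostnames are constructed.

```python
"""Flag help-desk lookalike domains of the kind the report describes.

Added example, not code from the report. Generalizes the three "[.]com"
suffix patterns to any TLD and to subdomains (an assumption); org names,
allowlist and sample hostnames are constructed."""
import re

# Suffixes the report names for UNC3753 help-desk lookalikes.
HELPDESK_SUFFIXES = ("-itdesk", "-helpdesk", "-it")


def refang(domain: str) -> str:
    """Normalize a possibly defanged hostname ("acme-it[.]com") for matching."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def build_pattern(org_names, suffixes=HELPDESK_SUFFIXES):
    orgs = "|".join(re.escape(o.lower()) for o in org_names)
    sufs = "|".join(re.escape(s) for s in suffixes)
    # The registrable label must be <org><suffix>; anything before it is a subdomain.
    return re.compile(rf"(?:^|\.)(?P<org>{orgs})(?P<suffix>{sufs})\.(?P<tld>[a-z0-9.-]+)$")


def flag_helpdesk_lookalikes(domains, org_names, allowlist=()):
    """Return [(hostname, suffix)] for hostnames that imitate the org's help desk."""
    pattern = build_pattern(org_names)
    allowed = {refang(a) for a in allowlist}
    hits = []
    for raw in domains:
        host = refang(raw)
        if not host or host in allowed:
            continue
        m = pattern.search(host)
        if m:
            hits.append((host, m.group("suffix")))
    return hits


def candidate_domains(org_name, tlds=("com",), suffixes=HELPDESK_SUFFIXES):
    """Domains worth registering defensively or watching in new-registration feeds."""
    return sorted(f"{org_name.lower()}{s}.{t}" for s in suffixes for t in tlds)


# Constructed sample: hostnames as they might appear in DNS/proxy logs or a
# newly-registered-domain feed. "acme" is a hypothetical organization.
SAMPLE_DOMAINS = [
    "acme-itdesk[.]com",
    "ACME-helpdesk.com",
    "support.acme-it.net",
    "acme.com",            # the company's own domain (allowlisted)
    "acmeit.com",          # no hyphen: outside the report's patterns
    "acme-it.co.uk",
]

if __name__ == "__main__":
    for host, suffix in flag_helpdesk_lookalikes(SAMPLE_DOMAINS, ["acme"], allowlist=["acme.com"]):
        print(f"lookalike: {host}  (pattern *{suffix})")
    print("watchlist:", candidate_domains("acme", ("com", "net")))
```

The hyphen-free variant is left unflagged on purpose: the report only lists the hyphenated forms, and widening the match to arbitrary typosquats is a different, noisier problem that belongs in a dedicated brand-monitoring feed rather than in a help-desk-specific rule.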
For execs, the most actionable part may be the two-layer prevention plan Google recommends, because it maps to how the attackers win. For in-person attempts, Google suggests physical controls like requiring visitors to display official credentials and photo identification, mandating front-desk staff log visitor IDs before granting access, checking pre-scheduled work orders to confirm the technician’s identity, and ensuring any visiting technical service workers are always accompanied by an in-office supervisor. For the remote-heavy portion, Google recommends conditional access policies that let only corporate-owned devices authenticate to VDI or VPNs, plus blocking the installation and execution of unauthorized remote monitoring and support utilities.
The second-order implication for leadership teams is that “IT security” cannot be only an IT workflow problem. UNC3753’s success depends on humans across departments doing their normal jobs under abnormal pressure, then trusting the wrong voice at the wrong time. And when remote techniques fail, attackers pivot to physical space. That should change how you think about incident readiness, because the window for response can be measured in hours, not weeks. When Mandiant notes that data theft and extortion can occur in under an hour, the strategic stake is immediate: the board needs controls that slow access, prove identity, and contain damage across both remote and physical channels before the extortion email hits the inbox.