Mandiant has documented a financially motivated extortion campaign by the threat cluster UNC3753 (also known as Luna Moth, Chatty Spider, or Silent Ransom Group) targeting dozens of U.S. legal, financial, and professional services organizations from January through May 2026. The group uses voice phishing and social engineering to trick employees into enabling remote access via screen-sharing tools and remote monitoring software, then searches for and steals highly sensitive data—including client agreements, tax documents, and personal identifiable information—within hours. After exfiltration, attackers issue aggressive three-day extortion demands threatening to notify employees, clients, and regulators and publish stolen files on the LEAKEDDATA leak site. A notable escalation involves suspected UNC3753 actors conducting in-person intrusions, posing as IT technicians to steal data directly from corporate endpoints using USB storage media.