UNC3753 Targets US Law Firms with Vishing and RMM Tools
ID: 7004101b-a1ee-5a1d-ae1b-be7035a63948
STIX ID: report--7004101b-a1ee-5a1d-ae1b-be7035a63948
Feed Name: Cyber Press
Mandiant/Google Threat Intelligence Group attributes an active extortion campaign to UNC3753 (Luna Moth). The campaign targets US law and financial firms, using invoice-themed emails followed by vishing to coerce victims into installing commercial RMM tools (AnyDesk, Bomgar, Zoho Assist, SuperOps). The attackers pivot from BYOD into corporate VDI, search document repositories (iManage, OneDrive) for sensitive client data, and exfiltrate files via Google Drive, WinSCP, and Rclone. Some incidents include physical office intrusions to steal data via USB, and the actors rapidly issue ransom/extortion demands. The report includes published IOCs and recommended mitigations.
