UNC3753 turns helpdesk vishing into rapid data theft
UNC3753 helpdesk impersonation, remote-access tooling, VDI abuse, rapid document theft, and extortion against US organizations.
- 2026-07-14
- 5 min read
Operational layer / Use first
Detection & hunt kit
Deployable logic, required telemetry, and review state. Expand an artifact without leaving the intelligence report.
01 / DetectionCurl Download Followed by MSI Execution in One Windows CommandDetects a Windows command line that combines curl retrieval of an MSI payload with msiexec execution, as observed in UNC3753 remote-support social engineering.medium / experimentalView detailsMinimize
- Use
- Detection
- Confidence state
- experimental
- Priority
- medium
- ATT&CK
- T1059.003 / T1204.002
Required telemetry
- category
- process_creation
- product
- windows
title: Curl Download Followed by MSI Execution in One Windows Command
id: 84397453-99d6-4a8a-a11d-219287a39ce6
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Detects a Windows command line that combines curl retrieval of an MSI payload with msiexec execution, as observed in UNC3753 remote-support social engineering.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/
logsource:
category: process_creation
product: windows
detection:
selection_shell:
Image|endswith:
- '\\cmd.exe'
- '\\powershell.exe'
- '\\pwsh.exe'
selection_chain:
CommandLine|contains|all:
- 'curl'
- '.msi'
- 'msiexec'
condition: selection_shell and selection_chain
falsepositives:
- Authorized software deployment or support scripts that retrieve and install MSI packages from approved locations
level: medium
tags:
- attack.execution
- attack.t1059.003
- attack.t1204.002
telemetry_assumptions:
- Windows process creation events retain the full image path and command line.
- Parent process, user, signer, and network telemetry are available for triage.
related_publication: unc3753-vishing-extortion-law-firms
02 / Threat huntUNC3753 Reported Infrastructure in Network TelemetryHunts for IP addresses, a data-leak domain, and organization-specific domain patterns reported with UNC3753 activity. The values are historical and require current ownership, resolution, and local-timing validation.medium / experimentalView detailsMinimize
- Use
- Threat hunt
- Confidence state
- experimental
- Priority
- medium
- Review after
- 2026-08-13
Required telemetry
- category
- network_connection
ATT&CK / T1071.001
title: UNC3753 Reported Infrastructure in Network Telemetry
id: 18f89d0a-498b-41f5-9a38-82dd7006f25b
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Hunts for IP addresses, a data-leak domain, and organization-specific domain patterns reported with UNC3753 activity. The values are historical and require current ownership, resolution, and local-timing validation.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/
- https://www.ic3.gov/CSA/2026/260526.pdf
logsource:
category: network_connection
detection:
selection_source_ip:
SourceIp:
- '192.236.147.131'
- '192.236.147.138'
- '193.141.60.212'
- '192.236.154.158'
- '192.236.146.173'
- '174.169.162.62'
- '64.94.84.97'
selection_destination_ip:
DestinationIp:
- '192.236.147.131'
- '192.236.147.138'
- '193.141.60.212'
- '192.236.154.158'
- '192.236.146.173'
- '174.169.162.62'
- '64.94.84.97'
selection_exact_domain:
DestinationHostname: 'business-data-leaks.com'
selection_domain_pattern:
DestinationHostname|endswith:
- '-itdesk.com'
- '-it.com'
- '-helpdesk.com'
condition: 1 of selection_*
falsepositives:
- Reassigned, sinkholed, or shared infrastructure after the reported campaign period
- Unrelated domains whose registered names end with an organization-specific helpdesk pattern
- Security testing that intentionally uses the published values
level: medium
tags:
- attack.command-and-control
- attack.t1071.001
telemetry_assumptions:
- DNS, proxy, firewall, or endpoint network telemetry maps source and destination addresses and hostnames into the selected fields.
- Analysts validate current ownership, passive DNS, resolution, prevalence, and event timing before escalation.
related_publication: unc3753-vishing-extortion-law-firms
Analysis
From January through May 2026, Mandiant identified UNC3753 activity targeting dozens of US organizations in legal, professional, and financial services. The financially motivated group used emails and phone calls to impersonate internal IT staff, obtain remote control of employee devices, search corporate document stores, and steal data for extortion. Some investigations progressed from the first contact to data theft and extortion within one business day.
Initial contact and remote access
A typical intrusion began with an invoice or data-migration email sent from a consumer account controlled by the actor. These messages often contained no link or attachment. They gave the caller a reason to contact the employee and claim that the helpdesk needed to resolve a security or migration issue.
The caller then directed the employee to start a screen-sharing or remote-support session. Mandiant observed Zoom, Microsoft Teams, Quick Assist, and Microsoft Terminal Services in this stage. During one intrusion conducted through Teams, the actor held five calls with the same employee over three days.
UNC3753 also attempted to install AnyDesk, Bomgar, Zoho Assist, and a SuperOps remote monitoring and management agent. In one case, the actor gave the employee a curl command that downloaded a SuperOps MSI package and launched it silently with msiexec. Installation commands and links were sometimes delivered through Privnote, where the message disappeared after it was read.
Access through personal devices and VDI
Some employees joined the remote session from personal devices. The actor controlled the interaction on that device while the employee opened corporate virtual desktop infrastructure through Windows 365 or Citrix. The resulting session provided access to corporate applications and files through the employee's existing account.
Inside the corporate environment, UNC3753 enumerated local directories, active OneDrive folders, and mapped network drives. The actor also searched document-management systems such as iManage. Search terms targeted tax forms, audit files, client agreements, Social Security numbers, and other records suitable for extortion.
Files were staged in locations available to the employee, including the Downloads directory and roaming profile paths. The actor could perform these actions through screen control or instruct the employee to complete them during the call.
Document theft and extortion
UNC3753 transferred staged data with portable copies of WinSCP or Rclone, consumer file-sharing accounts, and actor-controlled email addresses. Browser uploads sometimes used folders renamed to resemble the victim organization. In one incident, the actor uploaded 1.7 GB from a local OneDrive folder to Google Drive, entered a VDI session, and transferred another 14.4 GB with WinSCP.
Mandiant observed search, staging, and theft beginning in under an hour during recent cases. Extortion emails sometimes arrived within 30 minutes of the actor leaving the environment. The messages threatened publication of the stolen data and gave the organization three days to begin negotiations. UNC3753 has also threatened to contact employees and clients directly.
In-person access attempts
The FBI reported cases in which Silent Ransom Group actors sent a person to an office after remote social engineering failed. The visitor claimed to be an IT technician who needed to image a device or create a backup, then attempted to copy company data to removable storage.
Google Threat Intelligence Group assessed that similar physical incidents were likely connected to UNC3753 based on their targeting, timing, and structure. Limited forensic evidence and the absence of later extortion prevented formal attribution in those cases.
Detection and response
Endpoint teams should record remote-support and screen-sharing software, including portable tools that run without installation. Process telemetry should retain full command lines, parent processes, users, signers, and network destinations. Document platforms should log searches, bulk reads, downloads, and exports. VDI authentication records should identify the source device and distinguish managed from unmanaged access.
Network and proxy logs should retain destination categories and transfer volumes for consumer storage, email, FTP, and SFTP services. Helpdesk records can establish whether a remote session, password change, or software installation was approved. These records need timestamps that support correlation across the call, endpoint session, document access, and outbound transfer.
The included Sigma rule detects a Windows shell command containing curl, an MSI filename, and msiexec. Authorized deployment and support scripts can produce the same command pattern. Review the initiating user, parent process, download destination, signer, support ticket, and nearby remote-session activity during triage.
Response procedures should give employees an out-of-band method to verify unexpected helpdesk contact. Conditional-access policies can restrict VDI access from unmanaged devices. Application control can limit unapproved remote-support tools, while removable-media policy can reduce the risk from physical access attempts. Reception and facilities teams should verify technicians against scheduled work orders and require escorts.
Scope and limitations
The published reporting supports helpdesk impersonation, victim-assisted remote access, use of legitimate support tools, rapid document theft, and extortion in the investigated campaign. The Sigma rule covers one observed command-line installation pattern. Sessions conducted entirely through approved meeting software, actions performed manually by an employee, and data transfers without process telemetry require other records and detection methods.
The assessment linking the physical incidents to UNC3753 remains short of formal attribution.
Reported IOCs
View detailsMinimize
Mandiant published the following infrastructure with its campaign report:
| Type | Value |
|---|---|
| IPv4 | 192.236.147.131 |
| IPv4 | 192.236.147.138 |
| IPv4 | 193.141.60.212 |
| IPv4 | 192.236.154.158 |
| IPv4 | 192.236.146.173 |
| IPv4 | 174.169.162.62 |
| IPv4 | 64.94.84.97 |
| Data-leak site | business-data-leaks[.]com |
| Phishing-domain pattern | <organization>-itdesk[.]com |
| Phishing-domain pattern | <organization>-it[.]com |
| Phishing-domain pattern | <organization>-helpdesk[.]com |
The report was published on 5 June 2026 but does not provide first-seen or last-seen timestamps for the individual values. Use the IP addresses and data-leak domain as historical investigation pivots after checking current ownership, resolution, and local log timing. The three domain entries describe naming patterns rather than registered domains.
These values are not part of the Sigma rule. The rule covers the observed process behavior and remains useful when the actor changes infrastructure.
The accompanying experimental hunt checks network telemetry for the seven exact IP addresses and the exact data-leak domain. It treats the three organization-specific domain forms as naming patterns. Matches require current ownership, resolution, prevalence, and local-event timing checks because the report did not provide per-value observation windows.