Dumpdump Dominates, UNC3753 Targets US Law Firms, PAN-OS Exploited

Events tracked: 203
Critical exposure: 106

Summary

Today's threat landscape is defined by a high-volume, low-friction data breach ecosystem, with the actor Dumpdump alone responsible for 15 of 203 tracked events. More concerning for defenders is the convergence of sophisticated social engineering and targeted extortion, as detailed in new research on the UNC3753 campaign against US law firms. Simultaneously, active exploitation of a critical PAN-OS vulnerability and a wave of npm supply chain attacks demand immediate operational attention, underscoring that perimeter defenses alone are insufficient against today's multi-vector threats.

Today's developments

The most significant operational threat this morning comes from detailed research published by Google Threat Intelligence on the UNC3753 cluster (also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group). This financially motivated group has been conducting a targeted vishing campaign against dozens of US law firms, professional services, and financial organizations since at least January 2026. The attack lifecycle is alarmingly efficient: threat actors pose as internal IT helpdesk staff, initiate phone calls to employees, and social-engineer them into installing remote monitoring and management (RMM) tools like AnyDesk or Zoho Assist. Once inside, they pivot to corporate VDI environments, search document management systems like iManage for sensitive client data, and exfiltrate it via cloud storage or FTP -- often within a single business day. In a notable escalation, the group has also attempted physical intrusions, with individuals posing as IT technicians entering offices to exfiltrate data via USB drives. The extortion demands are aggressive, with a three-day deadline and threats to notify employees and clients directly.

  • UNC3753 (Luna Moth / Silent Ransom Group): Targets US legal and professional services via vishing. Uses RMM tools (AnyDesk, Bomgar, Zoho Assist) and Privnote for command delivery. Exfiltrates via WinSCP, Rclone, or browser-based cloud uploads. Physical office intrusions have been observed.
  • Dumpdump Activity: The actor claims to have breached and leaked data from over a dozen organizations, including the International Institute for Sustainable Development (iisd.org, 732k records), Japanese organization jpf.go.jp (746k), French site mathon.fr (483k), and German firms teamleader.eu (137k) and proximus.be (479k). Victims span multiple sectors and countries, suggesting a broad, opportunistic scraping operation.
  • Critical Infrastructure and Supply Chain Threats: Unit 42 reports active exploitation of CVE-2026-0257, a critical PAN-OS vulnerability. Separately, the npm ecosystem is under attack from two campaigns: "IronWorm," which distributes a Rust-based information stealer via malicious packages, and a new variant of the "Miasma" worm that self-propagates. Both target developer credentials and secrets.
  • High-Profile Breach Claims: The ShinyHunters group has allegedly leaked 234 GB of data from DentaQuest, a US dental benefits administrator, impacting approximately 2.6 million individuals. Other notable claims include breaches of Nasdaq, AT&T, TotalEnergies, and the Qatar National Bank, though these remain unverified.
  • Geopolitically Motivated Activity: Multiple actors claimed breaches against Israeli entities, including an alleged leak of credit card data and military force information. Pakistani government and space research organizations (SUPARCO, Ministry of Science & Tech) were also targeted. A large database of Indian student and government exam candidate records was allegedly leaked.
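As an added defender-side illustration, not code from the Google Threat Intelligence report or this briefing: a small correlation over constructed process-creation events that flags the chain described above for UNC3753, an RMM tool launched from a user-writable path followed within a day by WinSCP or Rclone on the same host. The event field names and the executable names other than anydesk.exe are assumptions.

```python
# Correlate a user-launched RMM tool with follow-on exfil tooling on the same host.
# Process events below are constructed; the field names and the exact RMM/exfil
# executable names (except anydesk.exe) are assumptions, not taken from the report.
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RMM_TOOLS = {"anydesk.exe", "zohoassist.exe", "bomgar-scc.exe"}   # assumed names
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}
# Managed RMM is installed under Program Files; an employee running it from
# Downloads or Temp right after a "helpdesk" call is the pattern described above.
USER_WRITABLE = ("\\downloads\\", "\\temp\\")
WINDOW = timedelta(hours=24)  # the report describes exfil within one business day

EVENTS = [  # constructed sample process-creation events
    {"ts": "2026-03-02T09:14:00", "host": "WS-0142", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2026-03-02T09:40:00", "host": "WS-0142", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": "rclone.exe copy Z:\\Matters remote:ex --transfers 8"},
    {"ts": "2026-03-02T10:05:00", "host": "WS-0077", "user": "svc-deploy",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
]

def classify(ev):
    """Return 'rmm_userpath', 'exfil_tool' or None for one event."""
    name = PureWindowsPath(ev["image"]).name.lower()
    if name in RMM_TOOLS and any(p in ev["image"].lower() for p in USER_WRITABLE):
        return "rmm_userpath"
    if name in EXFIL_TOOLS:
        return "exfil_tool"
    return None

def correlate(events):
    """Alert per host when an exfil tool runs within WINDOW of a user-path RMM launch."""
    alerts, first_rmm = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, kind = datetime.fromisoformat(ev["ts"]), classify(ev)
        if kind == "rmm_userpath":
            first_rmm.setdefault(ev["host"], ts)       # keep earliest RMM launch
        elif kind == "exfil_tool" and ev["host"] in first_rmm:
            if ts - first_rmm[ev["host"]] <= WINDOW:
                alerts.append((ev["host"], ev["user"], ev["cmdline"]))
    return alerts

if __name__ == "__main__":
    for host, user, cmd in correlate(EVENTS):
        print(f"ALERT {host} {user}: exfil tooling after RMM launch: {cmd}")
```

The service-account launch from Program Files on WS-0077 is deliberately left unflagged so that managed RMM deployments do not page the SOC.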

Threat landscape signals

The data reveals a pronounced concentration of activity by a small number of prolific actors. Dumpdump's 15 events, primarily opportunistic data breaches, account for nearly 8% of all tracked incidents. This, combined with the 106 critical data exposure events, indicates a market flooded with commoditized stolen data. The top victim countries -- the United States (27), Israel (19), and the Netherlands (16) -- reflect both opportunistic targeting and geopolitical friction. The UNC3753 campaign is a critical signal for security operations leads: it demonstrates that sophisticated social engineering can bypass robust technical controls. The shift toward physical intrusions is a particularly alarming escalation, demanding that organizations treat physical security as a co-equal component of their cyber defense posture. Finally, the active exploitation of PAN-OS and the npm supply chain attacks reinforce the need for rigorous patch management and software supply chain hygiene as immediate priorities.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
