
UNC3753 Hybrid Tactics Expose Blind Spot in Cyber-Physical Risk Models
UNC3753's combination of vishing and physical intrusions reveals an underreported hybrid threat evolution that links Conti remnants to escalating real-world access risks in U.S. professional services.
The UNC3753 campaign documented by Google Mandiant between January and May 2026 marks a clear escalation from pure digital vishing to coordinated physical intrusions, a pattern that extends beyond the reported data theft of legal agreements and PII. While the original coverage correctly identifies the shift from LockBit deployment to extortion-only operations and notes overlaps with UNC2686 and the defunct Conti network, it underplays the operational fusion of remote social engineering with on-site USB exfiltration. This hybrid method bypasses endpoint detection by leveraging human trust chains—pretext emails followed by IT-impersonation calls that direct victims to install AnyDesk or Zoho Assist—then transitions to physical presence when digital access proves insufficient. FBI advisories from May 2026 already flagged similar in-person tactics, yet mainstream reporting treats these as isolated anomalies rather than indicators of maturing threat infrastructure inherited from Conti affiliates. The use of self-destructing notes via privnote.com to deliver RMM instructions further reduces forensic artifacts, a refinement that echoes earlier BazarCall playbooks but now incorporates real-world access vectors. Organizations in professional services remain primary targets because their workflows normalize screen-sharing sessions and visitor IT support, creating persistent seams that purely technical controls cannot seal. This development signals that extortion groups are systematically closing the gap between remote compromise and physical data acquisition, raising stakes for facilities with limited visitor vetting and VDI segmentation.
[SENTINEL]: UNC3753's fusion of vishing with on-site USB theft shows extortion actors now treat physical access as a standard escalation path, directly increasing facility-level compromise risks.
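As an added illustration (not code from the Mandiant or The Hacker News coverage), the following Python correlator flags the escalation chain described above on a per-host basis: a visit to the self-destructing-note service, followed shortly by an RMM binary appearing, followed within days by removable-media activity. The telemetry is constructed, and the RMM name substrings, event fields and time windows are assumptions a defender would tune to their own logging.

```python
"""Correlate endpoint telemetry for the UNC3753-style chain: privnote.com visit,
then an RMM tool (AnyDesk / Zoho Assist) on the host, then removable media."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report). Fields: time, host, kind, detail.
SAMPLE_EVENTS = [
    ("2026-03-04T10:02:00", "WS-LEGAL-07", "dns", "privnote.com"),
    ("2026-03-04T10:09:30", "WS-LEGAL-07", "process", "C:\\Users\\a.lee\\Downloads\\AnyDesk.exe"),
    ("2026-03-05T14:41:00", "WS-LEGAL-07", "usb", "removable volume mounted E:"),
    ("2026-03-04T11:00:00", "WS-FIN-02", "process", "C:\\Program Files\\7-Zip\\7z.exe"),
    ("2026-03-06T09:15:00", "WS-FIN-02", "usb", "removable volume mounted F:"),
]

RMM_MARKERS = ("anydesk", "zoho")   # assumed substrings of the RMM binaries/agents
NOTE_DOMAINS = ("privnote.com",)    # self-destructing-note service named in the report

def parse(ts):
    return datetime.fromisoformat(ts)

def find_hybrid_chains(events, rmm_window=timedelta(hours=1), usb_window=timedelta(days=3)):
    """Return {host: stage}; stage is 'vishing' (note + RMM) or 'physical' (note + RMM + USB)."""
    by_host = {}
    for ts, host, kind, detail in sorted(events, key=lambda e: e[0]):
        by_host.setdefault(host, []).append((parse(ts), kind, detail.lower()))
    findings = {}
    for host, evs in by_host.items():
        notes = [t for t, k, d in evs if k == "dns" and any(n in d for n in NOTE_DOMAINS)]
        rmms = [t for t, k, d in evs if k == "process" and any(m in d for m in RMM_MARKERS)]
        usbs = [t for t, k, d in evs if k == "usb"]
        # Stage 1: RMM appears within rmm_window after a note-service lookup
        rmm_after_note = [r for r in rmms for n in notes
                          if 0 <= (r - n).total_seconds() <= rmm_window.total_seconds()]
        if not rmm_after_note:
            continue
        stage = "vishing"
        # Stage 2: removable-media activity follows the RMM install within usb_window
        if any(0 <= (u - r).total_seconds() <= usb_window.total_seconds()
               for u in usbs for r in rmm_after_note):
            stage = "physical"
        findings[host] = stage
    return findings

if __name__ == "__main__":
    for host, stage in find_hybrid_chains(SAMPLE_EVENTS).items():
        print(f"{host}: {stage} escalation pattern")
```

Hosts with removable-media events but no preceding note-plus-RMM sequence (WS-FIN-02 above) are deliberately not flagged, which keeps ordinary USB use from drowning the signal.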
Sources (3)
- [1] Primary Source: https://thehackernews.com/2026/06/unc3753-used-vishing-and-physical.html
- [2] Related Source: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise
- [3] Related Source: https://www.mandiant.com/resources/blog/conti-ransomware-group