Overview
- Security firms and the FBI say the group lures targets with benign, invoice-style emails, then places follow-up voice calls impersonating corporate IT to obtain screen-sharing or remote-support sessions.
- During those sessions attackers guide victims to install legitimate remote‑management tools such as AnyDesk, Zoho Assist, Bomgar or SuperOps to gain network access and search for high‑value files.
- The actors rapidly exfiltrate sensitive legal and financial data with tools such as WinSCP or Rclone, or by copying it to USB drives, then send aggressive extortion emails, often within 30 minutes and with a three-day deadline.
- The FBI has confirmed operators sometimes escalate to in‑person intrusions where individuals posing as technicians enter offices to image machines or insert drives to steal data.
- The campaign, which targeted dozens of U.S. legal, financial and professional firms between January and May 2026, builds on Ryuk/Conti-era callback tactics and uses evasive fast-flux and residential IP hosting to resist takedowns. Authorities advise strict IT verification, limiting RMM tools, enforcing phishing-resistant MFA, blocking USB installs, and targeted staff training.
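The tradecraft summarised above has a detectable shape on the endpoint: an unsanctioned remote-management tool appears on a workstation, and a bulk-transfer tool (WinSCP, Rclone) runs on the same host shortly afterwards. The script below is an added example, not code from the article or from any vendor: it scans process-creation events for exactly that sequence. The event format is a constructed JSON-lines approximation of EDR telemetry, the sample records are invented, and the product-name substrings used to recognise RMM and transfer tools are an assumption that should be tuned to the tools actually sanctioned in a given estate. The USB path the article mentions is not covered here; that needs removable-media telemetry rather than process events.

```python
"""Detect 'RMM tool launch followed by transfer tool' on one host.

Added example for the callback-phishing pattern described above; not the
article's or any vendor's code. Event schema and sample records are constructed.
"""
import json
from datetime import datetime, timedelta

# Assumption: case-insensitive substrings matched against the process image
# file name. Product names come from the reporting; exact binary names vary
# by product version, so tune these to your environment.
RMM_MARKERS = ("anydesk", "zoho", "bomgar", "superops")
TRANSFER_MARKERS = ("winscp", "rclone")

# Constructed sample telemetry (one JSON object per line). Hosts, users and
# paths are invented. Raw string keeps the JSON-escaped backslashes intact.
SAMPLE_EVENTS = r"""
{"ts": "2026-03-04T14:02:11", "host": "WS-LEGAL-07", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"ts": "2026-03-04T14:19:40", "host": "WS-LEGAL-07", "user": "jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe"}
{"ts": "2026-03-04T09:15:00", "host": "WS-FIN-02", "user": "asmith", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"ts": "2026-03-04T11:00:00", "host": "WS-FIN-02", "user": "asmith", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe"}
{"ts": "2026-03-04T16:00:00", "host": "WS-HR-01", "user": "bkim", "image": "C:\\Users\\bkim\\Downloads\\bomgar-scc.exe"}
{"ts": "2026-03-05T10:00:00", "host": "WS-HR-01", "user": "bkim", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe"}
""".strip().splitlines()


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime and a lower-cased exe name,
    sorted by host then time so per-host sequencing is straightforward."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        # Normalise path separators, keep only the file name.
        rec["exe"] = rec["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        events.append(rec)
    return sorted(events, key=lambda r: (r["host"], r["ts"]))


def classify(exe):
    """Return 'rmm', 'transfer', or None for a process image name."""
    if any(m in exe for m in RMM_MARKERS):
        return "rmm"
    if any(m in exe for m in TRANSFER_MARKERS):
        return "transfer"
    return None


def analyze(lines, window=timedelta(minutes=60)):
    """Emit a medium finding for every RMM launch and a high finding when a
    transfer tool starts on the same host within `window` of that launch."""
    findings = []
    last_rmm = {}  # host -> most recent RMM launch event
    for ev in parse_events(lines):
        kind = classify(ev["exe"])
        base = {"host": ev["host"], "user": ev["user"],
                "exe": ev["exe"], "ts": ev["ts"].isoformat()}
        if kind == "rmm":
            last_rmm[ev["host"]] = ev
            findings.append({"severity": "medium", "rule": "rmm_launch", **base})
        elif kind == "transfer":
            prior = last_rmm.get(ev["host"])
            if prior is not None and ev["ts"] - prior["ts"] <= window:
                gap = (ev["ts"] - prior["ts"]).total_seconds() / 60
                findings.append({"severity": "high", "rule": "rmm_then_transfer",
                                 "rmm_exe": prior["exe"],
                                 "minutes_after_rmm": round(gap, 1), **base})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(json.dumps(f))
```

On the constructed sample, WS-LEGAL-07 produces the high-severity finding (AnyDesk at 14:02, rclone 17.5 minutes later), WS-HR-01 produces only the medium RMM-launch finding because its WinSCP run is the next day and outside the window, and WS-FIN-02's WinSCP use with no preceding RMM launch is not flagged at all. The standalone RMM-launch finding is the one that maps directly to the "limit RMM tools" advice: on a fleet where only one sanctioned remote-support product exists, every other marker hit is worth a ticket on its own.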