Luna Moth / UNC3753: vishing-to-physical-USB data-theft extortion reaches ~$20 M suppression payment and DNS fast-flux C2
From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08
Mandiant's comprehensive primary forensic analysis, published 5 June (Mandiant; covered in depth in the 2026-06-06 daily), documents a January–May 2026 data-theft extortion campaign against US legal and professional-services organisations by UNC3753 (Luna Moth / Silent Ransom Group). The intrusion chain is entirely social-engineered: invoice/subscription pretext → vishing callback impersonating internal IT support → victim installs AnyDesk / Bomgar / Zoho Assist → actor enumerates file shares and document-management systems and exfiltrates using portable WinSCP/Rclone, in several cases in under an hour. No ransomware, no encryption — the leverage is the stolen data alone. Weil, Gotshal & Manges reportedly paid an estimated ~$20 M suppression payment (Legal Cheek, 2026-06-03).

Two new in-window developments: (1) the FBI's 2026-05-26 Cyber FLASH and Mandiant both confirm operatives entering corporate offices to insert USB exfiltration devices when remote social engineering failed (T1052.001), bypassing every network-side control; (2) a 2026-06-05 report documents SRG migrating its C2 to DNS fast-flux infrastructure, which hardens it against takedown and static indicator blocking (Security Affairs, 2026-06-05).

For Swiss and European legal and professional-services firms: the IT-helpdesk-impersonation vector is identical to the social-engineering pressure documented across European corporate intrusions, and the physical-USB escalation raises duty-of-care questions that require a physical-security response, not just SOC playbooks.
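As an added defender-side example (not code from the brief, Mandiant or any cited report): once C2 rotates across many short-TTL records, static indicator blocking loses value, so this heuristic scores domains in passive-DNS observations by IP diversity, network diversity and TTL instead. The observation tuple layout, the /24 (or /48) prefix as a stand-in for ASN diversity and the score thresholds are all assumptions.

```python
"""Fast-flux heuristic over passive-DNS observations (illustrative, added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data: one domain rotating A records with short TTLs across
# several networks, one stable domain with a single long-lived record.
OBSERVATIONS = [
    # (domain, unix_timestamp, resolved_ip, ttl_seconds)
    ("example-c2.invalid", 1000, "198.51.100.7", 60),
    ("example-c2.invalid", 1060, "203.0.113.22", 60),
    ("example-c2.invalid", 1120, "192.0.2.140", 30),
    ("example-c2.invalid", 1180, "198.51.100.9", 60),
    ("example-c2.invalid", 1240, "203.0.113.91", 30),
    ("example-c2.invalid", 1300, "192.0.2.17", 60),
    ("static.example", 1000, "192.0.2.50", 86400),
    ("static.example", 4600, "192.0.2.50", 86400),
]

def profile(observations):
    """Group observations by domain: distinct IPs, distinct networks, seen TTLs."""
    by_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for domain, _ts, ip, ttl in observations:
        entry = by_domain[domain]
        entry["ips"].add(ip)
        # Assumption: /24 (IPv4) or /48 (IPv6) approximates network/ASN diversity
        # because no ASN database is available offline.
        prefix = 24 if ip_address(ip).version == 4 else 48
        entry["nets"].add(str(ip_network(f"{ip}/{prefix}", strict=False)))
        entry["ttls"].append(ttl)
    return by_domain

def classify(observations, threshold=8):
    """Return {domain: (score, flagged)}; score and threshold are assumed values.

    Score = distinct IPs + 2 * distinct networks + 1 if the median TTL is <= 300 s.
    """
    result = {}
    for domain, entry in profile(observations).items():
        ttls = sorted(entry["ttls"])
        median_ttl = ttls[len(ttls) // 2]
        score = len(entry["ips"]) + 2 * len(entry["nets"]) + (1 if median_ttl <= 300 else 0)
        result[domain] = (score, score >= threshold)
    return result

if __name__ == "__main__":
    for domain, (score, flagged) in classify(OBSERVATIONS).items():
        print(f"{domain:22} score={score:2d} fast-flux={'yes' if flagged else 'no'}")
```

Flagged domains are candidates for analyst review or behavioural blocking, not automatic verdicts; legitimate CDNs also show IP diversity, so tune the threshold against your own resolver baseline.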