Security WeekArchived Jun 08, 2026✓ Full text saved
Focusing on hacking law firms in the US, the ransomware group relies on fast flux to hide its C&C infrastructure. The post Silent Ransom Group Uses DNS Fast Flux in Attacks appeared first on SecurityWeek .
Full text archived locally
✦ AI Summary· Claude Sonnet
The infamous Silent Ransom Group (SRG) ransomware gang is relying on a fast flux network of infected devices to hide its infrastructure, Resecurity warns.
Also tracked as Chatty Spider, Luna Moth, and UNC3753, SRG uses voice phishing (vishing) and social engineering to gain remote access to victims’ environments.
The ransomware group typically sends phishing emails themed around data migration or invoices, and encourages recipients to engage in phone conversations with group members posing as IT specialists, who convince the victims to host screen-sharing sessions and install remote access software.
SRG is mainly known for targeting law firms in the US, and for sending operatives in person to insert USB drives into victims’ computers, either for data exfiltration or malware deployment, a recent FBI alert revealed.
In addition to law firms, the ransomware gang was seen targeting finance, healthcare, insurance, and hospitality firms, all of which handle sensitive information.
After gaining access to a targeted organization’s environment, SRG typically focuses on lateral movement and data exfiltration, without deploying file-encrypting malware.
Shortly after data exfiltration, often within 30 minutes, the threat actor sends extortion emails to the victim organization, threatening to publish the stolen data on its clear web data leak site. If the victim is unresponsive, the group contacts its employees and partners to increase the pressure.
A new Resecurity report shows that SRG is also using a fast flux network of infected routers, modems, gateways, and other types of IoT and CPE (customer premises equipment) devices.
A domain-based technique that relies on rapidly changing the DNS records of a legitimate domain, fast flux allows threat actors to hide their servers’ location by rotating numerous IP addresses and DNS name servers for the same domain name.
For that, the threat actors need a large number of compromised hosts, and Resecurity has identified SRG fast flux nodes in 18 countries across Latin America, Eastern Europe, Central Asia, the Middle East, Africa, East Asia, and the Caribbean.
Spread across 22 ISPs, the fast flux botnet has been used to rotate the DNS records for ep6pheij[.]com and business-data-leaks[.]com, two domains known to have been used by the ransomware group.
“The SRG’s attacks have had a significant impact on the legal industry. Law firms accounted for almost a quarter of all ransomware-related incidents tracked in the first quarter of 2026, making it the fourth-most targeted industry. The SRG’s focus on data theft and extortion has contributed to this uptick,” Resecurity notes.
According to a new Google report, SRG has been active since at least 2022, with some of its activities overlapping with those of UNC2686, known for BazarCall campaigns and for the use of TrickBot, Ursnif, and BazarLoader malware.
Related: Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities
Related: Chinese Cybercrime Group in Spotlight for Record Campaign Pace
Related: UNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ Malware
Related: Hackers Leak DentaQuest Information Impacting 2.6 Million
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
More from Ionut Arghire
Hackers Leak DentaQuest Information Impacting 2.6 Million
Chrome 149 Patches 429 Vulnerabilities
Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities
Mirasvit Vulnerability Exploited to Execute Code on Magento Servers
Chinese Cybercrime Group in Spotlight for Record Campaign Pace
Over 1.4 Million Accounts Disrupted in Cybercrime Crackdown
Cisco Warns of Available PoC for Critical Unified CM Vulnerability
Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs
Latest News
174,000 Impacted by Lansing Community College Data Breach
OpenAI Rolling Out ChatGPT Account Security Controls
Anthropic Urges Industry Coordination to Allow for a ‘Pause’ in AI Development if Risks Grow
SolarWinds Serv-U Vulnerability Exploited in the Wild
Meta Says 20,000 Instagram Accounts Hacked via AI Tool Abuse
Emphere Raises $2.1 Million for AI-Powered Vulnerability Remediation
Opal Security Raises $23 Million for AI-Native Identity Governance
OWASP Incubator Project Helps Developers Find and Fix Vulnerable Dependencies in Seconds
Trending
Webinar: Third-Party Risk In Practice
June 4, 2026
Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice.
Register
Virtual Roundtable: CISO Forum 2026 Mid-Year Review
June 10, 2026
Explore how attackers are using AI to scale threats and how security teams can respond with AI-driven defenses. Protecting against unmonitored use of generative AI (Shadow AI) in business units and building and enforcing AI governance frameworks.
Register
People on the Move
Opal Security has appointed CPO, CTO, VP of Field Engineering, VP of Marketing, and Head of Product and Solutions Marketing.
The Department of the Air Force has appointed Ashley Devoto as Chief Information Officer.
Bartley Richardson has been named Chief AI and Autonomous Systems Officer at CrowdStrike.
More People On The Move
Expert Insights
The Zero-Knowledge Threat Actor And The End Of Responsible Disclosure
AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor)
Raising The Cybersecurity Stakes: Ante Up For The Agentic Era
CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael)
Caught Off Guard: Securing AI After It Hits Production
As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb)
Cyber Resilience Is The New Business Continuity Plan
The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin)
Enhancing Data Center Security Without Sacrificing Performance
For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael)
Flipboard
Reddit
Whatsapp
Email