The infamous Silent Ransom Group (SRG) ransomware gang is relying on a fast flux network of infected devices to hide its infrastructure, Resecurity warns.
Also tracked as Chatty Spider, Luna Moth, and UNC3753, SRG uses voice phishing (vishing) and social engineering to gain remote access to victims’ environments.
The ransomware group typically sends phishing emails themed around data migration or invoices, and encourages recipients to engage in phone conversations with group members posing as IT specialists, who convince the victims to host screen-sharing sessions and install remote access software.
SRG is mainly known for targeting law firms in the US, and for sending operatives in person to insert USB drives into victims’ computers, either for data exfiltration or malware deployment, a recent FBI alert revealed.
In addition to law firms, the ransomware gang was seen targeting finance, healthcare, insurance, and hospitality firms, all of which handle sensitive information.
After gaining access to a targeted organization’s environment, SRG typically focuses on lateral movement and data exfiltration, without deploying file-encrypting malware.
Shortly after data exfiltration, often within 30 minutes, the threat actor sends extortion emails to the victim organization, threatening to publish the stolen data on its clear web data leak site. If the victim is unresponsive, the group contacts its employees and partners to increase the pressure.
A new Resecurity report shows that SRG is also using a fast flux network of infected routers, modems, gateways, and other types of IoT and CPE (customer premises equipment) devices.
A domain-based technique that relies on rapidly changing the DNS records of a legitimate domain, fast flux allows threat actors to hide their servers’ location by rotating numerous IP addresses and DNS name servers for the same domain name.
For that, the threat actors need a large number of compromised hosts, and Resecurity has identified SRG fast flux nodes in 18 countries across Latin America, Eastern Europe, Central Asia, the Middle East, Africa, East Asia, and the Caribbean.
Spread across 22 ISPs, the fast flux botnet has been used to rotate the DNS records for ep6pheij[.]com and business-data-leaks[.]com, two domains known to have been used by the ransomware group.
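The rotation described above is what a defender can look for in passive-DNS or resolver logs: one domain answering with many unrelated IPs and changing name servers, all with short TTLs. The following scorer is an added example and not code from Resecurity or the report; the log format, the domain names, the IP addresses and the thresholds are all constructed assumptions.

```python
"""Heuristic fast-flux scoring over resolver-log style records.

Log format (assumed): '<unix_ts> <domain> <rrtype> <ttl> <value>' per line.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: a hypothetical fluxing domain whose A and NS answers churn
# across unrelated /16 networks with 60 s TTLs, beside a stable control domain.
SAMPLE_LOG = """\
1700000000 flux-sample.test A 60 203.0.113.10
1700000000 flux-sample.test NS 60 ns1.flux-a.test
1700000060 flux-sample.test A 60 198.51.100.7
1700000120 flux-sample.test A 60 192.0.2.55
1700000180 flux-sample.test A 60 10.1.2.3
1700000180 flux-sample.test NS 60 ns4.flux-b.test
1700000240 flux-sample.test A 60 10.77.8.9
1700000300 flux-sample.test A 60 172.16.4.2
1700000000 stable-sample.test A 3600 203.0.113.200
1700003600 stable-sample.test A 3600 203.0.113.200
1700007200 stable-sample.test A 3600 203.0.113.200
1700000000 stable-sample.test NS 86400 ns1.stable-sample.test
"""

def parse_log(text):
    """Group (ts, rrtype, ttl, value) tuples by queried domain."""
    by_domain = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, domain, rrtype, ttl, value = line.split()
            by_domain[domain].append((int(ts), rrtype, int(ttl), value))
    return by_domain

def flux_indicators(records):
    """Count distinct A answers, the /16 networks they span (a cheap proxy for
    ISP diversity when no ASN feed is available), NS churn and the lowest TTL."""
    ips = {v for _, t, _, v in records if t == "A"}
    nets = {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}
    ns_hosts = {v for _, t, _, v in records if t == "NS"}
    ttls = [ttl for _, t, ttl, _ in records if t == "A"]
    return {"distinct_ips": len(ips), "distinct_16s": len(nets),
            "distinct_ns": len(ns_hosts), "min_ttl": min(ttls) if ttls else None}

def is_fast_flux(ind, min_ips=5, min_nets=3, max_ttl=300):
    """Flag when many IPs across many networks are served with short TTLs
    (assumed thresholds); NS churn raises confidence but is not required."""
    return (ind["distinct_ips"] >= min_ips and ind["distinct_16s"] >= min_nets
            and ind["min_ttl"] is not None and ind["min_ttl"] <= max_ttl)

def score_log(text):
    """Map each domain to (indicators, flagged) for review or alerting."""
    return {d: (flux_indicators(r), is_fast_flux(flux_indicators(r)))
            for d, r in parse_log(text).items()}

if __name__ == "__main__":
    for domain, (ind, flagged) in score_log(SAMPLE_LOG).items():
        print(domain, "FLUX" if flagged else "ok", ind)
```

In production the /16 proxy should be replaced by an ASN lookup, and a whitelist for CDNs and large cloud load balancers, which legitimately answer with many IPs and short TTLs, keeps the false-positive rate down.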
“The SRG’s attacks have had a significant impact on the legal industry. Law firms accounted for almost a quarter of all ransomware-related incidents tracked in the first quarter of 2026, making it the fourth-most targeted industry. The SRG’s focus on data theft and extortion has contributed to this uptick,” Resecurity notes.
According to a new Google report, SRG has been active since at least 2022, with some of its activities overlapping with those of UNC2686, known for BazarCall campaigns and for the use of TrickBot, Ursnif, and BazarLoader malware.