
Silent Ransom Group has been observed using a fast flux DNS network to conceal its infrastructure while targeting law firms across the globe, according to Resecurity. The activity was first detected on 5 June 2026 and continued through 8 June 2026, with voice phishing and social engineering serving as the initial entry vector. Once inside, the group focuses on exfiltrating sensitive data and then threatens victims with public release unless a payment is made.
The fast flux technique uses a rotating pool of compromised Internet of Things devices to constantly change the DNS records associated with the group's command and control servers, as noted by SecurityWeek. This makes it difficult for defenders to block a single IP address or domain. No Common Vulnerabilities and Exposures (CVE) identifiers have been linked to the campaign, but the operation is tracked under the Luna Moth alias, also known as UNC3753. Research shows the flux nodes have been spotted in eighteen countries, with concentrations in Latin America and Eastern Europe.
The gang maintains a clearnet data leak site that is protected by unique tokens, which helps prevent unauthorized access to the stolen information. In 2024 the group reportedly turned down a ransom demand of $1.8 million, choosing instead to leak data from a compromised law firm, as reported by DataBreaches.net. Unlike typical ransomware, Silent Ransom Group does not encrypt files; it relies on the threat of exposure to coerce payment. Recent advisories from the FBI highlight the group's use of compromised IoT devices as part of its flux infrastructure, according to SecurityAffairs.
Federal agencies have issued warnings about the group's tactics, noting the increase in voice-based phishing attempts aimed at legal professionals. While the current campaign does not rely on a specific software flaw, the broader threat environment includes other exploited vulnerabilities such as the SolarWinds Serv-U issue recently added to CISA's Known Exploited Vulnerabilities catalog, as highlighted in a SecurityAffairs newsletter. Security researchers have also linked Silent Ransom Group's infrastructure to emerging underground projects like Spy Corporate, suggesting a collaborative element within the cybercrime ecosystem. Law firms remain attractive targets because of the confidential client data they handle, which can be leveraged for extortion or sold on illicit markets.
Defenders should begin by monitoring DNS query logs for rapid flux patterns, in which a single domain resolves to many different IP addresses in a short time, as suggested by Resecurity. Implementing strict verification procedures for voice calls and unexpected emails can reduce the success of social engineering attempts. Network segmentation limits the ability of compromised IoT devices to move laterally, while disabling unnecessary services on those devices reduces the attack surface. Enforcing multi-factor authentication on all remote access points and keeping privileged accounts tightly controlled further raises the barrier for attackers.
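The DNS-log check described above, as an added example that is not from Resecurity or the article's sources: it flags a domain whose answers within a short window span several distinct addresses. The log format, thresholds and sample records are constructed assumptions, and the low-TTL and network-spread conditions go beyond the article's description so that a CDN-style pool in one network is not flagged.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed thresholds; tune to your resolver baseline
MIN_IPS, MIN_NETS, MAX_TTL = 4, 3, 300
# Constructed sample in an assumed "timestamp qname answer_ip ttl" format.
SAMPLE_LOG = """\
2025-01-01T10:00:00 flux.example 192.0.2.10 60
2025-01-01T10:01:00 flux.example 198.51.100.22 60
2025-01-01T10:02:00 flux.example 203.0.113.5 60
2025-01-01T10:03:00 flux.example 192.0.2.77 60
2025-01-01T10:00:00 cdn.example 192.0.2.1 30
2025-01-01T10:01:00 cdn.example 192.0.2.2 30
2025-01-01T10:02:00 cdn.example 192.0.2.3 30
2025-01-01T10:03:00 cdn.example 192.0.2.4 30
2025-01-01T10:00:00 slow.example 192.0.2.10 60
2025-01-01T11:00:00 slow.example 198.51.100.22 60
2025-01-01T12:00:00 slow.example 203.0.113.5 60
2025-01-01T13:00:00 slow.example 192.0.2.77 60
not a dns record
"""

def net_of(ip):
    # /24 for IPv4, /48 for IPv6, so neighbours in one pool count once
    return ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 48}", strict=False)

def find_flux_domains(log):
    """Return {domain: (distinct_ips, distinct_nets)} for flux-like domains."""
    by_name = defaultdict(list)
    for line in log.splitlines():
        try:
            ts, name, ip, ttl = line.split()
            rec = (datetime.fromisoformat(ts), ipaddress.ip_address(ip), int(ttl))
        except ValueError:
            continue  # skip malformed or non-DNS lines
        by_name[name.lower().rstrip(".")].append(rec)
    flagged = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r[0])
        for i, (t0, _, _) in enumerate(recs):
            win = [r for r in recs[i:] if r[0] - t0 <= WINDOW]
            ips = {ip for _, ip, _ in win}
            nets = {net_of(ip) for ip in ips}
            if (len(ips) >= MIN_IPS and len(nets) >= MIN_NETS
                    and max(ttl for _, _, ttl in win) <= MAX_TTL):
                flagged[name] = (len(ips), len(nets))
                break
    return flagged
```

On the sample, only `flux.example` is returned: `cdn.example` rotates inside one /24 and `slow.example` changes address once an hour.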
Organizations should maintain offline, encrypted backups of critical data and test restoration procedures regularly to mitigate the impact of any potential leak, as advised by Resecurity. Engaging with information sharing groups and law enforcement ensures that indicators of compromise are shared quickly across sectors. Finally, ongoing staff training that focuses on recognizing voice phishing and pretexting calls remains one of the most effective defenses against groups like Silent Ransom Group.