Silent Ransom Group (SRG) Exploits Fast Flux Network to Evade Detection
The Silent Ransom Group (SRG), also known as Chatty Spider, Luna Moth, and UNC3753, has adopted a fast flux network to conceal its infrastructure, according to a recent Resecurity report. The group primarily targets law firms, finance, healthcare, insurance, and hospitality sectors industries handling sensitive data using voice phishing (vishing) and social engineering to breach networks.
SRG’s tactics include phishing emails disguised as data migration or invoice requests, followed by phone calls from operatives posing as IT specialists. Victims are tricked into screen-sharing sessions and installing remote access tools, sometimes even via physical USB drops by in-person operatives. Unlike traditional ransomware groups, SRG prioritizes data exfiltration over encryption, issuing extortion threats within 30 minutes of stealing files. If victims resist, the group escalates pressure by contacting employees and partners.
To evade detection, SRG leverages a fast flux botnet a technique that rapidly rotates DNS records across compromised routers, modems, IoT devices, and CPEs in 18 countries, including regions in Latin America, Eastern Europe, and the Middle East. The botnet, spread across 22 ISPs, has been linked to domains like ep6pheij[.]com and business-data-leaks[.]com, both tied to SRG’s operations.
The group’s focus on law firms has had a measurable impact: nearly a quarter of all ransomware incidents in Q1 2026 targeted the legal sector, making it the fourth-most affected industry. SRG’s activities date back to at least 2022, with overlaps observed between its operations and UNC2686, a threat cluster known for BazarCall campaigns and malware like TrickBot, Ursnif, and BazarLoader.
Source: https://www.securityweek.com/silent-ransom-group-uses-dns-fast-flux-in-attacks/
Resecurity cybersecurity rating report: https://www.rankiteo.com/company/resecurity
"id": "RES1780922290",
"linkid": "resecurity",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Legal', 'type': 'Law Firms'},
{'industry': 'Finance', 'type': 'Companies'},
{'industry': 'Healthcare', 'type': 'Companies'},
{'industry': 'Insurance', 'type': 'Companies'},
{'industry': 'Hospitality', 'type': 'Companies'}],
'attack_vector': ['Phishing Emails',
'Voice Phishing (Vishing)',
'Social Engineering',
'Remote Access Tools',
'Physical USB Drops'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Sensitive Data'},
'description': 'The Silent Ransom Group (SRG), also known as Chatty Spider, '
'Luna Moth, and UNC3753, has adopted a fast flux network to '
'conceal its infrastructure. The group primarily targets law '
'firms, finance, healthcare, insurance, and hospitality '
'sectors using voice phishing (vishing) and social engineering '
'to breach networks. SRG’s tactics include phishing emails '
'disguised as data migration or invoice requests, followed by '
'phone calls from operatives posing as IT specialists. Victims '
'are tricked into screen-sharing sessions and installing '
'remote access tools, sometimes even via physical USB drops. '
'SRG prioritizes data exfiltration over encryption, issuing '
'extortion threats within 30 minutes of stealing files. To '
'evade detection, SRG leverages a fast flux botnet, rapidly '
'rotating DNS records across compromised routers, modems, IoT '
'devices, and CPEs in 18 countries.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'identity_theft_risk': True,
'legal_liabilities': True},
'initial_access_broker': {'entry_point': ['Phishing Emails',
'Voice Phishing (Vishing)',
'Physical USB Drops']},
'motivation': 'Financial Gain (Extortion)',
'ransomware': {'data_exfiltration': True},
'references': [{'source': 'Resecurity'}],
'threat_actor': 'Silent Ransom Group (SRG) / Chatty Spider / Luna Moth / '
'UNC3753',
'title': 'Silent Ransom Group (SRG) Exploits Fast Flux Network to Evade '
'Detection',
'type': 'Ransomware / Data Extortion'}