Ransomware | Jun 8, 2026

Silent Ransom Group Uses DNS Fast Flux in Attacks

Silent Ransom Group uses DNS fast flux to hide C&C infrastructure in attacks on US law firms.

Summary

The Silent Ransom Group (SRG), also known as Chatty Spider, is employing a fast flux DNS technique to conceal its command and control infrastructure. This group primarily targets US law firms, using vishing and social engineering to gain access, and then focuses on data exfiltration rather than file encryption, threatening to leak stolen data. SRG has been active since at least 2022 and has been observed using compromised IoT and CPE devices across 18 countries to support its fast flux operations.

Full text

The infamous Silent Ransom Group (SRG) ransomware gang is relying on a fast flux network of infected devices to hide its infrastructure, Resecurity warns.

Also tracked as Chatty Spider, Luna Moth, and UNC3753, SRG uses voice phishing (vishing) and social engineering to gain remote access to victims’ environments. The ransomware group typically sends phishing emails themed around data migration or invoices, and encourages recipients to engage in phone conversations with group members posing as IT specialists, who convince the victims to host screen-sharing sessions and install remote access software.

SRG is mainly known for targeting law firms in the US, and for sending operatives in person to insert USB drives into victims’ computers, either for data exfiltration or malware deployment, a recent FBI alert revealed. In addition to law firms, the ransomware gang has been seen targeting finance, healthcare, insurance, and hospitality firms, all of which handle sensitive information.

After gaining access to a targeted organization’s environment, SRG typically focuses on lateral movement and data exfiltration, without deploying file-encrypting malware. Shortly after data exfiltration, often within 30 minutes, the threat actor sends extortion emails to the victim organization, threatening to publish the stolen data on its clear web data leak site. If the victim is unresponsive, the group contacts its employees and partners to increase the pressure.

A new Resecurity report shows that SRG is also using a fast flux network of infected routers, modems, gateways, and other types of IoT and CPE (customer premises equipment) devices. Fast flux is a domain-based technique that relies on rapidly changing the DNS records of a legitimate domain: by rotating numerous IP addresses and DNS name servers for the same domain name, threat actors hide the location of their servers.

For that, the threat actors need a large number of compromised hosts, and Resecurity has identified SRG fast flux nodes in 18 countries across Latin America, Eastern Europe, Central Asia, the Middle East, Africa, East Asia, and the Caribbean. Spread across 22 ISPs, the fast flux botnet has been used to rotate the DNS records for ep6pheij[.]com and business-data-leaks[.]com, two domains known to have been used by the ransomware group.

“The SRG’s attacks have had a significant impact on the legal industry. Law firms accounted for almost a quarter of all ransomware-related incidents tracked in the first quarter of 2026, making it the fourth-most targeted industry. The SRG’s focus on data theft and extortion has contributed to this uptick,” Resecurity notes.

According to a new Google report, SRG has been active since at least 2022, with some of its activities overlapping with those of UNC2686, known for BazarCall campaigns and for the use of TrickBot, Ursnif, and BazarLoader malware.

Written by Ionut Arghire, international correspondent for SecurityWeek.
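Fast flux, as the article describes it, shows up in DNS telemetry as one name resolving to many short-TTL addresses spread across many networks and name servers. The block below is an added defender-side example, not code from Resecurity or SecurityWeek: it summarises constructed passive-DNS observations per domain and flags the one that behaves like a flux domain, using assumed thresholds (10 addresses, 5 distinct /16 prefixes, TTL of 300 seconds or less).

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class DnsObservation:
    ts: int       # unix seconds when the answer was observed
    qname: str    # queried domain name
    rtype: str    # "A" or "NS"
    rdata: str    # answer: an IPv4 address for A, a name-server host for NS
    ttl: int      # TTL advertised in the answer

def flux_features(observations):
    """Per-domain features that separate fast flux from stable hosting."""
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.qname].append(o)
    features = {}
    for qname, obs in by_name.items():
        ips = {o.rdata for o in obs if o.rtype == "A"}
        # distinct /16 prefixes approximate how many networks/ISPs host the nodes
        prefixes = {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}
        features[qname] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "distinct_ns": len({o.rdata for o in obs if o.rtype == "NS"}),
            "min_ttl": min((o.ttl for o in obs if o.rtype == "A"), default=None),
        }
    return features

def is_fast_flux(f, min_ips=10, min_prefixes=5, max_ttl=300):
    """Assumed thresholds: many short-lived A records spread over many networks."""
    if f["min_ttl"] is None:
        return False
    return (f["distinct_ips"] >= min_ips
            and f["distinct_prefixes"] >= min_prefixes
            and f["min_ttl"] <= max_ttl)

def flagged_domains(observations):
    return sorted(q for q, f in flux_features(observations).items() if is_fast_flux(f))

# Constructed sample: one domain rotating through 12 IPs in 12 networks with a
# 60-second TTL (flux-like), and one stable domain with two IPs in one network.
SAMPLE = [DnsObservation(3600 * i, "flux-example.test", "A",
                         f"198.{18 + i}.{i}.{10 + i}", 60) for i in range(12)]
SAMPLE += [DnsObservation(0, "flux-example.test", "NS", f"ns{i}.flux-example.test", 60)
           for i in range(3)]
SAMPLE += [DnsObservation(0, "stable-example.test", "A", "192.0.2.10", 3600),
           DnsObservation(7200, "stable-example.test", "A", "192.0.2.11", 3600)]
```

On real passive-DNS data, pair the prefix count with an ASN lookup and tune the thresholds against known CDN names, which also rotate addresses but stay within a few networks.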

Indicators of Compromise

  • domain — ep6pheij[.]com
  • domain — business-data-leaks[.]com

Entities

  • Silent Ransom Group (threat_actor)
  • Chatty Spider (threat_actor)
  • Luna Moth (threat_actor)
  • UNC3753 (threat_actor)
  • UNC2686 (threat_actor)