Silent Ransom Group (Luna Moth / UNC3753) Escalates to Physical Office Intrusion Against U.S. Law Firms — FBI Issues FLASH-Severity Alert as 38+ Victims Published

The Silent Ransom Group, also tracked as Luna Moth and UNC3753, has evolved its attack chain to include in-person physical intrusion: when vishing calls fail to secure remote access, operatives — possibly hired gig workers unaware they're committing a crime — physically enter law firm offices posing as IT support and exfiltrate data via USB drives directly to WinSCP or disguised Rclone, leaving zero malware artifacts and triggering no EDR alerts. The FBI issued FLASH-20260526-01, its first FLASH-severity warning on this actor, after more than 38 U.S. law firms were listed on SRG's clearnet leak site (business-data-leaks[.]com) with ransom demands ranging from $1M to $8M; victims include Orrick Herrington & Sutcliffe, Jones Day, and Ropers Majeski. Resecurity also identified a new SRG-linked infrastructure project 'Spy Corporate' using fast-flux DNS and shared IPs with the group's existing clearnet DLS, indicating the group is hardening against takedowns.

The FBI issued FLASH-20260526-01, its first FLASH-severity warning on this actor, after more than 38 U.S.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.