DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:13:27ZSOURCES: 14CRITICAL: 30
⚠ ACTIVE ALERTS
@FalconFeedsio CRITICAL — 🚨 Ransomware Alert: The Gentlemen RaaS group continues active DLS postings. Now at 478… /// @DarkWebInformer CRITICAL — 🚨 ServiceNow discloses June 5 security update tied to anomalous activity — KB3067321.… /// @MsftSecIntel CRITICAL — MSTIC analysis of The Gentlemen ransomware (tracked internally): self-propagating… /// @GossiTheDog CRITICAL — ServiceNow KB3067321 situation is worse than the vendor comms suggest. Advisory was gated… /// @AlvieriD CRITICAL — The '340M OnlyFans' listing on the leak forum is a compiled corpus — seller confirmed to…
30Critical Threats
15Active CVEs
1IOCs Tracked
14New Advisories
INTEL FEED/ARCHIVE/DARK-WEB
DMZ INTEL DESK//FILED: 2026-06-09//08:13Z
CRITICAL#dark web

Silent Ransom Group (UNC3753) Escalates to Physical Office Intrusions Against U.S. Law Firms — Mandiant + FBI FLASH Confirm Data-Theft Compressed to Sub-Hour Timeline

Mandiant and the FBI have jointly confirmed that Silent Ransom Group (also tracked as UNC3753, Luna Moth, and Chatty Spider) targeted dozens of U.S. legal, financial, and professional-services organizations between January and May 2026, with some intrusions progressing from initial vishing contact to data exfiltration and extortion demand delivery in under one hour. The group's attack chain — invoice-themed lure email, fake IT support callback, RMM tool installation, WinSCP/Rclone exfiltration — requires no malware and leaves minimal forensic artifacts, making detection extremely difficult. Uniquely, the FBI has confirmed physical in-person office visits by operatives posing as IT staff who inserted USB storage devices to exfiltrate data, a tactic with no known parallels in the broader ransomware ecosystem. Resecurity also reports the group is now operating its leak site infrastructure behind fast-flux DNS spanning 18 countries.

Resecurity also reports the group is now operating its leak site infrastructure behind fast-flux DNS spanning 18 countries.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the critical severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
silent-ransom-group · unc3753 · luna-moth · chatty-spider · vishing · rmm-abuse · law-firm-targeting · fast-flux · data-extortion · physical-intrusion · winscp · rclone · fbi-flash
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

RELATED ACTORS

ACTOR
SILENT RANSOM GROUP
CRIMINAL

MORE FROM ARCHIVE

# DARK WEB
2026-06-13
DOJ/Europol Dismantle AudiA6 Crypto Laundering Network That Washed $389M for Ransomware Gangs; Dark2Web Forum Also Seized
# DARK WEB
2026-06-13
OnyxC2 MaaS Infostealer Surfaces on Cybercrime Forums at $250/Month; Targets 210+ Apps via Cloudflare-Fronted C2 and Signed-Binary DLL Sideloading
# DARK WEB
2026-06-12
Europol/DOJ Dismantle AudiA6 Crypto-Laundering Service — €336M Processed for Ransomware Gangs Since 2021, Two Arrested in Georgia
# DARK WEB
2026-06-11
TheGentlemen Ransomware Lists Multiple New Victims Across Healthcare, Logistics, and Manufacturing in June 2026 Leak Site Postings — Multi-Sector Campaign Active