FBI FLASH: Silent Ransom Group (Luna Moth/UNC3753) Escalates to Physical Intrusions at U.S. Law Firms — 100+ Attacks, 38 Firms Leaked

The FBI issued a FLASH-severity alert on May 26, 2026, warning that Silent Ransom Group (aka Luna Moth, Chatty Spider, UNC3753) has escalated its law-firm campaign to include physical in-person office intrusions, with operatives posing as IT support staff and inserting USB drives into workstations to exfiltrate attorney-client privileged data when remote social engineering fails. The Russia-linked group deploys no ransomware or malware — making traditional AV and EDR blind to the intrusion — relying entirely on legitimate RMM tools (AnyDesk, Splashtop, Syncro, Rclone) and direct physical access, with exfiltration staged to OneDrive or Google Drive. Over 100 attacks have been confirmed with 38 firms' data already published on the group's clearnet leak site; Halcyon tracked 134 law-firm ransomware incidents in Q1 2026 alone, with SRG as a primary driver.

Over 100 attacks have been confirmed with 38 firms' data already published on the group's clearnet leak site; Halcyon tracked 134 law-firm ransomware incidents in Q1 2026 alone, with SRG as a primary driver.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.