The Federal Bureau of Investigation has issued a critical warning about an increasingly sophisticated cybercriminal organization known as the Silent Ransom Group (SRG), which has been conducting targeted attacks against law firms and other organizations through deceptive IT support calls.
The threat actor, also operating under the aliases Luna Moth, Chatty Spider, and UNC3753, has been active since 2022 and has recently evolved its tactics to become more direct and aggressive in compromising victim systems.
Initially recognized for their callback phishing campaigns that masqueraded as subscription services requiring cancellation calls, SRG has significantly transformed its operational methodology.
The group historically sent fraudulent emails claiming small subscription charges, prompting victims to call a provided number where threat actors would guide them to download remote access software.
The Internet Crime Complaint Center (IC3) analysts identified that starting in March 2025, the group shifted to a more proactive approach, directly contacting employees while impersonating their company’s IT department personnel.
The impact of SRG’s operations has been particularly severe within the legal sector, with law firms becoming primary targets due to the highly sensitive nature of legal industry data.
The group’s preference for targeting legal organizations stems from the valuable confidential information these entities possess, including client communications, case files, and privileged attorney-client materials.
Beyond law firms, SRG has also victimized companies in the medical and insurance industries, demonstrating their adaptability across sectors with valuable data assets.
The group’s current attack methodology represents a concerning evolution in social engineering tactics, as they exploit the trust relationship between employees and their IT support teams to gain unauthorized system access.
Advanced Social Engineering and Remote Access Exploitation
SRG’s sophisticated attack methodology relies heavily on exploiting legitimate remote access tools to avoid detection by traditional security measures.
When threat actors successfully convince employees to grant remote access through platforms such as Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera, they instruct victims that maintenance work must be performed overnight, providing cover for extended unauthorized access periods.
Once inside the compromised system, SRG works quickly: it performs only minimal privilege escalation and pivots almost immediately to data exfiltration, using tools such as WinSCP (Windows Secure Copy) or hidden copies of Rclone to transfer data to cloud storage.
The group’s technical proficiency is evident in their ability to operate within victim environments while leaving minimal forensic artifacts, making their activities particularly challenging for network defenders to detect and attribute.
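The two behaviours described above, an unsanctioned remote-access tool appearing on an endpoint and a transfer utility such as Rclone running under a different file name, are both visible in ordinary process-creation telemetry. The following Python is an added illustration written for this article, not code from the FBI advisory or from any vendor; it triages Sysmon-style process-creation records for exactly those signals. The field names (`time`, `image`, `original_file_name`, `command_line`, `user`), the business-hours window, the list of approved tools and every sample event are constructed assumptions. Whether a given Rclone build carries a PE `OriginalFileName` should be verified against real binaries; the command-line heuristic is there for the case where it does not.

```python
"""Triage process-creation records for SRG-style remote-access and exfiltration activity.

Added example (not from the advisory). Field names, sample events, the approved-tool
list and the 07:00-19:00 business window are all constructed assumptions.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Remote-access tools named in the article. Matched as a case-insensitive
# substring of the image path, because exact executable names vary by vendor
# and version ("zoho" is deliberately broad and will also match other Zoho products).
RMM_TOOLS = ("zoho", "syncro", "anydesk", "splashtop", "atera")
EXFIL_TOOLS = ("winscp", "rclone")

# Rclone subcommands that move data, and the "remote:path" argument form they take.
# Two or more characters before the colon excludes Windows drive letters; the
# negative lookahead excludes URLs such as https://.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_ARG = re.compile(r"[A-Za-z0-9_-]{2,}:(?!//)\S*")


def off_hours(ts: str, start: int = 7, end: int = 19) -> bool:
    """True when an ISO-8601 local timestamp falls outside the assumed business day."""
    hour = datetime.fromisoformat(ts).hour
    return hour < start or hour >= end


def looks_like_rclone(cmdline: str) -> bool:
    """Heuristic for Rclone invoked under any name: a data-moving verb plus a remote:path."""
    args = cmdline.split()[1:]
    return any(a in RCLONE_VERBS for a in args) and any(REMOTE_ARG.fullmatch(a) for a in args)


def triage(events: List[Dict[str, str]], approved_rmm: Tuple[str, ...] = ()) -> List[Tuple[int, str]]:
    """Return (event index, reason) findings.

    approved_rmm lists the remote-access tools the organisation actually sanctions;
    any other tool from the SRG list is flagged. Off-hours timing is added as a
    separate finding because the article reports the group asking for "overnight" access.
    """
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        image = ev["image"].lower()
        name = image.rsplit("\\", 1)[-1]
        orig = ev.get("original_file_name", "").lower()
        cmd = ev.get("command_line", "")

        for tool in RMM_TOOLS:
            if tool in image and tool not in approved_rmm:
                findings.append((i, f"unapproved remote-access tool: {tool}"))
                break

        if "rclone" in orig and "rclone" not in name:
            # PE version info says Rclone, but the file on disk is called something else.
            findings.append((i, f"rclone running as {name} (OriginalFileName={orig})"))
        elif "rclone" not in name and "rclone" not in orig and looks_like_rclone(cmd):
            # No version info to go on; the command line alone has Rclone's shape.
            findings.append((i, f"rclone-style transfer from unknown binary {name}"))
        elif any(t in name for t in EXFIL_TOOLS):
            findings.append((i, f"file-transfer tool launched: {name}"))

        if findings and findings[-1][0] == i and off_hours(ev["time"]):
            findings.append((i, "activity outside business hours"))
    return findings


# Constructed sample telemetry: one benign Outlook launch, an AnyDesk download run
# by a user, a renamed Rclone with version info, a renamed Rclone without it, and
# a WinSCP launch by an administrator during the day.
SAMPLE_EVENTS = [
    {"time": "2025-03-18T10:12:00", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "original_file_name": "outlook.exe", "command_line": "OUTLOOK.EXE", "user": "CORP\\jdoe"},
    {"time": "2025-03-18T16:40:00", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "original_file_name": "anydesk.exe", "command_line": "AnyDesk.exe", "user": "CORP\\jdoe"},
    {"time": "2025-03-19T02:15:00", "image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "original_file_name": "rclone.exe",
     "command_line": "svc.exe copy C:\\Cases remote1:backup --transfers 16 -P", "user": "CORP\\jdoe"},
    {"time": "2025-03-19T02:50:00", "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "original_file_name": "", "command_line": "update.exe sync D:\\Share mega:archive", "user": "CORP\\jdoe"},
    {"time": "2025-03-19T09:05:00", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "original_file_name": "winscp.exe", "command_line": "WinSCP.exe", "user": "CORP\\itadmin"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev['time']}  {ev['user']:<14} {reason}")
```

Run stand-alone it flags the AnyDesk launch, both renamed Rclone invocations (each also marked as off-hours) and the WinSCP launch, while the Outlook event passes. Passing `approved_rmm=("anydesk",)` suppresses the AnyDesk finding, which is the point of the allowlist: the tools themselves are legitimate, so the detection has to key on which ones the organisation has actually sanctioned rather than on the tool alone.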