Silent Ransom Group (SRG): Switching To DNS Fast Flux Infrastructure

Pierluigi Paganini
June 05, 2026

Researchers exposed the Silent Ransom Group ‘s Fast Flux infrastructure as the FBI warns of ongoing attacks targeting U.S. law firms and businesses.

Resecurity uncovered the Silent Ransom Group (SRG)’s Fast Flux network infrastructure and shares available intelligence with the cybersecurity community to disrupt their malicious activities and enable ISP/DNS providers to counter this threat.

“Resecurity is the first to uncover the SRG’s Fast Flux network infrastructure and is sharing this intelligence with the cybersecurity community to disrupt their malicious activities and enable ISP/DNS providers to counter this threat.” reads the report published by Resecurity.

The Silent Ransom Group, also known as Luna Moth, Chatty Spider, and UNC3753, is a cyber extortion group active since 2022 that focuses on stealing sensitive data and extorting victims rather than encrypting files. The group primarily targets organizations in sectors such as legal services, healthcare, hospitality, finance, and insurance.

The experts also outlined the use of X-CSRF (Cross-Site Request Forgery) token to prevent indexing of their Data Leak Site (DLS) – a unique, secret, and unpredictable string that a server-side application generates and assigns to a user’s session.

The Federal Bureau of Investigation (FBI) recently issued an advisory about the SRG, which is actively targeting U.S.-based law firms and other industries through social engineering and in-person attacks.

The Fast Flux nodes were identified in Latin America (Brazil, Mexico, Argentina, Ecuador, Colombia, Bolivia, Costa Rica, Peru, Panama), Eastern Europe (Bulgaria, Croatia, North Macedonia), Central Asia (Uzbekistan, Kyrgyzstan), Middle East/Africa (Egypt, Saudi Arabia, Tunisia), East Asia (South Korea), and Caribbean (Jamaica, Dominican Republic). The bots are likely infected via vulnerable IoTs and Customer Premises Equipment (CPE) — such as routers, modems, and gateways. New underground projects have been identified that could be linked to the SRG (by profile, targets and the mapped infrastructure), including Spy Corporate, which emerged in May 2026. Fast Flux provides the SRG with resilient infrastructure to extort top AmLaw 100 firms and other victims.

Last year, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) released a joint advisory “Fast Flux: A National Security Threat,” highlighting the importance of collaboration between the private and public sectors.

The SRG’s botnet appears to rely on compromised IoT devices and customer equipment such as routers, modems, and gateways. Researchers also found links to other underground projects, including Spy Corporate, launched in May 2026. The group uses Fast Flux infrastructure to make its operations more resilient while targeting major law firms for extortion.

“Based on further analysis, other underground projects have been identified that could be linked to the SRG, including Spy Corporate, which emerged in May 2026. Fast Flux provides the SRG with resilient infrastructure to extort top AmLaw 100 firms.” concludes the report, which includes technical details about the Fast Flux Infrastructure.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon