A cyber extortion group known for targeting law firms and other sensitive industries is now using a fast-flux botnet infrastructure to make its data leak operations harder to track and disrupt, according to new research by Resecurity.
The group, known as Silent Ransom Group, or SRG, has been active since at least 2022. It is also tracked under names such as Luna Moth, Chatty Spider and UNC3753. Unlike traditional ransomware gangs, SRG does not usually encrypt victims’ files. Instead, it steals sensitive data and pressures organisations to pay by threatening to publish or sell the information.
The FBI recently issued an advisory warning that SRG has been targeting U.S.-based law firms and other industries through social engineering and even in-person attacks. Resecurity’s latest threat intelligence report adds a new dimension to the threat, saying the group is using clearnet data leak sites and fast-flux DNS infrastructure to keep its operations resilient against takedowns.
READ FULL REPORT: Silent Ransom Group (SRG): Uncovering DNS Fast Flux Infrastructure
Fast flux is a cybercriminal technique in which malicious domains constantly rotate through a large number of IP addresses, often using compromised devices such as routers, modems and other customer premises equipment. This makes it difficult for investigators, internet service providers and security teams to identify and block the real backend infrastructure.
According to Resecurity, two domains linked to SRG, business-data-leaks[.]com and ep6pheij[.]com, were found rotating DNS records through residential and mobile IP addresses. The company said both domains were backed by a botnet spread across 18 countries and 22 internet service providers. The nodes were identified across Latin America, Eastern Europe, Central Asia, the Middle East, Africa, East Asia and the Caribbean.
Resecurity said the infrastructure did not contain datacenter or hosting IPs. Instead, every node traced back to consumer internet service providers, suggesting that compromised residential devices were being used to hide the group’s operations.

The investigation found that each DNS query returned between 10 and 18 IP addresses at a time. These IPs changed every two to three minutes. Resecurity said the rotation was time-based and controlled by a backend command-and-control server, rather than being part of a legitimate content delivery network or geo-load balancing system.
The company also found that the two domains shared around 50 to 60 percent of the same bot pool, which it said indicated that both were operated by the same threat actor. Nine IP addresses appeared in the rotation pools of both domains, including nodes in North Macedonia, Croatia, Bulgaria, Ecuador, Mexico, Argentina, Uzbekistan and Egypt.
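The traits Resecurity describes (large answer sets, rotation every few minutes, a pool shared between two domains) can be measured from repeated DNS lookups. The following Python is an added example, not code from the Resecurity report; the sample answers use documentation addresses, and the function names, thresholds and overlap measure are assumptions.

```python
# Constructed data: RFC 5737 documentation addresses, not real indicators.
def sample(base, start, size):
    """One constructed DNS answer: `size` addresses drawn from a 24-host pool."""
    return {f"{base}.{(start + i) % 24 + 1}" for i in range(size)}

# (seconds since first lookup, A records returned) for two hypothetical domains
DOMAIN_A = [(0, sample("198.51.100", 0, 12)), (150, sample("198.51.100", 5, 14)),
            (300, sample("198.51.100", 11, 10)), (450, sample("198.51.100", 17, 18))]
DOMAIN_B = [(0, sample("198.51.100", 0, 6) | sample("203.0.113", 0, 6)),
            (160, sample("198.51.100", 6, 6) | sample("203.0.113", 6, 6)),
            (320, sample("203.0.113", 12, 12))]
STATIC = [(t, {"192.0.2.10", "192.0.2.11"}) for t in (0, 150, 300)]  # control

def flux_metrics(snapshots):
    """Summarise a time-ordered list of (timestamp_s, set_of_ips) answers."""
    if len(snapshots) < 2:
        raise ValueError("need at least two lookups to measure rotation")
    answers = [ips for _, ips in snapshots]
    times = [t for t, _ in snapshots]
    # Turnover: 1 - Jaccard similarity of each pair of consecutive answers.
    turnover = [1 - len(a & b) / len(a | b) for a, b in zip(answers, answers[1:])]
    return {
        "min_answer": min(map(len, answers)),
        "max_answer": max(map(len, answers)),
        "pool": set().union(*answers),
        "mean_turnover": sum(turnover) / len(turnover),
        "max_gap_s": max(b - a for a, b in zip(times, times[1:])),
    }

def looks_fast_flux(m, min_answer=10, max_gap_s=180, min_turnover=0.3):
    """Assumed thresholds, loosely following the figures reported above."""
    return (m["min_answer"] >= min_answer          # many A records per answer
            and len(m["pool"]) > m["max_answer"]   # pool larger than any answer
            and m["max_gap_s"] <= max_gap_s        # lookups a few minutes apart
            and m["mean_turnover"] >= min_turnover)  # answers actually change

def pool_overlap(a, b):
    """Share of the smaller observed pool that also appears in the other."""
    return len(a & b) / min(len(a), len(b))

if __name__ == "__main__":
    ma, mb = flux_metrics(DOMAIN_A), flux_metrics(DOMAIN_B)
    for name, m in (("A", ma), ("B", mb), ("static", flux_metrics(STATIC))):
        print(name, len(m["pool"]), round(m["mean_turnover"], 2), looks_fast_flux(m))
    print("shared pool:", pool_overlap(ma["pool"], mb["pool"]))
```

A production check would also look up the network type of each address, since the report's other signal is that every node sat on a consumer ISP rather than a hosting provider.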
“Bottom line: This is a professional-grade fast-flux botnet, not an amateur setup,” the report said, adding that the operator controls at least 24 compromised hosts and uses them to hide infrastructure behind rotating residential IPs.
SRG’s focus on law firms has raised concern because legal organisations hold highly sensitive client data, including privileged communications, intellectual property, confidential legal documents and information related to ongoing lawsuits. Such data can be extremely damaging if leaked publicly, making law firms attractive targets for extortion groups.
The group’s attack methods include callback phishing, voice phishing and impersonation of IT support staff. In some cases, SRG has allegedly sent individuals into law firm offices posing as IT personnel to gain physical access to systems. The group also targets third-party vendors and supply chain partners to reach law firms indirectly.
Once inside a network, SRG focuses on stealing data rather than deploying encryption-based ransomware. This approach allows the group to bypass some of the protections organisations use against ransomware, such as backup restoration.
Resecurity said SRG operates a clearnet data leak site instead of relying only on Tor, which is more commonly used by ransomware gangs. The use of clearnet makes the site easier for victims, journalists and the public to access. This increases pressure on victims by making the threat of exposure more visible.
The group’s data leak site reportedly lists nearly 100 victim organisations as of June 2026. New victims were added at the beginning of the month, and Resecurity warned that more organisations may be targeted.
The report also identified another possible project linked to SRG called Spy Corporate, which emerged in May 2026. Resecurity said the domain spycorp[.]pro used a similar token-based mechanism and shared IPs with the original SRG fast-flux infrastructure, suggesting a direct connection.
Resecurity also noted that some IPs in the fast-flux infrastructure had previously been mapped to CVV Union, a carding shop, and Omerta, a dark web carding and cyberfraud forum associated with stolen payment card data, personally identifiable information and cash-out schemes.
The findings come months after cybersecurity agencies from the United States, United Kingdom, Australia, Canada and New Zealand issued a joint advisory warning that fast flux has become a national security concern. The advisory called for stronger cooperation between public and private sector organisations to disrupt such infrastructure.
Resecurity said SRG’s use of fast flux shows the group’s growing sophistication and underlines the need for law firms and other sensitive organisations to strengthen cybersecurity controls.
Security experts recommend that law firms train employees to identify phishing and vishing attempts, enforce multi-factor authentication, verify IT support requests through trusted channels, restrict physical access to systems, monitor third-party risk and maintain strong incident response plans.
The threat is particularly serious for the legal sector. Resecurity said law firms accounted for nearly a quarter of all ransomware-related incidents tracked in the first quarter of 2026, making the sector the fourth-most targeted industry.
For law firms, the risk is no longer limited to data encryption or operational disruption. Groups like SRG are using stolen information itself as leverage, turning confidentiality into a pressure point for extortion.