Researchers Expose ‘Silent Ransom’ Group Targeting Law Firms With Fake IT Support Calls

Resecurity says it is the first to map the rotating botnet that hides the extortion group's data-leak sites, and is calling on ISPs and DNS providers to help dismantle it.

Published on Jun 8, 2026

Resecurity has uncovered the Fast Flux network behind the Silent Ransom Group’s data-leak operation, mapping a botnet of compromised home internet connections that keeps the extortion crew’s infrastructure online and resistant to takedown.

The firm said it is the first to expose this infrastructure and is sharing the intelligence so ISPs and DNS providers can act.

Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753, has operated since at least 2022. Rather than encrypting data, it steals confidential files, then extorts victims with the threat of publication, hitting record-heavy sectors including legal, medical, and financial services.

Inside the Fast Flux Network

Fast Flux hides malicious servers behind a constantly rotating set of IP addresses, using short DNS record lifetimes so infrastructure cannot easily be blocked or seized.

Resecurity found two of the group’s domains rotated their records every two to three minutes, each query returning ten to eighteen addresses, every one traced to a residential or mobile connection on a consumer ISP rather than a datacenter.

Querying the network through dozens of resolvers while spoofing requests from fifty locations, the firm found every location received the same addresses, ruling out a content-delivery network and pointing to a single server rotating whichever infected devices were online.

The two domains shared more than half their addresses, confirming one operator ran both. The botnet spanned eighteen countries and twenty-two ISPs, mostly concentrated in Latin America, with the infected devices likely vulnerable home routers and modems.
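The indicators Resecurity describes above (very short TTLs, ten or more A records per answer, consumer networks rather than datacenters, identical answers from every vantage point, rotation over time, and a large shared address pool between the two domains) can be turned into a scoring routine for passive DNS data. The script below is an added example, not Resecurity's tooling or code from the article. The DNS observations, the domain names (`leak-a.example`, `leak-b.example`, `cdn.example`), the vantage labels and the address-to-network-type enrichment are all constructed; a real deployment would feed it resolver logs and an ASN feed. A conventional CDN name is included for contrast, since geo-routed answers that differ by vantage are the opposite of the single-server pattern the article reports.

```python
"""Score DNS observations for Fast Flux indicators.

Added example, not code from Resecurity or the article. All data below is
constructed (RFC 5737 documentation ranges); the indicators mirror those the
article describes: very short TTLs, many A records per answer, residential or
mobile source networks, identical answers at every vantage point, rotation
between queries, and a large shared address pool between two domains.
"""
from collections import defaultdict
from statistics import median

# Assumed enrichment: address -> network type (would come from an ASN feed).
NET_TYPE = {}


def _pool(prefix, n, kind):
    ips = [f"{prefix}.{i}" for i in range(1, n + 1)]
    for ip in ips:
        NET_TYPE[ip] = kind
    return ips


FLUX_POOL = _pool("203.0.113", 40, "residential")  # constructed infected-device pool
MOBILE_POOL = _pool("198.51.100", 10, "mobile")
CDN_POOL = _pool("192.0.2", 4, "datacenter")


def _rotating_answer(pool, rnd, size):
    # Deterministic slice of the pool that shifts every round, modelling a
    # single server handing out whichever bots are currently online.
    return tuple(pool[(rnd * 7 + i) % len(pool)] for i in range(size))


VANTAGES = ["us", "de", "br", "jp", "za"]  # constructed query locations
OBSERVATIONS = []  # (domain, round, vantage, ttl_seconds, answers)
for _rnd in range(6):
    ans_a = _rotating_answer(FLUX_POOL + MOBILE_POOL, _rnd, 12)
    ans_b = _rotating_answer(FLUX_POOL, _rnd + 3, 10)
    for _v in VANTAGES:
        OBSERVATIONS.append(("leak-a.example", _rnd, _v, 150, ans_a))
        OBSERVATIONS.append(("leak-b.example", _rnd, _v, 180, ans_b))
        # Ordinary CDN name: long TTL, few datacenter addresses, geo-dependent answer.
        geo = (CDN_POOL[VANTAGES.index(_v) % len(CDN_POOL)],)
        OBSERVATIONS.append(("cdn.example", _rnd, _v, 3600, geo))


def indicators(domain, obs=OBSERVATIONS, max_ttl=300, min_answers=8,
               min_consumer_share=0.8):
    """Evaluate each Fast Flux indicator for one domain; returns name -> bool."""
    rows = [o for o in obs if o[0] == domain]
    ttls = [o[3] for o in rows]
    sizes = [len(o[4]) for o in rows]

    by_round = defaultdict(set)        # round -> distinct answer tuples across vantages
    per_vantage = defaultdict(set)     # vantage -> distinct answer sets across rounds
    for _, rnd, vantage, _, answers in rows:
        by_round[rnd].add(answers)
        per_vantage[vantage].add(frozenset(answers))

    unique_ips = {ip for o in rows for ip in o[4]}
    consumer = sum(1 for ip in unique_ips
                   if NET_TYPE.get(ip) in ("residential", "mobile"))
    return {
        "short_ttl": median(ttls) <= max_ttl,
        "many_answers": median(sizes) >= min_answers,
        "consumer_networks": consumer / len(unique_ips) >= min_consumer_share,
        # Every vantage saw the same answer in a given round: one origin, not a CDN.
        "same_everywhere": all(len(s) == 1 for s in by_round.values()),
        # The same vantage saw different answer sets over time: active rotation.
        "rotates": any(len(s) > 1 for s in per_vantage.values()),
    }


def is_fast_flux(domain, **kw):
    return all(indicators(domain, **kw).values())


def shared_address_ratio(domain_a, domain_b, obs=OBSERVATIONS):
    """Jaccard overlap of the address pools observed behind two domains."""
    pool = defaultdict(set)
    for d, _, _, _, answers in obs:
        pool[d].update(answers)
    a, b = pool[domain_a], pool[domain_b]
    return len(a & b) / len(a | b) if a | b else 0.0


if __name__ == "__main__":
    for d in ("leak-a.example", "leak-b.example", "cdn.example"):
        print(d, "fast-flux" if is_fast_flux(d) else "normal", indicators(d))
    print("shared pool:", round(shared_address_ratio("leak-a.example", "leak-b.example"), 2))
```

The thresholds are deliberately parameters: the article's figures (records rotating every two to three minutes, ten to eighteen addresses per answer) fit comfortably inside the defaults, but an operator should tune them against their own resolver traffic, because a handful of legitimate services also use short TTLs with many answers. The address-overlap check is what lets two leak domains be attributed to a single operator rather than scored independently.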

Who It Hits, and How to Respond

According to Mandiant, which tracks the group as UNC3753, the crew impersonates IT support over the phone, using a pretext such as a system migration to convince employees to start a screen-sharing session and install remote-access tools, sidestepping email and perimeter defenses.

In cases corroborated by an FBI advisory, operatives have escalated to entering offices in person, posing as technicians to copy data onto USB drives.

Resecurity noted legal services made up nearly a quarter of ransomware-related incidents in early 2026, and that close to one hundred organizations now appear on the group’s leak site.

The Fast Flux finding is most actionable for ISPs and DNS providers, whose cooperation is needed to identify infected devices and disrupt the rotating infrastructure.

For law firms, Mandiant’s recommended defenses sit on the human side: verifying unexpected IT contact through a known internal channel, restricting remote-access tool installation, and watching document repositories for unusual bulk access.
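Of the three recommendations above, the last one, watching document repositories for unusual bulk access, is the one that can be automated against an audit log. The script below is an added example, not Mandiant's or the article's code. The audit lines, their `timestamp user action path` format, the user names and the per-user baselines are all constructed assumptions; a real document management system would export its own audit format and the baseline would be learned from history. It counts distinct documents a user opens inside a sliding window and raises an alert when that count is a multiple of that user's normal rate, which is the shape of activity a remote-access session copying out a matter's files would produce.

```python
"""Flag unusual bulk document access in a repository audit log.

Added example, not from Mandiant or the article. Log lines, their format
(`<ISO timestamp> <user> <action> <path>`), user names and baselines are
constructed; the detector counts distinct documents per user inside a sliding
window and compares the count with that user's assumed normal rate.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _constructed_lines():
    base = datetime(2026, 6, 1, 9, 0, 0)
    out = []
    # alice: ordinary work, one new document every twenty minutes.
    for i in range(3):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        out.append(f"{ts} alice OPEN /matters/1001/doc{i}.docx")
    # alice re-opens the same file: must not count as a new document.
    out.append(f"{(base + timedelta(minutes=1)).isoformat()} alice OPEN /matters/1001/doc0.docx")
    # bob: thirty distinct files in four minutes, as a bulk copy would look.
    for i in range(30):
        ts = (base + timedelta(seconds=8 * i)).isoformat()
        out.append(f"{ts} bob OPEN /matters/{2000 + i}/contract.pdf")
    return sorted(out)  # ISO timestamps sort lexicographically by time


AUDIT_LOG = _constructed_lines()

# Assumed baseline: typical distinct documents per ten-minute window, per user.
BASELINE = {"alice": 2, "bob": 3}


def parse(line):
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def bulk_access_alerts(lines, window=timedelta(minutes=10), factor=5, floor=15,
                       baseline=BASELINE):
    """Return one alert per user, raised the first time the number of distinct
    documents opened within `window` reaches max(floor, factor * baseline)."""
    recent = defaultdict(deque)  # user -> (timestamp, path) entries inside the window
    alerts = {}
    for line in lines:
        ts, user, action, path = parse(line)
        if action != "OPEN":
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        threshold = max(floor, factor * baseline.get(user, 1))
        if distinct >= threshold and user not in alerts:
            alerts[user] = {"at": ts, "distinct_docs": distinct, "threshold": threshold}
    return alerts


if __name__ == "__main__":
    for user, info in bulk_access_alerts(AUDIT_LOG).items():
        print(f"ALERT {user}: {info['distinct_docs']} distinct documents "
              f"(threshold {info['threshold']}) by {info['at'].isoformat()}")
```

The `floor` keeps a low-baseline user from alerting on a handful of opens, and the `factor` keeps a genuinely busy paralegal from alerting on a normal day; the alert fires on the first window that crosses the line so a responder is paged while the session is still in progress rather than after the copy has finished.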