SendTech Times
Cybersecurity | Analysis | June 8, 2026 at 12:34 PM

Silent Ransom Group Uses Fake IT Support Calls to Pressure Law Firms

Article summary

Silent Ransom Group is targeting U.S. law firms and professional services organizations with fake IT support calls, remote access tools and rapid data-theft extortion. Mandiant links the activity to UNC3753, Luna Moth and Chatty Spider, while the FBI has warned of related social engineering and in-person theft attempts.

Image source: BleepingComputer

Fake help desks put law-firm data at the center of the attack

Silent Ransom Group is using fake IT support calls to target U.S. law firms and professional services organizations, with Mandiant warning that data theft can follow within hours of the first contact.

The campaign is significant because the group is not relying on a conventional ransomware detonation.

Its pressure point is the legal sector’s concentration of sensitive client files and the reputational cost of a public data leak.

Mandiant tracks the actor as UNC3753 and also links it to the names Luna Moth and Chatty Spider.

The activity described in the report spans January to May 2026 and includes dozens of organizations across legal, financial and professional services.

The FBI also issued a FLASH advisory last week warning that U.S. law firms were being targeted through social engineering and in-person data theft attempts.

The intrusion starts with a benign-looking email and a voice call

The initial lure is deliberately low on malware indicators.

Attackers send invoice-themed phishing emails from consumer email accounts, but the messages do not carry malicious links or attachments.

Their role is to prepare the victim for a follow-up phone call in which the attacker impersonates corporate IT staff.

That callback model is familiar from BazarCall campaigns previously tied to Ryuk and Conti ransomware operations.

In this campaign, the attacker pushes the employee into a remote support session through Microsoft Teams, Zoom, Quick Assist or Microsoft Terminal Services.

During the session, the attacker steers the employee toward installing legitimate remote administration software.

The named tools include AnyDesk, Zoho Assist, Bomgar and SuperOps, and the installation gives the actor initial access without needing to defeat endpoint defenses through a malicious attachment.

Remote support tools become the path to legal files

Once inside, the group looks for sensitive legal and financial material.

The source lists contracts, tax records, Social Security numbers, merger and acquisition files, document management platforms and cloud storage repositories as targets.

Exfiltration is commonly performed with tools such as WinSCP or Rclone.

Mandiant also found phishing domains that imitate internal IT portals and use naming patterns designed to look like corporate help-desk infrastructure.

The group uses privnote[.]com to pass installation links and commands during support sessions.

Because the service destroys messages, the method can reduce evidence left in browser histories or corporate chat logs.
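The chain described above (a remote administration tool installed during a support call, then WinSCP or Rclone on the same machine) can be hunted for in process-creation logs. The sketch below is an added example, not code from Mandiant, the FBI or the source report; the event fields, the name fragments used to recognise each tool, the approved-tool list and the four-hour window are all assumptions to adapt to local telemetry.

```python
from datetime import datetime, timedelta

# Name fragments are assumptions derived from the tool names in the article;
# tune them to the image names your EDR or process-creation logs record.
REMOTE_TOOLS = ("anydesk", "zoho", "bomgar", "superops")
TRANSFER_TOOLS = ("winscp", "rclone")

def _match(image, fragments):
    """Return the first fragment found in the executable's file name."""
    name = image.lower().rsplit("\\", 1)[-1]
    return next((f for f in fragments if f in name), None)

def correlate(events, approved=(), window=timedelta(hours=4)):
    """Flag unapproved remote-access tools, escalating when a file-transfer
    tool starts on the same host within `window` afterwards."""
    findings = []
    last_remote = {}  # host -> index in findings of the latest remote-tool hit
    for ev in sorted(events, key=lambda e: e["time"]):
        tool = _match(ev["image"], REMOTE_TOOLS)
        if tool and tool not in approved:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "remote_tool": tool, "time": ev["time"],
                             "severity": "medium", "transfer_tool": None})
            last_remote[ev["host"]] = len(findings) - 1
            continue
        xfer = _match(ev["image"], TRANSFER_TOOLS)
        idx = last_remote.get(ev["host"])
        if xfer and idx is not None:
            hit = findings[idx]
            if ev["time"] - hit["time"] <= window:
                hit["severity"], hit["transfer_tool"] = "high", xfer
    return findings

# Constructed process-creation events (not taken from any real incident).
T0 = datetime(2026, 1, 15, 10, 0)
SAMPLE_EVENTS = [
    {"time": T0, "host": "WS-101", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"time": T0 + timedelta(minutes=40), "host": "WS-101", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe"},
    {"time": T0, "host": "WS-202", "user": "itadmin",
     "image": r"C:\Program Files\Bomgar\bomgar-scc.exe"},
    {"time": T0 + timedelta(hours=9), "host": "WS-303", "user": "asmith",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS, approved=("bomgar",)):
        print(finding)
```

A transfer tool on its own (WS-303 in the sample) is not flagged, since WinSCP and Rclone have routine uses; the signal is the pairing with a remote tool the firm has not sanctioned.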

Extortion moves quickly after the theft

The operational tempo is one of the clearest warnings for law firms.

Mandiant says ransom demands often arrive within 30 minutes after the attackers leave a victim environment.

The letters give the organization a three-day deadline to respond and start negotiations.

If the victim does not engage, the actor threatens to contact employees and external clients directly.

The letters emphasize client trust, regulatory exposure and the possibility that clients could sue over data mishandling.

That pressure is tailored to legal services, where client confidentiality and deal files can be more damaging than downtime.

In-person theft remains an unresolved but connected risk

The FBI advisory adds another route: attackers impersonating IT staff by phone or email may try to visit offices physically to image computers or create backups while stealing files.

Mandiant said forensic evidence is limited, but it views the in-person activity as likely connected to UNC3753 because the targeting, timelines and behavior match.

Silent Ransom Group has been active since at least 2022, after earlier links to the Ryuk and Conti cybercrime ecosystem.

The group later shifted toward standalone data-theft extortion, where stolen information becomes the leverage instead of encrypted systems.

A separate Resecurity report says the gang is also using fast-flux infrastructure and residential IP addresses across multiple regions to protect data-leak platforms.

Defenses focus on verification and remote-access control

The practical response is not limited to email filtering.

Mandiant and the FBI recommend strict verification for IT support interactions, tighter control over remote access tools, MFA enforcement, USB storage restrictions and employee training against voice phishing.

For law firms and professional services organizations, the watchpoint is whether support workflows can prove the caller’s identity before a remote session begins.

The source does not confirm every in-person case as UNC3753, but it does show that the group’s current playbook combines voice-led social engineering, legitimate remote tools, rapid file theft and pressure tactics designed for high-value client data.
