ctipilot.ch

FBI FLASH CSA 260526

campaign · campaign:fbi-flash-csa-260526-silent-ransom-group-physical-usb-attacks-us-law-firms

FBI FLASH CSA 260526 — Silent Ransom Group / Luna Moth / UNC3753 sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails

Coverage timeline
1
first 2026-05-28 → last 2026-05-28
Entries
1
1 distinct days
Sources cited
3
3 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-05-28FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
    active-threatsFBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social

Where this entity is cited

  • active-threats1

Source distribution

  • cyberscoop.com1 (33%)
  • helpnetsecurity.com1 (33%)
  • therecord.media1 (33%)

Entries about FBI FLASH CSA 260526 (1)

2026-05-28 · view entry permalink →

FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails

notable threat discovered 2026-05-28 05:00 UTC

The FBI issued CSA 260526 on 2026-05-26 warning that Silent Ransom Group (SRG; tracked variously across cited sources as Luna Moth, Chatty Spider and UNC3753, with the Storm-0252 designation specifically referenced by CyberScoop) — a Russia-linked extortion-only gang that does not deploy ransomware — has escalated its campaign against US law firms by physically sending operatives into victim offices impersonating IT support when remote access attempts fail (CyberScoop, 2026-05-27; The Record, 2026-05-27; Help Net Security, 2026-05-27). The kill chain begins with callback phishing — an email or call pretexting urgent IT support with a callback number; on the call, the actor attempts to establish a remote desktop session. If the target resists, an associate physically visits the office and attempts to insert a USB storage device into a workstation. CyberScoop, citing the FBI, reports the group has claimed more than 100 attacks.

ransomware organized-crime phishing insider-threat russia-nexus us europe