FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
From CTI Daily Brief — 2026-05-28 · published 2026-05-28
The FBI issued CSA 260526 on 2026-05-26 warning that Silent Ransom Group (SRG; tracked variously across cited sources as Luna Moth, Chatty Spider and UNC3753, with the Storm-0252 designation specifically referenced by CyberScoop) — a Russia-linked extortion-only gang that does not deploy ransomware — has escalated its campaign against US law firms by physically sending operatives into victim offices impersonating IT support when remote access attempts fail (CyberScoop, 2026-05-27; The Record, 2026-05-27; Help Net Security, 2026-05-27). The kill chain begins with callback phishing — an email or call pretexting urgent IT support with a callback number; on the call, the actor attempts to establish a remote desktop session. If the target resists, an associate physically visits the office and attempts to insert a USB storage device into a workstation. CyberScoop, citing the FBI, reports the group has claimed more than 100 attacks.
Defender takeaway: the in-person USB tactic is operationally unusual — it requires geographic proximity and a credible IT impersonation persona, which suggests SRG maintains a roster of field operatives in US cities. European law firms with US counterpart offices or US client matters should treat themselves as in scope.
Detection: correlate USB-device-insertion events (Windows Security EID 6416 / Sysmon EID 6) on workstations with a callback-phishing precursor in mail-security telemetry and with an unfamiliar visitor in physical access logs; flag remote-desktop session initiation by non-IT accounts (EID 4624 Logon Type 10).
Hardening: enforce Conditional Access requiring a compliant / managed device for all remote-desktop pathways; disable USB mass-storage on user endpoints via Device Installation policy or EDR enforcement; require second-person authorisation at reception for any visitor claiming IT support.
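
The correlation described under Detection, sketched as an added example (not code from the FBI advisory or from this brief). The normalised event schema, the field names, the `IT_ACCOUNTS` allow-list and the 72-hour look-back window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

IT_ACCOUNTS = {"svc-helpdesk"}   # assumption: accounts expected to open RDP sessions
WINDOW = timedelta(hours=72)     # assumption: look-back window for precursor events

# Constructed sample telemetry, normalised to one schema (all values are made up).
EVENTS = [
    {"ts": "2026-05-20T09:12", "src": "mail", "kind": "callback_phish", "user": "jdoe", "site": "NYC"},
    {"ts": "2026-05-20T10:03", "src": "win", "eid": 4624, "logon_type": 10,
     "user": "jdoe", "host": "WS-114", "site": "NYC"},
    {"ts": "2026-05-21T14:40", "src": "badge", "kind": "unknown_visitor", "site": "NYC"},
    {"ts": "2026-05-21T14:55", "src": "win", "eid": 6416, "user": "jdoe", "host": "WS-114", "site": "NYC"},
    {"ts": "2026-05-22T08:30", "src": "win", "eid": 6416, "user": "asmith", "host": "WS-201", "site": "CHI"},
    {"ts": "2026-05-22T11:00", "src": "win", "eid": 4624, "logon_type": 10,
     "user": "svc-helpdesk", "host": "WS-201", "site": "CHI"},
]

def ts(event):
    return datetime.fromisoformat(event["ts"])

def preceded_by(event, events, **match):
    """True if an event with all `match` fields occurred within WINDOW before `event`."""
    return any(
        timedelta(0) <= ts(event) - ts(p) <= WINDOW
        and all(p.get(k) == v for k, v in match.items())
        for p in events
    )

def correlate(events):
    """Return (timestamp, host, event id, reasons) for endpoint events worth triage."""
    alerts = []
    for e in events:
        if e.get("src") != "win":
            continue
        reasons = []
        if e["eid"] == 4624 and e.get("logon_type") == 10 and e["user"] not in IT_ACCOUNTS:
            reasons.append("rdp_logon_non_it_account")
        elif e["eid"] == 6416:
            # A bare 6416 is too common to alert on; require a precursor.
            if preceded_by(e, events, kind="callback_phish", user=e["user"]):
                reasons.append("callback_phish_precursor")
            if preceded_by(e, events, kind="unknown_visitor", site=e["site"]):
                reasons.append("unfamiliar_visitor_on_site")
        if reasons:
            alerts.append((e["ts"], e["host"], e["eid"], reasons))
    return alerts
```
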