HackMyIP
2026-06-07 BleepingComputer

Silent Ransom Group Targets Law Firms With Fake IT Support Calls

Phishing · Threat Intel · Data Breach

The Silent Ransom Group, tracked by Mandiant as UNC3753 (also known as Luna Moth and Chatty Spider), is actively targeting U.S. law firms and professional services organizations with callback phishing attacks that have led to data theft within hours of initial contact. Between January and May 2026, the threat actor hit dozens of organizations across the legal, financial, and professional services sectors, according to a new Mandiant report that expands on a recent FBI FLASH advisory. Legal firms remain especially attractive targets because they store large volumes of highly sensitive client transaction files, M&A plans, trade secrets, and regulatory filings, and may be pressured to resolve extortion incidents quietly to protect their professional standing.

The intrusions begin with invoice-themed phishing emails sent from consumer email accounts, containing no malicious links or attachments. These emails serve solely as a precursor for follow-up phone calls in which attackers impersonate corporate IT help desk staff, a callback phishing technique previously tied to BazarCall campaigns associated with Ryuk and Conti ransomware operations. During the calls, the actors convince employees to join remote support sessions via Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services, then trick them into installing remote monitoring and management (RMM) tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps, granting the threat actors initial access to the corporate network. Researchers also identified phishing domains impersonating internal IT portals using naming patterns like -itdesk[.]com, -it[.]com, and -helpdesk[.]com, which can be investigated with a WHOIS lookup.

To exfiltrate data covertly, the Silent Ransom Group has been observed using privnote[.]com, a self-destructing messaging service, to share stolen information with victims as proof of compromise. Because the attacks rely entirely on social engineering and legitimate remote access tools rather than exploits or malware payloads, traditional endpoint detection often fails to flag the initial intrusion. Security teams are advised to audit exposed remote access endpoints using a port scanner, enforce strict verification procedures for any unsolicited IT support calls, and restrict the installation of unauthorized RMM software.
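The two indicators above that lend themselves to log-based detection are the lookalike IT-portal domains (registrable names ending in -itdesk, -it or -helpdesk) and the installation of RMM tools the firm never approved. The following Python is an added example, not code from BleepingComputer, Mandiant or the FBI: it scans constructed DNS-query and process-creation log lines for both. The log layouts, the sample hostnames and paths (example-law.com stands in for the firm's own domain), and the file-name tokens used to recognise AnyDesk, Zoho Assist, Bomgar and SuperOps are all assumptions made for the example; only the domain suffixes and tool names come from the report.

```python
"""Flag two indicators from the Silent Ransom Group report in constructed logs:
lookalike IT-portal domains (*-itdesk, *-it, *-helpdesk) and launches of RMM
tools that the organization has not approved."""
import re
from typing import Iterable, List, Tuple

# Registrable-label suffixes of the impersonating IT-portal domains (from the report).
IT_PORTAL_SUFFIXES = ("-itdesk", "-it", "-helpdesk")

# RMM tools named in the report, keyed by a lower-case token expected in the
# installer or process file name. The tokens are matching assumptions, not IoCs.
RMM_TOKENS = {
    "anydesk": "AnyDesk",
    "zohoassist": "Zoho Assist",
    "bomgar": "Bomgar",
    "superops": "SuperOps",
}

# Constructed log layouts for this example: "<ts> <client-ip> <qname> <qtype>" and
# "<ts> <hostname> <user> <image path>". Real sources (DNS resolver, EDR) differ.
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")
PROC_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<image>.+)$")


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot, and undo the [.] defanging used in reports."""
    return host.strip().lower().rstrip(".").replace("[.]", ".")


def is_lookalike_it_portal(host: str, corporate_domains: Iterable[str] = ()) -> bool:
    """True when the label left of the TLD ends with an IT-portal suffix and the
    host is not under one of the organization's own domains."""
    host = normalize_host(host)
    labels = host.split(".")
    if len(labels) < 2:
        return False
    own = {normalize_host(d) for d in corporate_domains}
    if any(host == d or host.endswith("." + d) for d in own):
        return False
    # Assumes a single-label TLD; a production check would consult the public suffix list.
    return labels[-2].endswith(IT_PORTAL_SUFFIXES)


def scan_dns_log(lines: Iterable[str], corporate_domains: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, domain) for every query to a lookalike IT-portal domain."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if m and is_lookalike_it_portal(m["qname"], corporate_domains):
            hits.append((m["ts"], m["client"], normalize_host(m["qname"])))
    return hits


def scan_process_log(lines: Iterable[str], approved_rmm: Iterable[str] = ()) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, host, user, product) for RMM launches outside the approved set."""
    approved = {p.lower() for p in approved_rmm}
    hits = []
    for line in lines:
        m = PROC_LOG_RE.match(line.strip())
        if not m:
            continue
        exe = re.split(r"[\\/]", m["image"].strip().lower())[-1]  # file name only
        for token, product in RMM_TOKENS.items():
            if token in exe and product.lower() not in approved:
                hits.append((m["ts"], m["host"], m["user"], product))
                break
    return hits


# Constructed sample entries; example-law.com stands in for the firm's own domain.
SAMPLE_DNS_LOG = [
    "2026-03-12T14:02:11Z 10.20.4.17 portal.example-law.com A",
    "2026-03-12T14:02:45Z 10.20.4.17 example-law-itdesk.com A",
    "2026-03-12T14:03:02Z 10.20.4.31 docs.example.net A",
    "2026-03-12T14:05:19Z 10.20.4.22 examplelaw-helpdesk.com AAAA",
    "2026-03-12T14:06:40Z 10.20.4.22 it.example-law.com A",
    "2026-03-12T14:07:03Z 10.20.4.40 summit.example.org A",
    "2026-03-12T14:08:27Z 10.20.4.17 example-it.com A",
]
SAMPLE_PROCESS_LOG = [
    r"2026-03-12T14:09:40Z WS-LEGAL-07 jdoe C:\Users\jdoe\Downloads\AnyDesk.exe",
    r"2026-03-12T14:10:02Z WS-LEGAL-07 jdoe C:\Program Files\Example Docs\docviewer.exe",
    r"2026-03-12T14:12:55Z WS-LEGAL-12 asmith C:\Users\asmith\AppData\Local\Temp\ZohoAssist_Setup.exe",
    r"2026-03-12T14:15:21Z WS-IT-02 helpdesk1 C:\Program Files\Bomgar\bomgar-client.exe",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, corporate_domains=("example-law.com",)):
        print("lookalike IT portal queried:", hit)
    for hit in scan_process_log(SAMPLE_PROCESS_LOG, approved_rmm=("Bomgar",)):
        print("unapproved RMM launch:", hit)
```

The domain check deliberately tests only the registrable label, so a legitimate hostname such as it.example-law.com or a word that merely ends in "it" (summit, credit) is not flagged, while the firm's own domains are excluded by an allowlist. The process check treats an RMM product as suspicious only when it is absent from the approved set, which matches the advice to restrict unauthorized RMM software rather than to block remote support outright; the same two-line-format parsers can be pointed at real resolver and EDR exports once the regexes are adapted.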

Organizations should also review their exposure to social engineering by running a privacy checkup and ensuring that employees cannot be added to unsolicited Teams or Zoom sessions by external parties. Mandiant and the FBI recommend that any law firm receiving suspicious invoice emails followed by unexpected IT support calls immediately isolate affected endpoints, revoke active remote sessions, and preserve logs for incident response review.

Source: BleepingComputer
