FBI Warns Silent Ransom Group Is Walking Into Law Firm Offices to Steal Data
The FBI issued a fresh flash alert warning that Silent Ransom Group — also known as Luna Moth, Chatty Spider, and UNC3753 — has escalated its campaign against U.S. law firms by physically sending operatives into offices posing as IT support staff, inserting storage devices into computers to exfiltrate data after remote social engineering attempts fail. The group doesn’t deploy ransomware or encrypt files, leaving no obvious indicators of compromise; instead it steals data silently and demands payment under threat of publishing it on a clearnet leak site, with more than 38 firms already listed and researchers estimating the actual attack count exceeds 100. Law firms should brief front desk and IT staff on the physical impersonation tactic, tighten remote desktop session approval workflows, and treat unsolicited in-person IT visits with the same skepticism as phishing emails.
MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries
Iran-linked MuddyWater compromised at least nine organizations across nine countries on four continents in Q1 2026, targeting industrial and electronics manufacturing, education, public-sector bodies, financial services, and professional services by DLL side-loading malicious code through legitimately signed Fortemedia and SentinelOne binaries. Victims included a major South Korean electronics manufacturer where attackers spent a week undetected, an international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial services provider. The abuse of signed, trusted binaries to masquerade as benign software makes this campaign particularly difficult to detect with signature-based controls, and organizations should prioritize behavioral monitoring and anomaly detection over reliance on binary trust alone.
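The item above recommends behavioral monitoring over binary trust. The following is an added example, not code from the reporting or from any vendor named in it, showing what that looks like in practice: a small scoring heuristic run over image-load telemetry that flags a signed executable loading an unsigned library from its own directory under a well-known system DLL name. The event schema, the file paths and the vendor-like names are constructed sample values, not indicators from the campaign.

```python
"""Added example (not from the news item or any vendor): a heuristic that
flags likely DLL side-loading in constructed image-load telemetry.

Assumptions (hypothetical): each event is a dict with the process image
path, the loaded DLL path, and whether that DLL carried a valid
Authenticode signature. All paths and names below are made-up samples."""

from pathlib import PureWindowsPath
from typing import Iterable

# Directories the OS is expected to serve system libraries from. A library
# with a system-like name loaded from anywhere else is the core signal.
TRUSTED_DLL_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Library names commonly used as sample values here; the real list would be
# built from the environment's own baseline of system-directory exports.
KNOWN_SYSTEM_DLLS = frozenset({"version.dll", "wtsapi32.dll", "dbghelp.dll"})

# Constructed telemetry. Rows 1-2 are benign (system DLL from System32, a
# vendor's own signed helper next to its signed executable). Rows 3-4 mimic
# the pattern in the article: a signed host binary dropped in a
# user-writable location loading an unsigned DLL that sits beside it.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\notepad.exe",
     "dll": r"C:\Windows\System32\version.dll", "dll_signed": True},
    {"process": r"C:\Program Files\ExampleVendor\agent.exe",
     "dll": r"C:\Program Files\ExampleVendor\helper.dll", "dll_signed": True},
    {"process": r"C:\Users\Public\Music\signed_vendor_tool.exe",
     "dll": r"C:\Users\Public\Music\version.dll", "dll_signed": False},
    {"process": r"C:\ProgramData\cache\signed_edr_helper.exe",
     "dll": r"C:\ProgramData\cache\wtsapi32.dll", "dll_signed": False},
]


def _parent_dir(path: str) -> str:
    """Normalized (lower-cased) parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def _file_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def sideload_score(event: dict, known_system_dlls=KNOWN_SYSTEM_DLLS) -> int:
    """Return a 0-3 score; higher means the load looks more like side-loading.

    Each signal on its own is common in benign software (vendors do ship DLLs
    beside their executables), so the signals are combined rather than
    alerting on any one of them."""
    proc_dir = _parent_dir(event["process"])
    dll_dir = _parent_dir(event["dll"])
    dll_name = _file_name(event["dll"])
    score = 0
    # 1. DLL resolved from the executable's own directory, not a system dir.
    if dll_dir == proc_dir and dll_dir not in TRUSTED_DLL_DIRS:
        score += 1
    # 2. Name collides with a known system DLL but was not loaded from one.
    if dll_name in known_system_dlls and dll_dir not in TRUSTED_DLL_DIRS:
        score += 1
    # 3. The loaded library is unsigned; the signed host lends it no trust.
    if not event["dll_signed"]:
        score += 1
    return score


def find_suspicious(events: Iterable[dict], threshold: int = 2) -> list:
    """Events whose combined score reaches the threshold."""
    return [e for e in events if sideload_score(e) >= threshold]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"score={sideload_score(hit)} {hit['process']} -> {hit['dll']}")
```

On the constructed sample the two side-loading rows score 3 and the vendor's own helper library scores 1, which is the point of combining signals: loading a DLL from the application directory is ordinary behavior, while loading an unsigned DLL that carries a system library's name from a user-writable directory is not. In a real deployment the known-DLL list and the threshold would be tuned against the environment's own baseline.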
Ghost Stadium and 4,300 Fake FIFA World Cup Domains Put Fans at Risk
Group-IB identified more than 4,300 fraudulent domains impersonating FIFA’s official web presence — most sitting dormant and ready to activate as the 2026 World Cup approaches — with a Chinese-speaking threat actor tracked as Ghost Stadium operating more than 300 phishing sites built on a single kit that reproduces FIFA’s login flow so convincingly it pulls logos and images directly from FIFA’s own content delivery network to evade detection. The broader campaign spans six fraud schemes and four independent threat actor groups simultaneously working the same event, with around 2,500 stolen FIFA credentials already trading on dark-web markets and Group-IB estimating premium ticket fraud alone could cost victims between $71 million and $474 million. Fans should buy tickets and hospitality packages exclusively through official FIFA channels, treat any deal sourced through social media or search results with extreme skepticism, and avoid entering credentials on any site that wasn’t navigated to directly.
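The kit described above pulls logos and images straight from the brand's own CDN, which gives the brand owner a detection signal: those requests arrive with a Referer header naming the phishing page. The following is an added example, not code from Group-IB or FIFA, that parses CDN access logs in combined log format and counts asset requests whose Referer host is not the official domain. The log lines and every hostname in them are constructed placeholders.

```python
"""Added example (not from Group-IB or FIFA): spotting phishing pages that
hot-link a brand's assets by examining the Referer in CDN access logs.

Assumptions (hypothetical): the CDN writes Apache/Nginx combined log format,
and "example-official.test" stands in for the brand's real apex domain."""

import re
from collections import Counter
from urllib.parse import urlsplit

# Placeholder for the brand's own apex domain; subdomains of it are official.
OFFICIAL_APEX = "example-official.test"

# Combined log format:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample. Lines 2-3 come from a lookalike host embedding the
# brand's logo and hero image; line 4 has no referer (direct fetch).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /brand/logo.svg HTTP/1.1" 200 5120 "https://www.example-official.test/en/tickets" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2026:12:00:02 +0000] "GET /brand/logo.svg HTTP/1.1" 200 5120 "https://login-example-official.test/signin" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2026:12:00:03 +0000] "GET /brand/hero.jpg HTTP/1.1" 200 88211 "https://login-example-official.test/signin" "Mozilla/5.0"
203.0.113.13 - - [10/Mar/2026:12:00:04 +0000] "GET /brand/logo.svg HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.14 - - [10/Mar/2026:12:00:05 +0000] "GET /brand/logo.svg HTTP/1.1" 200 5120 "https://tickets.example-official.test/cart" "Mozilla/5.0"
"""


def is_official(host: str, apex: str = OFFICIAL_APEX) -> bool:
    """True only for the apex itself or a real subdomain of it.

    The suffix check includes the dot on purpose: 'login-example-official.test'
    ends with 'example-official.test' but is not a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def referer_host(referer: str):
    """Hostname from a Referer value, or None when absent ('-' or empty)."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def hotlink_report(lines) -> dict:
    """Count asset requests per non-official Referer host.

    Returns {'foreign': Counter(host -> requests), 'no_referer': int,
    'unparsed': int}. Requests without a Referer are counted, not flagged,
    because browsers strip it under strict Referrer-Policy settings."""
    foreign = Counter()
    no_referer = 0
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        host = referer_host(m.group("referer"))
        if host is None:
            no_referer += 1
        elif not is_official(host):
            foreign[host] += 1
    return {"foreign": foreign, "no_referer": no_referer, "unparsed": unparsed}


if __name__ == "__main__":
    report = hotlink_report(SAMPLE_LOG.splitlines())
    for host, n in report["foreign"].most_common():
        print(f"{n:6d}  {host}")
    print(f"no referer: {report['no_referer']}, unparsed: {report['unparsed']}")
```

Run over the constructed log this reports two requests from the lookalike host and one request with no Referer. The no-Referer bucket matters in practice: a kit can also serve copied assets or set a Referrer-Policy that suppresses the header, so an empty Referer is noise rather than a clean signal, and a host that does show up is a lead for the takedown process the article describes, not a verdict on its own.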
Glassworm Botnet Disrupted After Takedown of Blockchain and BitTorrent C2 Infrastructure
CrowdStrike, Google, and The Shadowserver Foundation simultaneously took down all four command-and-control channels used by the Glassworm botnet, which had been targeting software developers via malicious VS Code and OpenVSX extensions since October 2025 before expanding into GitHub repositories, npm packages, and PyPI projects — compromising more than 400 software artifacts in a single March 2026 wave. What made Glassworm unusually resilient was its use of the Solana blockchain to encode C2 addresses in immutable transaction memo fields, with Google Calendar and BitTorrent DHT as fallback channels — a layered design specifically engineered to survive conventional takedown attempts. The disruption cuts off operator access to infected machines and halts fresh payload delivery, but developers who installed affected extensions should still rotate GitHub and npm credentials and audit any code published during the infection window for signs of tampering.
Dutch authorities arrested two men and seized 800 servers tied to a hosting provider that investigators say enabled Russian cyberattacks, disinformation campaigns, and economic disruption operations, with the arrests stemming from alleged violations of EU sanctions laws for making economic resources available to sanctioned entities including Stark Industries. The seized infrastructure underpinned DDoS attacks attributed to Russia-aligned groups including NoName057(16) against EU targets, and the physical hosting layer was supplied by Dutch firm Mirhosting, which routed Stark’s traffic into major European internet exchanges in Amsterdam and Frankfurt. The action is notable for targeting the enabling infrastructure layer rather than just the hackers themselves — a strategy that raises the operational cost for state-linked actors who depend on Western hosting providers to disguise the origin of their attacks.