Law Practice/Law Firms
Breach intelligence, attack campaigns, and threat reports targeting the Law Practice/Law Firms sector.
Law Practice/Law Firms Threat Reports
'Lorem Ipsum' Malware Shifts to ClickFix Delivery in 2026
In May 2026, the operators of the 'Lorem Ipsum' malware campaign switched from Trojanized Microsoft Teams installers to ClickFix lures hosted on compromised WordPress sites. The shift followed Microsoft's takedown of the Fox Tempest infrastructure, which had supplied the attackers with fraudulently obtained Microsoft Trusted Signing certificates. The new delivery chain shows visitors a fake browser update notice that instructs them to run a PowerShell command themselves; no browser exploit is involved, and the command silently installs the malware. Because every visitor to a compromised site sees the lure, the potential victim pool is far larger than it was with the signed installers. The 'Lorem Ipsum' campaign is now assessed to be linked to the Vice Society ransomware group, also tracked as Rapid Brigantine or Vanilla Tempest. Vice Society has a history of targeting education, healthcare, and manufacturing with double extortion, encrypting data and threatening to leak it unless a ransom is paid. The speed with which the group replaced a disrupted delivery method is a reminder that takedowns buy time rather than ending a campaign, and that defences need to cover user-executed commands as well as signed binaries.
1 week ago
Kill Chain
NSO Group's Continued Targeting of WhatsApp Users Despite Legal Prohibitions
In June 2026, WhatsApp identified and disrupted a spear-phishing campaign linked to the NSO Group, a spyware firm previously barred by a court order from targeting WhatsApp users. The attackers attempted to deceive users into clicking malicious links leading to external websites, aiming to install spyware on their devices. This incident follows a 2019 campaign where NSO exploited a WhatsApp vulnerability to target approximately 1,400 users, leading to a lawsuit and a permanent injunction against NSO. ([techcrunch.com](https://techcrunch.com/2026/06/08/whatsapp-says-it-caught-new-spyware-attacks-linked-to-nso-group-in-violation-of-court-order/?utm_source=openai)) The recurrence of such attacks underscores the persistent threat posed by spyware firms and highlights the challenges in enforcing legal restrictions against them. Organizations must remain vigilant and proactive in defending against sophisticated phishing and spyware campaigns that continue to evolve despite legal deterrents.
2 weeks ago
Kill Chain
Silent Ransom Group's Bold Tactics: A Wake-Up Call for Law Firms
Between January and May 2026, the Silent Ransom Group (SRG), also known as UNC3753, targeted numerous U.S. law firms through a sophisticated data theft extortion campaign. The attackers employed a combination of voice phishing (vishing), social engineering, and physical office intrusions. Initially, they contacted employees via phone calls or phishing emails, posing as IT support to gain remote access. If these attempts failed, SRG operatives visited offices in person, impersonating IT staff to physically access systems and exfiltrate sensitive data using USB drives or external hard drives. The stolen data included contracts, personal information, and financial records, which were then used to extort victims under the threat of public disclosure. ([darkreading.com](https://www.darkreading.com/cyberattacks-data-breaches/silent-ransom-us-law-firms-extortion-attacks?utm_source=openai)) This incident underscores a concerning evolution in cybercriminal tactics, blending traditional social engineering with physical infiltration. The legal sector, handling highly sensitive client information, remains a prime target. Organizations must enhance their security protocols, including employee training on social engineering, stringent verification processes for IT support requests, and robust physical security measures to prevent unauthorized access.
2 weeks ago
Kill Chain
UNC3753's 2026 Data Theft Campaign: A Blend of Vishing and Physical Intrusions
Between January and May 2026, the threat actor UNC3753, also known as Chatty Spider, Luna Moth, and Silent Ransom Group (SRG), targeted numerous U.S. organizations in the professional, legal, and financial sectors. Utilizing voice phishing (vishing) and social engineering tactics, they impersonated IT support to gain remote access via screen-sharing sessions and remote monitoring tools. In some cases, attackers physically infiltrated offices, posing as IT technicians to exfiltrate data using USB devices. Stolen information included proprietary legal agreements, personally identifiable information (PII), and financial records. The group rapidly demanded ransoms, threatening to publish the stolen data if payments were not made promptly. This incident underscores the evolving tactics of cybercriminals, combining traditional social engineering with physical intrusion methods. The rapid execution of these attacks, often completed within a single business day, highlights the need for organizations to enhance their security awareness training and implement robust verification processes for IT support interactions.
2 weeks ago
Kill Chain
Silent Ransom Group Exploits Law Firms with Sophisticated Social Engineering Attacks
In early 2026, the Silent Ransom Group (SRG), also known as Luna Moth and Chatty Spider, targeted U.S. law firms and professional services organizations through sophisticated social engineering attacks. The group initiated contact via invoice-themed phishing emails, followed by phone calls impersonating corporate IT staff. They convinced employees to join remote support sessions, leading to the installation of remote monitoring tools like AnyDesk and Zoho Assist, granting attackers access to sensitive legal and financial documents. Data exfiltration was conducted using tools such as WinSCP and Rclone, with ransom demands issued within 30 minutes of the attackers' departure. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/silent-ransom-group-targets-law-firms-with-fake-it-support-calls/?utm_source=openai)) This incident underscores a concerning trend of cybercriminals employing direct social engineering tactics, including in-person impersonation, to infiltrate organizations. The rapid escalation from initial contact to data theft and extortion highlights the need for enhanced employee training and robust verification procedures to counter such evolving threats. ([techcrunch.com](https://techcrunch.com/2026/06/05/google-and-fbi-warn-of-ransomware-group-that-sends-fake-it-workers-to-hack-victims-in-person/?utm_source=openai))
2 weeks ago
Kill Chain
DriveSurge: Massive Website Compromise Leads to Widespread Malware Distribution
In June 2026, the DriveSurge operation was uncovered, revealing a sophisticated cybercriminal campaign that compromised thousands of legitimate websites to deliver malware through ClickFix and FakeUpdate attacks. Utilizing the zTDS traffic distribution system, attackers redirected unsuspecting visitors to malicious sites, leading to the installation of backdoors and other malware. This operation functioned as an initial access broker, selling system access to other threat actors for various malicious activities. The campaign targeted both Windows and macOS users and remained undetected for nearly a year, highlighting the evolving tactics of cybercriminals. The DriveSurge incident underscores the increasing complexity and scale of cyberattacks, emphasizing the need for organizations to enhance their cybersecurity measures. The use of trusted websites to distribute malware indicates a shift towards more deceptive and widespread attack vectors, making it imperative for businesses to implement robust security protocols and user education to mitigate such threats.
3 weeks ago
Kill Chain
Silent Ransom Group's In-Person Data Theft Tactics Target Law Firms
In May 2026, the FBI issued a warning about the Silent Ransom Group (SRG), a Russia-linked extortion gang targeting U.S. law firms. SRG employs sophisticated social engineering tactics, including impersonating IT support staff via phone calls and phishing emails to gain remote access. When these methods fail, they escalate to in-person visits, where operatives physically infiltrate offices, connect external storage devices to computers, and exfiltrate sensitive client data. This data is then used to extort firms, with threats to publish or sell the information if ransoms are not paid. ([techtimes.com](https://www.techtimes.com/articles/317293/20260527/silent-ransom-group-sends-operatives-law-firm-offices-38-firms-already-leaked.htm?utm_source=openai)) This incident underscores a concerning evolution in cybercriminal tactics, blending traditional cyber attacks with physical intrusion. The legal sector's sensitive data makes it a prime target, highlighting the urgent need for robust security protocols, employee training, and vigilance against both digital and physical social engineering threats.
4 weeks ago
Kill Chain
FBI Issues Warning on Silent Ransom Group's In-Person Data Theft Tactics
In May 2026, the FBI issued a warning about the Silent Ransom Group (SRG), a Russia-linked data extortion gang targeting U.S. law firms. SRG employs a combination of social engineering tactics, including phone calls and phishing emails, to impersonate IT support staff. If these remote attempts fail, the group escalates to in-person visits, where operatives physically access computers to steal sensitive data using external storage devices. This method has led to the compromise of over 100 law firms, with data from more than 38 firms publicly leaked. The group's focus on law firms is strategic, exploiting the highly sensitive nature of legal data to exert pressure for ransom payments. SRG's unique approach, combining remote social engineering with physical intrusion, underscores the evolving threat landscape and the need for robust security measures in the legal sector.
4 weeks ago
Kill Chain
FBI Issues Warning on Silent Ransom Group's In-Person Data Theft Tactics
In May 2026, the FBI issued a warning about the Silent Ransom Group (SRG), an extortion gang targeting U.S. law firms through sophisticated social engineering tactics. SRG actors impersonate IT support personnel via phone calls and phishing emails to gain remote access to victim computers. If these attempts fail, they escalate their efforts by sending individuals in person to the victim's location to physically access computers and exfiltrate sensitive data using external storage devices. The stolen data is then used to extort victims, with threats to sell or publicly disclose the information if ransom demands are not met. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/fbi-warns-of-silent-ransom-group-in-person-data-theft-attacks/?utm_source=openai)) This incident underscores a concerning evolution in cybercriminal tactics, blending traditional phishing with physical infiltration to bypass digital defenses. The legal sector, known for handling highly sensitive information, is particularly vulnerable to such targeted attacks. Organizations must enhance their security protocols, including employee training on social engineering, strict access controls, and monitoring for unauthorized physical access, to mitigate the risks posed by such multifaceted threats.
4 weeks ago
Kill Chain
Mesa County Election Data Breach: Lessons in Insider Threats
In 2021, Tina Peters, then the Mesa County Clerk in Colorado, facilitated unauthorized access to the county's voting systems, allowing sensitive election data to be copied and disseminated online. This breach was part of an effort to substantiate unfounded claims of election fraud in the 2020 presidential election. Peters was convicted in 2024 on multiple felony and misdemeanor counts, including attempt to influence a public servant and official misconduct, leading to a nine-year prison sentence. ([apnews.com](https://apnews.com/article/b456ce4f80dc97f4b967eb6297311a51?utm_source=openai)) The incident underscores the critical importance of safeguarding election infrastructure against insider threats. It highlights the potential for significant operational and reputational damage when trusted officials exploit their positions, emphasizing the need for stringent access controls and continuous monitoring within electoral systems.
1 month ago
Kill Chain
Extradition of Xu Zewei: Unveiling the HAFNIUM Cyber Espionage Campaign
In early 2021, the Chinese state-sponsored threat group HAFNIUM exploited zero-day vulnerabilities in Microsoft Exchange Server to infiltrate approximately 13,000 U.S. organizations. The attackers targeted sectors including infectious disease research, law firms, universities, defense contractors, and policy think tanks, aiming to steal sensitive data such as COVID-19 vaccine research. The campaign involved deploying web shells for persistent remote access and exfiltrating data to external servers. ([cyberscoop.com](https://cyberscoop.com/xu-zewei-extradited-china-national-silk-typhoon-hafnium/?utm_source=openai)) On April 27, 2026, the U.S. Department of Justice announced the extradition of Xu Zewei from Italy to the United States. Xu, allegedly operating under the direction of China's Ministry of State Security, was charged with multiple offenses related to the HAFNIUM campaign. This development underscores the ongoing international efforts to hold cybercriminals accountable and highlights the persistent threat posed by nation-state actors targeting critical sectors. ([cyberscoop.com](https://cyberscoop.com/xu-zewei-extradited-china-national-silk-typhoon-hafnium/?utm_source=openai))
1 month ago
Kill Chain
FBI's Forensic Extraction of Deleted Signal Messages from iPhone Notification Database
In April 2026, the FBI recovered deleted Signal messages from a defendant's iPhone by reading the device's push notification database rather than Signal's own encrypted store. The recovery was possible because iOS had kept copies of incoming Signal notification content in that database, so the message text persisted independently of the app's message database and survived deletion. The case involved individuals accused of vandalizing property at the ICE Prairieland Detention Facility in Texas, and marked the first time authorities charged individuals for alleged 'Antifa' activities following its designation as a terrorist organization. The lesson for anyone relying on end-to-end encryption is that the protection ends where the operating system's notification pipeline begins: whatever the app hands to the notification system is stored and governed by the device, not by the app. Signal for iOS lets users choose whether notifications show the sender and message, the sender only, or nothing; the latter two settings keep message bodies out of the notification database, and firms that use Signal for client communications should set a policy accordingly.
2 months ago
Kill Chain