Cybercrime Group 'Luna Moth' Targets Top Law Firms with Stealthy Data-Theft and Extortion Tactics
June 6, 2026
The infrastructure of Silent Ransom Group (SRG) is linked to a fast-flux DNS network with historical ties to other cybercrime ecosystems like CVV Union and Omerta, complicating disruption efforts.
SRG, also known as Luna Moth, Chatty Spider, and UNC3753, has operated since 2022 and focuses on data theft and extortion rather than encrypting its targets. It increasingly targets top AmLaw 100 law firms, along with the healthcare, hospitality, finance, and insurance sectors.
The group uses social engineering, in-person intrusions, and data exfiltration to apply pressure, rather than traditional ransomware that relies on file encryption.
A botnet of compromised IoT devices and customer premise equipment coordinates SRG’s fast-flux network, creating a resilient channel for data theft and extortion.
SRG's Data Leak Site uses Cross-Site Request Forgery (CSRF) tokens to avoid being indexed, a deliberate anti-indexing measure.
The group maintains a global footprint and has evolved to use fast-flux DNS botnets, enhancing the stealth and reach of its data-leak extortion operations.
In May 2026, new underground projects surfaced, notably Spy Corporate, suggesting expanded activity and potential overlap with SRG’s infrastructure.
Spy Corporate (spycorp.pro) appears linked through shared infrastructure tokens and IPs with SRG’s fast-flux network, indicating a direct connection.
U.S. and allied authorities warn that fast-flux infrastructure poses national security risks and advocate for cross-agency collaboration to disrupt these networks.
About half to sixty percent of SRG’s bot pool is shared across the two SRG domains, with at least 24 compromised hosts sustaining the infrastructure.
A technical report notes SRG’s aim to hit large victims, including major law firms, via compromised devices, fast-flux networks, and social engineering techniques.
SRG’s fast-flux nodes span regions including Latin America, Eastern Europe, Central Asia, the Middle East/Africa, East Asia, and the Caribbean, with multiple countries hosting infected devices.
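
An added example, not taken from the cited reports, of the two defender-side measurements behind the points above: flagging fast-flux behaviour from passive-DNS answers, and computing how much of the address pool two domains share. The domains, addresses, thresholds, and the union-based overlap definition are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed passive-DNS A-record observations: (domain, ip, ttl_seconds).
# Domains use the reserved .example TLD; IPs are RFC 5737 documentation ranges.
OBSERVATIONS = [
    ("flux-a.example", "192.0.2.10", 60), ("flux-a.example", "198.51.100.7", 60),
    ("flux-a.example", "203.0.113.5", 120), ("flux-a.example", "192.0.2.44", 60),
    ("flux-a.example", "198.51.100.90", 60), ("flux-a.example", "203.0.113.77", 60),
    ("flux-b.example", "192.0.2.10", 60), ("flux-b.example", "198.51.100.7", 90),
    ("flux-b.example", "203.0.113.5", 60), ("flux-b.example", "192.0.2.44", 60),
    ("flux-b.example", "198.51.100.201", 60), ("flux-b.example", "203.0.113.150", 60),
    ("static.example", "192.0.2.80", 3600), ("static.example", "192.0.2.80", 3600),
]

def profile(observations):
    """Per domain: distinct IPs, distinct /24 networks, and median TTL."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in observations:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    return {
        d: {
            "ips": ips[d],
            # /24 is a stand-in for ASN diversity, which needs an offline IP-to-ASN table.
            "networks": {ip_network(f"{ip}/24", strict=False) for ip in ips[d]},
            "median_ttl": median(ttls[d]),
        }
        for d in ips
    }

def looks_fast_flux(p, min_ips=5, min_networks=3, max_ttl=300):
    """Heuristic (illustrative thresholds): many addresses, several networks, short TTLs."""
    return (len(p["ips"]) >= min_ips and len(p["networks"]) >= min_networks
            and p["median_ttl"] <= max_ttl)

def pool_overlap(profiles, a, b):
    """Fraction of the combined address pool (union) seen behind both domains."""
    shared = profiles[a]["ips"] & profiles[b]["ips"]
    return len(shared) / len(profiles[a]["ips"] | profiles[b]["ips"])

if __name__ == "__main__":
    profiles = profile(OBSERVATIONS)
    for name, p in sorted(profiles.items()):
        print(name, len(p["ips"]), len(p["networks"]), p["median_ttl"], looks_fast_flux(p))
    print("overlap", pool_overlap(profiles, "flux-a.example", "flux-b.example"))
```

A high overlap between two flagged domains is a signal that they sit on the same bot pool and can be tracked or blocked as one infrastructure.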
Summary based on 2 sources
Sources

Security Affairs • Jun 5, 2026
Silent Ransom Group (SRG): Switching To DNS Fast Flux Infrastructure
The420.in • Jun 6, 2026
Evasive Maneuvers: How Silent Ransom Group (SRG) is Utilizing DNS Fast Flux