The group's tactical evolution continues to accelerate. By March 2025, the FBI observed a shift from callback phishing to direct vishing calls. By April 2025, attackers began physically visiting office locations to insert storage devices for data theft. The attacks rely entirely on social engineering and legitimate remote access solutions, deploying no malware, which makes detection through conventional security tools difficult.
Law firms face a structural vulnerability: their holdings of highly sensitive client data make them economically attractive targets, and their reluctance to resist ransom demands—driven by fear of client exposure—reinforces the incentive to attack. Attorneys should assume their firms are targets and audit employee protocols for vishing calls, particularly requests to install remote access software or disable security tools. The group's demonstrated ability to compromise major firms, combined with tactics that evade signature-based detection, means standard cybersecurity measures alone are insufficient.