Luna Moth Phishing Attack

The U.S. Federal Bureau of Investigation (FBI) has issued a warning about social engineering attacks launched by a group called Luna Moth. This criminal extortion actor has been targeting law firms for the past two years, using a blend of phishing emails and phone-based social engineering to steal sensitive data and demand payment.

How They Operate: The Callback Phishing Playbook

Luna Moth, also known as Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, has been active since at least 2022. It primarily relies on a tactic called callback phishing or telephone-oriented attack delivery (TOAD). Its phishing emails, which look harmless and revolve around invoices and subscriptions, trick recipients into calling a phone number to 'cancel' a payment or subscription.

During these calls, the attackers guide the victim to install a remote access program, gaining unauthorized access to their systems. With control of these devices, the threat actors collect sensitive information and follow up with extortion demands to prevent the data from being leaked or sold to other cybercriminals.

From BazarCall to IT Impersonation

This is the same crew behind the earlier BazarCall campaigns that spread ransomware such as Conti. Since Conti's shutdown, Luna Moth has intensified its efforts. Notably, as of March 2025, the group has evolved its strategy by calling targeted individuals directly while posing as IT department employees. This approach manipulates employees into joining a remote access session, often under the guise of performing overnight maintenance.

Tools of the Trade: Blending in with Legitimate Software

Once access is granted, Luna Moth escalates privileges and uses legitimate tools to exfiltrate data:

  • Rclone
  • WinSCP
  • Zoho Assist
  • Syncro
  • AnyDesk
  • Splashtop
  • Atera

Because these are genuine system management and remote access tools, they often escape detection by security products. If the compromised device lacks admin privileges, the portable build of WinSCP is used to smuggle out the stolen data. Although this approach is relatively new, it has proven remarkably effective, leading to multiple successful compromises.

Signs of Trouble: Indicators of a Luna Moth Attack

Security teams should watch for certain red flags:

  • Unexpected emails or voicemails from an unnamed group claiming data theft.
  • Emails regarding subscription renewals that require a phone call to avoid charges.
  • Unsolicited phone calls from supposed IT staff urging remote access to your device.
  • Suspicious connections made via WinSCP or Rclone to external IP addresses.
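As an added example that is not part of the original advisory, the Python sketch below shows how the last indicator could be checked against endpoint network-connection telemetry: it flags Rclone or WinSCP processes connecting to addresses outside the organisation's internal (RFC 1918 plus loopback and link-local) ranges and notes when the binary runs from a user-writable path, the portable-WinSCP case described earlier. The log format and all sample events are constructed; destination addresses come from the reserved documentation ranges so no real indicators are implied.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of simplified network-connection events (process image,
# destination IP and port), in the spirit of Sysmon Event ID 3 or EDR
# telemetry. These are not real logs; 203.0.113.x / 198.51.100.x are
# documentation ranges used as stand-ins for attacker infrastructure.
SAMPLE_EVENTS = [
    "2025-03-12T02:14:07Z host=LAW-WS-017 image=C:\\Users\\jdoe\\Downloads\\WinSCP.exe dst=203.0.113.45 dport=22",
    "2025-03-12T02:15:31Z host=LAW-WS-017 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe dst=198.51.100.23 dport=443",
    "2025-03-12T02:16:02Z host=LAW-WS-017 image=C:\\Program Files\\WinSCP\\WinSCP.exe dst=10.0.4.12 dport=22",
    "2025-03-12T02:17:45Z host=LAW-WS-003 image=C:\\Windows\\System32\\svchost.exe dst=203.0.113.9 dport=443",
]

# Lazy match on the image path because it may contain spaces ("Program Files").
EVENT_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

# Exfiltration tools named in the advisory; extend with your own watchlist.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Our own definition of "internal": RFC 1918, loopback and link-local. We do not
# use ipaddress.is_private because it also treats documentation ranges as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]


def parse_event(line: str) -> Dict[str, str]:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_exfil_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return events where a known exfiltration tool talks to an external address."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe in EXFIL_TOOLS and is_external(ev["dst"]):
            ev["reason"] = f"{exe} connecting to external {ev['dst']}:{ev['dport']}"
            if "\\users\\" in ev["image"].lower():  # portable binary dropped without admin rights
                ev["reason"] += " from a user-writable path"
            hits.append(ev)
    return hits
```

Feeding real Sysmon or EDR connection events through the same logic requires only adapting `EVENT_RE` to the export format; the tool list and internal-range definition stay as they are.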

High-Tempo Attacks and Helpdesk Spoofing

Research shows Luna Moth's 'high-tempo' callback phishing campaigns focus on the legal and financial sectors of the U.S. They're using platforms like Reamaze Helpdesk and other remote desktop software. In March 2025 alone, Luna Moth registered at least 37 domains through GoDaddy. Most of these domains spoof targeted organizations' IT helpdesks and support portals.

These helpdesk-themed domains typically start with the name of the targeted business. The attackers rely on a small number of registrars and nameserver providers, with domaincontrol.com being the most common.

Stay Alert!

Luna Moth's campaigns highlight the critical need for vigilance. By blending legitimate tools with social engineering and domain spoofing, the group bypasses many defenses and puts sensitive data at risk. Recognizing these tactics is the first step in staying protected.
