The U.S. Federal Bureau of Investigation (FBI) has warned of social engineering assaults mounted by a legal extortion actor often called Luna Moth focusing on regulation corporations over the previous two years.
The marketing campaign leverages “info expertise (IT) themed social engineering calls, and callback phishing emails, to achieve distant entry to methods or gadgets and steal delicate information to extort the victims,” the FBI stated in an advisory.
Luna Moth, additionally known as Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, is thought to be lively since no less than 2022, primarily using a tactic known as callback phishing or telephone-oriented assault supply (TOAD) to trick unsuspecting customers into calling telephone numbers listed in benign-looking phishing emails associated to invoices and subscription funds.
It is value mentioning right here that Luna Moth refers back to the identical hacking crew that beforehand carried out BazarCall (aka BazaCall) campaigns to deploy ransomware like Conti. The risk actors got here into their very own following the shutdown of the Conti syndicate.
Particularly, electronic mail recipients are instructed to name a buyer help quantity to cancel their premium subscription inside 24 hours to keep away from incurring a cost. Over the course of the telephone dialog, the sufferer is emailed a hyperlink and guided to put in a distant entry program, giving the risk actors unauthorized entry to their methods.
Armed with the entry, the attackers proceed to exfiltrate delicate info and ship an extortion notice to the sufferer, demanding cost to keep away from getting their stolen information printed on a leaked website or offered to different cybercriminals.
The FBI stated the Luna Moth actors have shifted their ways as of March 2025 by calling people of curiosity and posing as workers from their firm’s IT division.
“SRG will then direct the worker to affix a distant entry session, both via an electronic mail despatched to them, or navigating to an internet web page,” the company famous. “As soon as the worker grants entry to their gadget, they’re informed that work must be carried out in a single day.”
The risk actors, after acquiring entry to the sufferer’s gadget, have been discovered to escalate privileges and leverage respectable instruments like Rclone or WinSCP to facilitate information exfiltration.
Using real system administration or distant entry instruments reminiscent of Zoho Help, Syncro, AnyDesk, Splashtop, or Atera to hold out the assaults means they’re unlikely to be flagged by security instruments put in on the methods.
“If the compromised gadget doesn’t have administrative privileges, WinSCP transportable is used to exfiltrate sufferer information,” the FBI added. “Though this tactic has solely been noticed just lately, it has been extremely efficient and resulted in a number of compromises.”
Defenders are urged to be looking out for WinSCP or Rclone connections made to exterior IP addresses, emails or voicemails from an unnamed group claiming information was stolen, emails relating to subscription providers offering a telephone quantity and requiring a name to
take away pending renewal expenses, and unsolicited telephone calls from people claiming to work of their IT departments.
The disclosure follows a report from EclecticIQ detailing Luna Moth’s “high-tempo” callback phishing campaigns focusing on U.S. authorized and monetary sectors utilizing Reamaze Helpdesk and different distant desktop software program.
Based on the Dutch cybersecurity firm, no less than 37 domains have been registered by the risk actor through GoDaddy in March, most of which spoofed the focused organizations’ IT helpdesk and help portals.
“Luna Moth is primarily utilizing helpdesk-themed domains, usually starting with the title of the enterprise being focused, e.g., vorys-helpdesk[.]com,” Silent Push stated in a collection of posts on X. “The actors are utilizing a comparatively small vary of registrars. The actors seem to make use of a restricted vary of nameserver suppliers, with domaincontrol[.]com being the commonest.”
