A sophisticated cybercrime campaign led by the threat actor group Luna Moth is actively targeting legal and financial institutions in the United States. The campaign uses callback phishing, legitimate IT tools, and data extortion tactics to steal sensitive information and demand multimillion-dollar ransoms.
According to new research by EclecticIQ, Luna Moth (also tracked as Silent Ransom Group, UNC3753, and Storm-0252) is behind a wave of high-volume phishing campaigns that rely not on malware but on social engineering, fake helpdesk sites, and commercially available remote monitoring and management (RMM) software to compromise their victims.
Callback Phishing: The New Playbook
The attacks typically begin with phishing emails masquerading as IT alerts, urging recipients to call a spoofed support number. Once connected, live operators impersonating IT personnel convince victims to install remote access tools like Zoho Assist or AnyDesk under the guise of resolving a fictitious technical issue.
These operations—sometimes referred to as Telephone-Oriented Attack Delivery (TOAD)—are made more convincing by typosquatting domains such as “[company]-helpdesk.com,” many of which were registered through GoDaddy. EclecticIQ identified at least 37 such domains as part of Luna Moth’s infrastructure.
One example includes a phishing site posing as the “Kobrekim Helpdesk,” which uses a contact form to harvest personal information and assess whether the visitor has elevated access within their organization.
Abuse of Trusted Platforms
Luna Moth’s infrastructure leverages GoDaddy’s ecosystem in a host of ways. Victims who submit information on phishing sites might receive confirmation emails from “[email protected],” which helps these fraudulent messages evade traditional email filters.
Further complicating detection efforts, Luna Moth has begun embedding AI-powered chatbots via Reamaze—a live customer support platform also owned by GoDaddy—directly into phishing pages. This lets attackers simulate genuine IT interactions, making victims more likely to trust the site and speeding up the attack’s progression.
Legitimate Tools, Illegitimate Use
Instead of traditional malware, Luna Moth operators use enterprise-approved tools to move laterally and exfiltrate data. Common utilities include:
- WinSCP: Used to stealthily move files over encrypted SSH channels.
- Rclone: Deployed to sync large data volumes to cloud storage services under the malefactors’ control.
This low-noise approach allows bad actors to blend in with normal IT operations and avoid triggering malware-based defenses. Once the data is stolen, victims are threatened with exposure on Luna Moth’s clearweb data leak site, business-data-leaks[.]com, unless they pony up ransoms that reportedly range from $1 million to an eye-watering $8 million.
Targeting High-Trust Industries
Between April 2024 and 2025, nearly 40% of known Luna Moth victims were from the legal sector, followed by financial services (23.6%) and accounting (13.9%). These industries manage sensitive client data and handle privileged access—making them attractive targets for data theft and extortion.
Most victims by far are based in the US, with a scattering of incidents in Canada, France, and Germany. This makes sense, as Luna Moth uses lures impersonating prominent American entities.
Hard to Detect, Harder to Stop
Luna Moth is particularly insidious because it evades traditional security measures: its initial phishing emails contain no malicious attachments or URLs; the voice-based interactions that follow go undetected by most email and endpoint security solutions; and the remote-access software is signed, legitimate, and installed by the victims themselves.
EclecticIQ advises companies to implement several measures:
- Restrict the use of RMM tools: Block installations of remote access software unless explicitly authorized.
- Enhance behavioral monitoring: Track usage patterns of tools like WinSCP and Rclone to detect anomalies.
- Flag spoofed domains: Set up email rules to catch messages from typosquatted helpdesk URLs.
- Educate employees: Provide ongoing training to recognize and report social engineering attempts.
- Leverage threat intelligence: Monitor and block infrastructure associated with Luna Moth’s campaigns.
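As an added example, not taken from the EclecticIQ report or this article, the Python sketch below turns the first three recommendations into simple detection rules and runs them over constructed process-creation events and sender domains. The allow-listed hosts and domains, the key=value log format, and the sample events are all assumptions.

```python
import re

# Assumed allow-lists; in practice these come from the asset inventory and mail config.
APPROVED_RMM_HOSTS = {"IT-JUMP01"}                      # hosts permitted to run remote-access tools
APPROVED_SENDER_DOMAINS = {"examplelaw.com", "examplelaw-helpdesk.com"}  # the firm's genuine domains

# Tool families the article names: RMM installed during the call, transfer tools used for exfil.
RMM_PATTERNS = ("anydesk", "zoho")                      # AnyDesk, Zoho Assist
EXFIL_PATTERNS = ("winscp", "rclone")
USER_WRITABLE = re.compile(r"\\(temp|downloads)\\", re.I)

# Constructed process-creation events in a simple key=value format (not real telemetry).
SAMPLE_EVENTS = [
    r"ts=2025-05-02T14:03:11Z host=LAW-WS07 user=jdoe image=C:\Users\jdoe\Downloads\AnyDesk.exe parent=msedge.exe",
    r"ts=2025-05-02T14:21:40Z host=LAW-WS07 user=jdoe image=C:\Users\jdoe\AppData\Local\Temp\rclone.exe parent=AnyDesk.exe",
    r"ts=2025-05-02T09:00:05Z host=IT-JUMP01 user=helpdesk image=C:\Program Files\AnyDesk\AnyDesk.exe parent=explorer.exe",
    r"ts=2025-05-02T10:15:00Z host=FIN-WS02 user=asmith image=C:\Program Files (x86)\WinSCP\WinSCP.exe parent=explorer.exe",
]

KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")            # values may contain spaces (Program Files)

def parse_event(line):
    return dict(KV.findall(line))

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def flag_events(lines):
    """Rule 1: RMM tool on a host not approved for it. Rule 2: transfer tool spawned by an RMM
    session or run from a user-writable directory. Returns (host, rule, image) tuples."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if any(p in image for p in RMM_PATTERNS) and ev["host"] not in APPROVED_RMM_HOSTS:
            findings.append((ev["host"], "rmm_not_authorised", image))
        if any(p in image for p in EXFIL_PATTERNS) and (
            any(p in parent for p in RMM_PATTERNS) or USER_WRITABLE.search(ev["image"])
        ):
            findings.append((ev["host"], "exfil_tool_from_rmm_or_temp", image))
    return findings

HELPDESK_LOOKALIKE = re.compile(r"^[a-z0-9-]+-helpdesk\.com$")

def flag_sender_domain(domain):
    """Mail rule: '<company>-helpdesk.com' style sender domains that are not the firm's own."""
    d = domain.lower().strip()
    return bool(HELPDESK_LOOKALIKE.match(d)) and d not in APPROVED_SENDER_DOMAINS

if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(finding)
    print(flag_sender_domain("examplecorp-helpdesk.com"))
```

The approved jump host running AnyDesk and the admin's WinSCP launched from Program Files produce no findings, which is the point of the allow-list and parent-process conditions: the rules fire on the callback-phishing pattern, not on ordinary IT use.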
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.