
The cybercriminal group Luna Moth, also known as Silent Ransom Group, has intensified its callback phishing campaigns targeting U.S. legal, financial, and accounting firms. Posing as IT help desks, the threat actors deceive victims into installing remote access tools, leading to data theft and extortion demands ranging from $1 million to $8 million [1]. This article examines their tactics, victimology, and defensive measures.
Executive Summary for Security Leaders
Luna Moth (tracked as UNC3753 and Storm-0252) is a financially motivated group linked to former Conti ransomware operators. Since March 2025, they have refined callback phishing techniques using typosquatted domains and AI-powered chatbots to impersonate IT support [2]. The group primarily targets sensitive data in the legal (40%), financial (24%), and accounting (14%) sectors, with 64 confirmed U.S. victims as of May 2025 [1].
- Tactics: Callback phishing, RMM tool abuse (AnyDesk/Zoho Assist), WinSCP/Rclone data exfiltration
- Infrastructure: Uses GoDaddy-registered domains (e.g., [company]-helpdesk.com) and Reamaze chatbots
- Demands: $1M–$8M ransoms via business-data-leaks[.]com DLS
- IOCs: IPs 185.228.234.231, 81.200.148.140; domains cisohelpdesk[.]com, scotiabank-help[.]com
Technical Attack Breakdown
The attack chain begins with phishing emails directing recipients to call fraudulent helpdesk numbers. Live operators then guide victims through installing remote monitoring tools under the guise of resolving fictitious IT issues. EclecticIQ researchers observed the use of typosquatted domains registered through GoDaddy, often mimicking legitimate company help portals [1].
Once access is established, attackers deploy WinSCP with silent flags (`/silent`) or Rclone with custom configurations (`--config`) to exfiltrate data from cloud storage (SharePoint, AWS S3) and network shares. The group maintains a clearweb Dedicated Leak Site (DLS) at business-data-leaks[.]com to pressure victims with data exposure threats [2].
| MITRE ATT&CK Phase | Technique | Implementation |
|---|---|---|
| Initial Access | Spearphishing (T1566) | Fake IT support emails with callback numbers |
| Execution | Command-Line Interface (T1059) | Silent installation of RMM tools |
| Exfiltration | Automated Exfiltration (T1020) | WinSCP/Rclone data transfers |
Defensive Recommendations
Organizations should implement application control policies to block unauthorized RMM tools in non-approved contexts. Network monitoring for WinSCP's silent mode or Rclone config transfers can detect exfiltration attempts. Employee training must emphasize verification of unsolicited IT support requests, particularly those requesting remote access [1].
For detection engineering, security teams should monitor for process creation events involving:
- `WinSCP.com /silent`
- `Rclone.exe --config [non-standard path]`
EclecticIQ recommends reviewing firewall rules for connections to 185.228.234.231 and 81.200.148.140, which Luna Moth has used for C2 communications [1].
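The detection logic above, as an added example that is not from the article or from EclecticIQ: it parses constructed Sysmon-style process-creation events, flags WinSCP.com launched with `/silent` and Rclone pointed at a config file outside the default location, and checks a destination IP against the two C2 addresses quoted in the article. The default Rclone config path (`%APPDATA%\rclone\rclone.conf`) and the event field names are assumptions.

```python
import re
import shlex

# C2 addresses quoted in the article (defanged there; joined here for matching).
LUNA_MOTH_C2_IPS = {"185.228.234.231", "81.200.148.140"}
# Assumption: Rclone's default config location on Windows; anything else is "non-standard".
RCLONE_DEFAULT_CONFIG = re.compile(r"^%appdata%\\rclone\\rclone\.conf$", re.IGNORECASE)

# Constructed sample of process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\WinSCP\WinSCP.com",
     "cmdline": r'"C:\Program Files (x86)\WinSCP\WinSCP.com" /silent /script=sync.txt'},
    {"image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "cmdline": r"rclone.exe --config C:\Users\Public\r.conf copy C:\Shares\Legal remote:bucket"},
    {"image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe --config %APPDATA%\rclone\rclone.conf ls remote:"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe memo.txt"},
]

def rclone_config_path(argv):
    """Return the value passed to --config (as '--config X' or '--config=X'), or None."""
    for i, tok in enumerate(argv):
        if tok.lower() == "--config" and i + 1 < len(argv):
            return argv[i + 1]
        if tok.lower().startswith("--config="):
            return tok.split("=", 1)[1]
    return None

def classify_process(event):
    """Return a detection label for one process-creation event, or None if nothing matched."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    argv = shlex.split(event["cmdline"], posix=False)  # non-POSIX: keep backslashes literal
    flags = {a.lower() for a in argv[1:]}
    if image == "winscp.com" and "/silent" in flags:
        return "winscp_silent_mode"
    if image == "rclone.exe":
        cfg = rclone_config_path(argv)
        if cfg and not RCLONE_DEFAULT_CONFIG.match(cfg):
            return "rclone_nonstandard_config"
    return None

def scan_events(events):
    """Return (index, label) pairs for every event that triggers a detection."""
    hits = [(i, classify_process(e)) for i, e in enumerate(events)]
    return [(i, label) for i, label in hits if label]

def flag_connection(dst_ip):
    """True if the destination is one of the C2 addresses attributed to Luna Moth."""
    return dst_ip in LUNA_MOTH_C2_IPS

if __name__ == "__main__":
    for idx, label in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {label} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```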
Conclusion
The Luna Moth campaign demonstrates the continued evolution of social engineering tactics in cyber extortion schemes. By combining callback phishing with legitimate IT tools, the group bypasses traditional email security controls. Organizations in targeted sectors should prioritize employee awareness and implement technical controls to detect RMM tool abuse and suspicious data transfers.
References
- [1] "Luna Moth abuses Reamaze helpdesk platform in callback phishing campaigns," EclecticIQ, May 2025.
- [2] "Luna Moth extortion hackers pose as IT help desks to breach US firms," BleepingComputer, May 2025.
- [3] "Luna Moth hackers use fake helpdesk domains," GBHackers, May 2025.