The info-theft extortion group generally known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in assaults on authorized and monetary establishments in the US.
In response to EclecticIQ researcher Arda Büyükkaya, the last word objective of those assaults is information theft and extortion.
Luna Moth, recognized internally as Silent Ransom Group, are menace actors who beforehand carried out BazarCall campaigns as a approach to acquire preliminary entry to company networks for Ryuk, and later, Conti ransomware assaults.
In March 2022, as Conti began to close down, the BazarCall menace actors separated from the Conti syndicate and shaped a new operation referred to as Silent Ransom Group (SRG).
Luna Moths’s newest assaults contain impersonating IT assist via electronic mail, pretend websites, and cellphone calls, and rely solely on social engineering and deception, with no ransomware deployment seen in any of the circumstances.
“As of March 2025, EclecticIQ assesses with excessive confidence that Luna Moth has probably registered a minimum of 37 domains via GoDaddy to assist its callback-phishing campaigns,” reads the EclecticIQ report.
“Most of those domains impersonate IT helpdesk or assist portals for main U.S. regulation companies and monetary providers companies, utilizing typosquatted patterns.”
Supply: EclecticIQ
The most recent exercise noticed by EclecticIQ begins in March 2025, focusing on U.S.-based organizations with malicious emails that comprise pretend helpdesk numbers recipients are urged to name to resolve non-existent issues.
A Luna Moth operator solutions the decision, impersonating IT employees, and convinces the sufferer to put in distant monitoring & administration (RMM) software program from pretend IT assist desk websites that offers the attackers distant entry to their machine.
The pretend assist desk websites make the most of domains that comply with naming patterns like [company_name]-helpdesk.com and [company_name]helpdesk.com.
Supply: EclecticIQ
Some instruments abused in these assaults are Syncro, SuperOps, Zoho Help, Atera, AnyDesk, and Splashtop. These are official, digitally signed instruments, in order that they’re unlikely to set off any warnings for the sufferer.
As soon as the RMM instrument is put in, the attacker has hands-on keyboard entry, permitting them to unfold to different gadgets and search native recordsdata and shared drives for delicate information.
Having situated beneficial recordsdata, they exfiltrate them to attacker-controlled infrastructure utilizing WinSCP (through SFTP) or Rclone (cloud syncing).
After the information is stolen, Luna Moth contacts the victimized group and threatens to leak it publicly on its clearweb area except they pay a ransom. The ransom quantity varies per sufferer, starting from one to eight million USD.
Supply: BleepingComputer
Büyükkaya feedback on the stealth of those assaults, noting that they contain no malware, malicious attachments, or hyperlinks to malware-ridden websites. The victims merely set up an RMM instrument themselves, pondering they’re receiving assist desk assist.
Because the enterprise generally makes use of these RMM instruments, they don’t seem to be flagged by safety software program as malicious and are allowed to run.
Indicators of compromise (IoCs), together with IP addresses and phishing domains that needs to be added to a blocklist, can be found on the backside of EclecticIQ’s report.
Aside from the domains, it is usually advisable to think about proscribing the execution of RMM instruments that aren’t utilized in a corporation’s surroundings.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and the best way to defend towards them.
