FBI Alerts Law Firms to Luna Moth’s Stealth Phishing Campaign

The U.S. Federal Bureau of Investigation (FBI) has warned of social engineering attacks that a criminal extortion group known as Luna Moth has conducted against law firms over the past two years.

According to an FBI advisory, the campaign uses IT-themed social engineering calls and callback phishing emails to gain unauthorized access to systems, steal sensitive data, and extort victims.

Luna Moth, also known by aliases such as Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, has been active since at least 2022, using callback phishing tactics to deceive users into calling phone numbers listed in phishing emails related to invoices and subscriptions.

Luna Moth is associated with the same group that conducted BazarCall campaigns to deploy ransomware like Conti. The threat actors adapted their tactics following the Conti syndicate’s closure.

Email recipients are instructed to call a customer support number within 24 hours to cancel a premium subscription and avoid a payment. During the call, victims receive a link via email and are guided to install remote access software, granting unauthorized access to their systems.

With access to the victim’s device, the attackers proceed to steal sensitive information and demand payment to prevent the publication or sale of the stolen data to other cybercriminals.

The FBI revealed that Luna Moth actors have modified their tactics as of March 2025 by posing as employees from a company’s IT department and directing employees to join a remote access session to perform “overnight work.”

After gaining access to the victim’s device, the threat actors escalate privileges and use legitimate tools like Rclone or WinSCP for data exfiltration, making it difficult for security tools to detect the attacks.

Defenders are advised to watch for WinSCP or Rclone connections to external IP addresses, emails or voicemails claiming data theft, and unsolicited calls from fake IT department employees.
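One way to check for the first of these warning signs, as an added example that is not taken from the FBI advisory or this article: a Python filter that flags network-connection events where Rclone or WinSCP reaches an address outside internal ranges. The JSON field names (`host`, `image`, `dst_ip`, `dst_port`), the internal ranges, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
import ntpath

# Tools named in the advisory; matched by file name only, so a renamed binary is missed.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "winscp.com"}

# Assumed internal address space; replace with the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    r'{"host": "WS-014", "image": "C:\\Users\\jdoe\\Downloads\\rclone.exe", "dst_ip": "203.0.113.45", "dst_port": 443}',
    r'{"host": "WS-014", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "dst_ip": "10.20.0.8", "dst_port": 22}',
    r'{"host": "WS-022", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "dst_ip": "198.51.100.7", "dst_port": 22}',
    r'{"host": "WS-031", "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "203.0.113.45", "dst_port": 443}',
    r'{"host": "WS-040", "image": "C:\\Tools\\rclone.exe", "dst_ip": "not-an-ip", "dst_port": 443}',
    "truncated line {",
]


def find_exfil_candidates(lines):
    """Return (alerts, skipped): named-tool connections to external IPs, and unusable lines."""
    alerts, skipped = [], []
    for line in lines:
        try:
            ev = json.loads(line)
            tool = ntpath.basename(ev["image"]).lower()
            ip = ipaddress.ip_address(str(ev["dst_ip"]))
        except (ValueError, KeyError, TypeError):
            skipped.append(line)  # malformed event or unreadable destination: review by hand
            continue
        external = not any(ip in net for net in INTERNAL_NETS)
        if tool in EXFIL_TOOLS and external:
            alerts.append((ev.get("host"), tool, str(ip), ev.get("dst_port")))
    return alerts, skipped


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_EVENTS)[0]:
        print("ALERT", alert)
```

Lines that cannot be parsed are returned separately rather than dropped, so a truncated or tampered record still reaches an analyst.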

To protect against these attacks, be wary of emails about pending charges, other suspicious emails, and phone calls from fake IT support staff.

The FBI’s warning comes after a report from EclecticIQ highlighting Luna Moth’s callback phishing campaigns targeting legal and financial sectors in the U.S. using remote desktop software like Reamaze Helpdesk.

According to EclecticIQ, Luna Moth registered at least 37 domains via GoDaddy in March, most of which spoofed IT helpdesk portals of targeted organizations.

“Luna Moth is primarily using helpdesk-themed domains, typically starting with the name of the targeted business, e.g., vorys-helpdesk[.]com,” Silent Push said in posts on X. “The actors are using a limited range of registrars and nameserver providers, with domaincontrol[.]com being the most common.”
