
A new threat intelligence report from EclecticIQ unveils the evolving tradecraft of Luna Moth, a financially motivated threat actor operating under aliases such as Silent Ransom Group, UNC3753, and Storm-0252. Since March 2025, Luna Moth has intensified its callback phishing campaigns targeting U.S. legal, financial, and accounting firms, using legitimate tools, real-time social engineering, and zero malware to breach high-trust institutions and extort multi-million-dollar ransoms.
“Luna Moth is very likely conducting high-tempo callback phishing campaigns targeting legal and financial organizations based in the United States,” the report states.
Unlike traditional phishing that drops malware via attachments or links, Luna Moth’s campaign begins with benign-looking emails urging recipients to call fake helpdesk numbers. Once connected, live operators—posing as IT staff—walk the victim through installing legitimate remote monitoring and management (RMM) tools.

The group leverages typosquatted domains—like kobrekim-helpdesk[.]com or ciso-helpdesk[.]com—registered via GoDaddy, many of which impersonate U.S. law firms or CISO departments to add authenticity and urgency.
EclecticIQ also observed Luna Moth weaponizing Reamaze, a live chat platform owned by GoDaddy, to embed AI-powered chatbots into phishing pages. These bots simulate helpdesk interactions to guide victims toward installing RMM tools, adding a layer of automation to their deception.
“These chatbots mimic legitimate IT helpdesk interactions, helping attackers engage victims in real time and accelerate the attack chain,” the report warns.
Once the victim installs an RMM tool, attackers gain hands-on-keyboard access—no malware required. Luna Moth uses popular, often-whitelisted tools like:
- AnyDesk
- TeamViewer
- ScreenConnect
- WinSCP (for stealthy file exfiltration)
- Rclone (to sync stolen data to actor-controlled cloud storage)
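
One way a defender could hunt for the sequence described above, as an added example that is not from the EclecticIQ report: flag hosts where WinSCP or Rclone starts shortly after one of the listed RMM tools. The executable names, the 24-hour window, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Default executable names for the tools named in the article (assumed;
# a renamed binary would evade name matching, so pair this with hash or signer checks).
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe",
             "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
WINDOW = timedelta(hours=24)  # assumed correlation window, tune per environment

# Constructed process-creation events: (ISO timestamp, host, image path)
SAMPLE_EVENTS = [
    ("2025-04-02T09:14:05", "WS-LEGAL-07", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    ("2025-04-02T09:41:30", "WS-LEGAL-07", r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe"),
    ("2025-04-02T10:02:11", "WS-FIN-12", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ("2025-04-03T16:20:00", "WS-IT-01", r"C:\Program Files (x86)\WinSCP\WinSCP.exe"),
    ("2025-04-05T08:00:00", "WS-FIN-12", r"C:\Tools\rclone.exe"),
]

def image_name(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def correlate(events, window=WINDOW):
    """Alert when a transfer tool starts on a host within `window`
    after the most recent RMM tool start on that same host."""
    alerts = []
    last_rmm = {}  # host -> (start time, image name) of the latest RMM launch
    for ts, host, path in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        name = image_name(path)
        if name in RMM_TOOLS:
            last_rmm[host] = (when, name)
        elif name in TRANSFER_TOOLS and host in last_rmm:
            rmm_time, rmm_name = last_rmm[host]
            if when - rmm_time <= window:
                gap = int((when - rmm_time).total_seconds() // 60)
                alerts.append({"host": host, "rmm": rmm_name,
                               "transfer": name, "gap_minutes": gap})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

A transfer tool on its own (the IT workstation in the sample) and an RMM launch followed days later by Rclone are deliberately not flagged, which keeps the rule focused on the install-then-exfiltrate pattern.
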
Between April 2024 and April 2025, Luna Moth targeted:
- Legal firms (40.28% of victims)
- Financial services (23.61%)
- Accounting and business services
- Real estate and tech companies
“Luna Moth lists victims on its clearweb Dedicated Leak Site (DLS)… and demands ransoms between $1 million and $8 million,” the report explains.
Notably, 64 confirmed U.S. organizations have been victimized, with minor spillover into Canada, France, and Germany. The group's clearweb data leak site, business-data-leaks[.]com, hosts stolen files to pressure victims into paying.
EclecticIQ links Luna Moth to the operators behind the BazarCall campaign, which previously deployed Conti and Ryuk ransomware. After Conti’s collapse in 2022, the shift to data extortion without encryption is viewed as a lower-risk, revenue-sustaining strategy for these same actors.