Full Report
The U.S. Federal Bureau of Investigation (FBI) has warned of social engineering attacks mounted by a criminal extortion actor known as Luna Moth targeting law firms over the past two years. The campaign leverages "information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims,"
Analysis Summary
# Threat Actor: Luna Moth
## Attribution & Identity
**Threat Actor:** Luna Moth
**Aliases:** Chatty Spider, Silent Ransom Group (SRG), Storm-0252, UNC3753.
**Known Associations:** Previously carried out BazarCall (aka BazaCall) campaigns, which were used to deploy ransomware such as Conti. The group became more prominent following the shutdown of the Conti syndicate.
## Activity Summary
Luna Moth has been active since at least 2022, focusing on social engineering attacks, primarily targeting law firms over the past two years.
The group uses "information technology (IT) themed social engineering calls, and callback phishing emails" to gain remote access and steal sensitive data for extortion.
**Historical Campaign:** BazarCall (BazaCall) campaigns.
**Recent Shift (as of March 2025):** Actors are calling individuals posing as internal IT department employees to direct them to join remote access sessions.
**Extortion Method:** After exfiltrating data, they send an extortion demand, threatening to publish the stolen data or sell it to other cybercriminals.
## Tactics, Techniques & Procedures
- **Initial Access:** Telephone-Oriented Attack Delivery (TOAD), often masquerading as subscription cancellation issues (callback phishing) or internal IT support.
- **Delivery:** Victims are tricked into calling a listed customer support number in phishing emails related to invoices/subscriptions.
- **System Compromise:** Victims are guided during the call to install a remote access program.
- **Post-Exploitation:** Privilege escalation is performed.
- **Data Exfiltration:** Utilization of legitimate tools like Rclone or WinSCP (including the portable version) to transfer data to external IP addresses.
- **Evasion:** Heavy reliance on widely used, legitimate remote access tools (Zoho Assist, Syncro, AnyDesk, Splashtop, Atera) which are less likely to be flagged by standard security tools.
## Targeting
**Sectors:** Law firms, Legal sector, and Financial sectors (as detailed by EclecticIQ report).
**Geography:** Primarily targeting organizations in the U.S.
**Victims:** Law firms are specifically mentioned as recent targets in an FBI advisory.
## Tools & Infrastructure
**Malware Families Used:** Not explicitly detailed beyond the use of remote access programs installed by victims.
**Legitimate Tools Leveraged:** Rclone, WinSCP (including portable), Zoho Assist, Syncro, AnyDesk, Splashtop, Atera.
**Infrastructure:** Recently registered domains via GoDaddy, often spoofing targeted organizations' IT helpdesk portals (e.g., `vorys-helpdesk[.]com`). They use a limited range of name server providers, commonly `domaincontrol[.]com`.
## Implications
Luna Moth represents a persistent, financially motivated cybercriminal group that has successfully pivoted from ransomware delivery (via BazarCall) to direct data extortion leveraging highly effective social engineering (TOAD/callback phishing). Their current reliance on legitimate remote access tools poses a significant challenge for signature-based security detection systems.
## Mitigations
- Be vigilant for unsolicited phone calls claiming to be from internal IT departments.
- Scrutinize emails or voicemails concerning data theft claims or subscription service refunds/cancellations that direct users to call a specific phone number.
- Monitor network connections for WinSCP or Rclone activity communicating with external IP addresses.
- Educate staff on validating the legitimacy of remote access requests and verifying the identity of individuals claiming to be IT support.