FBI Alerts Law Firms to Luna Moth’s Stealth Phishing Campaign

May 27, 2025Ravie LakshmananData Breach / Social Engineering

The U.S. Federal Bureau of Investigation (FBI) has warned of social engineering attacks mounted by a criminal extortion actor known as Luna Moth targeting law firms over the past two years.

The campaign leverages “information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims,” the FBI said in an advisory.

Luna Moth, also called Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, is known to be active since at least 2022, primarily employing a tactic called callback phishing or telephone-oriented attack delivery (TOAD) to trick unsuspecting users into calling phone numbers listed in benign-looking phishing emails related to invoices and subscription payments.

It’s worth mentioning here that Luna Moth refers to the same hacking crew that previously carried out BazarCall (aka BazaCall) campaigns to deploy ransomware like Conti. The threat actors came into their own following the shutdown of the Conti syndicate.

Specifically, email recipients are instructed to call a customer support number to cancel their premium subscription within 24 hours to avoid incurring a payment. Over the course of the phone conversation, the victim is emailed a link and guided to install a remote access program, giving the threat actors unauthorized access to their systems.

Armed with the access, the attackers proceed to exfiltrate sensitive information and send an extortion note to the victim, demanding payment to avoid getting their stolen data published on a leaked site or sold to other cybercriminals.

The FBI said the Luna Moth actors have shifted their tactics as of March 2025 by calling individuals of interest and posing as employees from their company’s IT department.

“SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page,” the agency noted. “Once the employee grants access to their device, they are told that work needs to be done overnight.”

The threat actors, after obtaining access to the victim’s device, have been found to escalate privileges and leverage legitimate tools like Rclone or WinSCP to facilitate data exfiltration.

The use of genuine system management or remote access tools such as Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera to carry out the attacks means they are unlikely to be flagged by security tools installed on the systems.

“If the compromised device does not have administrative privileges, WinSCP portable is used to exfiltrate victim data,” the FBI added. “Although this tactic has only been observed recently, it has been highly effective and resulted in multiple compromises.”

Defenders are urged to be on the lookout for WinSCP or Rclone connections made to external IP addresses, emails or voicemails from an unnamed group claiming data was stolen, emails regarding subscription services providing a phone number and requiring a call to

remove pending renewal charges, and unsolicited phone calls from individuals claiming to work in their IT departments.

The disclosure follows a report from EclecticIQ detailing Luna Moth’s “high-tempo” callback phishing campaigns targeting U.S. legal and financial sectors using Reamaze Helpdesk and other remote desktop software.

According to the Dutch cybersecurity company, at least 37 domains were registered by the threat actor via GoDaddy in March, most of which spoofed the targeted organizations’ IT helpdesk and support portals.

“Luna Moth is primarily using helpdesk-themed domains, typically beginning with the name of the business being targeted, e.g., vorys-helpdesk[.]com,” Silent Push said in a series of posts on X. “The actors are using a relatively small range of registrars. The actors appear to use a limited range of nameserver providers, with domaincontrol[.]com being the most common.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!