The U.S. FBI has warned about ongoing social engineering attacks targeting U.S. law firms. A criminal extortion actor known as Luna Moth is mounting these dangerous campaigns. These attacks have been actively targeting these legal firms for the past two years. The campaign leverages information technology themed social engineering calls and also callback phishing emails. Their primary goal is to gain remote access to systems or various employee devices. They then steal sensitive data from these systems to extort the unfortunate victims. Luna Moth also called Silent Ransom Group (SRG) has been active since at least 2022. This group was previously behind BazarCall campaigns which deployed ransomware like Conti and Ryuk.
Luna Moth primarily employs a tactic called callback phishing or telephone-oriented attack delivery.
Unsuspecting users receive benign-looking phishing emails related to invoices or online subscription payments. Email recipients are instructed to call a customer support number to cancel their subscription. During the subsequent phone conversation the victim is then emailed a specific web link. They are then guided to install a remote access program onto their computer system. This action gives the threat actors unauthorized remote access directly to the victim’s systems. With this access attackers exfiltrate sensitive information and then send an extortion note. As of March 2025 Luna Moth actors have significantly shifted their attack tactics. They now directly call individuals of interest while posing as company IT department employees.
Employees are then directed to join a remote access session via email or webpage.
Once the employee grants remote access to their device attackers often work overnight. The threat actors then proceed to escalate their privileges on the compromised system. They often leverage legitimate tools like Rclone or WinSCP to facilitate data exfiltration. The use of genuine system management or remote access tools makes detection very hard. Tools like Zoho Assist Syncro AnyDesk or Atera are unlikely to be flagged.
If the compromised device does not have administrative privileges WinSCP portable is then used. This recent tactic has been observed as highly effective resulting in multiple compromises. After stealing data SRG extorts victims via ransom emails threatening to leak information. They also call employees of breached organizations to pressure them into ransom negotiations.
An EclecticIQ report detailed Luna Moth’s high-tempo callback phishing campaigns targeting U.S. firms. These attacks specifically focus on the U.S. legal and also the financial sectors. Attackers register domains that spoof the targeted organizations’ IT helpdesk and support portals. Victims are then tricked into installing remote monitoring and management (RMM) software.
This RMM tool gives attackers full hands-on keyboard access to compromised devices. The FBI advises using robust passwords and enabling two-factor authentication for all employees. Regular data backups and staff training on detecting phishing attempts are also crucial. Defenders should look for WinSCP or Rclone connections made to any external IP addresses. SRG ransom demands typically range between one and also eight million U.S. dollars. The group doesn’t encrypt systems but threatens data leaks which they don’t always do.
Reference:
