Hackers Are Calling Your Office: FBI Alerts Law Firms to Luna Moth’s Stealth Phishing Campaign

The U.S. Federal Bureau of Investigation (FBI) has warned of social engineering attacks mounted by a criminal extortion actor known as Luna Moth targeting law firms over the past two years.

The campaign leverages “information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims,” the FBI said in an advisory.

Luna Moth, also called Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, is known to be active since at least 2022, primarily employing a tactic called callback phishing or telephone-oriented attack delivery (TOAD) to trick unsuspecting users into calling phone numbers listed in benign-looking phishing emails related to invoices and subscription payments.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

It’s worth mentioning here that Luna Moth refers to the same hacking crew that previously carried out BazarCall (aka BazaCall) campaigns to deploy ransomware like Conti. The threat actors came into their own following the shutdown of the Conti syndicate.

Specifically, email recipients are instructed to call a customer support number to cancel their premium subscription within 24 hours to avoid incurring a payment. Over the course of the phone conversation, the victim is emailed a link and guided to install a remote access program, giving the threat actors unauthorized access to their systems.

Armed with the access, the attackers proceed to exfiltrate sensitive information and send an extortion note to the victim, demanding payment to avoid getting their stolen data published on a leaked site or sold to other cybercriminals.

The FBI said the Luna Moth actors have shifted their tactics as of March 2025 by calling individuals of interest and posing as employees from their company’s IT department.

“SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page,” the agency noted. “Once the employee grants access to their device, they are told that work needs to be done overnight.”

The threat actors, after obtaining access to the victim’s device, have been found to escalate privileges and leverage legitimate tools like Rclone or WinSCP to facilitate data exfiltration.

The use of genuine system management or remote access tools such as Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera to carry out the attacks means they are unlikely to be flagged by security tools installed on the systems.

“If the compromised device does not have administrative privileges, WinSCP portable is used to exfiltrate victim data,” the FBI added. “Although this tactic has only been observed recently, it has been highly effective and resulted in multiple compromises.”

Defenders are urged to be on the lookout for WinSCP or Rclone connections made to external IP addresses, emails or voicemails from an unnamed group claiming data was stolen, emails regarding subscription services providing a phone number and requiring a call to

remove pending renewal charges, and unsolicited phone calls from individuals claiming to work in their IT departments.

The disclosure follows a report from EclecticIQ detailing Luna Moth’s “high-tempo” callback phishing campaigns targeting U.S. legal and financial sectors using Reamaze Helpdesk and other remote desktop software.

According to the Dutch cybersecurity company, at least 37 domains were registered by the threat actor via GoDaddy in March, most of which spoofed the targeted organizations’ IT helpdesk and support portals.

“Luna Moth is primarily using helpdesk-themed domains, typically beginning with the name of the business being targeted, e.g., vorys-helpdesk[.]com,” Silent Push said in a series of posts on X. “The actors are using a relatively small range of registrars. The actors appear to use a limited range of nameserver providers, with domaincontrol[.]com being the most common.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.