• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
hackers are calling your office: fbi alerts law firms to

Hackers Are Calling Your Office: FBI Alerts Law Firms to Luna Moth’s Stealth Phishing Campaign

You are here: Home / General Cyber Security News / Hackers Are Calling Your Office: FBI Alerts Law Firms to Luna Moth’s Stealth Phishing Campaign
May 27, 2025

The U.S. Federal Bureau of Investigation (FBI) has warned of social engineering attacks mounted by a criminal extortion actor known as Luna Moth targeting law firms over the past two years.

The campaign leverages “information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims,” the FBI said in an advisory.

Luna Moth, also called Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, is known to be active since at least 2022, primarily employing a tactic called callback phishing or telephone-oriented attack delivery (TOAD) to trick unsuspecting users into calling phone numbers listed in benign-looking phishing emails related to invoices and subscription payments.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


Cybersecurity

It’s worth mentioning here that Luna Moth refers to the same hacking crew that previously carried out BazarCall (aka BazaCall) campaigns to deploy ransomware like Conti. The threat actors came into their own following the shutdown of the Conti syndicate.

Specifically, email recipients are instructed to call a customer support number to cancel their premium subscription within 24 hours to avoid incurring a payment. Over the course of the phone conversation, the victim is emailed a link and guided to install a remote access program, giving the threat actors unauthorized access to their systems.

Armed with the access, the attackers proceed to exfiltrate sensitive information and send an extortion note to the victim, demanding payment to avoid getting their stolen data published on a leaked site or sold to other cybercriminals.

The FBI said the Luna Moth actors have shifted their tactics as of March 2025 by calling individuals of interest and posing as employees from their company’s IT department.

“SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page,” the agency noted. “Once the employee grants access to their device, they are told that work needs to be done overnight.”

The threat actors, after obtaining access to the victim’s device, have been found to escalate privileges and leverage legitimate tools like Rclone or WinSCP to facilitate data exfiltration.

The use of genuine system management or remote access tools such as Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera to carry out the attacks means they are unlikely to be flagged by security tools installed on the systems.

“If the compromised device does not have administrative privileges, WinSCP portable is used to exfiltrate victim data,” the FBI added. “Although this tactic has only been observed recently, it has been highly effective and resulted in multiple compromises.”

Defenders are urged to be on the lookout for WinSCP or Rclone connections made to external IP addresses, emails or voicemails from an unnamed group claiming data was stolen, emails regarding subscription services providing a phone number and requiring a call to

Cybersecurity

remove pending renewal charges, and unsolicited phone calls from individuals claiming to work in their IT departments.

The disclosure follows a report from EclecticIQ detailing Luna Moth’s “high-tempo” callback phishing campaigns targeting U.S. legal and financial sectors using Reamaze Helpdesk and other remote desktop software.

According to the Dutch cybersecurity company, at least 37 domains were registered by the threat actor via GoDaddy in March, most of which spoofed the targeted organizations’ IT helpdesk and support portals.

“Luna Moth is primarily using helpdesk-themed domains, typically beginning with the name of the business being targeted, e.g., vorys-helpdesk[.]com,” Silent Push said in a series of posts on X. “The actors are using a relatively small range of registrars. The actors appear to use a limited range of nameserver providers, with domaincontrol[.]com being the most common.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Previous Post: «russia linked hackers target tajikistan government with weaponized word documents Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents
Next Post: Employees Searching Payroll Portals on Google Tricked Into Sending Paychecks to Hackers employees searching payroll portals on google tricked into sending paychecks»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Qilin Ransomware Adds “Call Lawyer” Feature to Pressure Victims for Larger Ransoms
  • Iran’s State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
  • 6 Steps to 24/7 In-House SOC Success
  • Massive 7.3 Tbps DDoS Attack Delivers 37.4 TB in 45 Seconds, Targeting Hosting Provider
  • 67 Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers
  • New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud and NFC Theft
  • BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with MacOS Backdoor Malware
  • Secure Vibe Coding: The Complete New Guide
  • Uncover LOTS Attacks Hiding in Trusted Tools — Learn How in This Free Expert Session
  • Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

Copyright © TheCyberSecurity.News, All Rights Reserved.