Introduction
Luna Moth, also tracked as Silent Ransom Group (SRG), Chatty Spider, UNC3753, and Storm-0252, represents something we don’t see often: a group that got better by doing less. These operators figured out that you don’t need zero-days, custom malware, or advanced persistence when you can just call someone and politely ask them to install the exact tools you need.
And before you think this is some low-tier operation, let me stop you there. Between April 2024 and April 2025, Luna Moth hit at least 64 confirmed U.S. organizations, with ransom demands ranging from $1 million to $8 million per victim. Their target list reads like a who’s who of industries that absolutely cannot afford data breaches: law firms (40% of victims), financial services (24%), and accounting firms (14%).
The kicker? No malware. No exploits. Just legitimate tools doing exactly what they’re designed to do, operated by someone who definitely shouldn’t have access to them.
Timeline: From Ransomware to Refined Extortion
Luna Moth didn’t just appear out of nowhere. They have lineage, and it’s exactly the pedigree you’d expect for operators this effective.
Pre-2022: The BazarCall Era
Before Luna Moth existed, these operators were running BazarCall campaigns for the Conti ransomware syndicate. If you were doing incident response in 2021, you probably dealt with their work. They’d send phishing emails with fake invoices, get victims to call in, and walk them through installing BazarLoader malware. That malware would then provide initial access for Ryuk and later Conti ransomware deployments.
The callback phishing technique was their signature move even then. It had a success rate that made traditional phishing look amateur by comparison.
March 2022: The Split
When Conti started its messy shutdown following Russia’s invasion of Ukraine and the subsequent leaks of internal communications, the BazarCall operators saw the writing on the wall. They broke away from the syndicate and formed Silent Ransom Group as an independent operation.
Smart move. Instead of following other Conti splinter groups into traditional ransomware, they pivoted to pure data extortion. No encryption, no file-locking headaches, no decryptors to maintain. Just steal data, threaten to leak it, collect payment.
2022-2023: Refining the Playbook
From March 2022 through early 2023, Luna Moth operated relatively under the radar, targeting organizations opportunistically across multiple sectors. They honed their social engineering scripts, built out their call center infrastructure, and started establishing their brand on the clearweb leak site business-data-leaks[.]com.
Spring 2023: Law Firm Focus Begins
Starting in spring 2023, Luna Moth shifted to consistently targeting U.S.-based law firms. The reasoning is obvious when you think about it: law firms hold extraordinarily sensitive client data, are bound by strict confidentiality requirements, and have deep-pocketed clients who would be very interested in knowing if their privileged communications were compromised.
A data breach for a law firm isn’t just an IT problem. It’s an ethical violation that can result in bar complaints, malpractice suits, and permanent loss of client trust.
March 2025: Tactical Evolution
In March 2025, Luna Moth changed their initial access vector. Instead of only relying on phishing emails with callback numbers, they started cold-calling employees directly, impersonating their own IT departments. This is ballsy. It requires significantly more infrastructure and operational security, but it cuts out the email security layer entirely.
They also began using AI-powered chatbots via Reamaze (a GoDaddy-owned platform) on their fake helpdesk sites. The chatbots handle initial victim interactions, making the operation more scalable while maintaining the appearance of legitimate IT support.
Present Day: High-Tempo Operations
As of late 2025, Luna Moth is conducting what researchers describe as “high-tempo” callback phishing campaigns. They’ve registered at least 37 typosquatted domains through GoDaddy to impersonate law firms and financial institutions. The FBI issued a formal warning about them in May 2025, and they continue to operate their clearweb leak site with apparent impunity.
They’re not slowing down. If anything, they’re scaling up.
Common TTPs: The LOLBAS Approach
Luna Moth’s entire operational model can be summed up in one principle: why build malware when you can just use the tools that are already there?
Initial Access: Social Engineering at Scale
Email-Based Callback Phishing
The classic approach involves phishing emails that look like subscription renewal notices. Fake charges for Zoho, Duolingo, MasterClass, or similar services, usually under $1,000 to avoid triggering immediate suspicion. The emails are clean. No malicious links, no attachments, no indicators that traditional email security would flag.
The email provides a phone number to “cancel” the subscription. When victims call, they reach a live operator at a Luna Moth-controlled call center.
Direct Phone Calls (Post-March 2025)
The newer tactic is even more direct. Luna Moth operators call employees claiming to be from their own IT department. They reference plausible technical issues like VPN problems, security updates, or suspicious login attempts. They create urgency without panic, striking that perfect balance that makes people comply.
Execution: Legitimate Tools Only
Once Luna Moth has a victim on the phone, the next phase is getting remote access. This is where the operation really shines from a DFIR evasion perspective.
Remote Monitoring and Management (RMM) Tools
Luna Moth walks victims through installing one or more legitimate RMM tools:
- Zoho Assist
- AnyDesk
- Atera
- Syncro
- SuperOps
- Splashtop
These tools are digitally signed. They’re used by legitimate IT departments every day. Antivirus products don’t flag them. EDR systems see them as business tools. Security teams might not even notice them being installed if the user has admin rights.
The operators often install multiple RMM tools for redundancy. If one session gets terminated, they have backup access.
Persistence (When Possible)
If the victim has administrative privileges on their machine, Luna Moth establishes persistence by properly installing an RMM tool that survives reboots. If the victim doesn’t have admin rights, they skip this step entirely and move straight to data exfiltration.
This adaptability is key. They don’t waste time trying to escalate privileges. They work with what they have.
Discovery and Collection
Luna Moth operators manually browse the victim’s system and connected network shares looking for high-value data:
- Legal contracts and case files
- Financial records
- Client databases
- Privileged communications
- Business strategies
- M&A documentation
They’re not running automated collection scripts. They’re doing this hands-on-keyboard, which makes it harder to detect but more targeted.
In some cases, they’ve deployed:
- SoftPerfect Network Scanner for reconnaissance
- SharpShares for enumerating network shares
They are also not shy about perusing browser bookmarks and applications such as SharePoint and Confluence if those are present and the victim's session lets them log in.
Exfiltration: Clean and Encrypted
This is where forensics gets really limited. Luna Moth exfiltrates data using:
WinSCP (Windows Secure Copy)
A legitimate SFTP client. If the victim doesn’t have admin rights, they use WinSCP Portable, which doesn’t require installation and runs in the user’s security context. All data transfer happens over encrypted SSH channels (port 22), making it invisible to traditional DLP solutions looking at unencrypted traffic.
Rclone
An open-source cloud synchronization tool. Luna Moth uses Rclone to sync stolen data directly to cloud storage services they control. In some cases, they rename the Rclone binary to disguise its presence, but the tool itself is completely legitimate.
EclecticIQ analysis found that 61% of Luna Moth infrastructure links to S3 buckets named with patterns like clientdata-<victim>-backup.
Impact: Extortion Without Encryption
After exfiltration, Luna Moth sends ransom emails threatening to publish stolen data on their clearweb leak site. They don’t always follow through on publishing, but the threat is enough.
They also call victims directly, sometimes multiple times. In some documented cases, they’ve threatened to contact the victim’s largest clients by name and disclose the breach if payment isn’t made.
Ransom demands between April 2024 and April 2025 ranged from $1 million to $8 million depending on the target’s size and ability to pay. Earlier operations saw demands of 2 to 78 Bitcoin.
Technical Deep Dive: How the Magic Happens
Let’s get into the weeds on exactly how these operations work at a technical level.
The Phishing Infrastructure
Luna Moth has invested heavily in infrastructure that supports their social engineering operations. As of March 2025, they’d registered at least 37 domains through GoDaddy, all following predictable patterns:
Domain Naming Convention
^[a-z]{1,}-help(desk){0,1}\.com$
Examples include:
- vorys-helpdesk[.]com
- smithhelp[.]com
- kobrekim-helpdesk[.]com
These domains impersonate real law firms and financial institutions. The pattern is consistent enough to be detectable, but varies enough that simple blocklists aren’t effective.
DNS Configuration
72% of Luna Moth domains resolve through GoDaddy’s default nameservers (ns[51-52].domaincontrol.com). This consistency is actually useful for detection if you know what to look for.
TLS Certificates
89% of their phishing sites host valid TLS certificates from Let’s Encrypt. This is critical for appearing legitimate. Modern browsers warn users about sites without HTTPS, so Luna Moth ensures their fake helpdesk sites look professional.
Reamaze Integration
Luna Moth embeds AI-powered chatbots from Reamaze directly into phishing pages. Reamaze is owned by GoDaddy, which means the chatbot infrastructure appears to come from a trusted provider.
When victims submit information on phishing forms, they receive automated confirmation emails from [email protected]. Because these emails originate from GoDaddy’s infrastructure, they often bypass traditional email security filters.
The RMM Installation Process
Once a victim calls in, here’s what happens technically:
- Initial Contact: Victim reaches Luna Moth call center
- Social Engineering: Operator establishes trust, creates urgency
- Tool Delivery: Operator emails a link or directs victim to a fake company helpdesk site
- Download and Install: Victim downloads RMM client (often Zoho Assist, AnyDesk, etc.)
- Session Initialization: Victim launches the RMM tool and provides session ID to operator
- Screen Blanking: Once connected, operator often blanks the screen to hide subsequent actions
- Additional Tools: Operator installs secondary RMM tools for redundancy
- Overnight Access: Operator tells victim they’ll work “overnight” to resolve the issue
The beauty of this approach is that the victim generates the logs themselves. They downloaded the tool. They launched it. They provided the session ID. From a forensic perspective, this looks like legitimate IT support activity.
Data Exfiltration Technical Details
WinSCP Usage
WinSCP connects via SFTP (SSH File Transfer Protocol) over port 22. The protocol provides:
- End-to-end encryption
- Authentication
- Data integrity verification
From a network monitoring perspective, this looks like standard secure file transfer. SSL/TLS inspection doesn't help here, because SFTP runs over SSH rather than TLS, so you can't see what files are being transferred.
WinSCP Portable is particularly nasty from a forensics perspective because:
- No installation required (no registry keys)
- No admin rights needed
- Runs from user profile or temp directories
- Minimal artifacts left behind
Rclone Configuration
Rclone can sync to over 70 cloud storage providers. Luna Moth’s preferred targets include:
- Amazon S3
- Various cloud storage providers
- Custom infrastructure
Rclone uses standard cloud provider APIs, which means the traffic looks like normal cloud storage access. Many organizations explicitly allow this traffic because employees legitimately use cloud storage services.
Network Infrastructure
Luna Moth’s exfiltration infrastructure shows some consistent patterns:
IP Ranges: 72% of their domains point to IP ranges in the 192.236.x.x subnet
Hosting Providers: They’ve been observed using Hostwinds for some infrastructure
Cloud Storage: 61% of operations link to S3 buckets with naming patterns like clientdata-<victim>-backup
Forensic Considerations and Limitations
Here’s where things get uncomfortable for defenders. Luna Moth operations are specifically designed to leave minimal forensic evidence, and they’re extremely effective at it.
What You Won’t Find
No Malware
There’s literally no malicious code to analyze. Every tool Luna Moth uses is legitimate software doing exactly what it’s designed to do. You can’t submit samples to VirusTotal because there are no samples. You can’t write YARA rules because there’s nothing malicious to match.
No Exploit Artifacts
Luna Moth doesn’t exploit vulnerabilities. They don’t need to. The victim installs everything themselves. There are no exploitation artifacts, no vulnerability scanner logs, no failed exploit attempts.
No Malicious Persistence Mechanisms
When Luna Moth establishes persistence, they do it through legitimate RMM software installation. The scheduled tasks, services, or startup entries look completely normal because they are normal for that software.
No Command and Control Beaconing
Traditional C2 detection looks for periodic beaconing, suspicious domains, strange user agents, or unusual network patterns. Luna Moth’s C2 is an RMM session, which uses the vendor’s standard infrastructure. It looks like every other RMM session in your environment.
Limited File System Artifacts
If Luna Moth uses WinSCP Portable and runs it from a temp directory, the artifacts are minimal:
- Possibly an entry in Recent Items
- Maybe UserAssist registry entries
- Prefetch files (if enabled)
- ShimCache entries
That’s about it. And those artifacts are easily cleaned up or lost during normal system use.
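As an added illustration (not code from the article), here is a small Python hunt over two of the artifact types listed above that are cheap to check: UserAssist value names, which Windows stores ROT13-encoded, and Prefetch file names. The registry value names, the user name jdoe and the Prefetch hashes are constructed samples; the "user-writable directory" heuristic is mine, not the article's.

```python
import codecs
import re

# Constructed UserAssist value names. Windows stores them ROT13-encoded under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count;
# the decoded path is in each comment. Paths and the user name are made up.
SAMPLE_USERASSIST = [
    "HRZR_PGYFRFFVBA",                                      # UEME_CTLSESSION (bookkeeping entry)
    r"P:\Jvaqbjf\Flfgrz32\abgrcnq.rkr",                     # C:\Windows\System32\notepad.exe
    r"P:\Hfref\wqbr\Qbjaybnqf\JvaFPC-Cbegnoyr\JvaFPC.rkr",  # C:\Users\jdoe\Downloads\WinSCP-Portable\WinSCP.exe
    r"P:\Hfref\wqbr\NccQngn\Ybpny\Grzc\epybar.rkr",         # C:\Users\jdoe\AppData\Local\Temp\rclone.exe
]

# Constructed C:\Windows\Prefetch listing; the 8-hex-digit hashes are made up.
SAMPLE_PREFETCH = [
    "NOTEPAD.EXE-D8414F97.pf",
    "WINSCP.EXE-1A2B3C4D.pf",
    "RCLONE.EXE-5E6F7A8B.pf",
    "NTOSBOOT-B00DFAAD.pf",
]

# Transfer tools the article ties to Luna Moth exfiltration.
WATCHED_EXECUTABLES = {"winscp.exe", "rclone.exe"}

# User-writable locations a portable tool is typically run from (analyst heuristic, not from the article).
USER_WRITABLE_DIRS = re.compile(r"\\(downloads|appdata\\local\\temp|desktop)\\", re.IGNORECASE)
PREFETCH_NAME = re.compile(r"^(?P<exe>[^-]+)-[0-9A-F]{8}\.pf$", re.IGNORECASE)


def decode_userassist(value_name):
    """UserAssist value names are ROT13; decode back to the original program path."""
    return codecs.decode(value_name, "rot13")


def hunt_userassist(value_names):
    """Return (decoded_path, reason) for entries that deserve analyst attention."""
    hits = []
    for name in value_names:
        path = decode_userassist(name)
        if not path.lower().endswith(".exe"):
            continue  # skip UEME_* bookkeeping and non-executable entries
        exe = path.rsplit("\\", 1)[-1].lower()
        if exe in WATCHED_EXECUTABLES:
            hits.append((path, "known transfer tool"))
        elif USER_WRITABLE_DIRS.search(path):
            hits.append((path, "executable run from user-writable directory"))
    return hits


def hunt_prefetch(filenames):
    """Match Prefetch file names (EXENAME-HASH.pf) against the watched executables."""
    hits = []
    for fn in filenames:
        m = PREFETCH_NAME.match(fn)
        if m and m.group("exe").lower() in WATCHED_EXECUTABLES:
            hits.append(fn)
    return hits


if __name__ == "__main__":
    for path, reason in hunt_userassist(SAMPLE_USERASSIST):
        print(f"UserAssist: {path}  <- {reason}")
    for fn in hunt_prefetch(SAMPLE_PREFETCH):
        print(f"Prefetch:   {fn}")
```

Both checks are name-based, so a renamed Rclone binary (which the article notes Luna Moth sometimes uses) only surfaces through the weaker "user-writable directory" signal; that is the reason the second branch exists.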
What You Might Find (If You’re Lucky)
RMM Tool Installation Logs
If the victim had admin rights and Luna Moth properly installed an RMM tool, you’ll have:
- Installation logs
- Service creation events (Event ID 7045)
- Scheduled task creation
- Registry keys for the RMM software
But remember, these look completely legitimate because they are legitimate software.
Network Connection Logs
If you have robust network logging, you might catch:
- Outbound SFTP connections (port 22) to unusual destinations
- Cloud storage API traffic to suspicious buckets
- RMM software connecting to vendor infrastructure
- Application-aware traffic tagging that identifies which application is performing a data transfer
The challenge is distinguishing this from legitimate use of the same tools by your own IT staff.
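The following Python is an added example, not code from the article or the cited reports. It applies the network indicators from this section and the Network Infrastructure notes above (outbound SFTP on port 22 to unusual destinations, the 192.236.x.x range, and the clientdata-<victim>-backup bucket naming from the EclecticIQ analysis) to flow records. The flow records, the approved SFTP destination 203.0.113.40, the approved bucket corp-fileshare and the volume threshold are constructed assumptions.

```python
import ipaddress
import re

# Constructed flow records (as a firewall or NetFlow export might provide). Internal hosts use
# 10.20.0.0/16; 203.0.113.40 (documentation range) stands in for a partner SFTP server.
SAMPLE_FLOWS = [
    {"src": "10.20.1.15", "dst": "192.236.10.7", "port": 22,  "bytes_out": 4_300_000_000, "host": ""},
    {"src": "10.20.1.15", "dst": "52.216.0.10",  "port": 443, "bytes_out": 1_900_000_000,
     "host": "clientdata-acmelaw-backup.s3.amazonaws.com"},
    {"src": "10.20.1.33", "dst": "203.0.113.40", "port": 22,  "bytes_out": 12_000, "host": ""},
    {"src": "10.20.1.33", "dst": "52.216.0.10",  "port": 443, "bytes_out": 5_000,
     "host": "corp-fileshare.s3.amazonaws.com"},
    {"src": "10.20.1.40", "dst": "172.16.5.5",   "port": 22,  "bytes_out": 800_000_000, "host": ""},
]

APPROVED_SFTP_DESTINATIONS = {"203.0.113.40"}   # assumption: where your own IT staff legitimately SFTP to
APPROVED_BUCKETS = {"corp-fileshare"}           # assumption: S3 buckets your organisation owns
WATCHED_NETS = [ipaddress.ip_network("192.236.0.0/16")]  # range the article reports for Luna Moth domains
BUCKET_PATTERN = re.compile(r"^clientdata-[a-z0-9]+-backup$")  # EclecticIQ bucket naming pattern
VOLUME_THRESHOLD = 500_000_000  # bytes; analyst-chosen, not from the article

# Virtual-hosted-style S3 hostnames: <bucket>.s3.amazonaws.com or <bucket>.s3.<region>.amazonaws.com
S3_HOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+?)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_bucket_name(host):
    """Extract the bucket from a virtual-hosted-style S3 hostname, or None if it is not one."""
    m = S3_HOST.match(host.lower())
    return m.group("bucket") if m else None


def triage_flows(flows):
    """Return (src, dst, reasons) for flows that look like Luna Moth-style exfiltration."""
    findings = []
    for f in flows:
        dst = ipaddress.ip_address(f["dst"])
        if dst.is_private:
            continue  # internal SSH/SFTP is out of scope for this hunt
        reasons = []
        if any(dst in net for net in WATCHED_NETS):
            reasons.append("destination in watched range 192.236.0.0/16")
        if f["port"] == 22 and f["dst"] not in APPROVED_SFTP_DESTINATIONS:
            reasons.append("SFTP/SSH to unapproved destination")
        bucket = s3_bucket_name(f["host"])
        if bucket and BUCKET_PATTERN.match(bucket):
            reasons.append("bucket name matches clientdata-<victim>-backup pattern")
        elif bucket and bucket not in APPROVED_BUCKETS:
            reasons.append("upload to unapproved S3 bucket")
        if (f["port"] == 22 or bucket) and f["bytes_out"] >= VOLUME_THRESHOLD:
            reasons.append("large outbound volume")
        if reasons:
            findings.append((f["src"], f["dst"], reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in triage_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

The allowlists are what separate this from noise: the same port-22 and S3 traffic generated by your own IT staff drops out once their destinations and buckets are enumerated, which is exactly the distinction the paragraph above says is hard to make by eye.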
Email Artifacts
The initial phishing email might still be in the user’s mailbox. The RMM tool vendor probably sent confirmation emails when the user created a session. But these emails look legitimate because, again, they are legitimate communications from real vendors.
File Access Logs
If you have robust file system auditing enabled (Sysmon, EDR, etc.), you might see:
- Unusual file access patterns
- Large numbers of files being opened
- Files being copied to temp locations
But this requires having those logs enabled before the incident, and having enough storage to keep them.
The Timeline Problem
Even if you detect a Luna Moth intrusion quickly, you face a significant timeline problem. In cases where Luna Moth established persistence, data exfiltration often occurred hours to weeks after initial contact. By the time you detect the activity:
- The data is already gone
- The operator may have cleaned up temporary files
- System logs may have rotated
- Evidence may be lost
In cases where the victim didn’t have admin rights, Luna Moth exfiltrated everything they could during the initial call. Your detection window is measured in minutes to hours, not days.
The Attribution Problem
Everything Luna Moth does is within the normal operational parameters of legitimate tools. This makes attribution incredibly difficult. How do you prove that a specific RMM session was malicious when the user initiated it themselves?
The social engineering aspect leaves almost no technical evidence. You might have call logs if the victim called the fake number, but if Luna Moth called them directly, you might not even have that.
Detection and Hunting
Given the limitations above, detecting Luna Moth requires a different approach than traditional threat hunting. You’re not hunting for malware. You’re hunting for anomalous behavior using legitimate tools.
Email-Based Detection
Phishing Email Indicators
Look for emails containing:
- Subscription renewal notifications with unusual urgency
- Invoices for services the recipient didn’t sign up for
- Phone numbers as the primary call-to-action
- No other contact methods provided
- Small dollar amounts (under $1,000) designed not to trigger financial review
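A heuristic scorer for the indicators just listed, as an added example (not code from the article). The two messages are constructed samples, one written to resemble the subscription-renewal lure the article describes and one a benign internal invoice; the word lists, the phone and amount regexes and the score itself are my choices.

```python
import re

# Constructed lure in the style the article describes: a renewal notice for a brand the
# victim never signed up for, a sub-$1,000 charge, and a phone number as the only way out.
SAMPLE_LURE = """Subject: Your MasterClass annual subscription has been renewed
Dear Customer,
Your MasterClass subscription was renewed today for $399.99. Your card will be charged within 24 hours.
If you did not authorize this renewal, call our billing team at (555) 010-2244 to cancel immediately.
Thank you."""

# Constructed benign message: an invoice with a link and a reply option, larger amount, no phone.
SAMPLE_BENIGN = """Subject: Q3 vendor invoice
Hi team, the Q3 invoice from our print vendor is attached and is also available on the portal:
https://portal.example.com/invoices/Q3
Questions? Reply to this email or ping me on Teams. Total: $12,450.00."""

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+")
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)(?:\.\d{2})?")
SUBSCRIPTION_WORDS = ("subscription", "renewal", "renewed", "invoice", "charged", "billing")
URGENCY_WORDS = ("immediately", "within 24 hours", "today", "urgent", "will be charged")
BRANDS = ("zoho", "duolingo", "masterclass")  # lure brands named in the article


def score_callback_lure(text):
    """Return (score, reasons). Higher means more lure-like; the alert threshold is yours to pick."""
    body = text.lower()
    reasons = []
    phones = PHONE_RE.findall(text)
    urls = URL_RE.findall(text)
    if any(w in body for w in SUBSCRIPTION_WORDS):
        reasons.append("subscription/renewal language")
    if any(w in body for w in URGENCY_WORDS):
        reasons.append("urgency language")
    if any(b in body for b in BRANDS):
        reasons.append("impersonated subscription brand")
    if phones and not urls:
        reasons.append("phone number is the only call to action")
    amounts = [float(m.group(1).replace(",", "")) for m in AMOUNT_RE.finditer(text)]
    if amounts and max(amounts) < 1000:
        reasons.append("small dollar amount (under $1,000)")
    return len(reasons), reasons


if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        score, reasons = score_callback_lure(msg)
        print(f"{label}: {score} -> {reasons}")
```

The "phone number but no URL" signal is the one that does most of the work: ordinary billing mail almost always carries a link or a reply path, while a callback lure deliberately offers neither.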
Domain Pattern Detection
Block or alert on domains matching:
^[a-z]{1,}-help(desk){0,1}\.com$
Filter for:
- Registrar: GoDaddy or Namecheap
- Nameserver: *.domaincontrol.com
- Creation date: Recent (last 90 days)
- TLS certificate: Let’s Encrypt
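The domain pattern and filter criteria above, together with the infrastructure notes in the Technical Deep Dive (GoDaddy default nameservers, Let's Encrypt certificates), can be combined into a simple scoring routine. The following Python is an added example, not from the article or the cited reports; the WHOIS, nameserver and certificate records are constructed samples. It keeps the article's regex as-is and adds a broadened variant of my own that makes the hyphen optional, since smithhelp[.]com, one of the article's own examples, would not match the strict regex.

```python
import re
from datetime import date

# Regex reported for Luna Moth helpdesk domains (as given in the article).
ARTICLE_PATTERN = re.compile(r"^[a-z]{1,}-help(desk){0,1}\.com$")
# Broadened variant (my generalisation, not from the article): hyphen optional.
BROAD_PATTERN = re.compile(r"^[a-z]+-?help(desk)?\.com$")

# Constructed registration/DNS/TLS records; sample values, not real lookups.
SAMPLE_DOMAINS = [
    {"domain": "vorys-helpdesk.com", "registrar": "GoDaddy",
     "ns": ["ns51.domaincontrol.com", "ns52.domaincontrol.com"],
     "created": date(2025, 2, 14), "issuer": "Let's Encrypt"},
    {"domain": "smithhelp.com", "registrar": "Namecheap",
     "ns": ["dns1.registrar-servers.com"],
     "created": date(2025, 3, 1), "issuer": "Let's Encrypt"},
    {"domain": "example-helpdesk.com", "registrar": "GoDaddy",      # long-lived, commercial CA: likely real
     "ns": ["ns51.domaincontrol.com"],
     "created": date(2018, 6, 30), "issuer": "DigiCert"},
    {"domain": "acme-corp.com", "registrar": "GoDaddy",             # every signal but the name
     "ns": ["ns51.domaincontrol.com"],
     "created": date(2025, 3, 20), "issuer": "Let's Encrypt"},
]

WATCHED_REGISTRARS = {"godaddy", "namecheap"}
RECENT_DAYS = 90
REFERENCE_DATE = date(2025, 4, 1)  # "today" for the constructed samples


def score_domain(rec, as_of):
    """Return (name_matches, supporting_signals) for one record."""
    name = rec["domain"].lower()
    name_matches = bool(ARTICLE_PATTERN.match(name) or BROAD_PATTERN.match(name))
    reasons = []
    if rec["registrar"].lower() in WATCHED_REGISTRARS:
        reasons.append("registrar GoDaddy/Namecheap")
    if any(ns.lower().endswith(".domaincontrol.com") for ns in rec["ns"]):
        reasons.append("GoDaddy default nameservers")
    if (as_of - rec["created"]).days <= RECENT_DAYS:
        reasons.append("registered in the last 90 days")
    if "let's encrypt" in rec["issuer"].lower():
        reasons.append("Let's Encrypt certificate")
    return name_matches, reasons


def triage_domains(records, as_of=REFERENCE_DATE, min_signals=3):
    """Keep domains whose name matches the pattern and that carry at least min_signals other signals."""
    flagged = []
    for rec in records:
        name_matches, reasons = score_domain(rec, as_of)
        if name_matches and len(reasons) >= min_signals:
            flagged.append((rec["domain"], reasons))
    return flagged


if __name__ == "__main__":
    for domain, reasons in triage_domains(SAMPLE_DOMAINS):
        print(f"{domain}: {'; '.join(reasons)}")
```

The name pattern is treated as a gate rather than as one signal among several: a domain with GoDaddy nameservers, a recent registration and a Let's Encrypt certificate describes a large share of the legitimate internet, so those signals only become interesting once the name already looks like a fake helpdesk.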
RMM Tool Monitoring
Unauthorized RMM Tool Deployment
Alert on execution of RMM tools that aren’t part of your authorized toolset:
- Zoho Assist
- AnyDesk
- Atera
- Syncro
- SuperOps
- Splashtop
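Added example (not the article's code): a triage routine over constructed Sysmon process-creation (Event ID 1) and service-install (Event ID 7045) records that flags RMM tools outside an authorized baseline, tying this section back to the "RMM Tool Installation Logs" artifacts described earlier. It recognises a product by a vendor keyword in the image path, product, company or service-name fields rather than by a specific binary name; host names, users, paths, the authorized tool (Splashtop) and the IT account list are assumptions.

```python
import re

# Constructed Sysmon process-creation (Event ID 1) and System-log service-install (Event ID 7045)
# records, reduced to the fields the hunt needs. Hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-0142", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "company": "AnyDesk Software GmbH", "product": "AnyDesk"},
    {"event_id": 1, "host": "WS-0007", "user": "CORP\\itadmin",
     "image": r"C:\Program Files (x86)\Splashtop\agent.exe",
     "company": "Splashtop Inc.", "product": "Splashtop Streamer"},
    {"event_id": 7045, "host": "WS-0142", "user": "CORP\\jdoe",
     "service_name": "Zoho Assist Unattended Support",
     "image": r"C:\Program Files (x86)\Zoho Assist\agent.exe"},
    {"event_id": 1, "host": "WS-0142", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "company": "Microsoft Corporation", "product": "Microsoft Windows"},
]

# The RMM products the article lists, keyed by a vendor keyword looked for in the
# image path, product, company and service-name fields.
RMM_KEYWORDS = {"zoho": "Zoho Assist", "anydesk": "AnyDesk", "atera": "Atera",
                "syncro": "Syncro", "superops": "SuperOps", "splashtop": "Splashtop"}
AUTHORIZED_RMM = {"Splashtop"}      # assumption: the one tool your IT team actually uses
IT_ACCOUNTS = {"corp\\itadmin"}     # assumption: accounts permitted to run RMM tools
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\", re.IGNORECASE)


def identify_rmm(event):
    """Return the RMM product name an event refers to, or None."""
    fields = ("image", "product", "company", "service_name")
    haystack = " ".join(str(event.get(k, "")) for k in fields).lower()
    for keyword, product in RMM_KEYWORDS.items():
        if keyword in haystack:
            return product
    return None


def triage_events(events):
    """Return (host, product, event_id, reasons) for RMM activity outside the authorized baseline."""
    findings = []
    for ev in events:
        product = identify_rmm(ev)
        if product is None:
            continue
        reasons = []
        if product not in AUTHORIZED_RMM:
            reasons.append(f"{product} is not an authorized RMM tool")
        if ev.get("user", "").lower() not in IT_ACCOUNTS:
            reasons.append(f"run by non-IT account {ev.get('user')}")
        if USER_WRITABLE.search(ev.get("image", "")):
            reasons.append("binary in user-writable path (portable or ad-hoc install)")
        if reasons and ev["event_id"] == 7045:
            reasons.append("service installed: persistence that survives reboot (Event ID 7045)")
        if reasons:
            findings.append((ev["host"], product, ev["event_id"], reasons))
    return findings


if __name__ == "__main__":
    for host, product, event_id, reasons in triage_events(SAMPLE_EVENTS):
        print(f"{host} [{event_id}] {product}: {'; '.join(reasons)}")
```

An authorized tool run by an IT account from its normal install path produces no finding at all, which keeps the rule quiet in an environment that genuinely uses one of these products; the interesting events are the unauthorized product, the non-IT user, and the service install that means the operator had admin rights and now has access that survives a reboot.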
Closing Assessment
Luna Moth represents a maturation of social engineering attacks into something that’s genuinely difficult to defend against using traditional security controls. They’ve stripped away all the technical complexity that usually gives defenders visibility, and replaced it with human manipulation and legitimate tools.
This is what peak cybercrime efficiency looks like. No malware development costs. No exploit research. No infrastructure to maintain beyond call centers and domain registration. The tools they need already exist, are digitally signed, and are explicitly allowed by security controls because IT uses them every day.
From a pure cost-benefit analysis, Luna Moth’s approach is brilliant. They’ve figured out that the weakest link isn’t technical - it’s people who want to be helpful when someone claiming to be IT calls with an urgent problem.
What makes them particularly dangerous:
- Low detection rate: Without malware, traditional security tools are nearly blind to their operations
- High success rate: Callback phishing has significantly better success rates than email-only phishing
- Minimal forensic artifacts: Even when you detect them, there’s often little evidence to analyze
- Scalable operation: Call centers can handle high volumes, and the attack pattern is reproducible
- High-value targets: They specifically choose victims with sensitive data and money to pay
- Proven monetization: Ransom demands in the millions, with documented payments
References
- FBI Private Industry Notification (20250523-001) - “Silent Ransom Group Targeting Law Firms”
- Unit 42 Threat Assessment - “Luna Moth Callback Phishing Campaign”
- EclecticIQ Analyst Note - “From Callback Phishing to Extortion: Luna Moth Abuse Reamaze Helpdesk and RMM Tools Against U.S. Legal and Financial Sectors”
- Sygnia Threat Intelligence Report - “Luna Moth: The Threat Actors Behind Recent False Subscription Scams”
- BleepingComputer - “FBI warns of Luna Moth extortion attacks targeting law firms”
- SOCRadar Dark Web Profile - “Silent Ransom Group (LeakedData)”
- The Hacker News - “Conti Cybercrime Cartel Using ‘BazarCall’ Phishing Attacks as Initial Attack Vector”