FBI Warns of Luna Moth Callback Phishing Campaigns Targeting U.S. Law Firms
The U.S. Federal Bureau of Investigation (FBI) has issued an alert regarding an ongoing social engineering and extortion campaign orchestrated by a criminal threat group known as Luna Moth, which has been targeting law firms and legal entities over the past two years.
Also referred to as Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, Luna Moth is infamous for deploying callback phishing (TOAD – telephone-oriented attack delivery) and leveraging IT-themed lures to trick users into granting remote access to their systems.
Callback Phishing: The Core Tactic
The group's signature move involves sending phishing emails disguised as subscription or invoice alerts, urging recipients to call a fake customer support number to cancel a bogus charge.
During the call, the victim is manipulated into installing remote access software such as:
- Zoho Assist
- Syncro
- AnyDesk
- Splashtop
- Atera
Once installed, these tools provide unauthorized access to the system, allowing attackers to steal sensitive data and issue extortion demands, threatening to publish the data on leak sites or sell it to cybercriminals.
Evolution of Tactics in 2025
Since March 2025, Luna Moth has escalated their tactics, now directly calling targets while impersonating IT staff from within the victim’s organization.
Victims are instructed to:
- Join a remote access session via a link or by visiting a specific site
- Leave their system “on overnight” for supposed maintenance
Once access is gained, the attackers use legitimate tools such as:
- Rclone or WinSCP – for data exfiltration
- WinSCP Portable – in environments lacking administrative privileges
These legitimate tools help the attackers evade detection, since they're commonly used in real enterprise IT environments and not always flagged by antivirus software.
Technical Indicators and Detection
Security teams are advised to monitor for the following indicators:
- Unexpected Rclone or WinSCP traffic to external IPs
- Emails referencing premium subscriptions with a callback number
- Voicemails or emails from unidentified groups claiming data theft
- Unsolicited IT support phone calls
- Newly registered domains spoofing helpdesk portals (e.g., vorys-helpdesk[.]com)
A recent investigation by EclecticIQ and Silent Push noted at least 37 spoofed domains registered via GoDaddy, often beginning with the target's business name and hosted on domaincontrol[.]com nameservers.
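As an added illustration (not code from the FBI alert or from this article), the following Python triage routine applies the indicators above to constructed endpoint telemetry: process-creation events naming the remote support tools listed in the alert, network connections from Rclone or WinSCP to addresses outside RFC 1918 space, and DNS queries for domains that begin with the organization's name followed by a helpdesk-style token. The organization name `examplelaw`, the event schema and the sample events are assumptions made for the example.

```python
import ipaddress
import re

# Tools named in the FBI alert. Assumption (constructed): none of them is approved in this environment.
REMOTE_SUPPORT_TOOLS = {"zoho assist", "syncro", "anydesk", "splashtop", "atera"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
# Constructed organization name; spoofed helpdesk domains often start with the target's business name.
ORG_NAME = "examplelaw"
HELPDESK_SPOOF = re.compile(rf"{re.escape(ORG_NAME)}[-_]?(helpdesk|support|it)\.[a-z]{{2,}}")
# RFC 1918 and loopback ranges; anything else is treated as external for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage_event(evt: dict):
    """Return an alert label for one event, or None if it matches no indicator from the alert."""
    kind = evt.get("type")
    # Image basename, lower-cased, for Windows-style paths in process and network events.
    exe = evt.get("image", "").rsplit("\\", 1)[-1].lower()
    if kind == "process":
        if exe in EXFIL_TOOLS:
            return f"exfil-tool-execution:{exe}"
        desc = evt.get("description", "").lower()
        if any(tool in desc for tool in REMOTE_SUPPORT_TOOLS):
            return f"remote-support-tool:{desc}"
    elif kind == "network":
        if exe in EXFIL_TOOLS and is_external(evt["dst_ip"]):
            return f"exfil-tool-external-connection:{exe}->{evt['dst_ip']}"
    elif kind == "dns":
        query = evt["query"].lower().rstrip(".")
        if HELPDESK_SPOOF.fullmatch(query):
            return f"helpdesk-spoof-domain:{query}"
    return None


def triage(events) -> list:
    return [label for label in map(triage_event, events) if label]


# Constructed sample telemetry (process-creation, network-connection and DNS events); not real data.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\jdoe\Downloads\ZA_Connect.exe", "description": "Zoho Assist"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "description": "Notepad"},
    {"type": "network", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe", "dst_ip": "203.0.113.10"},
    {"type": "network", "image": r"C:\Tools\WinSCP.exe", "dst_ip": "10.20.30.40"},
    {"type": "dns", "query": "examplelaw-helpdesk.com"},
    {"type": "dns", "query": "examplelaw.com"},
]
```

Running `triage(SAMPLE_EVENTS)` yields three alerts (the Zoho Assist install, the Rclone connection to an external address, and the spoofed helpdesk domain) and ignores the benign events.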
Recommendations for Organizations
The FBI and cybersecurity experts urge defenders to:
- Educate employees on callback phishing tactics and how to recognize social engineering attempts
- Verify all IT-related communications, especially those involving remote access requests
- Monitor for the installation or execution of unauthorized remote support software
- Block or restrict file transfer tools like Rclone and WinSCP, where possible
- Harden access controls and review helpdesk-related domain registrations
Conclusion
Luna Moth’s continued operations and refined tactics underscore the increasing convergence of social engineering with legitimate tools to bypass traditional defenses. Organizations in the legal, financial, and professional services sectors are particularly urged to bolster awareness and implement strong endpoint monitoring to detect such stealthy intrusions.