Luna Moth Targets U.S. Law Firms with Stealth Phishing Attacks

In the dynamic field of cybersecurity, Malik Haidar stands out with his exceptional expertise in handling sophisticated threats and managing hacker infiltration within some of the world’s largest companies. With a robust background in analytics, intelligence, and security, Malik brings a business-savvy approach to cybersecurity—a critical perspective in today’s digital landscape. In this interview, we delve into a timely FBI warning about a cybersecurity threat targeting law firms, known as the Luna Moth campaign.

Can you explain the recent warning issued by the FBI regarding Luna Moth’s phishing campaign?

The FBI recently issued a warning about a series of social engineering attacks by a group known as Luna Moth. They’ve been targeting law firms over the past couple of years. These attacks involve sophisticated phishing emails and IT-themed phone calls, aiming to gain remote access to sensitive systems and extort victims by stealing data.

Who is Luna Moth, and what other names are they known by?

Luna Moth is a cybercriminal group also referred to as Chatty Spider, Silent Ransom Group, Storm-0252, and UNC3753. This group has been active since at least 2022, employing various aliases as they carry out different campaigns.

How does the callback phishing or telephone-oriented attack delivery (TOAD) tactic work in Luna Moth’s campaign?

The callback phishing or TOAD tactic used by Luna Moth involves sending phishing emails that appear benign but include a number to call regarding invoice or subscription issues. When the victim calls, they are led through a series of steps that ultimately give the attackers remote access to their systems under the guise of managing a subscription cancellation.

What is the connection between Luna Moth and the previous BazarCall or BazaCall campaigns?

Luna Moth is the same hacking entity behind the BazarCall campaigns that previously focused on deploying ransomware like Conti. They emerged more prominently after the Conti syndicate’s shutdown, continuing with their social engineering toolkit.

How have Luna Moth’s tactics evolved since March 2025?

Since March 2025, Luna Moth has adapted their tactics by impersonating employees from the targeted company’s IT department. They call individuals directly, persuading them to join a remote access session to ‘perform overnight system work’, allowing the attackers to take over the device.

What specific strategies do Luna Moth actors use to trick individuals during social engineering attacks?

The Luna Moth actors utilize convincing IT-themed narratives and impersonate legitimate company personnel. They exploit common business practices around subscription renewals and IT support, making it seem as if their communication is routine business procedure, thus fooling many into complying with their requests.

Which tools are commonly used by Luna Moth actors for remote access and data exfiltration?

They often use tools like Rclone and WinSCP for data exfiltration. For remote access, they employ software such as Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera. These legitimate tools make detection by security systems quite challenging.

Why might security tools fail to detect Luna Moth’s activities?

Security tools often miss these activities because the tools Luna Moth uses are legitimate software solutions for remote access and file transfer, which typically don’t trigger security alerts when used in a business context.

What signs should defenders look out for to identify potential Luna Moth threats?

Defenders should watch for unusual connections made by WinSCP or Rclone to external IPs, unsolicited calls from supposed IT staff, suspicious emails about subscription renewals requiring a callback, and any voicemails claiming data theft.

How does the use of domains and registrars play into Luna Moth’s phishing strategy?

Luna Moth utilizes helpdesk-themed domains that mimic legitimate IT support addresses of targeted organizations. They register these domains through services like GoDaddy, often using common designs and limited providers to appear credible and familiar.

What industries are primarily targeted by Luna Moth’s campaigns, and why?

Luna Moth primarily targets the legal and financial sectors, likely due to the high value and sensitivity of their data, which can be lucrative if stolen and ransomed.

How does Luna Moth employ helpdesk-themed domains in their attacks?

They register domains beginning with the business name followed by helpdesk terminology, creating a sense of authenticity and prompting victims to follow instructions, mistaking these communications for genuine ones.

Can you provide examples of the kinds of domains Luna Moth registers for their campaigns?

Examples include domains like vorys-helpdesk.com. These domains spoof the helpdesk of the targeted organization, designed to appear as a trustworthy and legitimate support portal.

What recommendations does the FBI provide to protect against Luna Moth’s phishing attacks?

The FBI recommends vigilance against unsolicited contact about IT issues, verifying caller identity independently, and being cautious with unexpected email directives that require urgent action like calling a provided number.

What role do email and voicemail communications play in Luna Moth’s strategy?

Email and voicemail are pivotal in Luna Moth’s attacks, as they initiate contact and introduce the deception narratives that lead to compromised access and ultimately escalated control by the attackers.

How significant is the threat posed by Luna Moth to organizations today?

Luna Moth represents a serious threat, particularly to industries that manage sensitive information. Their evolving tactics and use of legitimate software make them a potent adversary, necessitating robust cybersecurity awareness and continuous monitoring.

Do you have any advice for our readers?

Stay informed about the latest phishing tactics and ensure your organization invests in comprehensive cybersecurity training. Empower employees with the knowledge to spot and report suspicious activity, fostering a collective defense against these sophisticated threats.
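Two of the defender-side points raised in the interview (unusual WinSCP or Rclone connections to external IPs, and helpdesk-themed lookalike domains built from a business name) can be turned into simple triage checks. The script below is an added example, not part of the interview or of any FBI guidance; the network events, org names, internal ranges and IP addresses it uses are constructed, and the one real-looking domain (vorys-helpdesk.com) is the one quoted above.

```python
import ipaddress

# Added example: tool names follow the interview; the events, org names and IPs are constructed.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# RFC1918, loopback and link-local count as internal; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external_ip(ip: str) -> bool:
    """True when the destination lies outside INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_exfil_connections(events):
    """Return events where a known transfer tool connected to an external IP.
    Each event: {'process': path or image name, 'dst_ip': str, 'dst_port': int}."""
    hits = []
    for ev in events:
        image = ev["process"].lower().rsplit("\\", 1)[-1]  # strip any Windows path
        if image in EXFIL_TOOLS and is_external_ip(ev["dst_ip"]):
            hits.append(ev)
    return hits

# Suffixes that turn an org name into a helpdesk-themed lookalike such as 'vorys-helpdesk'.
HELPDESK_TERMS = {"helpdesk", "help-desk", "itsupport", "it-support", "servicedesk", "support"}

def is_helpdesk_lookalike(domain: str, org_names) -> bool:
    """True when the registered label is an org name plus a helpdesk term.
    Handles single-label TLDs (.com/.net); 'helpdesk.<org>.com', a subdomain of the
    org's own domain, is deliberately not flagged."""
    label = domain.lower().rstrip(".").split(".")[0]
    for org in org_names:
        org = org.lower()
        if label.startswith(org) and label[len(org):].lstrip("-_") in HELPDESK_TERMS:
            return True
    return False

# Constructed sample telemetry: two hits (rclone and WinSCP to external IPs), two benign rows.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"process": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "dst_ip": "10.20.30.40", "dst_port": 22},
    {"process": r"C:\Windows\System32\svchost.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"process": "winscp.exe", "dst_ip": "198.51.100.22", "dst_port": 22},
]

if __name__ == "__main__":
    print(flag_exfil_connections(SAMPLE_EVENTS))
    print([d for d in ("vorys-helpdesk.com", "vorys.com") if is_helpdesk_lookalike(d, ["vorys"])])
```

Feed `flag_exfil_connections` with process-network events from your EDR and `is_helpdesk_lookalike` with newly registered domains from a certificate-transparency or registrar feed; a hit is a triage lead, not proof of compromise, since both tools have legitimate business uses.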
