The cybercriminal group known as Luna Moth, also referred to as Silent Ransom Group, UNC3753, and Storm-0252, has intensified its phishing campaigns since March 2025, focusing on high-value targets within the legal and financial sectors in the United States. Recent investigations by security firms EclecticIQ and Silent Push have unveiled a sophisticated strategy involving the registration of typosquatted domains designed to impersonate legitimate IT support portals.
Domain Registration and Naming Conventions
Luna Moth has registered at least 37 domains through GoDaddy, with indications that the number may exceed 50 unique domains. These domains adhere to a consistent naming pattern, typically formatted as [company_name]-helpdesk.com or [company_name]helpdesk.com. This deliberate mimicry aims to deceive users into believing they are interacting with their organization’s genuine IT support services.
Shift to Telephone-Oriented Attack Delivery (TOAD)
Moving beyond traditional phishing methods that rely on malicious attachments or links, Luna Moth employs telephone-oriented attack delivery (TOAD) techniques. This approach begins with seemingly innocuous emails prompting recipients to call fraudulent helpdesk numbers. Once engaged, victims are guided through interactions that lead to the installation of remote monitoring and management (RMM) tools, granting attackers unauthorized access to systems.
Exploitation of AI-Powered Chatbots
A particularly concerning development in Luna Moth’s tactics is the weaponization of Reamaze, a legitimate customer support platform owned by GoDaddy. The group embeds AI-powered chatbots into their phishing pages to simulate authentic IT helpdesk interactions. These chatbots engage victims in real-time, guiding them toward installing RMM tools such as AnyDesk, TeamViewer, and ScreenConnect. By leveraging legitimate software, attackers achieve hands-on access without deploying traditional malware, thereby evading many security detections.
Methodology for Identifying Malicious Domains
Building on EclecticIQ’s research, security firm Silent Push has developed a methodology to identify newly created Luna Moth domains. Their approach utilizes specific search criteria:
– Regular expression pattern ^[a-z]{1,}-help(desk){0,1}.com$ to capture helpdesk-themed domains (as published, the dot before com is unescaped and so matches any single character; escaping it as \.com restricts the match to a literal dot)
– GoDaddy as the registrar
– Domaincontrol.com as the nameserver provider
– Creation date filter after March 2025
This search technique has uncovered approximately 50 unique domains targeting major law firms, including examples like duanemorris-helpdesk.com, perkinscoie-helpdesk.com, and millermartin-helpdesk.com.
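The four criteria above can be applied mechanically to a batch of registration records. The following Python is an added example, not code from the article or from Silent Push or EclecticIQ: it tightens the published regex by escaping the dot, makes the hyphen optional so that the [company_name]helpdesk.com form from the naming convention is also caught (this goes beyond the published pattern), reads "after March 2025" as a creation date on or after 1 March 2025 (an assumption), and runs against constructed records, not real WHOIS data. The brand filter at the end is the same idea narrowed to one organisation's name, for the brand-monitoring recommendation.

```python
"""Apply the four-part helpdesk-domain search profile to registration records."""
import re
from datetime import date

# Published pattern, kept for comparison: the unescaped "." matches any character.
PUBLISHED_PATTERN = re.compile(r"^[a-z]{1,}-help(desk){0,1}.com$")
# Tightened pattern: literal dot, and the hyphen is optional so that both
# "[company]-helpdesk.com" and "[company]helpdesk.com" are covered.
HELPDESK_PATTERN = re.compile(r"^[a-z]+-?help(?:desk)?\.com$")

REGISTRAR = "godaddy"                    # registrar named in the methodology
NAMESERVER_SUFFIX = "domaincontrol.com"  # nameserver provider named in the methodology
CUTOFF = date(2025, 3, 1)                # assumption: "after March 2025" = on/after 1 March 2025


def matches_profile(record):
    """True when a WHOIS-style record satisfies all four search criteria."""
    domain = record["domain"].lower()
    if not HELPDESK_PATTERN.match(domain):
        return False
    if REGISTRAR not in record["registrar"].lower():
        return False
    if not any(ns.lower().endswith(NAMESERVER_SUFFIX) for ns in record["nameservers"]):
        return False
    return record["created"] >= CUTOFF


def find_candidates(records):
    """Domains fitting the profile, in input order."""
    return [r["domain"] for r in records if matches_profile(r)]


def brand_candidates(records, brand):
    """Narrow the candidates to labels built on one organisation's name."""
    brand = brand.lower()
    return [d for d in find_candidates(records)
            if d.split(".")[0].replace("-", "").startswith(brand)]


def published_vs_tightened(domain):
    """(published matches, tightened matches) for one domain string."""
    return (bool(PUBLISHED_PATTERN.match(domain)), bool(HELPDESK_PATTERN.match(domain)))


# Constructed sample records (not real registrations); fields mimic WHOIS output.
SAMPLE_RECORDS = [
    {"domain": "examplelaw-helpdesk.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns01.domaincontrol.com", "ns02.domaincontrol.com"],
     "created": date(2025, 4, 12)},
    {"domain": "examplelawhelpdesk.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns11.domaincontrol.com"], "created": date(2025, 5, 3)},
    {"domain": "examplebank-help.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns21.domaincontrol.com"], "created": date(2025, 3, 20)},
    # Same naming, different registrar and nameservers: outside the profile.
    {"domain": "examplebank-helpdesk.com", "registrar": "Other Registrar Inc.",
     "nameservers": ["ns1.other-dns.example"], "created": date(2025, 4, 1)},
    # Fits every criterion except the creation date.
    {"domain": "examplefirm-helpdesk.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns31.domaincontrol.com"], "created": date(2024, 11, 2)},
    # Unrelated naming on the same infrastructure.
    {"domain": "examplefirm-portal.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns41.domaincontrol.com"], "created": date(2025, 4, 9)},
]

if __name__ == "__main__":
    for d in find_candidates(SAMPLE_RECORDS):
        print("candidate:", d)
    print("examplebank only:", brand_candidates(SAMPLE_RECORDS, "examplebank"))
```

In practice the records would come from a WHOIS or passive-DNS feed; the profile is deliberately narrow, so a domain that fails the registrar or nameserver test is not cleared, only not attributed to this particular registration pattern.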
Industry Focus and Victimology
Luna Moth’s campaign demonstrates a clear industry focus, with legal firms accounting for 40.28% of victims, followed by financial services (23.61%) and accounting (13.89%). This deliberate targeting underscores the group’s intent to exploit sectors where sensitive data is prevalent and closely tied to both reputation and regulatory compliance.
Attack Progression and Data Exfiltration
After gaining access through the installation of RMM tools, attackers conduct reconnaissance to identify valuable information on the victim’s computer and connected file shares. They then quietly exfiltrate data to a server they control using file transfer tools like WinSCP and Rclone. Following data exfiltration, victims receive extortion emails demanding ransoms between $1 million and $8 million USD, with threats to publicly release the stolen information if demands are not met. The group’s dedicated leak site, business-data-leaks[.]com, serves as a platform for such disclosures.
Recommendations for Mitigation
Security professionals are advised to implement enhanced email security measures to detect and block phishing attempts. Educating employees about callback phishing techniques and the risks associated with unsolicited communications is crucial. Developing detection rules for unexpected RMM tool installations can help identify unauthorized access. Additionally, organizations should regularly monitor for new domain registrations that may target their brand, enabling proactive defense against such impersonation tactics.
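The attack progression described above (RMM tool first, WinSCP or Rclone afterwards) and the recommendation to alert on unexpected RMM installations suggest a simple two-stage detection. The following Python is an added example, not from the article or from any vendor: it parses constructed, simplified process-creation log lines (the key=value layout is invented for the example), raises a medium alert for an RMM executable launched outside an assumed allowlist of IT hosts and accounts, and escalates to high when a transfer tool follows on the same host within 24 hours. The executable names are assumptions for illustration; real deployments vary by vendor packaging and version.

```python
"""Flag unexpected RMM launches and follow-on transfer tools in process-creation logs."""
import re
from datetime import datetime, timedelta

# Assumed executable names for the tools named in the article.
RMM_IMAGES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
TRANSFER_IMAGES = {"winscp.exe", "rclone.exe"}
# Assumed allowlist: the IT workstation and account that legitimately run RMM software.
APPROVED_RMM_HOSTS = {"IT-ADMIN-01"}
APPROVED_RMM_USERS = {"it-helpdesk"}
FOLLOW_ON_WINDOW = timedelta(hours=24)

# Constructed line layout: "<iso-ts> host=<h> user=<u> image=<path> parent=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"image=(?P<image>.+?)\s+parent=(?P<parent>.+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["name"] = ev["image"].rsplit("\\", 1)[-1].lower()
    # A launch from a user profile (e.g. Downloads) is typical of an ad-hoc install.
    ev["user_path"] = ev["image"].lower().startswith("c:\\users\\")
    return ev


def analyze(lines):
    """Walk the lines in order and return the alerts the two rules produce."""
    alerts = []
    first_rmm = {}  # host -> time of the first unexpected RMM launch
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        base = {"host": ev["host"], "user": ev["user"], "image": ev["name"],
                "user_path": ev["user_path"], "ts": ev["ts"].isoformat()}
        if ev["name"] in RMM_IMAGES:
            if ev["host"] in APPROVED_RMM_HOSTS or ev["user"] in APPROVED_RMM_USERS:
                continue
            first_rmm.setdefault(ev["host"], ev["ts"])
            alerts.append({"severity": "medium", "rule": "unexpected_rmm", **base})
        elif ev["name"] in TRANSFER_IMAGES:
            seen = first_rmm.get(ev["host"])
            if seen is not None and ev["ts"] - seen <= FOLLOW_ON_WINDOW:
                alerts.append({"severity": "high", "rule": "rmm_then_transfer", **base})
            else:
                alerts.append({"severity": "low", "rule": "transfer_tool", **base})
    return alerts


# Constructed sample log lines (not real telemetry).
SAMPLE_LINES = [
    r"2025-04-14T09:58:02Z host=IT-ADMIN-01 user=it-helpdesk image=C:\Program Files\TeamViewer\TeamViewer.exe parent=C:\Windows\explorer.exe",
    r"2025-04-14T10:02:11Z host=WS-LEGAL-07 user=jdoe image=C:\Users\jdoe\Downloads\AnyDesk.exe parent=C:\Windows\explorer.exe",
    r"2025-04-14T10:05:40Z host=WS-LEGAL-07 user=jdoe image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe",
    r"2025-04-14T11:47:03Z host=WS-LEGAL-07 user=jdoe image=C:\Users\jdoe\AppData\Local\Temp\rclone.exe parent=C:\Users\jdoe\Downloads\AnyDesk.exe",
    r"2025-04-14T13:15:22Z host=WS-FIN-02 user=asmith image=C:\Program Files (x86)\WinSCP\WinSCP.exe parent=C:\Windows\explorer.exe",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LINES):
        print(a["severity"], a["rule"], a["host"], a["user"], a["image"])
```

The approved-host launch produces nothing, the Downloads-folder AnyDesk launch on the legal workstation is medium, the Rclone launch on the same host inside the window is high, and the standalone WinSCP launch on the finance host stays low so that routine file-transfer use is not lost in noise. In a real pipeline the allowlist would come from asset inventory and the correlation state would persist across batches.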
Conclusion
Luna Moth’s evolving tactics highlight the increasing sophistication of phishing campaigns targeting high-trust service sectors. By leveraging legitimate tools and platforms, the group effectively bypasses traditional security measures, emphasizing the need for continuous vigilance and adaptive security strategies within organizations.