This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spot

Hackers are ramping up phishing campaigns involving fake helpdesk domains to target the legal, financial services, and accounting sectors in the US.

According to researchers at EclecticIQ, with the help of threat researchers Silent Push, the Luna Moth group - also known as Silent Ransom Group, UNC3753, and Storm-0252 - has carried out a flurry of 'callback phishing' attacks since March this year.

The group is believed to be linked to the 2021 BazarCall campaign, known for deploying Conti and Ryuk ransomware. However, it's recently turned its focus to data theft and extortion, threatening to expose stolen data on a dedicated leak site and demanding seven-figure ransoms.

In a blog post detailing the group’s TTP’s, researchers said the campaign begins with a phishing email that lures its victim into calling a fake helpdesk number. Here, live operators posing as IT staff deceive victims into installing remote monitoring and management (RMM) tools.

These applications, which include Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop won't be flagged by security software as they're legitimate tools, researchers noted.

However, once installed, they give the attackers access to sensitive data.

Luna Moth then threatens to leak the data publicly on its own clearweb domain unless the victims pay a ransom of between $1 million and $8 million.

In order to collect victim data, the attackers have also registered typosquatted domains via GoDaddy, impersonating US firms to collect contact details and enable targeted social engineering.

Typical examples include [company_name]-helpdesk.com and [company_name]helpdesk.com.

"As of March 2025, EclecticIQ assesses with high confidence that Luna Moth has likely registered at least 37 domains through GoDaddy to support its callback-phishing campaigns," researchers said.

"Most of these domains impersonate IT helpdesk or support portals for major US law firms and financial services firms, using typosquatted patterns."

One example impersonated a US-based law firm, with a Contact Us form collecting names, emails, and a message from the victim, enabling attackers to identify high-value targets. Another uses a 'CISO Helpdesk’ lure.

"By impersonating a helpdesk for Chief Information Security Officers (CISOs), the phishing page leverages the authority and urgency typically associated with executive security communications," said the researchers.

"This approach is designed to increase victim compliance and maximize the chances of compromising privileged accounts within the target organization."

Luna Moth tactics are hard to spot

EclecticIQ warned that Luna Moth’s activities can be hard to spot as no malicious links or attachments appear in the phishing emails. Similarly, victims are installing signed, legitimate software themselves.

Meanwhile, few security tools can handle voice interactions and activity remains local to the infected machine and network.

"This slow-paced, trust-based approach slips past both signature-based and behavioral threat detection, revealing a critical blind spot in modern security architectures," they said.

The best strategy is to lock or restrict installations of Zoho Assist, AnyDesk, and other RMM tools unless they've been explicitly approved, researchers advised.

Organizations should track the use of RMM tools and file transfer utilities like WinSCP or Rclone for suspicious parameters and execution patterns.

They should also use email rules to flag messages from impersonated helpdesk domains, and give staff regular training on social engineering to help spot spoofed invoices and verify suspicious support requests.

MORE FROM ITPRO

• Hackers are duping developers with malware-laden coding challenges
• Fake file converter tools are on the rise – here’s what you need to know
• Why government email servers are top targets for state-backed hackers