This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spot
Luna Moth’s activities can be hard to spot, researchers said, citing 'a critical blind spot in modern security architectures'


Hackers are ramping up phishing campaigns involving fake helpdesk domains to target the legal, financial services, and accounting sectors in the US.
According to researchers at EclecticIQ, working with threat researchers at Silent Push, the Luna Moth group - also known as Silent Ransom Group, UNC3753, and Storm-0252 - has carried out a flurry of 'callback phishing' attacks since March this year.
The group is believed to be linked to the 2021 BazarCall campaign, known for deploying Conti and Ryuk ransomware. However, it's recently turned its focus to data theft and extortion, threatening to expose stolen data on a dedicated leak site and demanding seven-figure ransoms.
In a blog post detailing the group's TTPs, researchers said the campaign begins with a phishing email that lures its victim into calling a fake helpdesk number. Here, live operators posing as IT staff deceive victims into installing remote monitoring and management (RMM) tools.
These applications, which include Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop, won't be flagged by security software because they are legitimate, signed tools, researchers noted.
However, once installed, they give the attackers access to sensitive data.
Luna Moth then threatens to leak the data publicly on its own clearweb domain unless the victims pay a ransom of between $1 million and $8 million.
In order to collect victim data, the attackers have also registered typosquatted domains via GoDaddy, impersonating US firms to collect contact details and enable targeted social engineering.
Typical examples include [company_name]-helpdesk.com and [company_name]helpdesk.com.
"As of March 2025, EclecticIQ assesses with high confidence that Luna Moth has likely registered at least 37 domains through GoDaddy to support its callback-phishing campaigns," researchers said.
"Most of these domains impersonate IT helpdesk or support portals for major US law firms and financial services firms, using typosquatted patterns."
One example impersonated a US-based law firm, with a Contact Us form collecting names, email addresses, and a message from the victim, enabling attackers to identify high-value targets. Another uses a 'CISO Helpdesk' lure.
"By impersonating a helpdesk for Chief Information Security Officers (CISOs), the phishing page leverages the authority and urgency typically associated with executive security communications," said the researchers.
"This approach is designed to increase victim compliance and maximize the chances of compromising privileged accounts within the target organization."
Luna Moth tactics are hard to spot
EclecticIQ warned that Luna Moth's activities can be hard to spot because no malicious links or attachments appear in the phishing emails, and the victims install signed, legitimate software themselves.
Meanwhile, few security tools can inspect voice interactions, and the attackers' activity remains local to the compromised machine and network.
"This slow-paced, trust-based approach slips past both signature-based and behavioral threat detection, revealing a critical blind spot in modern security architectures," they said.
The best strategy is to lock or restrict installations of Zoho Assist, AnyDesk, and other RMM tools unless they've been explicitly approved, researchers advised.
Organizations should track the use of RMM tools and file transfer utilities like WinSCP or Rclone for suspicious parameters and execution patterns.
They should also use email rules to flag messages from impersonated helpdesk domains, and give staff regular training on social engineering to help spot spoofed invoices and verify suspicious support requests.
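The tracking and email-rule advice above can be turned into simple triage logic. The following is an added illustration, not code from the article or from EclecticIQ: it flags executions of the RMM tools named in the research that fall outside an assumed allow list (the approved tool, the deploying account and the company domain `examplelaw` are all constructed assumptions), flags bulk-transfer invocations of Rclone and WinSCP, and matches sender domains against the `[company_name]-helpdesk.com` / `[company_name]helpdesk.com` pattern the researchers describe.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RMM tools named in the research, plus the transfer utilities the researchers say to track.
RMM_TOOLS = {"syncro", "superops", "zohoassist", "atera", "anydesk", "splashtop"}
TRANSFER_TOOLS = {"winscp", "rclone"}
# Assumed organisation policy (constructed for this example): one approved RMM product,
# one account allowed to deploy it, and the company's own brand and mail domain.
APPROVED_RMM = {"atera"}
APPROVED_INSTALLERS = {"svc_it"}
COMPANY_BRAND = "examplelaw"
TRUSTED_DOMAINS = {"examplelaw.com"}

@dataclass
class ProcEvent:
    user: str      # account that launched the process
    image: str     # full path of the executable
    cmdline: str   # command line as recorded by the endpoint sensor

def tool_name(image: str) -> str:
    """Normalise an executable path to a lower-case basename: 'Zoho Assist.exe' -> 'zohoassist'."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return re.sub(r"\.exe$", "", base).replace(" ", "").replace("-", "")

def triage_process(ev: ProcEvent) -> Optional[str]:
    """Return an alert string for a suspicious RMM or transfer-tool execution, else None."""
    name = tool_name(ev.image)
    if name in RMM_TOOLS:
        # Any RMM tool that is not the approved product, or is run by someone other than
        # the deployment account, is exactly the self-installed access the campaign relies on.
        if name not in APPROVED_RMM or ev.user not in APPROVED_INSTALLERS:
            return f"unapproved RMM tool {name} run by {ev.user}"
        return None
    if name in TRANSFER_TOOLS:
        # Heuristic: rclone copy/sync/move to a configured remote ("remote:path") or a
        # WinSCP scripted batch run (/script) are the execution patterns worth reviewing.
        if re.search(r"\b(copy|sync|move)\b.*\s[A-Za-z0-9_-]{2,}:", ev.cmdline) or \
                "/script" in ev.cmdline.lower():
            return f"{name} bulk transfer by {ev.user}: {ev.cmdline}"
    return None

HELPDESK_RE = re.compile(r"^(?P<brand>[a-z0-9]+)-?helpdesk\.com$")

def is_impersonated_helpdesk(sender: str) -> bool:
    """True when the sender domain is a [brand]-helpdesk.com / [brand]helpdesk.com look-alike
    built on the company's own brand and is not one of the company's trusted domains."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return False
    m = HELPDESK_RE.match(domain)
    return bool(m) and m.group("brand") == COMPANY_BRAND
```

In practice `ProcEvent` records would come from the endpoint sensor's process-creation telemetry and the sender check would sit in a mail-flow rule; here both run over constructed values.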
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.