
Luna Moth hackers impersonate IT support to breach US firms


Hackers posing as IT support are tricking U.S. employees into installing remote access tools for stealthy data theft and extortion.


What happened

A cybercriminal group known as Luna Moth, also called the Silent Ransom Group (SRG), has intensified its data theft and extortion campaigns targeting legal and financial institutions in the United States. According to researchers at EclecticIQ, the group has adopted sophisticated callback phishing tactics, posing as internal IT help desks to deceive employees into granting remote access.

These latest attacks, detected as of March 2025, do not involve malware or ransomware. Instead, Luna Moth relies entirely on social engineering, luring victims into calling fake support numbers and installing remote monitoring tools that give attackers full access to their systems.


Going deeper

Luna Moth emerged from the BazarCall operators once tied to the now-defunct Conti ransomware syndicate. Following Conti’s collapse in 2022, the group rebranded as Silent Ransom Group and began operating independently. In their latest campaign, they've shifted away from ransomware entirely, opting instead for data exfiltration and extortion.

The group has registered at least 37 spoofed domains impersonating IT support portals for major U.S. companies, using typosquatted formats such as [company]-helpdesk.com. Victims receive phishing emails urging them to call these numbers to resolve fabricated account or system issues. Once on the call, attackers impersonate IT staff and convince victims to install legitimate remote access tools like AnyDesk, Zoho Assist, Atera, or Syncro.
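The typosquatted "[company]-helpdesk.com" pattern described above is something mail security teams can screen for on the receiving side. The following is an added example, not code from the article or from EclecticIQ: it extracts URLs from an email body and flags hosts whose registered domain combines the organisation's name with a help-desk-style keyword while not belonging to the organisation's real domains. The company name, legitimate domains and sample email are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed assumptions: the protected organisation's real domains and
# the name fragment an impostor domain would borrow. Replace with your own.
LEGIT_DOMAINS = {"examplecorp.com"}
ORG_KEYWORDS = ("examplecorp",)
# Words that make a lookalike read as an IT-support portal.
SUPPORT_WORDS = ("helpdesk", "help-desk", "support", "servicedesk", "service-desk")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels.

    Good enough for .com-style TLDs used in this example (assumption);
    a production check should use the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike_support_domain(host: str) -> bool:
    """True if the host impersonates the org's IT support but is not ours."""
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return False  # genuine domain, any subdomain (e.g. helpdesk.examplecorp.com)
    label = reg.split(".")[0]  # the part an attacker typosquats
    mentions_org = any(k in label for k in ORG_KEYWORDS)
    mentions_support = any(w in label for w in SUPPORT_WORDS)
    return mentions_org and mentions_support


def find_lookalike_urls(email_body: str) -> list[str]:
    """Return every URL in the body whose host is a lookalike support domain."""
    hits = []
    for url in URL_RE.findall(email_body):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        host = urlparse(url).hostname or ""
        if is_lookalike_support_domain(host):
            hits.append(url)
    return hits


# Constructed sample email mimicking the lure described in the article.
SAMPLE_EMAIL = """Your account will be suspended today. Contact IT support now:
https://examplecorp-helpdesk.com/ticket/4821 or use the portal at
https://helpdesk.examplecorp.com/ for self-service."""

if __name__ == "__main__":
    for url in find_lookalike_urls(SAMPLE_EMAIL):
        print("lookalike IT-support URL:", url)
```

The genuine portal on a subdomain of the real domain passes, while the hyphenated impostor is flagged; the same check can run on web-proxy logs to spot employees who already visited such a site.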

After installation, the attackers manually navigate the compromised system, search for sensitive files, and extract them using tools like WinSCP or Rclone. The group then uses the stolen data as leverage: it contacts the victim and threatens to leak the data on its public extortion site unless a ransom is paid, often demanding between $1 million and $8 million.


What was said

EclecticIQ researcher Arda Büyükkaya outlined the stealth of Luna Moth’s methods, stating that the attacks rely on deception rather than malware. “The victims simply install an RMM tool themselves, thinking they are receiving help desk support,” he noted.

Because the tools used are legitimate and digitally signed, they evade detection by most security software, making the attacks harder to detect in real time. EclecticIQ has provided a list of indicators of compromise (IoCs), including malicious domains and IPs, and recommends organizations restrict the execution of unused RMM tools as a preventive measure.
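Because the RMM and transfer tools are signed, legitimate binaries, antivirus verdicts are not the right control; the recommendation above is to restrict what may run and to watch for unexpected tool launches and file transfers. The following is an added example, not code from the article or from EclecticIQ, of the detection logic a SOC could apply to process-creation events: it alerts on any RMM product that is not the organisation's approved one, on the approved product launched from a user-writable path (the sign of a user-installed copy rather than the managed agent), and on bulk-transfer tools such as Rclone or WinSCP. The executable-name mapping, the approved product and the sample events are constructed assumptions to be replaced with your own inventory.

```python
from dataclasses import dataclass
import ntpath

# Constructed assumption: the single RMM product this organisation sanctions.
APPROVED_RMM = {"atera"}

# Assumed executable names for the products named in the article; verify
# against your own software inventory before relying on them.
RMM_EXECUTABLES = {
    "anydesk.exe": "anydesk",
    "za_connect.exe": "zoho assist",
    "ateraagent.exe": "atera",
    "syncro.service.exe": "syncro",
}
# Tools the article reports being used for exfiltration.
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}
# Path fragments that indicate a user-installed rather than managed binary.
USER_PATH_MARKERS = ("\\users\\", "\\downloads\\", "\\temp\\", "\\appdata\\")


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    detail: str


def detect(events, approved_rmm=APPROVED_RMM):
    """Run the three rules over process-creation events (dicts)."""
    alerts = []
    for ev in events:
        image = ev["image"]
        exe = ntpath.basename(image).lower()
        product = RMM_EXECUTABLES.get(exe)
        if product is not None:
            if product not in approved_rmm:
                alerts.append(Alert(ev["host"], ev["user"], "unapproved_rmm",
                                    f"{product} launched: {image}"))
            elif any(m in image.lower() for m in USER_PATH_MARKERS):
                alerts.append(Alert(ev["host"], ev["user"], "rmm_from_user_path",
                                    f"{product} run from user-writable path: {image}"))
        if exe in TRANSFER_TOOLS:
            alerts.append(Alert(ev["host"], ev["user"], "bulk_transfer_tool",
                                f"{exe}: {ev.get('cmdline', '')}"))
    return alerts


# Constructed sample events in the shape of Sysmon-style process creation.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "parent": "explorer.exe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS01", "user": "SYSTEM", "parent": "services.exe",
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "cmdline": "AteraAgent.exe"},
    {"host": "WS01", "user": "jdoe", "parent": "cmd.exe",
     "image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Shares\Legal remote:staging -P"},
    {"host": "WS02", "user": "asmith", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "WS02", "user": "asmith", "parent": "explorer.exe",
     "image": r"C:\Users\asmith\Downloads\AteraAgent.exe", "cmdline": "AteraAgent.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.detail}")
```

The managed Atera agent under Program Files produces nothing, which keeps the rule quiet on a fleet that really uses that product, while the same product dropped into a Downloads folder by a user on the phone with a fake help desk still fires.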


The big picture

Luna Moth’s playbook doesn’t rely on technical sophistication; it preys on trust. By mimicking the familiar language and behavior of internal IT teams, these attacks expose a growing blind spot in cybersecurity: people, not just systems. As businesses lean more heavily on remote tools and digital workflows, the weakest link isn’t a firewall; it’s an employee who thinks they’re doing the right thing.


FAQs

What makes Luna Moth’s attacks harder to detect?

They use real, trusted remote access tools, so security software doesn’t flag them as malicious.


How do attackers get employees to cooperate?

They impersonate internal IT support and create urgency around fake accounts or security issues.


Why don’t these attacks involve ransomware anymore?

Exfiltrating data quietly lets them avoid detection and still demand massive payouts.


What should companies do right now to protect against this?

Block unused remote tools, train staff to verify IT requests, and monitor for abnormal file transfers.


Who’s most at risk from these kinds of attacks?

Firms in legal, finance, or healthcare: anywhere employees trust internal IT and handle sensitive data.