Hackers posing as IT support are tricking U.S. employees into installing remote access tools for stealthy data theft and extortion.
A cybercriminal group known as Luna Moth, also called the Silent Ransom Group (SRG), has intensified its data theft and extortion campaigns targeting legal and financial institutions in the United States. According to researchers at EclecticIQ, the group has adopted sophisticated callback phishing tactics, posing as internal IT help desks to deceive employees into granting remote access.
These latest attacks, detected as of March 2025, do not involve malware or ransomware. Instead, Luna Moth relies entirely on social engineering, luring victims into calling fake support numbers and installing remote monitoring tools that give attackers full access to their systems.
Luna Moth emerged from the BazarCall operators once tied to the now-defunct Conti ransomware syndicate. Following Conti’s collapse in 2022, the group rebranded as Silent Ransom Group and began operating independently. In their latest campaign, they've shifted away from ransomware entirely, opting instead for data exfiltration and extortion.
The group has registered at least 37 spoofed domains impersonating IT support portals for major U.S. companies, using typosquatted formats such as [company]-helpdesk.com. Victims receive phishing emails urging them to call a listed support number to resolve fabricated account or system issues. Once on the call, attackers impersonate IT staff and convince victims to install legitimate remote access tools like AnyDesk, Zoho Assist, Atera, or Syncro.
After installation, the attackers manually navigate the compromised system, search for sensitive files, and extract them using tools like WinSCP or Rclone. The stolen data is then used as leverage: the group contacts the victim and threatens to leak it on its public extortion site unless a ransom is paid, often demanding between $1 million and $8 million.
EclecticIQ researcher Arda Büyükkaya outlined the stealth of Luna Moth’s methods, stating that the attacks rely on deception rather than malware. “The victims simply install an RMM tool themselves, thinking they are receiving help desk support,” he noted.
Because the tools used are legitimate and digitally signed, most security software does not flag them, making the attacks harder to spot in real time. EclecticIQ has provided a list of indicators of compromise (IoCs), including malicious domains and IPs, and recommends organizations restrict the execution of unused RMM tools as a preventive measure.
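One way to operationalise that recommendation, as an added example that is not EclecticIQ's code or from the article: a Python hunt over constructed process-creation events that flags any RMM binary from the campaign running outside an approved set, and raises a higher-severity alert when a transfer tool the group used (Rclone, WinSCP) runs on a host that executed an RMM tool in the preceding 24 hours. The log format, hostnames, users, the approved-tool set, and executable names other than AnyDesk, Rclone and WinSCP are assumptions.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# RMM tools named in the campaign. Executable names beyond AnyDesk are
# assumptions; populate this set from your own software inventory.
RMM_BINARIES = {"anydesk.exe", "zohoassist.exe", "ateraagent.exe", "syncro.exe"}
# Transfer tools the group used to pull data out.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
# Assumption: this organization only sanctions Atera for remote support.
APPROVED_RMM = {"ateraagent.exe"}
WINDOW = timedelta(hours=24)

# Constructed process-creation events (not real telemetry).
SAMPLE_LOG = r"""
2025-03-12T10:02:11 host=FIN-WS01 user=jdoe image=C:\Users\jdoe\Downloads\AnyDesk.exe
2025-03-12T10:05:40 host=LEGAL-WS07 user=asmith image=C:\Program Files\Atera\AteraAgent.exe
2025-03-12T11:30:05 host=FIN-WS01 user=jdoe image=C:\Users\jdoe\AppData\Local\Temp\rclone.exe
2025-03-12T12:10:00 host=IT-ADMIN02 user=ops image=C:\Program Files\WinSCP\WinSCP.exe
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) image=(.+)$")

def parse(line):
    """Return one event dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, image = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "exe": PureWindowsPath(image).name.lower()}

def hunt(lines):
    """Return (rule, host, user, exe) alerts in chronological order."""
    alerts = []
    last_rmm = {}  # host -> time of the most recent RMM execution
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    for ev in events:
        exe = ev["exe"]
        if exe in RMM_BINARIES:
            last_rmm[ev["host"]] = ev["ts"]
            if exe not in APPROVED_RMM:
                alerts.append(("unapproved_rmm", ev["host"], ev["user"], exe))
        elif exe in EXFIL_TOOLS:
            seen = last_rmm.get(ev["host"])
            if seen is not None and ev["ts"] - seen <= WINDOW:
                alerts.append(("exfil_after_rmm", ev["host"], ev["user"], exe))
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

WinSCP on the admin host with no preceding RMM execution produces no alert, which keeps routine administrative transfers out of the queue; the approved Atera agent on LEGAL-WS07 still primes the correlation window in case a transfer tool follows it.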
Luna Moth’s playbook doesn’t rely on technical sophistication; it preys on trust. By mimicking the familiar language and behavior of internal IT teams, these attacks expose a growing blind spot in cybersecurity: people, not just systems. As businesses lean more heavily on remote tools and digital workflows, the weakest link isn’t a firewall; it’s an employee who thinks they’re doing the right thing.
They use real, trusted remote access tools, so security software doesn’t flag them as malicious.
They impersonate internal IT support and create urgency around fake accounts or security issues.
Exfiltrating data quietly lets them avoid detection and still demand massive payouts.
Block unused remote tools, train staff to verify IT requests, and monitor for abnormal file transfers.
Firms in legal, finance, or healthcare: anywhere employees trust internal IT and handle sensitive data.