Luna Moths Novel, Malware-Free Extortion Campaign Takes Flight

Published: 23/11/2024   Category: security




Luna Moth is relying solely on call-back phishing and legitimate tools to steal data and extract ransoms from victims of all stripes in an expanding cyberattack effort.



Researchers have spotted a threat actor that has managed to extort hundreds of thousands of dollars over the last few months from mostly small and midsize businesses — without using any encryption tools or malware.
Instead, the attacker, dubbed Luna Moth (aka the Silent Ransom Group), has been using an array of legitimate tools and a technique known as call-back phishing. The tactic is to steal sensitive data from victim organizations and use it as leverage to extort money from them.
Most of the attacks so far have targeted smaller organizations in the legal industry; more recently, though, the adversary has begun going after larger companies in the retail sector as well, researchers from Palo Alto Networks Unit 42 said in a report Monday. The evolution of the attacks suggests the threat actor has become more efficient with its tactics and now presents a danger to businesses of all sizes, the security vendor warned.
"We are seeing this tactic successfully targeting all sizes of businesses — from large retailers to small/medium-sized legal organizations," says Kristopher Russo, senior threat researcher with Unit 42 at Palo Alto Networks. "Because social engineering targets individuals, the size of the company does not offer much protection."
Call-back phishing is a tactic that security researchers first observed the Conti ransomware group using more than a year ago in a campaign to install BazarLoader malware on victim systems.
The scam starts with an adversary sending a phishing email to a specific, targeted individual at a victim organization. The phishing email is custom made for the recipient, originates from a legitimate email service, and involves some kind of a lure to get the user to initiate a phone call with the attacker.
In the Luna Moth incidents that Unit 42 researchers observed, the phishing email contains an invoice — in the form of a PDF file — for a subscription service in the recipient's name. The attackers inform the victim that the subscription will soon become active and be billed to the credit card number on file. The email provides a phone number for a purported call center (sometimes multiple numbers) that recipients can call if they have questions about the invoice. Some of the invoices carry the logo of a well-known company at the top of the page.
"This invoice even includes a unique tracking number used by the call center," Russo says. "So, when the victim calls the number to dispute the invoice, they look like a legitimate business."
The attackers then convince users who call to initiate a remote session using the Zoho Assist remote support tool. Once the victim is connected to the remote session, the attacker takes control of the victim's keyboard and mouse, enables access to the clipboard, and blanks out the user's screen, Unit 42 said.
After that, the attackers' next step has been to install the legitimate Syncro remote support software to maintain persistence on the victim's machine. They have also deployed other legitimate tools, such as Rclone or WinSCP, to steal data from it. Security tools rarely flag these products as suspicious because administrators have legitimate use cases for them in an environment.
In early attacks, the adversary installed multiple remote monitoring and management tools such as Atera and Splashtop on victim systems, but lately they appear to have whittled down their toolkit, Unit 42 said.
If a victim does not have administrative rights on their system, the attacker eschews any attempt to maintain persistence on it and instead goes straight to stealing data by leveraging WinSCP Portable.
"In cases where the attacker established persistence, exfiltration occurred hours to weeks after initial contact. Otherwise, the attacker only exfiltrated what they could during the call," Unit 42 said in its report.
The Luna Moth group has typically gone after data that, when leveraged, will apply the most pressure to the victim, Russo says. In targeting legal firms, the attacker appeared to have a good knowledge of the industry, knowing the kind of data that would likely cause the most harm in the wrong hands.
"In the cases that Unit 42 investigated, they targeted sensitive and confidential data of the law firms' clients," Russo explains. "The attacker reviewed the data they stole and included a sample of the most damaging data they stole in the extortion email."
In many attacks, the adversary called out the victim's largest clients by name and threatened to contact them if the victim organization did not pay the demanded ransom, which has typically ranged from 2 to 78 Bitcoin.
In the cases Unit 42 has investigated, the attackers did not move laterally once they had gained access to a victim's machine. However, they do continue to monitor the compromised computer if the victim has admin credentials, even going so far as to call and taunt the victims if they detect remediation efforts, Russo says.
Sygnia, one of the first to report on Luna Moth's activities, described the group as likely surfacing in March. The security vendor said it had observed the threat actor using commercially available remote access tools such as Atera, Splashtop, and Syncro, as well as AnyDesk, for persistence. Sygnia said its researchers had also observed the threat actor using other legitimate tools such as the SoftPerfect network scanner for reconnaissance and SharpShares for network enumeration. The attacker's tactic has been to store the tools on compromised systems under names that spoof legitimate binaries, Sygnia said.
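The tool list described above (Zoho Assist, Syncro, Atera, Splashtop, AnyDesk for access and persistence; Rclone and WinSCP for exfiltration) and Sygnia's observation that the binaries are stored under spoofed names translate directly into hunting logic. The following is an added example, not code from Unit 42, Sygnia or the threat actor: it runs over a few constructed Sysmon process-creation records (JSON lines, not real telemetry) and flags the tools the article names, plus any binary whose on-disk file name differs from its compiled-in OriginalFileName. The keyword lists, the user-writable path pattern, and the sample file paths, descriptions and user names are assumptions to adjust for your own environment.

```python
"""Hunting for Luna Moth-style tradecraft in process-creation telemetry.

Added example; not code from Unit 42, Sygnia or the threat actor. It scans
Sysmon Event ID 1-style records for the three signals the article describes:
commercial RMM tools (persistence), Rclone/WinSCP (exfiltration), and
binaries stored under names that spoof legitimate executables. The records
in SAMPLE_LOG are constructed for this example; the keyword lists and the
path pattern are assumptions to tune for your environment.
"""
import json
import ntpath
import re

# Tools named in the article. Matched case-insensitively against the PE
# version metadata Sysmon records (OriginalFileName, Description, Company,
# Product), so a renamed binary is still recognised.
RMM_KEYWORDS = ("zoho", "syncro", "atera", "splashtop", "anydesk")
EXFIL_KEYWORDS = ("rclone", "winscp")

# Locations a non-admin user can write to. The report notes the actor falls
# back to WinSCP Portable when the victim lacks admin rights, so tools
# launched from here deserve a closer look. (Assumed pattern.)
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.IGNORECASE
)


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def metadata_blob(rec):
    """Concatenate the PE metadata fields into one lower-case search string."""
    fields = ("OriginalFileName", "Description", "Company", "Product")
    return " ".join(str(rec.get(f, "")) for f in fields).lower()


def is_spoofed_name(rec):
    """True when the on-disk file name differs from the compiled-in name.

    Sygnia observed the actor storing tools under names of legitimate
    binaries; the OriginalFileName version-info field survives a rename.
    Legitimately renamed installers also trip this, so treat it as a triage
    signal, not a verdict. Sysmon writes '?' or '-' when the field is absent.
    """
    image = ntpath.basename(rec.get("Image", "")).lower()
    original = str(rec.get("OriginalFileName", "")).lower()
    if not original or original in ("?", "-"):
        return False
    return image != original


def classify(rec):
    """Return the list of signals a single process-creation record triggers."""
    tags = []
    blob = metadata_blob(rec)
    if any(k in blob for k in RMM_KEYWORDS):
        tags.append("rmm-tool")
    if any(k in blob for k in EXFIL_KEYWORDS):
        tags.append("exfil-tool")
    if is_spoofed_name(rec):
        tags.append("spoofed-name")
    # Path context only matters once another signal has fired.
    if tags and USER_WRITABLE.match(rec.get("Image", "")):
        tags.append("user-writable-path")
    return tags


def hunt(records):
    """Return (Image, tags) for every record that triggers at least one signal."""
    hits = []
    for rec in records:
        tags = classify(rec)
        if tags:
            hits.append((rec.get("Image", ""), tags))
    return hits


# Constructed sample telemetry (not real logs): one benign process, rclone
# renamed to svchost.exe and run from %TEMP%, WinSCP from Downloads, and an
# RMM agent installed system-wide.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "Description": "Notepad", "Company": "Microsoft Corporation", "CommandLine": "notepad.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe", "OriginalFileName": "rclone.exe", "Description": "Rsync for cloud storage", "Company": "", "CommandLine": "svchost.exe copy C:\\Clients\\Matters remote:drop --transfers 8", "User": "CORP\\jdoe"}
{"Image": "C:\\Users\\jdoe\\Downloads\\WinSCP.exe", "OriginalFileName": "winscp.exe", "Description": "WinSCP: SFTP, FTP, WebDAV, S3 and SCP client", "Company": "Martin Prikryl", "CommandLine": "WinSCP.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Program Files\\Syncro\\Syncro.Service.exe", "OriginalFileName": "Syncro.Service.exe", "Description": "Syncro Agent", "Company": "Syncro", "CommandLine": "Syncro.Service.exe", "User": "NT AUTHORITY\\SYSTEM"}
"""

if __name__ == "__main__":
    for image, tags in hunt(parse_records(SAMPLE_LOG)):
        print(f"{image}: {', '.join(tags)}")
```

Run as-is it reports three hits (the renamed rclone, WinSCP from Downloads, and the Syncro agent) and stays silent on notepad; in practice feed it an export from your SIEM instead of SAMPLE_LOG. Two caveats a practitioner will want: the spoofed-name check also fires on some legitimately renamed installers, so pair it with the tool keywords rather than alerting on it alone; and an RMM agent that your own IT team has a standing use for is not suspicious by itself, which is exactly why, as the report says, security products rarely flag these tools. The value of the hunt is in the combination: a tool from the list, launched from a user-writable path, on a host where nobody deployed it.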
"The threat actor in this campaign specifically seeks to minimize their digital footprint to evade most technical security controls," Russo says.
Because they have been relying entirely on social engineering and legitimate tools in the campaign, the attacks leave very few artifacts, Unit 42 said. "Thus, we recommend that organizations of all sizes conduct security awareness training for employees to protect against the new threat," Russo says.
