The data-theft extortion group known as Luna Moth, aka Silent Ransom Group, has ramped up callback phishing campaigns in attacks on legal and financial institutions in the United States.

Luna Moth, known internally as Silent Ransom Group, is a threat actor that previously conducted BazarCall campaigns as a way to gain initial access to corporate networks for Ryuk and, later, Conti ransomware attacks. In March 2022, as Conti started to shut down, the BazarCall threat actors separated from the Conti syndicate and formed a new operation called Silent Ransom Group (SRG).

Luna Moth's latest attacks involve impersonating IT support through email, fake sites, and phone calls, and rely solely on social engineering and deception, with no ransomware deployment seen in any of the cases.

The latest activity spotted by EclecticIQ starts in March 2025, targeting U.S.-based organizations with malicious emails that contain fake helpdesk numbers recipients are urged to call to resolve non-existent problems. A Luna Moth operator answers the call, impersonating IT staff, and convinces the victim to install remote monitoring and management (RMM) software from fake IT help desk sites, which gives the attackers remote access to the victim's machine.

"As of March 2025, EclecticIQ assesses with high confidence that Luna Moth has likely registered at least 37 domains through GoDaddy to support its callback-phishing campaigns," reads the EclecticIQ report.

According to EclecticIQ researcher Arda Büyükkaya, the ultimate goal of these attacks is data theft and extortion. Büyükkaya comments on the stealth of these attacks, noting that they involve no malware, malicious attachments, or links to malware-ridden sites. After the data is stolen, Luna Moth contacts the victimized organization and threatens to leak it publicly on its clearweb domain unless they pay a ransom.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 05 May 2025 22:20:16 +0000