New Luna Moth Domains Attacking Users Via Weaponized Helpdesk Domains

Security researchers from EclecticIQ, supported by additional findings from Silent Push, have uncovered a methodical approach to domain registration that enables cybersecurity professionals to proactively identify and track new attack infrastructure. “Luna Moth’s choice of victims shows a deliberate focus on high-trust service sectors, especially legal, financial, and insurance firms, where sensitive data is widespread and closely tied to both reputation and regulatory compliance,” notes the EclecticIQ report.

The group has evolved beyond traditional phishing techniques that rely on malicious attachments or links, instead employing telephone-oriented attack delivery (TOAD) methods that begin with seemingly benign emails directing recipients to call fake helpdesk numbers. These helpdesk chatbots engage victims in real time, guiding them toward installing remote monitoring and management (RMM) tools such as AnyDesk, TeamViewer, and ScreenConnect, all legitimate software that grants attackers hands-on-keyboard access without deploying malware.

Building on EclecticIQ’s research, security firm Silent Push has developed a methodology to identify newly created Luna Moth domains. Organizations should also regularly monitor for new domain registrations that may target their brand, using the methodology outlined by the researchers.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 05 May 2025 09:40:02 +0000


Cyber News related to New Luna Moth Domains Attacking Users Via Weaponized Helpdesk Domains

Luna Moth extortion hackers pose as IT help desks to breach US firms - Luna Moth, known internally as Silent Ransom Group, are threat actors who previously conducted BazarCall campaigns as a way to gain initial access to corporate networks for Ryuk, and later, Conti ransomware attacks. The data-theft extortion ...
3 weeks ago Bleepingcomputer.com
Securing helpdesks from hackers: What we can learn from the MGM breach - In the wake of the MGM Resorts service desk hack, it's clear that organizations need to rethink their approach to security, particularly when it comes to verifying the identity of employees contacting the helpdesk. In this article, we'll explore how ...
1 year ago Bleepingcomputer.com
Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains - The two main advantages of detecting stockpiled domains are expanding coverage of malicious domains and providing patient-zero detections as attackers stock up on domains for future use. As of July 2023, our detection pipeline has found 1,114,499 ...
1 year ago Unit42.paloaltonetworks.com
InfectedSlurs Botnet Spreads Mirai via Zero-Days - The payload targets routers and network video recorder devices with default admin credentials and installs Mirai variants when successful. Until November 9, 2023, the vulnerable devices being targeted were unknown. Since both the name and the version ...
1 year ago Akamai.com
The age of weaponized LLMs is here - It's exactly what one researcher, Julian Hazell, was able to simulate, adding to a collection of studies that, altogether, signify a seismic shift in cyber threats: the era of weaponized LLMs is here. The research all adds up to one thing: LLMs are ...
1 year ago Venturebeat.com
IT helpdeskers increasingly targeted by cybercriminals The Register - It's not a novel phenomenon, nor is it being carried out in a very sophisticated way, Red Canary's latest threat report notes, yet the trend is growing and miscreants are seeing greater rates of success. Keen infosec watchers will remember last year ...
1 year ago Go.theregister.com Scattered Spider
Cloudflare loses 22% of its domains in Freenom.tk shutdown - A staggering 12.6 million domains on TLDs controlled by Freenom have been shut down and no longer resolve, leading to a significant reduction in the number of websites hosted by Cloudflare. The disappearance of these websites was spotted during our ...
1 year ago Netcraft.com
AsyncRAT Loader Delivers Malware via JavaScript - For at least 11 months, this threat actor has been working on delivering the Remote Access Trojan through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains later, the threat actor is persistent ...
1 year ago Cybersecurity-insiders.com
Threat Actors Registered 26k+ Domains Mimic Brands to Trick Users - These malicious domains serve as landing pages for sophisticated smishing (SMS phishing) campaigns, where unsuspecting users receive text messages containing links to what appear to be legitimate services. The domains follow specific naming patterns ...
1 month ago Cybersecuritynews.com Cloak
Imperva Client-Side Protection Mitigates the Polyfill Supply Chain Attack - The recent discovery of a website supply chain attack using the cdn.polyfill.io domain has left many websites vulnerable to malicious code injection. Once a trusted resource for adding JavaScript polyfills to websites, the domain has recently become ...
10 months ago Imperva.com
Detectify platform enhancements address growing attack surface complexity - Detectify announced a new Domains page and major improvements to existing capabilities for setting custom attack surface policies. These updates bring control over attack surface data and enable organizations to seamlessly configure alerts for policy ...
1 year ago Helpnetsecurity.com
Researchers Hunted Malicious Stockpiled Domains DNS Records - Malicious stockpiled domains are the collection of domain names that threat actors acquire in advance for several types of future malicious activities. While all these domains are often kept unused initially to evade detection, and then later ...
1 year ago Cybersecuritynews.com
CVE-2020-25600 - An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs ...
3 years ago
Hunting for malicious domains with VT Intelligence ~ VirusTotal Blog - Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here. Many cyberattacks begin by victims visiting compromised websites that host malware or phishing scams, threat actors use domains for ...
1 year ago Blog.virustotal.com
260 Domains Hosting 5,000 Weaponized PDF Files Attacking Users - Since late 2024, a sophisticated phishing operation leveraging 260 domains to host over 5,000 weaponized PDF files has targeted users across North America, Asia, and Southern Europe. Cyber Security News is a Dedicated News Platform For Cyber News, ...
3 months ago Cybersecuritynews.com
Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability - The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft. Lace Tempest, which is known for distributing the Cl0p ...
1 year ago Thehackernews.com CVE-2023-47246
Weaponized Signal, Line, and Gmail Apps Delivers Malware That Changes System Defenses - These fake and weaponized apps are distributed via deceptive download pages that deliver malware capable of altering system defenses, evading detection, and exfiltrating sensitive data. The attackers exploit search engine manipulation to push ...
3 months ago Cybersecuritynews.com
Kimsuky Group Using Weaponized file Deploy AppleSeed Malware - Hackers use weaponized LNK files to exploit vulnerabilities in Windows operating systems. These files often contain malicious code that can be executed when the user clicks on the shortcut. These weaponized files allow threat actors to perform ...
1 year ago Cybersecuritynews.com Kimsuky
Spooky action: Phantom domains create hijackable hyperlinks - Links to phantom domains don’t pose an inherent risk — so long as companies ensure they review websites for misspelled URLs and remove any placeholder links, hijacked hyperlinks are impossible. From an education standpoint, enterprises ...
7 months ago Securityintelligence.com
East Texas hospital network can't receive ambulances because of potential cybersecurity incident - ...
1 year ago Cnn.com
Typosquatting Wave Shows No Signs of Abating - One of the most enduring of these exploits is the practice of typosquatting - i.e., using look-alike websites and domain names to lend legitimacy to social engineering efforts. These look-alikes prey on users' inattention to verifying legitimate ...
1 year ago Darkreading.com
Weaponized PDF Documents Deliver Lumma InfoStealer Attacking Educational Institutions - Security analysts at Cloudsek noted that the malware employs advanced evasion techniques like obfuscated scripts and encrypted communications with Command-and-Control (C2) servers. This sophisticated campaign exploits malicious LNK (shortcut) files ...
3 months ago Cybersecuritynews.com
Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence - Criminal IP, a renowned Cyber Threat Intelligence search engine developed by AI SPERA, has recently signed a technology partnership to exchange threat intelligence data based on domains and potentially on the IP address to protect users by blocking ...
1 year ago Hackread.com