In a recently issued advisory, the FBI has raised alarm over a sophisticated and evolving cyber threat targeting U.S. law firms. The actor behind this campaign, Luna Moth, also known as Silent Ransom Group (SRG), Chatty Spider, and Storm-0252, has demonstrated a refined ability to combine phishing emails with direct phone contact, impersonating internal IT staff to deceive employees.
Once access is gained, attackers extract sensitive files and issue ransom demands threatening exposure of the stolen information.
This callback phishing method, also referred to as telephone-oriented attack delivery (TOAD), represents a marked evolution from previous campaigns involving fake invoice emails alone. In its latest incarnation, Luna Moth has integrated realistic helpdesk-themed domains, reputable remote access software, and real-time social engineering conversations that trick even trained staff.
The campaign’s sophistication has prompted urgent warnings from cybersecurity professionals and law enforcement alike.
Why It Matters: Luna Moth’s campaign is a reminder of how human trust can be exploited through subtle and convincing social engineering techniques. As attackers adopt increasingly convincing methods, like impersonating IT support using professional tools, law firms and other high-value targets must adapt with stronger internal training, verification protocols, and real-time detection systems. These incidents highlight that cybersecurity is no longer solely the domain of IT departments, but a firmwide responsibility.
- Blending Email and Phone in Sophisticated Attacks: Luna Moth’s primary technique involves sending deceptive emails that reference bogus subscription charges, prompting recipients to call a fake customer support line. These calls are then escalated into conversations where attackers pose as IT staff, requesting users to install remote access tools. This multi-step deception is highly effective because it mimics legitimate workflows, increasing the likelihood of compliance from employees who believe they are following internal protocols.
- Use of Legitimate Remote Access Tools to Evade Detection: Once a victim agrees to the fake support session, the attackers walk them through installing well-known remote access tools such as AnyDesk, Zoho Assist, Atera, or Syncro. Because these are signed, commercially supported applications in everyday use by real IT teams, their presence rarely triggers endpoint alerts or raises suspicion among users; detection has to key on context (which user launched the tool, from which directory, and at whose request) rather than on the binary itself, and in the meantime the attackers can exfiltrate data unnoticed.
- Rapid Escalation and Exploitation Post-Access: Once on the device, the attackers attempt to escalate privileges and reach other systems, then use Rclone or portable builds of WinSCP to move large volumes of sensitive files to servers they control. Where administrative rights are not available, they fall back to portable versions of these tools, which need no installer and therefore no elevation, reducing the chance of being flagged by endpoint monitoring and keeping the operation fast.
- Mass Registration of Spoofed Domains for Helpdesk Deception: According to threat intelligence from Silent Push and EclecticIQ, Luna Moth has registered at least 37 spoofed domains, many through GoDaddy, designed to imitate the IT helpdesks of targeted firms. These domains often begin with the name of the target business and are crafted to appear credible to unsuspecting users. The group relies on a narrow set of registrars and nameserver providers, further suggesting a systematic infrastructure built for sustained phishing campaigns.
- FBI Recommendations for Defensive Measures: The FBI and cybersecurity experts recommend that law firms layer their defenses: regular phishing awareness training for staff; a strict verification procedure for any IT support interaction (for example, hanging up and calling IT back on a known internal number before installing anything); multi-factor authentication for all user accounts; and regular, offsite backups of critical data. Monitoring for the execution of, and outbound transfers by, tools like WinSCP and Rclone, and flagging unsolicited communications about IT support or subscription renewals, can help mitigate future incidents.
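The script below is an added example, not code from the advisory, the FBI, or the threat-intelligence vendors cited above. It turns two of the points in this list into hunting heuristics: the remote-access and exfiltration tooling (AnyDesk, Zoho Assist, Atera, Syncro, Rclone, portable WinSCP) is matched in process-creation events, and the helpdesk-themed spoofed domains are matched against a firm's own name. Everything it consumes is constructed for illustration: the pipe-delimited log format, the user names, the firm name "acmelaw", and the domain list. The executable-name substrings, the user-writable directory list, and the naive last-two-labels domain split are assumptions noted in the comments; the rclone verbs and the WinSCP `/script=` and `/command` switches are real, and matching on them catches an Rclone binary that has been renamed to hide.

```python
"""Added example (not part of the advisory): two hunting heuristics for the
Luna Moth / SRG tradecraft described above. Log lines, firm name and domains
are constructed sample data; tool names and paths are assumptions noted inline."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Remote-access tools named in the advisory, matched as case-insensitive
# substrings of the image name (assumption: vendor executable names vary).
RMM_MARKERS = ("anydesk", "zoho", "atera", "syncro")
EXFIL_MARKERS = ("rclone", "winscp")
# Locations a non-admin user can write to (assumed list); a tool running from
# here rather than Program Files points to a portable copy dropped on the call.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\|\\temp\\|\\programdata\\",
    re.IGNORECASE)
# rclone verb followed by a "remote:path" argument; a drive letter has only one
# character before the colon, so C:\... does not match. Works on renamed binaries.
RCLONE_CMD = re.compile(r"\b(copy|sync|move|copyto)\s+.*\s[a-z0-9_-]{2,}:(?!\\)", re.IGNORECASE)
# WinSCP's scripting switches (/script=file, /command ...), rarely typed by hand.
WINSCP_CMD = re.compile(r"/(script=|command)", re.IGNORECASE)

@dataclass
class ProcessEvent:
    ts: str
    user: str
    image: str
    cmdline: str

@dataclass
class Finding:
    ts: str
    user: str
    image: str
    severity: str
    reasons: List[str]

def parse_event(line: str) -> ProcessEvent:
    """Constructed log format: timestamp|user|image path|command line."""
    ts, user, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcessEvent(ts, user, image, cmdline)

def assess(ev: ProcessEvent) -> Optional[Finding]:
    name = ev.image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if any(m in name for m in RMM_MARKERS):
        reasons.append("remote-access tool")
    if any(m in name for m in EXFIL_MARKERS):
        reasons.append("known exfiltration tool")
    if RCLONE_CMD.search(ev.cmdline):
        reasons.append("rclone-style transfer to a remote")
    if WINSCP_CMD.search(ev.cmdline):
        reasons.append("WinSCP scripted transfer")
    if not reasons:
        return None
    if USER_WRITABLE.search(ev.image):
        reasons.append("launched from user-writable path")
    # An RMM tool installed under Program Files may be IT's own; review it.
    severity = "review" if reasons == ["remote-access tool"] else "high"
    return Finding(ev.ts, ev.user, ev.image, severity, reasons)

def hunt(lines) -> List[Finding]:
    return [f for f in (assess(parse_event(l)) for l in lines if l.strip()) if f]

HELPDESK_WORDS = ("help", "support", "desk", "assist")

def spoofed_helpdesk_domains(firm: str, owned, candidates) -> List[str]:
    """Domains whose registrable label starts with the firm's name and carries a
    helpdesk theme but are not the firm's own. Assumption: a last-two-labels
    split stands in for a public-suffix-list lookup."""
    firm = firm.lower()
    hits = []
    for d in candidates:
        labels = d.lower().strip(".").split(".")
        if len(labels) < 2 or ".".join(labels[-2:]) in owned:
            continue
        label = labels[-2]
        if label.startswith(firm) and any(w in label for w in HELPDESK_WORDS):
            hits.append(d)
    return hits

# Constructed sample data: one legitimate Office launch, a portable AnyDesk from
# Downloads, a renamed rclone in Temp, portable scripted WinSCP, and IT's own AnyDesk.
SAMPLE_LOGS = [
    r"2025-05-20T09:14:02|ACME\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n",
    r"2025-05-20T09:31:47|ACME\jdoe|C:\Users\jdoe\Downloads\AnyDesk.exe|AnyDesk.exe",
    r"2025-05-20T09:58:10|ACME\jdoe|C:\Users\jdoe\AppData\Local\Temp\svchost.exe|svchost.exe copy C:\Users\jdoe\Documents\Clients cloud:cases --transfers 16 --config C:\Users\jdoe\AppData\Local\Temp\r.conf",
    r"2025-05-20T10:12:33|ACME\jdoe|C:\Users\jdoe\Downloads\WinSCP-Portable\WinSCP.exe|WinSCP.exe /script=C:\Users\jdoe\AppData\Local\Temp\up.txt",
    r"2025-05-20T10:40:51|ACME\it-admin|C:\Program Files (x86)\AnyDesk\AnyDesk.exe|AnyDesk.exe",
]
SAMPLE_DOMAINS = ["acmelaw.com", "it.acmelaw.com", "acmelaw-helpdesk.com",
                  "acmelawsupport.net", "acmelaw-it-desk.com",
                  "helpdesk-acmelaw.com", "acmelaw-cloud.com"]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f.severity, f.ts, f.user, f.image, "; ".join(f.reasons))
    print(spoofed_helpdesk_domains("acmelaw", {"acmelaw.com"}, SAMPLE_DOMAINS))
```

Run against the sample data, the legitimate Office launch produces nothing, the three events from the user's Downloads and Temp directories are rated high, and IT's own AnyDesk under Program Files is rated for review only; the renamed rclone is caught purely by its `copy ... cloud:cases` command line. The domain check flags the three spoofs that begin with the firm's name and skips the firm's own domains and the one where the helpdesk word comes first, which is the pattern the threat intelligence above describes; widen `HELPDESK_WORDS` and drop the `startswith` condition if your registrar feed shows other naming.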
Cyber Alert: Law Firms Targeted by Silent Ransom Group – Oklahoma Bar Association