
List of RMM tools abused by Luna Moth threat actor.
Phishing call attacks have once again drawn the attention of cybersecurity experts. This time, the group known as Luna Moth—also referred to as Silent Ransom Group—has resurfaced, targeting the internal systems of legal and financial institutions across the United States. Their objective is to gain unauthorized access and extort victims under the threat of data leaks. The latest wave of attacks began in March 2025 and showcases a sophisticated use of social engineering, notably without the deployment of malicious software.
The attack scenario is built around impersonating technical support services. Victims receive emails instructing them to contact a purported corporate IT department. Once the call is made, the attackers persuade the targets to install legitimate remote access tools such as AnyDesk, Atera, Syncro, Zoho Assist, Splashtop, and others. These applications are digitally signed and typically evade detection by security systems. Upon establishing a connection, the attackers gain direct access to the workstation, allowing them to browse system contents, network drives, and other connected devices within the infrastructure.
According to EclecticIQ, the attackers utilize deceptive domains designed to closely resemble authentic support service addresses. At least 37 such domains, registered through GoDaddy, have been identified. Most employ fabricated names incorporating keywords like “helpdesk” or “support” linked to specific organizations, enabling them to convincingly impersonate internal departments and deceive employees.
Once access is secured, the attackers exfiltrate data to their own servers using tools such as WinSCP and Rclone. Victims are then issued ransom demands accompanied by threats to publish the stolen information on Luna Moth’s public leak site. EclecticIQ reports that ransom demands range from one to eight million dollars, depending on the sensitivity and volume of the compromised data.
What makes these attacks particularly insidious is the absence of malicious attachments or infected links. All interactions occur through legitimate channels, and the software installation is performed willingly by the users under the guise of receiving assistance. This approach significantly complicates detection and highlights the need for organizations to reassess internal security policies. Recommended countermeasures include disabling unused remote monitoring and management (RMM) tools and blacklisting known phishing domains.