Helpdesk Domains

Recently identified Luna Moth phishing operations reveal a sophisticated campaign targeting legal and financial institutions through expertly crafted typosquatted domains. 

Security researchers from EclecticIQ, supported by additional findings from Silent Push, have uncovered a methodical approach to domain registration that enables cybersecurity professionals to proactively identify and track new attack infrastructure.

Since March 2025, Luna Moth (also tracked as Silent Ransom Group, UNC3753, and Storm-0252) has intensified its operations against high-value U.S. organizations.

The group has registered at least 37 domains through GoDaddy, with new intelligence suggesting the number may exceed 50 unique domains. 

These domains follow a consistent naming convention, typically using patterns like [company_name]-helpdesk.com or [company_name]helpdesk.com to impersonate legitimate IT support portals.

“Luna Moth is very likely conducting high-tempo callback phishing campaigns targeting legal and financial organizations based in the United States,” according to EclecticIQ’s recent threat intelligence report. 


The group has evolved beyond traditional phishing techniques that rely on malicious attachments or links, instead employing telephone-oriented attack delivery (TOAD) methods that begin with seemingly benign emails directing recipients to call fake helpdesk numbers.

AI-Powered Chatbot Deception

A particularly concerning development is Luna Moth’s weaponization of Reamaze, a legitimate customer support platform owned by GoDaddy. 

The threat actors embed AI-powered chatbots into their phishing pages to simulate authentic IT helpdesk interactions. 

These chatbots engage victims in real-time, guiding them toward installing remote monitoring and management (RMM) tools like AnyDesk, TeamViewer, and ScreenConnect, all legitimate software that grants attackers hands-on keyboard access without deploying malware.

Building on EclecticIQ’s research, security firm Silent Push has developed a methodology to identify newly created Luna Moth domains. Their approach utilizes specific search criteria:

  • Regular expression pattern ^[a-z]{1,}-help(desk){0,1}.com$ to capture helpdesk-themed domains
  • GoDaddy as the registrar
  • Domaincontrol.com as the nameserver provider
  • Creation date filter after March 2025

This search technique has uncovered approximately 50 unique domains targeting major law firms, including recently observed examples like duanemorris-helpdesk.com, perkinscoie-helpdesk.com, and millermartin-helpdesk.com.
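The four criteria above can be applied to any feed of new domain registrations. The following is an added example, not code from Silent Push or EclecticIQ, and it also shows that the quoted pattern misses the unhyphenated [company_name]helpdesk.com form. Assumptions: the record field names, the sample records (constructed), the WIDER pattern, and reading "after March 2025" as on or after 1 March 2025.

```python
import re
from datetime import date

# Pattern exactly as quoted in the article (its "." before "com" is unescaped).
QUOTED = re.compile(r"^[a-z]{1,}-help(desk){0,1}.com$")
# Assumption: a wider variant that also covers the unhyphenated
# [company_name]helpdesk.com form and digits, with the dot escaped.
WIDER = re.compile(r"^[a-z0-9]+-?help(desk)?\.com$")
CUTOFF = date(2025, 3, 1)  # assumption: "after March 2025" = on/after 1 March 2025


def matches_criteria(rec, pattern=QUOTED):
    """True when a registration record meets all four search criteria."""
    return (
        pattern.match(rec["domain"].lower()) is not None
        and "godaddy" in rec["registrar"].lower()
        and any(ns.lower().rstrip(".").endswith(".domaincontrol.com")
                for ns in rec["nameservers"])
        and rec["created"] >= CUTOFF
    )


def hunt(records, pattern=QUOTED):
    """Return the domains that satisfy every criterion, in input order."""
    return [r["domain"] for r in records if matches_criteria(r, pattern)]


# Constructed sample records; field names are hypothetical, not a real feed schema.
GD, GD_NS = "GoDaddy.com, LLC", ["ns01.domaincontrol.com", "ns02.domaincontrol.com"]
RECORDS = [
    {"domain": "examplefirm-helpdesk.com", "registrar": GD,
     "nameservers": GD_NS, "created": date(2025, 4, 2)},
    {"domain": "examplefirmhelpdesk.com", "registrar": GD,    # no hyphen
     "nameservers": GD_NS, "created": date(2025, 4, 3)},
    {"domain": "samplebank-help.com", "registrar": GD,
     "nameservers": GD_NS, "created": date(2025, 5, 10)},
    {"domain": "oldvendor-helpdesk.com", "registrar": GD,     # predates cutoff
     "nameservers": GD_NS, "created": date(2023, 1, 15)},
    {"domain": "otherco-helpdesk.com", "registrar": "Example Registrar Inc.",
     "nameservers": ["ns1.example.net"], "created": date(2025, 4, 20)},
]

if __name__ == "__main__":
    print("quoted pattern:", hunt(RECORDS))
    print("wider pattern: ", hunt(RECORDS, WIDER))
```

The wider pattern also matches unrelated names ending in "help.com", so the registrar, nameserver and date filters carry more of the triage load when it is used.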

Luna Moth’s campaign demonstrates a clear industry focus, with legal firms accounting for 40.28% of victims, followed by financial services (23.61%) and accounting (13.89%). 

After gaining access, attackers exfiltrate sensitive data using legitimate tools like WinSCP and Rclone, then demand ransoms between $1 million and $8 million USD via their dedicated leak site at business-data-leaks[.]com.

“Luna Moth’s choice of victims shows a deliberate focus on high-trust service sectors, especially legal, financial, and insurance firms, where sensitive data is widespread and closely tied to both reputation and regulatory compliance,” notes the EclecticIQ report.

Security professionals are advised to implement enhanced email security measures, educate employees about callback phishing techniques, and develop detection rules for unexpected RMM tool installations. 

Organizations should also regularly monitor for new domain registrations that may target their brand using the methodology outlined by security researchers.

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.