Authorities have issued an alert to law firms about Luna Moth (also known as Silent Ransom Group, Chatty Spider and Storm-0252), an extortion gang that has been running sophisticated “callback phishing” attacks since 2022. Victims first receive innocuous emails—often about fake invoices or subscription renewals—asking them to telephone a customer-service number. Once on the call, the attackers persuade staff to install legitimate remote-access tools such as Zoho Assist, AnyDesk or Splashtop. The criminals then steal sensitive data with utilities like WinSCP or Rclone and threaten to publish it unless a ransom is paid.
From March 2025 the gang changed tack: instead of waiting for callbacks, they phone employees directly while pretending to be in-house IT, again shepherding them into a remote-desktop session. EclecticIQ reports that Luna Moth registered at least 37 new “helpdesk” domains in March, most of them mimicking the targets’ own support portals.
The FBI urges organisations to watch for:
• Unsolicited calls from supposed IT staff
• Emails about subscription cancellations that contain phone numbers
• Outbound WinSCP or Rclone connections to unknown IPs
Luna Moth is back on the phone, and this time the cyber-crooks have law firms squarely in their sights. Authorities warn that the gang—also known as Silent Ransom Group—has spent the past two years perfecting “callback phishing”, a scam that starts with a harmless-looking email and ends with a full-blown data breach.
How the scam works
1. The lure – You receive an email about a subscription you’ve “forgotten” to cancel.
2. The call – Worried, you phone the customer-service number in the message.
3. The install – A polite operator asks you to load a remote-access tool so they can “help”.
4. The theft – Once inside, criminals copy your files and demand payment to keep them quiet.
Since March 2025 the crooks have gone one step further, phoning employees first and pretending to be the company’s own IT team.
Why your security tools may miss it
The attackers rely on genuine software—Zoho Assist, AnyDesk, Splashtop, WinSCP, Rclone—so antivirus and EDR platforms often treat the activity as normal system administration.
Red flags to watch for
• Unsolicited calls claiming to be “IT support”
• Emails about urgent subscription renewals that include a phone number
• Sudden outbound traffic from WinSCP or Rclone to unknown servers
• Newly registered domains that blend your company name with “-helpdesk” or “-support”
What to do now
• Train staff to verify any IT request through an internal number they know.
• Block unapproved remote-desktop software.
• Log and alert on Rclone or WinSCP traffic leaving the network.
• Monitor domain registrations that spoof your brand.
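As an added example (not code from the alert or from this article), the Python below implements two of the checks listed above: flagging WinSCP or Rclone connections that leave the internal address space, and spotting newly registered domains that blend a firm's name with "helpdesk" or "support". The internal ranges, the firm name "examplelaw", and the sample events and domains are assumptions constructed for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of endpoint network events (process, destination IP, port);
# illustrative values only, not data from the alert.
SAMPLE_EVENTS = [
    ("WinSCP.exe", "10.20.30.40", 22),     # internal SFTP server: expected
    ("rclone.exe", "203.0.113.17", 443),   # external cloud storage: suspicious
    ("chrome.exe", "198.51.100.5", 443),   # browser traffic: not a transfer tool
    ("winscp.exe", "192.0.2.77", 22),      # external host: suspicious
]

# File-transfer utilities the alert names as being used for data theft.
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}

# Assumed internal address space; replace with the organisation's own ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def flag_transfer_tool_egress(events):
    """Return (process, ip, port) tuples where WinSCP or Rclone talks to a non-internal host."""
    return [(p, ip, port) for p, ip, port in events
            if p.lower() in TRANSFER_TOOLS and not is_internal(ip)]

def flag_spoofed_domains(domains, brand):
    """Return domains that pair the brand with 'helpdesk' or 'support' in either order."""
    b = re.escape(brand.lower())
    pat = re.compile(rf"^(?:{b}[-.]?(?:helpdesk|support)|(?:helpdesk|support)[-.]?{b})\.[a-z]+$")
    return [d for d in domains if pat.match(d.lower())]

# Constructed list of newly registered domains for a hypothetical firm "examplelaw".
SAMPLE_DOMAINS = [
    "examplelaw.com",            # the firm's genuine domain
    "examplelaw-helpdesk.com",
    "ExampleLawSupport.net",
    "support-examplelaw.org",
    "other-support.com",
]

if __name__ == "__main__":
    for hit in flag_transfer_tool_egress(SAMPLE_EVENTS):
        print("ALERT transfer tool egress:", hit)
    for d in flag_spoofed_domains(SAMPLE_DOMAINS, "examplelaw"):
        print("ALERT lookalike domain:", d)
```

In production the event tuples would come from EDR or firewall logs and the domain list from a certificate-transparency or new-registration feed, with the internal ranges and any approved external transfer hosts maintained as an allowlist.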