Inside the Callback: Luna Moth’s Social Engineering Arsenal and the Rise of Extortion-Only Threat Models

By Security Blotter Research Desk

Anatomy of a Human-Centric Breach: From Email Lure to Full Remote Control

Introduction: Why Luna Moth Should Be on Every CISO’s Radar

The Silent Ransom Group — more widely known as Luna Moth — has emerged as a textbook case of how social engineering, abused trust, and legitimate tools can be just as dangerous as malware-laced zero-days. Since late 2022, Luna Moth has refined a callback phishing playbook that doesn’t just bypass perimeter defenses — it turns users into willing accomplices.

Their campaigns don’t drop payloads or seek privilege escalation through exploits. Instead, they orchestrate multi-step attacks using voice phishing (vishing), legitimate Remote Monitoring and Management (RMM) tools like Zoho Assist and AnyDesk, and secure file transfer utilities like WinSCP. The objective: steal sensitive data and extort the victim organization without writing a single line of malware.

Initially observed targeting legal firms, Luna Moth has expanded into higher education and healthcare — verticals rich in high-value data, complex user environments, and often decentralized IT governance. In this deep dive, we explore how the group operates, what makes their techniques effective, the sectors at greatest risk, and how defenders can intercept them at each stage of the attack chain.

Threat Actor Profile: Who is Luna Moth?

A Quiet Operator with Loud Impact

The Silent Ransom Group (SRG), also known by the more memorable moniker Luna Moth, surfaced in late 2022 and quickly carved out a unique space in the threat landscape. While most financially motivated actors lean on encryption-based ransomware, Luna Moth forgoes it entirely. Their endgame is the data itself — not destroying it, but stealing it and threatening exposure.

This group doesn’t operate in the shadows of complex malware ecosystems. Instead, they thrive in plain sight, exploiting phone lines, brand trust, and everyday software. It’s a pivot that reflects a broader trend: as backups get better and encryption loses its sting, extortion based on disclosure is becoming the go-to move for attackers looking to maintain pressure — and profits.

Motivations and Modus Operandi

Luna Moth’s strategy follows a familiar but finely tuned arc:

• Initial Contact: Phishing emails spoofing popular subscription services (like Masterclass, Duolingo, or Peloton) are used to trigger the attack. These lures don’t carry payloads — they carry phone numbers.
• Establishing Control: Victims are coaxed into calling the number. On the other end, trained operators impersonate support agents, convincing victims to install remote access software.
• Data Exfiltration: Once access is granted, attackers locate and extract sensitive files using tools like WinSCP over SFTP.
• Extortion: The final act is a demand for payment — or else the data goes public.

What stands out is their efficiency. No custom malware. No sophisticated exploit chains. Just a convincing voice and tools that IT teams themselves might use daily.

Operational Infrastructure

Luna Moth doesn’t rely on botnets or malware droppers. Instead, they invest in call center infrastructure, building live, human-driven social engineering pipelines. Each campaign appears to involve unique phone numbers and targeted execution. That investment in real-time human engagement allows them to adapt their scripts, overcome hesitations, and handle multiple “customers” simultaneously.

Who They Target — and Why

Legal, retail, higher education, and healthcare organizations have all landed in Luna Moth’s sights. The rationale is clear:

• Legal firms: Possess sensitive case files and face reputational consequences if breached.
• Universities: Store high-value research, large volumes of PII, and often operate in open-access IT environments.
• Healthcare providers: Maintain vast amounts of PHI and operate under regulatory scrutiny, increasing extortion leverage.

The group’s opportunistic behavior suggests that once inside, they’ll take whatever data they can — even if it’s not the proverbial “crown jewels.”

The Callback Phishing Chain: A Tactical Breakdown

TOAD: Telephone-Oriented Attack Delivery

At the heart of Luna Moth’s campaigns is a twist on the classic phishing approach known as TOAD — Telephone-Oriented Attack Delivery. Unlike traditional email phishing, TOAD flips the direction of engagement. Victims are lured into initiating the malicious contact, which creates two major advantages for the attacker:

1. Bypassing Email Security: No malicious links, no attachments — nothing to scan or sandbox.
2. Psychological Priming: Victims are already in a reactive mindset when they dial in, predisposed to follow instructions.

This isn’t theory. Vishing attacks surged 442% in the second half of 2024, and TOAD sits squarely in that growth curve.

Step-by-Step Exploitation

1. The Lure
   Emails impersonate known brands, warning of a charge or subscription renewal. These are pressure-based social engineering messages designed to prompt a call.
2. The Call
   Victims speak to trained attackers posing as customer support. The tone is calm, professional, and helpful. It’s a confidence game.
3. The Payload
   Instead of malware, victims are asked to install legitimate RMM software — most commonly Zoho Assist or AnyDesk. Once installed, attackers guide users into handing over control.
4. The Grab
   Attackers comb through files, often searching for documents by keyword (e.g., “confidential,” “invoice,” “SSN”). The data is then moved via WinSCP over SFTP (Port 22) to attacker-controlled servers.
5. The Demand
   Victims receive a ransom note — not to unlock systems, but to prevent a data leak. The threat: disclosure to media, customers, or regulators.

🔍 TTP Snapshot
• Tools: AnyDesk, Zoho Assist, WinSCP
• Protocols: SFTP (TCP 22)
• Infrastructure: Rotating phone numbers, Hostwinds SFTP servers
• Payload: None — just trust and urgency

Beyond the Initial Hook: Post-Exploitation Risks of RMM Abuse

Once Luna Moth secures remote access through legitimate RMM software, the real risk begins — and it goes far beyond data theft. These tools are built for deep system visibility and control. When repurposed by attackers, they become stealthy, high-permission implants that don’t trigger malware alarms.

What Can Attackers Do Once Inside?

Let’s break it down:

• File System Navigation
  Attackers use the RMM session to search and harvest documents containing financial data, PII, credentials, or IP. Search terms often include “confidential,” “SSN,” “W2,” and “client list.”
• Command Execution
  Many RMM tools allow terminal access. Luna Moth has been observed executing PowerShell and CMD commands to enumerate users, scan shares, or manipulate files.
• Exfiltration
  File transfer capabilities in tools like Zoho Assist or AnyDesk are sometimes sufficient, but Luna Moth typically installs WinSCP for structured data export over SFTP. This method blends into legitimate traffic patterns.
• Security Evasion
  Some attackers blank the screen during sessions to prevent the user from seeing file movement or configuration changes. In some cases, they attempt to disable EDR or AV tools altogether.
• Persistence
  If the user grants permanent access during installation, the tool remains as a backdoor. Additionally, attackers may create scheduled tasks, registry keys, or secondary accounts to maintain access.

This isn’t just data theft. It’s deep system compromise, conducted over a “trusted” software channel.

RMM Risk Compounded by Vendor Vulnerabilities

Even legitimate RMM tools introduce risk simply by being present:

• Zoho Assist (CVE-2024-12754): Vulnerability allowed unauthorized file access via crafted background images during session setup.
• AnyDesk (2024 Breach): Compromise of production infrastructure, code-signing certificates, and potential credential leakage. The stolen certificate could be used to sign malicious binaries that appear trusted.

These incidents demonstrate that even if Luna Moth doesn’t exploit the vulnerabilities directly, they create additional downstream risk. A user duped into installing an RMM client could later be compromised via a supply chain exploit tied to that software.

The Bigger Picture: Threat Activity, Impact, and Trendlines

Real-World Incidents and Law Enforcement Attention

Luna Moth’s campaigns are active, widespread, and growing. While many victim names remain confidential, multiple incidents have resulted in six-figure extortion payouts. The FBI issued an alert in late 2022 about callback phishing campaigns using tools like Zoho Assist, naming Luna Moth among those involved.

Industry watchers including Arctic Wolf, CrowdStrike, and DNSFilter have all documented a rise in callback phishing volumes throughout 2023 and 2024 — often linked to Luna Moth’s evolving playbook.

📈 Notable Trendline:

• 442% increase in vishing attacks reported H2 2024 (CrowdStrike)
• RMM tools and WinSCP consistently top the list of attacker-favored exfiltration methods
• Callback phishing is now an established tactic in ENISA and CISA threat landscape reports

Cost and Consequences

While Luna Moth doesn’t encrypt systems, the cost of response and reputational fallout can match — or exceed — traditional ransomware:

• Forensics and Containment: Isolating systems, auditing access, and remediating RMM persistence is labor-intensive.
• Legal and Regulatory: PII/PHI exposure may trigger GDPR, CCPA, HIPAA, or FERPA notifications and fines.
• Brand and Trust Impact: The threat of a public leak is often more damaging than a temporary lockout.
• Operational Disruption: Even without encryption, IR teams often need to take systems offline during investigations.

This is a non-encrypting threat with ransomware-level implications.

Defense in Depth: What Actually Works Against Luna Moth?

Core Controls That Make a Difference

1. RMM Governance

• Maintain a strict allowlist of authorized RMM tools.
• Use application control (e.g., AppLocker, EDR policies) to block all others.
• Require MFA and role-based access controls for all remote sessions.
• Disable unattended access by default.

Egress Filtering and SFTP Controls

• Block outbound SFTP traffic by default (TCP 22).
• Permit only pre-approved destinations for legitimate file transfer workflows.
• Monitor for anomalous file sizes, destinations, and volume spikes.

EDR/XDR Behavioral Detection

• Alert on installation or execution of AnyDesk, Zoho Assist, and WinSCP from unapproved users or paths.
• Monitor for command shells spawned by RMM sessions.
• Flag file enumeration and bulk access to sensitive directories.
• Correlate with network telemetry to catch stealthy exfiltration.

Email Filtering

• Use DMARC, SPF, and DKIM to reduce spoofed sender success.
• Train filters to detect urgent billing lures and recurring callback language.
• Extract and assess embedded phone numbers against threat intel feeds.

User Awareness: Focus on the Call, Not the Link

• Train users to verify subscription notices independently.
• Forbid installation of software based on a phone call — ever.
• Promote skepticism of “support” calls and require internal validation steps.
• Implement realistic vishing simulation campaigns targeting high-risk roles (e.g., finance, legal, HR).

Sector Spotlight: Why Higher Ed and Healthcare Are Prime Targets

The Luna Moth playbook isn’t random — it’s calibrated for sectors where human variability, sensitive data, and decentralized IT converge. Two sectors stand out for both volume of incidents and depth of impact: higher education and healthcare.

Higher Education: Openness Meets Opportunism

Why It’s Targeted

• Diverse, transient users: Faculty, staff, and students cycle through regularly. Security awareness varies wildly.
• BYOD culture: Personal devices with inconsistent controls are often allowed on institutional networks.
• Valuable data: Universities house PII, donor records, research IP, and sensitive grant information.
• Loose segmentation: Research labs, student dorms, and admin systems may share overlapping infrastructure.
• Decentralized IT: Departmental autonomy can lead to inconsistent patching and tool governance.

Risks & Impacts

• PII exposure: FERPA-protected student data, donor lists, or social security numbers may be compromised.
• IP theft: Research data leaks can result in competitive losses, grant withdrawal, or foreign IP theft.
• Reputation damage: Breaches can impact enrollment, fundraising, and faculty recruitment.
• Compliance penalties: Violations may trigger DOE, GDPR, or state-level regulatory investigations.

Targeted Mitigations

• Deploy custom awareness campaigns using education-themed lures (e.g., fake financial aid, tuition, or library fees).
• Segment networks aggressively between students, staff, and research systems.
• Centralize RMM tool approval across the institution and block department-level exceptions.
• Enforce NAC and minimum security baselines for BYOD access to sensitive systems.

Healthcare: A Perfect Storm of Pressure and Data Sensitivity

Why It’s Targeted

• High-value data: Protected Health Information (PHI) fetches a premium on underground markets.
• Regulatory exposure: HIPAA compliance violations can lead to seven-figure fines and long-term audits.
• Operational fragility: Even small IT disruptions can impact care delivery, creating intense pressure to pay ransoms.
• Legacy systems: Unpatchable or unsupported medical devices expand the attack surface.
• Vendor access: RMM tools are often used by third-party support teams and may be poorly controlled.

Risks & Impacts

• PHI breaches: Trigger costly breach notifications, OCR audits, and lawsuits.
• Patient trust erosion: Public disclosure of sensitive patient records can be devastating to brand reputation.
• Clinical disruption: System isolation during investigation can affect scheduling, record access, or billing.
• Litigation: Class-action suits from patients are increasingly common following healthcare data breaches.

Targeted Mitigations

• Lock down vendor RMM use: Require time-bound, audited access and enforce MFA and IP allowlisting.
• Conduct PHI-specific vishing training (e.g., fake insurance verifications, prescription changes).
• Encrypt PHI at rest and in transit — and ensure RMM tools cannot bypass those protections.
• Isolate IoMT and legacy devices from core infrastructure wherever possible.

Conclusion: When the Phone Call Is the Breach

Luna Moth reminds us that in 2025, the most dangerous malware might be a voice on the other end of the line.

This is an actor that:

• Operates without malware
• Bypasses technical defenses using trust
• Weaponizes IT-approved tools
• Monetizes data without encryption
• Leaves few forensic artifacts behind

For defenders, this is a worst-case adversary model. Not because of sophistication, but because of subtlety. Luna Moth campaigns don’t trip antivirus or detonate in sandboxes. They succeed because someone thought a charge looked real, picked up the phone, and followed directions.

Defeating them requires a mindset shift. Security awareness must expand beyond phishing links to include callback phishing and vishing vectors. Tool governance must evolve to treat legitimate software as potentially dangerous, depending on who’s installing it. Detection engineering must prioritize behavioral anomalies over signatures. And ultimately, organizations must build defenses that account for what attackers now know: humans are the best way in.

Action Checklist

✅ Audit all RMM tools in your environment. Block anything not explicitly approved.
✅ Restrict outbound SFTP by application and destination. Monitor port 22 for anomalies.
✅ Simulate vishing attacks regularly. Don’t wait for the real thing to test user response.
✅ Implement endpoint behavior rules for RMM activity, file transfer tools, and PowerShell use.
✅ Train users to verify phone-based support claims through official channels, not embedded contact info.
✅ Profile normal SFTP and RMM traffic to detect deviations early.
✅ Engage cross-departmental stakeholders — this threat hits IT, compliance, comms, and leadership alike.

Told you it was deep.