Luna Moth is one of the more operationally distinctive groups in the current extortion ecosystem. Unlike conventional ransomware operators who deploy encryption payloads and build out malware toolchains, Luna Moth’s intrusions are conducted primarily through social engineering and legitimate remote administration software. The group does not encrypt victim data — it steals it and threatens publication, a pure data-extortion model that has proven effective against high-value professional services firms whose clients place particular weight on confidentiality.
The group operates under several tracked designations: Luna Moth (Unit 42/Palo Alto Networks), Silent Ransom Group (various researchers), UNC3753 (Mandiant), and Chatty Spider (CrowdStrike). The activity cluster is consistent across sources.
Initial Access: Callback Phishing
Luna Moth’s primary initial access technique is callback phishing, sometimes called telephone-oriented attack delivery (TOAD). The target receives an email purporting to be from a legitimate subscription service — a software licence renewal, a legal document service, or a cloud storage provider. The email states that the target’s account will be charged imminently and includes a phone number to call for assistance.
When the target calls the number, they reach a Luna Moth operator posing as support staff. The operator’s goal is to convince the caller to install a remote access tool — typically AnyDesk, Zoho Assist, or a similar legitimate platform — under the pretext of assisting with account management, cancelling a spurious charge, or resolving a billing issue.
Once remote access is established, the operator proceeds with data discovery and exfiltration without deploying any malicious executable. The entire intrusion uses tools that appear legitimate to endpoint security: a remote access platform used by millions of IT teams, Windows built-in utilities (PowerShell, robocopy, net commands), and FTP/cloud upload tools.
Why This Defeats Most Endpoint Controls
Standard endpoint detection relies heavily on identifying malicious executables, suspicious process chains, or network connections to known C2 infrastructure. Luna Moth’s approach sidesteps all three:
- AnyDesk, Zoho Assist, and equivalent tools are not flagged malicious — they are widely used by legitimate IT departments
- The operator’s activity (file listing, data copy operations, upload) occurs through the remote session and appears as user-initiated actions
- There is no malware delivery, no exploitation of vulnerabilities, and no malicious payload to detect
- The initial compromise uses a phone call rather than a malicious link or attachment, bypassing email security and endpoint controls entirely
Detection requires anomaly-based analysis: unexpected RMM tool installation by non-IT personnel, large outbound data transfers to cloud storage services, remote access tool usage from non-standard accounts.
Jones Day Campaign
Luna Moth claimed responsibility for an intrusion at Jones Day, one of the world’s largest law firms, in 2026. The group listed Jones Day on their data leak site and published samples of the alleged stolen data as leverage. Jones Day, like most law firms that experience data incidents, has not publicly confirmed details of the breach.
Law firms are premium targets for data-extortion operations for structural reasons: attorney-client privilege creates high confidentiality obligations; clients include major corporations, financial institutions, and public figures; and the reputational and client-relationship consequences of disclosed sensitive matter data motivate payment or settlement even where the direct financial loss from data publication is moderate.
Luna Moth has targeted legal services organisations disproportionately relative to other sectors. This is not incidental — the group appears to have operationally refined their approach (scripting, pretext scenarios, technical workflow) specifically for professional services firms where the callback phishing scenario (software subscription cancellation) lands plausibly with corporate administrative staff.
Operational Characteristics
Target selection: Large professional services firms — law, accounting, financial advisory — with significant client confidentiality exposure. Luna Moth has targeted US and UK firms most prominently, with some European activity.
Ransom demands: Luna Moth demands typically range from hundreds of thousands to low millions of dollars, calibrated to the firm’s size and the sensitivity of the exfiltrated data. Demands are negotiated through encrypted messaging platforms.
Publication policy: The group maintains an active data leak site where they list victims, publish sample files, and set deadlines. Non-paying victims see progressive data releases. The publication model mirrors conventional double-extortion ransomware but without the encryption component.
Dwell time: Because the intrusion appears as legitimate remote access, dwell times can be extended — in some documented cases, weeks elapsed between initial access and the extortion demand, as the operator conducted thorough data discovery across file shares, email, and document management systems.
Tooling observed in incidents:
- AnyDesk, Zoho Assist (initial remote access)
- Windows built-ins: robocopy, xcopy, net view, net share
- Rclone (cloud sync tool used for bulk exfiltration to attacker-controlled cloud storage)
- FTP clients for secondary exfiltration channels
- No custom malware, no persistence mechanisms beyond the remote access session
Defending Against Luna Moth
Standard controls address Luna Moth less effectively than conventional ransomware. The following measures directly address their tradecraft:
RMM tool controls: Maintain an approved list of remote management tools permitted in your environment. Alert on installation of AnyDesk, TeamViewer, Zoho Assist, ScreenConnect, and equivalent tools outside IT service accounts. Block unauthorised RMM tool execution via application control policies.
Outbound data transfer monitoring: Alert on large-volume outbound transfers to cloud storage services (Dropbox, Mega, OneDrive personal accounts) and FTP destinations outside approved business use. Rclone executed by non-service accounts is an especially high-fidelity indicator.
Security awareness for callback phishing: Callback phishing success depends on staff willingness to call an attacker-supplied number and install software on instruction from a stranger. Training should specifically address: do not call numbers in unsolicited emails about billing, do not install remote access software on instruction from an inbound support call, verify through a known-good number before taking any action.
Verified callback process: Implement a policy that any request to install software from a phone call — regardless of claimed origin — requires verification through official helpdesk channels. Attackers cannot satisfy a call-back to your actual IT helpdesk.
Sensitive data egress controls: DLP controls on file shares, email attachments, and USB devices limit the data available to an operator who has established remote access. Labelling and access controls on client matter data in particular reduce the value of any successful exfiltration.
Threat Intelligence Summary
| Attribute | Detail |
|---|---|
| Designations | Luna Moth, Silent Ransom Group, UNC3753, Chatty Spider |
| First observed | 2022 |
| Motivation | Financial — pure data extortion, no encryption |
| Primary sectors | Legal, finance, professional services, healthcare |
| Initial access | Callback phishing (TOAD), telephone social engineering |
| Tooling | Legitimate RMM tools (AnyDesk, Zoho Assist), Rclone |
| Geographic focus | US, UK, Europe |
| Typical demand range | $250,000 – $3,000,000+ |
| Notable targets | Jones Day, multiple legal and financial firms |