LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Luna Moth

Luna Moth / Silent Ransom Group: Callback Phishing, No Malware, and the Jones Day Breach

Luna Moth (also known as Silent Ransom Group and UNC3753) runs a ransomware-adjacent extortion operation with an unusual differentiator: no malware. Their intrusions use social engineering and legitimate remote access tools, leaving endpoint security largely blind. A recent campaign against legal giant Jones Day illustrates why legal and professional services firms remain their primary target.

By Ransomware Tracker ·
Luna-MothSilent-Ransom-Groupcallback-phishingvishingsocial-engineeringdata-extortionlegalprofessional-servicesUNC3753
Threat Level
8/10
Sectors Targeted
legal
finance
professional-services
healthcare
Ransomware Family
Luna Moth

Luna Moth is one of the more operationally distinctive groups in the current extortion ecosystem. Unlike conventional ransomware operators who deploy encryption payloads and build out malware toolchains, Luna Moth’s intrusions are conducted primarily through social engineering and legitimate remote administration software. The group does not encrypt victim data — it steals it and threatens publication, a pure data-extortion model that has proven effective against high-value professional services firms whose clients place particular weight on confidentiality.

The group operates under several tracked designations: Luna Moth (Unit 42/Palo Alto Networks), Silent Ransom Group (various researchers), UNC3753 (Mandiant), and Chatty Spider (CrowdStrike). The activity cluster is consistent across sources.

Initial Access: Callback Phishing

Luna Moth’s primary initial access technique is callback phishing, sometimes called telephone-oriented attack delivery (TOAD). The target receives an email purporting to be from a legitimate subscription service — a software licence renewal, a legal document service, or a cloud storage provider. The email states that the target’s account will be charged imminently and includes a phone number to call for assistance.

When the target calls the number, they reach a Luna Moth operator posing as support staff. The operator’s goal is to convince the caller to install a remote access tool — typically AnyDesk, Zoho Assist, or a similar legitimate platform — under the pretext of assisting with account management, cancelling a spurious charge, or resolving a billing issue.

Once remote access is established, the operator proceeds with data discovery and exfiltration without deploying any malicious executable. The entire intrusion uses tools that appear legitimate to endpoint security: a remote access platform used by millions of IT teams, Windows built-in utilities (PowerShell, robocopy, net commands), and FTP/cloud upload tools.

Why This Defeats Most Endpoint Controls

Standard endpoint detection relies heavily on identifying malicious executables, suspicious process chains, or network connections to known C2 infrastructure. Luna Moth’s approach sidesteps all three:

  • AnyDesk, Zoho Assist, and equivalent tools are not flagged malicious — they are widely used by legitimate IT departments
  • The operator’s activity (file listing, data copy operations, upload) occurs through the remote session and appears as user-initiated actions
  • There is no malware delivery, no exploitation of vulnerabilities, and no malicious payload to detect
  • The initial compromise uses a phone call rather than a malicious link or attachment, bypassing email security and endpoint controls entirely

Detection requires anomaly-based analysis: unexpected RMM tool installation by non-IT personnel, large outbound data transfers to cloud storage services, remote access tool usage from non-standard accounts.

Jones Day Campaign

Luna Moth claimed responsibility for an intrusion at Jones Day, one of the world’s largest law firms, in 2026. The group listed Jones Day on their data leak site and published samples of the alleged stolen data as leverage. Jones Day, like most law firms that experience data incidents, has not publicly confirmed details of the breach.

Law firms are premium targets for data-extortion operations for structural reasons: attorney-client privilege creates high confidentiality obligations; clients include major corporations, financial institutions, and public figures; and the reputational and client-relationship consequences of disclosed sensitive matter data motivate payment or settlement even where the direct financial loss from data publication is moderate.

Luna Moth has targeted legal services organisations disproportionately relative to other sectors. This is not incidental — the group appears to have operationally refined their approach (scripting, pretext scenarios, technical workflow) specifically for professional services firms where the callback phishing scenario (software subscription cancellation) lands plausibly with corporate administrative staff.

Operational Characteristics

Target selection: Large professional services firms — law, accounting, financial advisory — with significant client confidentiality exposure. Luna Moth has targeted US and UK firms most prominently, with some European activity.

Ransom demands: Luna Moth demands typically range from hundreds of thousands to low millions of dollars, calibrated to the firm’s size and the sensitivity of the exfiltrated data. Demands are negotiated through encrypted messaging platforms.

Publication policy: The group maintains an active data leak site where they list victims, publish sample files, and set deadlines. Non-paying victims see progressive data releases. The publication model mirrors conventional double-extortion ransomware but without the encryption component.

Dwell time: Because the intrusion appears as legitimate remote access, dwell times can be extended — in some documented cases, weeks elapsed between initial access and the extortion demand, as the operator conducted thorough data discovery across file shares, email, and document management systems.

Tooling observed in incidents:

  • AnyDesk, Zoho Assist (initial remote access)
  • Windows built-ins: robocopy, xcopy, net view, net share
  • Rclone (cloud sync tool used for bulk exfiltration to attacker-controlled cloud storage)
  • FTP clients for secondary exfiltration channels
  • No custom malware, no persistence mechanisms beyond the remote access session

Defending Against Luna Moth

Standard controls address Luna Moth less effectively than conventional ransomware. The following measures directly address their tradecraft:

RMM tool controls: Maintain an approved list of remote management tools permitted in your environment. Alert on installation of AnyDesk, TeamViewer, Zoho Assist, ScreenConnect, and equivalent tools outside IT service accounts. Block unauthorised RMM tool execution via application control policies.

Outbound data transfer monitoring: Alert on large-volume outbound transfers to cloud storage services (Dropbox, Mega, OneDrive personal accounts) and FTP destinations outside approved business use. Rclone executed by non-service accounts is an especially high-fidelity indicator.

Security awareness for callback phishing: Callback phishing success depends on staff willingness to call an attacker-supplied number and install software on instruction from a stranger. Training should specifically address: do not call numbers in unsolicited emails about billing, do not install remote access software on instruction from an inbound support call, verify through a known-good number before taking any action.

Verified callback process: Implement a policy that any request to install software from a phone call — regardless of claimed origin — requires verification through official helpdesk channels. Attackers cannot satisfy a call-back to your actual IT helpdesk.

Sensitive data egress controls: DLP controls on file shares, email attachments, and USB devices limit the data available to an operator who has established remote access. Labelling and access controls on client matter data in particular reduce the value of any successful exfiltration.

Threat Intelligence Summary

AttributeDetail
DesignationsLuna Moth, Silent Ransom Group, UNC3753, Chatty Spider
First observed2022
MotivationFinancial — pure data extortion, no encryption
Primary sectorsLegal, finance, professional services, healthcare
Initial accessCallback phishing (TOAD), telephone social engineering
ToolingLegitimate RMM tools (AnyDesk, Zoho Assist), Rclone
Geographic focusUS, UK, Europe
Typical demand range$250,000 – $3,000,000+
Notable targetsJones Day, multiple legal and financial firms
// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting