Luna Moth Report
Luna Moth - a financially motivated extortion group targeting the legal sector.
Luna Moth is a financially motivated data extortion group that has quickly become one of the most active and operationally disciplined threats facing organisations in the legal and professional services sectors.
Unlike many cybercriminal groups, Luna Moth doesn’t rely on technical complexity or malware. Its power lies in social engineering and exploiting the trust that employees have in the people they believe are trying to help them.
This report by Canopius’ Threat Intelligence team looks at who Luna Moth are, how they operate and what you can do to reduce your exposure.
Aliases
First Seen
2022
Targeted Industries
- Legal Services
- Financial Services
- Professional Services
- Biotechnology
- Privacy & Security
- Government & Military
Targeted Regions
- United States of America
Campaigns & Themes
Luna Moth’s campaigns have evolved significantly since their first documented activity. What started as traditional callback phishing, using fake invoice and subscription lures to drive victims towards attacker-controlled phone numbers, has become a targeted programme of IT helpdesk impersonation and more recently in-person intrusion attempts.
The shift towards law firms is a deliberate strategy. Law firms hold some of the most sensitive and commercially valuable data of any sector: privileged client communications, transaction records and confidential case materials.
That combination of high data value and strong reputational incentive to avoid disclosure makes the sector an attractive extortion target.
Threat Actor Timeline
Since their first campaigns, Luna Moth’s lures and targets have changed but three characteristics have remained consistent across every known operation.
Attack Pattern Deep-Dive
Luna Moth's attack chain relies heavily on user interaction and on obtaining interactive access to a victim's device. Initial access typically begins with phishing emails, IT helpdesk impersonation and, more recently, in-person visits to victim premises.
Understanding the full attack path, not just the initial lure, is what lets staff and security teams spot the red flags early.
Identifying an Attack Path
The below table outlines Luna Moth’s attack path:
| Stage | ATT&CK Technique | How Luna Moth Uses It |
|---|---|---|
| Initial Access / Reconnaissance | T1566 / T1566.004 — Phishing / Spearphishing Voice | Uses phishing emails with billing, subscription, invoice or IT-themed lures. Uses phone calls or callback phishing to speak directly with victims and impersonate support staff. |
| Execution | T1204 — User Execution | Relies on the user taking an action: joining a remote session, clicking a link or installing a remote access tool. No malware required; the victim does the work. |
| Command & Control / Execution | T1219 — Remote Access Tools | Abuses legitimate remote administration tools to establish interactive access to the victim device, blending in with normal IT activity. |
| Discovery | T1083 — File and Directory Discovery | Searches the local system and accessible file paths for sensitive or high-value documents. |
| Collection | T1213 — Data from Information Repositories | Targets business repositories and collaboration platforms that may contain sensitive client, legal or operational material. |
| Exfiltration | T1567 — Exfiltration Over Web Service | Uploads stolen data to web-accessible or cloud-based services, blending outbound traffic with legitimate activity. |
| Exfiltration | T1052.001 — Exfiltration Over Physical Medium: USB | In in-person intrusion scenarios, data is copied directly to a USB device or external storage inserted into a victim workstation. |
| Impact | T1657 — Financial Theft | Uses the threat of publishing, selling, or disclosing stolen data to coerce payment. No encryption required - data exposure is the leverage. |
Mitigating the Threat
Effective defence against Luna Moth doesn't hinge on a sophisticated security toolkit. The group succeeds because social engineering works and because organisations often lack the visibility and controls needed to detect unusual access and data movement before it's too late.
The following controls, when well-implemented, significantly reduce exposure:
Security teams should monitor for the behavioural indicators most associated with Luna Moth activity: abnormal access to large numbers of files, unusual browsing of shared folders, access to sensitive repositories outside normal working patterns and suspicious staging or compression of files prior to transfer. Detections should be tuned to flag these patterns even where the underlying tools being used are legitimate.
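The behavioural indicators above can be turned into concrete detection logic. The following Python is an added example written for this report, not code from Canopius or from any detection product: it runs three rules over a constructed file-server audit log (the log format, user names, paths and thresholds are all assumptions) and flags a burst of distinct file reads, off-hours access to a sensitive share, and an archive written shortly after such a burst, while leaving a normal in-hours user unflagged.

```python
"""Behavioural detections for Luna Moth-style data theft over a file audit log.

Added example for illustration. The log format ("timestamp|user|host|action|path"),
the sample events and the thresholds below are constructed assumptions; tune
them to the environment's own baseline before use.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tunables.
MASS_ACCESS_FILES = 8                      # distinct files read within the window
MASS_ACCESS_WINDOW = timedelta(minutes=5)
STAGING_LOOKBACK = timedelta(minutes=15)   # archive written this soon after a burst
BUSINESS_HOURS = (8, 18)                   # local hours, Monday to Friday
SENSITIVE_PREFIXES = (r"\\fs01\Legal\Matters", r"\\fs01\Legal\Privileged")
ARCHIVE_EXTS = (".7z", ".zip", ".rar", ".tar", ".gz")

# Constructed sample log: asmith is normal in-hours activity (including one
# sensitive read and one zip write); jdoe reads ten matter files in 45 seconds
# on a weekday evening, then writes an archive to a temp folder.
SAMPLE_LOG = "\n".join([
    r"2024-03-04T09:12:01|asmith|WS-014|read|\\fs01\Shared\Admin\calendar.xlsx",
    r"2024-03-04T10:30:00|asmith|WS-014|read|\\fs01\Legal\Matters\M-001\brief.docx",
    r"2024-03-04T11:00:00|asmith|WS-014|write|\\fs01\Shared\Admin\q1-reports.zip",
    *[rf"2024-03-04T19:03:{s:02d}|jdoe|WS-022|read|\\fs01\Legal\Matters\M-{n:03d}\brief.docx"
      for n, s in enumerate(range(0, 50, 5), start=1)],
    r"2024-03-04T19:06:10|jdoe|WS-022|write|C:\Users\jdoe\AppData\Local\Temp\export.7z",
])


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    path: str


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str


def parse_log(text):
    """Parse pipe-delimited audit lines into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, host, action, path = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), user, host, action, path))
    return sorted(events, key=lambda e: e.ts)


def is_off_hours(ts):
    """True at weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect(text):
    """Run the three behavioural rules and return the alerts in time order."""
    alerts = []
    recent = defaultdict(deque)   # user -> (ts, path) reads inside the sliding window
    mass_hit = {}                 # user -> time of first mass-access trigger
    off_hours_seen = set()        # (user, date) already alerted, to limit noise
    for ev in parse_log(text):
        # Rule 1: any touch of a sensitive repository outside working patterns.
        if ev.path.startswith(SENSITIVE_PREFIXES) and is_off_hours(ev.ts):
            key = (ev.user, ev.ts.date())
            if key not in off_hours_seen:
                off_hours_seen.add(key)
                alerts.append(Alert("off_hours_sensitive_access", ev.user, ev.ts, ev.path))
        # Rule 2: burst of distinct file reads by one user within the window.
        if ev.action == "read":
            q = recent[ev.user]
            q.append((ev.ts, ev.path))
            while q and ev.ts - q[0][0] > MASS_ACCESS_WINDOW:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= MASS_ACCESS_FILES and ev.user not in mass_hit:
                mass_hit[ev.user] = ev.ts
                alerts.append(Alert("mass_file_access", ev.user, ev.ts,
                                    f"{len(distinct)} files in {MASS_ACCESS_WINDOW}"))
        # Rule 3: archive written soon after that burst, i.e. staging for transfer.
        # Correlating with Rule 2 is what keeps ordinary zip files from alerting.
        if ev.action == "write" and ev.path.lower().endswith(ARCHIVE_EXTS):
            hit = mass_hit.get(ev.user)
            if hit is not None and ev.ts - hit <= STAGING_LOOKBACK:
                alerts.append(Alert("archive_staging", ev.user, ev.ts, ev.path))
    return alerts


def summarize(text):
    """(rule, user) pairs, convenient for tests and dashboards."""
    return [(a.rule, a.user) for a in detect(text)]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.rule:<28} {a.user:<8} {a.detail}")
```

The rules deliberately key on behaviour rather than tooling: nothing here inspects which remote access software was used, so the detections still fire when the operator is working through a legitimate, approved tool. The same pattern applies to the remote access logs themselves (a session opened outside hours, from an unfamiliar source, followed by a burst of file reads), and the correlation in Rule 3 is the part to preserve when porting this to a SIEM, since archive creation on its own is routine.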
Why Canopius?
As threat actors like Luna Moth appear, evolve and broaden their approach, keeping pace with the threat landscape requires more than periodic awareness. Canopius’ Threat Intelligence team serves our cyber policyholders by maintaining active visibility of the groups most likely to affect the organisations we insure, ensuring our insureds are informed, prepared, and not left behind.
About Canopius’ Threat Intelligence Function
Understanding how groups like Luna Moth operate highlights the importance of a dedicated threat intelligence function in identifying, anticipating, and mitigating cyber threats.
By analysing attack patterns and behavioural indicators, Canopius’ Threat Intelligence team is able to guide proactive defences, inform security policy and help organisations understand their specific risk profile, which in turn enables us to design the most appropriate insurance solution.
Canopius’ Threat Intelligence function is built on data collected by our dedicated cyber incident management team, supported by both premium and open-source threat intelligence feeds and platforms.
We believe that combining threat intelligence with claims data gives us an unparalleled perspective on real-world cyber risk. Embracing honesty and transparency, we use these capabilities to work closely with our clients with the aim of reducing their cyber risk and securing their digital operations.
About Canopius’ Cyber Incident Management Team
A streamlined response to a Luna Moth attack requires rapid detection, immediate containment of any unauthorised remote access and a clear communications plan, ideally before any extortion demand has been received.
Response actions should include reviewing remote access logs, identifying data that may have been accessed or exfiltrated, disabling unauthorised sessions, rotating credentials and notifying relevant legal, regulatory, client, and insurer contacts as appropriate.
Canopius’ in-house Cyber Incident Management team provides expert guidance and vendor coordination to help organisations navigate and mitigate these incidents effectively, ensuring tailored, high-quality support from the moment an event is identified.