Luna Moth Report

Luna Moth - a financially motivated extortion group targeting the legal sector.

Luna Moth is a financially motivated data extortion group that has quickly become one of the most active and operationally disciplined threats facing organisations in the legal and professional services sectors.

Unlike many cybercriminal groups, Luna Moth doesn’t rely on technical complexity or malware. Its power lies in social engineering and exploiting the trust that employees have in the people they believe are trying to help them.

This report by Canopius’ Threat Intelligence team looks at who Luna Moth are, how they operate and what you can do to reduce your exposure.


Aliases

Silent Ransom Group (SRG), Chatty Spider, UNC3753, TG2729, Storm-0252

First Seen

2022

Targeted Industries

  • Legal Services
  • Financial Services
  • Professional Services
  • Biotechnology
  • Privacy & Security
  • Government & Military

Targeted Regions

  • United States of America

Campaigns & Themes

Luna Moth’s campaigns have evolved significantly since their first documented activity. What started as traditional callback phishing, using fake invoice and subscription lures to drive victims towards attacker-controlled phone numbers, has become a targeted programme of IT helpdesk impersonation and more recently in-person intrusion attempts.

The shift towards law firms is a deliberate strategy. Law firms hold some of the most sensitive and commercially valuable data of any sector: privileged client communications, transaction records and confidential case materials.

That combination of high data value and strong reputational incentive to avoid disclosure makes the sector an attractive extortion target.

Threat Actor Timeline

  • Initial activity used fake invoice and subscription alerts to drive victims to attacker-controlled phone numbers, where actors posed as billing or support agents to get remote access.
  • Campaigns evolved into direct IT support impersonation via phone and phishing email, persuading employees to install remote access tools or join remote sessions, giving actors interactive access to victim systems without deploying any malware.
  • Intelligence sources confirm a deliberate pivot toward law firms, driven by the high value of privileged data and the leverage it provides in extortion negotiations.
  • The FBI reported that Luna Moth actors had attended victim premises while posing as IT support, trying to gain physical access to workstations and insert USB devices to extract data directly.

Since their first campaigns, Luna Moth’s lures and targets have changed but three characteristics have remained consistent across every known operation.

  • Every Luna Moth attack is based on human deception. Whether via phishing email, callback phone call or in-person impersonation, the group exploits trust rather than technical vulnerabilities. Employees are the primary target.
  • Luna Moth doesn’t deploy custom malware. Instead it uses legitimate remote monitoring and management tools that are already trusted by security controls. This makes malicious activity hard to detect and easy to dismiss as routine IT work.
  • Unlike ransomware operators, Luna Moth’s leverage is the threat of data exposure, not system disruption. Victim organisations face reputational, regulatory and client relationship risks, often making payment feel like the path of least resistance.

Attack Pattern Deep-Dive

We now know that Luna Moth’s attack chain relies heavily on user interaction and on gaining access to devices. We also know that initial access typically starts with phishing emails, IT helpdesk impersonation and, more recently, attending victim premises in person.

But it’s important to understand Luna Moth’s attack path so you can spot the red flags straight away.

Identifying an Attack Path

The below table outlines Luna Moth’s attack path:

Stage: Initial Access / Reconnaissance
ATT&CK Technique: T1566 / T1566.004 — Phishing / Spearphishing Voice
How Luna Moth Uses It: Uses phishing emails with billing, subscription, invoice or IT-themed lures. Uses phone calls or callback phishing to speak directly with victims and impersonate support staff.

Stage: Execution
ATT&CK Technique: T1204 — User Execution
How Luna Moth Uses It: Relies on the user taking an action: joining a remote session, clicking a link or installing a remote access tool. No malware required; the victim does the work.

Stage: Command & Control / Execution
ATT&CK Technique: T1219 — Remote Access Tools
How Luna Moth Uses It: Abuses legitimate remote administration tools to establish interactive access to the victim device, blending in with normal IT activity.

Stage: Discovery
ATT&CK Technique: T1083 — File and Directory Discovery
How Luna Moth Uses It: Searches the local system and accessible file paths for sensitive or high-value documents.

Stage: Collection
ATT&CK Technique: T1213 — Data from Information Repositories
How Luna Moth Uses It: Targets business repositories and collaboration platforms that may contain sensitive client, legal or operational material.

Stage: Exfiltration
ATT&CK Technique: T1567 — Exfiltration Over Web Service
How Luna Moth Uses It: Uploads stolen data to web-accessible or cloud-based services, blending outbound traffic with legitimate activity.

Stage: Exfiltration
ATT&CK Technique: T1052.001 — Exfiltration Over Physical Medium: USB
How Luna Moth Uses It: In in-person intrusion scenarios, data is copied directly to a USB device or external storage inserted into a victim workstation.

Stage: Impact
ATT&CK Technique: T1657 — Financial Theft
How Luna Moth Uses It: Uses the threat of publishing, selling or disclosing stolen data to coerce payment. No encryption required; data exposure is the leverage.

Mitigating the Threat

Effective defence against Luna Moth doesn’t require a security toolkit. The group succeeds because social engineering works and because organisations often lack the visibility and controls needed to detect unusual access and data movement before it’s too late.

The following controls, when well-implemented, significantly reduce exposure:

Employees should be trained to treat unexpected IT support calls, remote access requests, subscription alerts and invoice-related emails as suspicious. Internal IT teams should have a clearly defined and well-communicated process for contacting users, and employees should be encouraged to verify any support request through a known internal channel before granting access or following instructions. Luna Moth’s success depends on employees not questioning the legitimacy of what they are being asked to do.

Organisations should have an approved list of remote access and remote monitoring and management tools, blocking or alerting on any tool not included. Any new use of remote administration software should trigger a review, particularly where it’s initiated by a non-IT user or shortly after a suspicious email or phone call.

Access to shared drives, document repositories and cloud storage should be limited to users with a clear business need. Sensitive legal, client, financial and operational material shouldn’t be broadly accessible by default. Luna Moth actors typically move quickly, so limiting what they can reach significantly reduces the damage they can do and the leverage they can gain.
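An added example, not from the Canopius report, of how the remote-access-tool review described above can be expressed as detection logic: it checks process-start telemetry against an approved RMM list, flags launches by non-IT users, and correlates them with suspicious calls or emails the same user reported shortly before. All tool names, users, groups, hosts and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical policy: one sanctioned RMM agent; other well-known remote
# support tools are recognised so their use can be flagged (names constructed).
APPROVED_RMM = {"corp-remote-agent.exe"}
KNOWN_RMM = APPROVED_RMM | {"remotehelper.exe", "quicksupport.exe"}
IT_GROUPS = {"IT-Support", "IT-Admins"}

# Constructed telemetry: EDR process-start events and user reports of
# unexpected "IT" contacts (e.g. from a phishing-report button or helpdesk ticket).
PROCESS_EVENTS = [
    # (timestamp, host, user, user group, process image)
    ("2026-03-02T09:12:00", "LAW-WS-17", "j.smith", "Legal", "quicksupport.exe"),
    ("2026-03-02T10:05:00", "LAW-WS-04", "it.tech", "IT-Support", "corp-remote-agent.exe"),
    ("2026-03-02T14:40:00", "LAW-WS-22", "a.jones", "Finance", "corp-remote-agent.exe"),
]
REPORTED_CONTACTS = [
    # (timestamp, user, channel)
    ("2026-03-02T08:55:00", "j.smith", "phone"),
]

def ts(s):
    return datetime.fromisoformat(s)

def review_rmm_launches(process_events, reported_contacts, window=timedelta(hours=2)):
    """Return one alert per remote-access tool launch that needs human review."""
    alerts = []
    for when, host, user, group, image in process_events:
        name = image.lower()
        if name not in KNOWN_RMM:
            continue                      # not a remote access tool we track
        reasons = []
        if name not in APPROVED_RMM:
            reasons.append("unapproved remote access tool")
        if group not in IT_GROUPS:
            reasons.append("launched by non-IT user")
        # Correlate with a suspicious call/email the same user reported shortly before
        for rwhen, ruser, channel in reported_contacts:
            if ruser == user and timedelta(0) <= ts(when) - ts(rwhen) <= window:
                reasons.append(f"follows suspicious {channel} contact reported at {rwhen}")
        if reasons:
            alerts.append({"host": host, "user": user, "tool": image, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in review_rmm_launches(PROCESS_EVENTS, REPORTED_CONTACTS):
        print(alert)
```

The sanctioned agent launched by an IT technician produces nothing; the same agent in the hands of a finance user, and an unapproved tool started minutes after a reported suspicious call, both land in the review queue.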

Security teams should monitor for the behavioural indicators most associated with Luna Moth activity: abnormal access to large numbers of files, unusual browsing of shared folders, access to sensitive repositories outside normal working patterns and suspicious staging or compression of files prior to transfer. Detections should be tuned to flag these patterns even where the underlying tools being used are legitimate.
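An added example, not part of the original report, that runs the behavioural indicators above over constructed file-audit events: off-hours access to a sensitive share, a burst of distinct files touched within a short window, and creation of an archive in a temp folder (staging before transfer). Share name, users, paths, thresholds and business hours are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-audit events (hypothetical users, share and paths):
# (timestamp, user, action, path). p.lee reads 30 client files at 02:00-02:29
# and then creates an archive; k.ng is ordinary daytime activity.
EVENTS = [(f"2026-03-03T02:{i:02d}:00", "p.lee", "read",
           f"\\\\fs01\\Client-Matters\\case{i}.docx") for i in range(30)]
EVENTS += [
    ("2026-03-03T02:31:00", "p.lee", "create", "C:\\Users\\p.lee\\AppData\\Local\\Temp\\out.7z"),
    ("2026-03-03T11:00:00", "k.ng", "read", "\\\\fs01\\Client-Matters\\case1.docx"),
    ("2026-03-03T11:02:00", "k.ng", "read", "\\\\fs01\\Client-Matters\\case2.docx"),
]

SENSITIVE_SHARES = ("\\\\fs01\\client-matters",)  # hypothetical; compared lower-case
ARCHIVE_EXT = (".zip", ".7z", ".rar")
BULK_THRESHOLD = 10             # distinct files touched by one user within WINDOW
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local; anything else is off-hours

def detect(events):
    """Return {user: [indicator, ...]}; each indicator type fires once per user."""
    findings = defaultdict(list)
    seen = set()                     # (user, kind) already reported
    recent = defaultdict(deque)      # user -> (time, path) pairs inside WINDOW

    def flag(user, kind, detail):
        if (user, kind) not in seen:
            seen.add((user, kind))
            findings[user].append(detail)

    for when, user, action, path in sorted(events):
        t = datetime.fromisoformat(when)
        low = path.lower()
        if low.startswith(SENSITIVE_SHARES) and t.hour not in BUSINESS_HOURS:
            flag(user, "offhours", f"off-hours access to sensitive share at {when}")
        if action == "create" and low.endswith(ARCHIVE_EXT):
            flag(user, "archive", f"archive staged at {path}")
        q = recent[user]
        q.append((t, low))
        while t - q[0][0] > WINDOW:  # slide the window forward
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= BULK_THRESHOLD:
            flag(user, "bulk", f"{distinct} distinct files within {WINDOW} ending {when}")
    return dict(findings)

if __name__ == "__main__":
    for user, hits in detect(EVENTS).items():
        print(user, hits)
```

Because the checks key on behaviour rather than on the tool used, they fire whether the files were read through a legitimate remote support session or by the user at the keyboard.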

Organisations should monitor or restrict large outbound transfers to personal cloud storage, file-sharing services, and unusual web destinations. Where possible, DLP rules should be applied to sensitive document types, client data, and regulated information. The goal isn’t just detection, it’s making large-scale exfiltration slow, visible and difficult to complete without triggering an alert.
Given the FBI’s Spring 2026 advisory regarding in-person intrusion attempts, organisations should review their removable media policies. Where business need is limited, USB use should be blocked or restricted. Where use is required, device connections, file transfers and use of removable media on sensitive systems should be logged. Physical security controls, such as ID verification, visitor management and access restrictions for unaccompanied individuals, should also be put in place.

Many incident response plans are written with ransomware and system encryption in mind. Luna Moth attacks don’t follow that pattern. Response plans should explicitly cover data extortion scenarios where systems remain operational but data has been compromised. Relevant actions include preserving evidence, reviewing remote access activity, identifying data accessed or exfiltrated, disabling unauthorised sessions, rotating credentials, and preparing legal, regulatory, client and insurer notifications.

Awareness training should include realistic examples of callback phishing, fake helpdesk calls, remote support scams and suspicious IT requests. Users should know how to identify these scenarios as well as how and where to report them quickly. Physical security awareness, including how to challenge unknown individuals claiming to be IT personnel, should also be taught, particularly for organisations in higher-risk sectors.

Why Canopius?

As threat actors like Luna Moth appear, evolve and broaden their approach, keeping pace with the threat landscape requires more than periodic awareness. Canopius’ Threat Intelligence team serves our cyber policyholders by maintaining active visibility of the groups most likely to affect the organisations we insure, ensuring our insureds are informed, prepared, and not left behind.


About Canopius’ Threat Intelligence Function

Understanding how groups like Luna Moth operate highlights the importance of a dedicated threat intelligence function in identifying, anticipating, and mitigating cyber threats.

By analysing attack patterns and behavioural indicators, Canopius’ Threat Intelligence team is able to guide proactive defences, inform security policy and help organisations understand their specific risk profile, which in turn enables us to design the most appropriate insurance solution.

Canopius’ Threat Intelligence function is built on data collected by our dedicated cyber incident management team, supported by both premium and open-source threat intelligence feeds and platforms.

We believe that combining threat intelligence with claims data gives us an unparalleled perspective on real-world cyber risk. Embracing honesty and transparency, we use these capabilities to work closely with our clients with the aim of reducing their cyber risk and securing their digital operations.

About Canopius’ Cyber Incident Management Team

A streamlined response to a Luna Moth attack requires rapid detection, immediate containment of any unauthorised remote access and a clear communications plan, ideally before any extortion demand has been received.

Response actions should include reviewing remote access logs, identifying data that may have been accessed or exfiltrated, disabling unauthorised sessions, rotating credentials and notifying relevant legal, regulatory, client, and insurer contacts as appropriate.

Canopius’ in-house Cyber Incident Management team provides expert guidance and vendor coordination to help organisations navigate and mitigate these incidents effectively, ensuring tailored, high-quality support from the moment an event is identified.
