FBI Warns Law Firms: Hackers Are Calling Offices in Stealth Phishing Scam


The FBI has issued a new warning to US law firms about an ongoing and increasingly aggressive phishing campaign orchestrated by the cybercriminal group Luna Moth. 

Also known as Silent Ransom Group (SRG), Chatty Spider, and UNC3753, this group has shifted gears in its attack methods, now actively calling targets and impersonating IT personnel to trick them into handing over system access.

Luna Moth has been active since at least 2022 and first gained attention for using a technique known as callback phishing, a method where victims receive phishing emails pretending to be billing notices or subscription charges. To cancel these fake subscriptions, victims are urged to call a phone number, where the attacker convinces them to install a remote access tool.

Hackers are no longer just emailing… they’re calling your office, too

The FBI notes in its advisory that as of March 2025, SRG actors have started calling employees at law firms and pretending to be from the company’s IT department.

The attacker then guides the employee to a website or sends them an email with a link to start a remote access session. Once access is granted, they claim maintenance or updates must be performed “overnight,” allowing them to steal sensitive files without raising alarms.

“Once in the victim’s device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through ‘WinSCP’ (Windows Secure Copy) or a hidden or renamed version of ‘Rclone,’” the FBI wrote.

While Luna Moth has targeted several industries, the FBI reports that US-based law firms have become a prime target since spring 2023, likely due to the valuable and confidential data they handle. That includes client records, litigation strategies, contracts, and communications. This is information that, if leaked, could have severe legal and financial consequences.

Why the hackers are difficult to detect

One reason this campaign is dangerous is that the attackers leave very few digital footprints and rely on legitimate software that real IT departments also use, such as Zoho Assist, AnyDesk, Syncro, Splashtop, and Atera. Because these tools are legitimate, traditional antivirus systems usually fail to flag the activity as suspicious.

Some warning signs the FBI says to watch out for:

  • Unexpected downloads of remote access tools.
  • Connections from WinSCP or Rclone to outside networks.
  • Emails about subscription renewals with a phone number to call.
  • Voicemails or phone calls from unknown parties claiming your data has been stolen.
  • Calls from people pretending to be from your IT department.
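The first two warning signs can be checked against endpoint telemetry. The sketch below is an added example, not code from the FBI advisory or from this article: it assumes simplified records that merge process and network data, an `original_name` field carrying the file name embedded in the binary (as some endpoint sensors record), and a hypothetical allowlist of the remote access tool the IT department actually uses.

```python
import ipaddress
from pathlib import PureWindowsPath

# Assumption: the organisation's internal ranges; adjust to the real network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}       # transfer tools named in the advisory
RMM_KEYWORDS = ("zoho", "anydesk", "syncro", "splashtop", "atera")
APPROVED_RMM = ("splashtop",)                    # hypothetical: the tool IT really uses

def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def findings(event):
    """Return the warning signs matched by one merged process/network record."""
    image = PureWindowsPath(event["image"]).name.lower()
    original = (event.get("original_name") or "").lower()  # name embedded in the binary
    dest = event.get("dest_ip")
    hits = []
    if image in EXFIL_TOOLS or original in EXFIL_TOOLS:
        # A file name on disk that differs from the embedded name means a rename.
        if original in EXFIL_TOOLS and image != original:
            hits.append("renamed-transfer-tool")
        if dest and is_external(dest):
            hits.append("transfer-tool-external-connection")
    # Naive keyword match on the full path; a real rule would use signer or hash.
    rmm = [k for k in RMM_KEYWORDS if k in event["image"].lower()]
    if rmm and not any(k in APPROVED_RMM for k in rmm):
        hits.append("unapproved-remote-access-tool")
    return hits

# Constructed sample records (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"host": "ws-014", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "original_name": "", "dest_ip": None},
    {"host": "ws-014", "image": r"C:\ProgramData\svchost_update.exe", "original_name": "rclone.exe", "dest_ip": "203.0.113.25"},
    {"host": "ws-022", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "original_name": "winscp.exe", "dest_ip": "10.20.0.5"},
    {"host": "ws-031", "image": r"C:\Program Files\Splashtop\agent.exe", "original_name": "", "dest_ip": "203.0.113.80"},
]

def triage(events):
    """Map (host, image) to its findings, skipping records with none."""
    return {(e["host"], e["image"]): f for e in events if (f := findings(e))}

if __name__ == "__main__":
    for (host, image), hits in triage(SAMPLE_EVENTS).items():
        print(host, image, hits)
```

The WinSCP copy to an internal address and the approved tool produce no findings, which keeps the output limited to the two records an analyst should open first.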

What the FBI recommends

To defend against these attacks, the FBI urges companies, especially law firms, to strengthen their cybersecurity practices:

  • Train staff regularly to spot phishing and suspicious calls.
  • Ensure employees are aware of how the IT department can be contacted.
  • Enable two-factor authentication across all systems.
  • Maintain regular backups of sensitive data.
  • Be cautious of unusual downloads, remote access tools, or sudden file transfers to unfamiliar IP addresses.

The FBI is also asking organizations that have been targeted or compromised by Luna Moth to report the incident and share details such as ransom notes, phishing emails, cryptocurrency wallet addresses, and phone numbers used by the attackers.

Aminu Abdullahi
