Luna Moth group extorts from victims without ransomware payloads

Luna Moth Hacking Group Extortion Ransomware Payloads Social Engineering Phishing Fraud Prevention

A new ransom group dubbed Luna Moth is said to have been utilising social engineering tactics, remote access trojans (RATs), and other legitimate commercially available software to be able to hack into their victims’ computers and extort ransom payments in exchange for their data.

According to the reports published about Luna Moth, its operators execute ransom attacks without ransomware payloads since they only use a classic phishing campaign that allows them to infiltrate the victims’ system to steal their data.


The phishing campaign performed by the Luna Moth ransom group involves a well-orchestrated social engineering tactic.


Initially, the ransom group sends the phishing email to their targets about an invoice requesting payment for a specific subscription. It also attaches a PDF doc containing a contact number, suggesting the victims call for more details about the concern.

As the victims decide to call the provided mobile number, likely to inquire about the unclear invoice, the threat actor would immediately answer. Using a social engineering tactic, the threat actor would trick the victim into installing a malicious RAT called ‘Atera’ which would allow them to take control over the victim’s device.

Moreover, from the researchers’ observations, they noticed that the Luna Moth ransom group exploits standard remote admin software such as AnyDesk, TeamViewer, Splashtop, and Syncro to take over victims’ devices.

The group also utilises other tools in their campaign, such as Rclone, an open-source command-line computer program, to hack into the devices and steal sensitive data.

Once inside the compromised machines, the tools used by Luna Moth in their attack are hidden and disguised as legitimate software or tools so that they could bypass detection. The researchers also added that the RATs, alongside the tools used in the campaign, aid the ransom group in conducting basic reconnaissance activities successfully, infiltrating more of the victims’ assets, and stealing data from the compromised networks.

About the author

Leave a Reply