{
	"id": "c184ef5c-37ab-4e2c-bfaa-dadc4de78c50",
	"created_at": "2026-04-06T00:14:49.168611Z",
	"updated_at": "2026-04-10T13:12:17.594879Z",
	"deleted_at": null,
	"sha1_hash": "3d8ed2f90490413e87299ae2c598e99582599047",
	"title": "Threat Assessment: Luna Moth Callback Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 991052,
	"plain_text": "Threat Assessment: Luna Moth Callback Phishing Campaign\r\nBy Kristopher Russo\r\nPublished: 2022-11-21 · Archived: 2026-04-05 15:01:06 UTC\r\nExecutive Summary\r\nUnit 42 investigated several incidents related to the Luna Moth/Silent Ransom Group callback phishing extortion\r\ncampaign targeting businesses in multiple sectors including legal and retail. This campaign leverages extortion\r\nwithout encryption, has cost victims hundreds of thousands of dollars and is expanding in scope.\r\nBy design, this style of social engineering attack leaves very few artifacts because of the use of legitimate trusted\r\ntechnology tools to carry out attacks. However, Unit 42 has identified several common indicators implying that\r\nthese attacks are the product of a single highly organized campaign. This threat actor has significantly invested in\r\ncall centers and infrastructure that’s unique to each victim.\r\nCybersecurity awareness training is the most effective defense against these stealthy and discreet attacks.\r\nHowever, Palo Alto Networks customers receive protection from the attacks discussed in this blog through the\r\nNext-Generation Firewall and Cortex XDR detecting data exfiltration or connections to suspicious networks.\r\nWhat Is Callback Phishing?\r\nCallback phishing, also referred to as telephone-oriented attack delivery (TOAD), is a social engineering attack\r\nthat requires a threat actor to interact with the target to accomplish their objectives. This attack style is more\r\nresource intensive, but less complex than script-based attacks, and it tends to have a much higher success rate.\r\nIn the past, threat actors associated with the Conti group have had great success with this attack style in the\r\nBazarCall campaign. Unit 42 has been tracking these types of attacks since 2021. 
Early iterations of this attack\r\nfocused on tricking the victim into downloading the BazarLoader malware using documents with malicious\r\nmacros.\r\nThis new campaign, which Sygnia has attributed to a threat actor dubbed \"Luna Moth,\" does away with the\r\nmalware portion of the attack. In this campaign, attackers use legitimate and trusted systems management tools to\r\ninteract directly with a victim’s computer, to manually exfiltrate data to be used for extortion. As these tools are\r\nnot malicious, they’re not likely to be flagged by traditional antivirus products.\r\nPlease note that the tools named in this post are legitimate. Threat actors often abuse, take advantage of or subvert\r\nlegitimate products for malicious purposes. This does not imply a flaw or malicious quality to the legitimate\r\nproduct being abused.\r\nThe Typical Callback Phishing Attack Chain\r\nhttps://unit42.paloaltonetworks.com/luna-moth-callback-phishing/\r\nPage 1 of 8\n\nThe initial lure of this campaign is a phishing email to a corporate email address with an attached invoice\r\nindicating the recipient’s credit card has been charged for a service, usually for an amount under $1,000. People\r\nare less likely to question strange invoices when they are for relatively small amounts. However, if people targeted\r\nby these types of attacks reported these invoices to their organization’s purchasing department, the organization\r\nmight be better able to spot the attack, particularly if a number of individuals report similar messages.\r\nThe phishing email is personalized to the recipient, contains no malware and is sent using a legitimate email\r\nservice. These phishing emails also have an invoice attached as a PDF file. 
These features make a phishing email\r\nless likely to be intercepted by most email protection platforms.\r\nThe attached invoice includes a unique ID and phone number, often written with extra characters or formatting to\r\nprevent data loss prevention (DLP) platforms from recognizing it. When the recipient calls the number, they are\r\nrouted to a threat actor-controlled call center and connected to a live agent.\r\nUnder the guise of canceling the subscription, the threat actor agent guides the caller through downloading and\r\nrunning a remote support tool to allow the attacker to manage the victim’s computer. This step usually generates\r\nanother email from the tool’s vendor to the victim with a link to start the support session.\r\nThe attacker then downloads and installs a remote administration tool that allows them to achieve persistence. If\r\nthe victim does not have administrative rights on their computer, the attacker will skip this step and move directly\r\nto finding files for exfiltration.\r\nThe attacker will then seek to identify valuable information on the victim’s computer and connected file shares,\r\nand they will quietly exfiltrate it to a server they control using a file transfer tool.\r\nIn this way, the threat actor is able to compromise organizational assets through a social engineering attack on an\r\nindividual.\r\nAfter the data is stolen, the attacker sends an extortion email demanding victims pay a fee or else the attacker will\r\nrelease the stolen information. If the victim does not establish contact with the attackers, they will follow up with\r\nmore aggressive demands. Ultimately, attackers will threaten to contact victims’ customers and clients identified\r\nthrough the stolen data, to increase the pressure to comply.\r\nLuna Moth Campaign Analysis\r\nUnit 42 has responded to multiple cases related to a single campaign that occurred from mid-May to late October\r\n2022. 
ADVIntel attributes this campaign to a threat actor dubbed Silent Ransom with ties to Conti. While Unit 42\r\ncannot confirm Silent Ransom’s tie to Conti at this time, we are monitoring this closely for attribution.\r\nThese cases show a clear evolution of tactics that suggests the threat actor is continuing to improve the efficiency\r\nof their attack. Cases analyzed at the beginning of the campaign targeted individuals at small- and medium-sized\r\nbusinesses in the legal industry. In contrast, cases later in the campaign indicate a shift in victimology to include\r\nindividuals at larger targets in the retail sector.\r\nDuring the initial campaign, the phishing email frequently originated from an address using the format\r\nFirstName.LastName.[SpoofedBusiness]@gmail[.]com as seen in Figure 1. The attacker often spoofs the names\r\nof obscure athletes for these email addresses.\r\nUnit 42 has also observed emails with the format [RandomWords]@outlook[.]co.th.\r\nFigure 1. Redacted phishing email.\r\nThe wording in the body of the phishing email has changed throughout the campaign. This was likely done to\r\nthwart email protection platforms. Regardless of what wording was used, the email always indicated the victim is\r\nresponsible for the charges detailed in the attached invoice.\r\nPDF documents containing an invoice number were attached to the phishing emails. Unit 42 observed fake\r\ninvoices spoofing both an online class platform and a health club aggregator in this campaign.\r\nEarly incidents used a logo from one of the spoofed businesses at the top of the invoice. Later cases replaced this\r\nwith a simple header welcoming the target to the second spoofed business on a plain blue background, as shown\r\nin Figure 2. Each invoice features a nine- or 10-digit confirmation number near the top, which is also incorporated\r\ninto the filename. 
When the recipient contacts the threat actor, this confirmation number is used to identify them.\r\nFigure 2. Redacted fake invoice.\r\nEarly iterations of the extortion campaign recycled phone numbers, but later attacks either used a unique phone\r\nnumber per victim, or victims would be presented with a large pool of available phone numbers in the invoice.\r\nThe attacker registered all of the numbers they used via a Voice over IP (VoIP) provider. When the victim called\r\none of the attacker’s numbers, they were placed into a queue and eventually connected with an agent who sent a\r\nremote assist invitation for the remote support tool Zoho Assist.\r\nThe footer of these invitation emails (shown in Figure 3) revealed the email address the threat actor used to\r\nregister with Zoho. In most incidents, the attacker chose an address from an encrypted email service provider to\r\nmasquerade as the same vendor used in the fake invoice.\r\nFigure 3. Redacted remote assistance invitation.\r\nOnce the victim connected to the session, the attacker took control of their keyboard and mouse, enabled clipboard\r\naccess, and blanked out the screen to hide their actions.\r\nOnce the attacker blanked the screen, they installed the remote support software Syncro for persistence and the open\r\nsource file management tools Rclone or WinSCP for exfiltration. Early cases also included the remote management\r\ntools Atera and Splashtop, but recently the attacker appears to have tightened their toolset.\r\nIn cases where the victim did not have administrative rights to their operating system, the attacker skipped\r\ninstalling software to establish persistence. 
Attackers instead downloaded and executed WinSCP Portable, which\r\ndoes not require administrative privileges and is able to run within the user’s security context.\r\nIn cases where the attacker established persistence, exfiltration occurred hours to weeks after initial contact.\r\nOtherwise, the attacker only exfiltrated what they could during the call. The attacker exfiltrated data shortly before\r\nthe attack.\r\nThe domains used early in the campaign were random words with a top-level domain (TLD) of .xyz. Later in the\r\ncampaign, domains consistently followed the format of [5 letters].xyz. All observed domains fell into the\r\n192.236.128[.]0/17 network range.\r\nExfiltration was followed by an extortion email, as shown in Figure 4. As with other templates used in this\r\ncampaign, the wording and format of the extortion email have evolved over time. In the cases Unit 42 investigated,\r\nthe attacker claimed to have exfiltrated data in amounts ranging from a few gigabytes to over a terabyte.\r\nFigure 4. Redacted extortion email.\r\nThe threat actor created unique Bitcoin wallets for each victim’s extortion payments. These wallets contained only\r\ntwo or three transactions and were emptied immediately after funding.\r\nThe attackers’ monetary demands ranged from 2 to 78 BTC. They researched the target organization’s revenue and used\r\nit to justify this extortion amount. However, attackers were quick to offer discounts of approximately 25% for\r\nprompt payment.\r\nPaying the attacker did not guarantee they would follow through with their promises. 
At times they stopped\r\nresponding after confirming they had received payment, and did not follow through with negotiated commitments\r\nto provide proof of deletion.\r\nPrevention and Detection\r\nThe threat actors behind this campaign have taken great pains to avoid all non-essential tools and malware, to\r\nminimize the potential for detection. Since there are very few early indicators that a victim is under attack,\r\nemployee cybersecurity awareness training is the first line of defense.\r\nPeople should always be cautious of messages that invoke fear or a sense of urgency. Do not respond directly to\r\nsuspicious invoices. Contact the requester directly via the channels made available on the vendor’s official\r\nwebsite. People should also consult internal support channels before downloading or installing software on their\r\ncorporate computers.\r\nThe second line of defense against this attack type is a robust security technology stack designed to detect\r\nbehavioral anomalies in the environment. Palo Alto Networks customers receive protection from the attacks\r\ndiscussed in this blog through the Next-Generation Firewall and Cortex XDR detecting data exfiltration or\r\nconnections to suspicious networks.\r\nConclusion\r\nUnit 42 expects callback phishing attacks to increase in popularity due to the low per-target cost, low risk of\r\ndetection and fast monetization. While groups that can establish infrastructure to handle inbound calls and identify\r\nsensitive data for exfiltration are likely to dominate the threat landscape initially, a low barrier to entry makes it\r\nprobable that more threat actors will enter the fray.\r\nCommon observables suggest a pervasive multi-month campaign that is actively evolving. 
Therefore,\r\norganizations in currently targeted industries, such as legal and retail, should be particularly vigilant to avoid\r\nbecoming victims.\r\nAll organizations should consider strengthening cybersecurity awareness training programs with a particular focus\r\non unexpected invoices, as well as requests to establish a phone call or to install software. Additionally, expand\r\ninvestments in cybersecurity tools designed to detect and prevent anomalous activity, such as installing\r\nunrecognized software or exfiltrating sensitive data.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAdditional Resources\r\nBazarCall Method: Call Centers Help Spread BazarLoader Malware\r\nLuna Moth: The Threat Actors Behind Recent False Subscription Scams\r\n“BazarCall” Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches\r\nSource: https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/"
	],
	"report_names": [
		"luna-moth-callback-phishing"
	],
	"threat_actors": [
		{
			"id": "d87fb380-03db-447c-a560-33e1b6e70e87",
			"created_at": "2025-05-29T02:00:03.231385Z",
			"updated_at": "2026-04-10T02:00:03.881295Z",
			"deleted_at": null,
			"main_name": "Luna Moth",
			"aliases": [
				"Silent Ransom",
				"TG2729"
			],
			"source_name": "MISPGALAXY:Luna Moth",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d8ed2f90490413e87299ae2c598e99582599047.pdf",
		"text": "https://archive.orkl.eu/3d8ed2f90490413e87299ae2c598e99582599047.txt",
		"img": "https://archive.orkl.eu/3d8ed2f90490413e87299ae2c598e99582599047.jpg"
	}
}