Hackers Impersonate IT Helpdesks to Deploy Stealthy Ransomware in U.S. Firms

Hackers exploit phone-based phishing and legitimate remote tools to infiltrate U.S. firms.

Published: May 09, 2025


Key Takeaways:

  • Hackers are using callback phishing campaigns to trick victims into installing legitimate remote monitoring tools to gain system access.
  • These attacks are hard to detect because they involve legitimate, digitally signed software.
  • The attackers threaten to leak stolen data unless victims pay ransoms ranging from $1 million to $8 million.

Cybersecurity researchers have discovered a surge in callback phishing attacks, where hackers are targeting legal, financial, and accounting firms across the U.S. The ultimate goal of these attacks is to steal sensitive data and extort millions in ransom from the victims.

How does the callback phishing scam work?

According to a new report by EclecticIQ researchers, the hacking group Luna Moth (also known as Silent Ransom Group, UNC3753, and Storm-0252) has significantly increased its callback phishing attacks since March 2025. The group sends phishing emails that prompt victims to call fake IT helpdesk numbers, where live scammers convince them to install remote monitoring and management (RMM) tools.

These tools (like Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop) are legitimate and digitally signed, which makes them difficult for security software to flag as malicious. Once installed, they give attackers access to sensitive data, allowing them to demand ransoms of $1 million to $8 million by threatening to leak the stolen information.

Luna Moth registers typosquatted domains through GoDaddy to support its social engineering campaigns. These are web addresses that closely mimic legitimate ones, often with slight misspellings or alterations. The goal is to trick users into visiting fake websites that closely resemble real IT helpdesk pages.

“By impersonating a helpdesk for Chief Information Security Officers (CISOs), the phishing page leverages the authority and urgency typically associated with executive security communications,” the researchers explained. “This approach is designed to increase victim compliance and maximize the chances of compromising privileged accounts within the target organization.”

Fake IT support site (Image Credit: EclecticIQ)

Recommendations for organizations to stay protected

EclecticIQ reports that Luna Moth’s phishing emails are hard to detect because they contain no obvious malicious links or attachments. Instead, victims are talked into installing legitimate, digitally signed remote monitoring software themselves. Because the social engineering happens over the phone, outside the reach of most security tools, and the malicious activity stays limited to the infected device and its local network, these attacks are even harder to identify and respond to in enterprise environments.

Administrators are strongly advised to restrict the installation of RMM tools within their organizations. They should also monitor for suspicious activity, flag emails from fake helpdesk domains, and train staff to spot social engineering attempts.
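As an added illustration of the last two recommendations (example code, not from EclecticIQ or the report), the following Python script scans constructed software-inventory and mail-log lines for the RMM products named above that fall outside an assumed allowlist, and for helpdesk-themed mail sent from domains that closely resemble the organization's own. The organization domain, the allowlist, and the log formats are assumptions.

```python
# Added example: flag unapproved RMM installs and look-alike helpdesk senders.
# ORG_DOMAIN, ALLOWED_RMM and the log line formats are assumed, not from the report.
import re
from difflib import SequenceMatcher

# RMM products named in the EclecticIQ report; the allowlist is an assumed
# example in which Atera is the organization's sanctioned tool.
RMM_TOOLS = ["syncro", "superops", "zoho assist", "atera", "anydesk", "splashtop"]
ALLOWED_RMM = {"atera"}
ORG_DOMAIN = "example-firm.com"  # constructed placeholder for the organization


def flag_rmm_installs(events):
    """events: 'host, user, software_name' lines from an inventory feed.
    Returns (host, tool) pairs for RMM tools that are not on the allowlist."""
    hits = []
    for line in events:
        host, _user, software = (p.strip() for p in line.split(",", 2))
        name = software.lower()
        for tool in RMM_TOOLS:
            if tool in name and tool not in ALLOWED_RMM:
                hits.append((host, tool))
    return hits


def is_lookalike(sender_domain, org_domain=ORG_DOMAIN, threshold=0.8):
    """True when sender_domain resembles org_domain (typosquat-style) but is not it."""
    if sender_domain == org_domain:
        return False
    return SequenceMatcher(None, sender_domain, org_domain).ratio() >= threshold


def flag_helpdesk_mail(mail_log):
    """mail_log: 'sender, subject' lines. Returns senders whose domain is a
    look-alike of ORG_DOMAIN and whose subject uses helpdesk/IT-support wording."""
    hits = []
    for line in mail_log:
        sender, subject = (p.strip() for p in line.split(",", 1))
        domain = sender.split("@")[-1].lower()
        if is_lookalike(domain) and re.search(r"helpdesk|it support", subject, re.I):
            hits.append(sender)
    return hits


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run
    inventory = ["WS-101, jdoe, AnyDesk 8.0", "WS-102, asmith, Atera Agent",
                 "WS-103, bkim, Zoho Assist"]
    mail = ["helpdesk@example-firm-it.com, CISO helpdesk: action required",
            "it@example-firm.com, helpdesk ticket closed"]
    print(flag_rmm_installs(inventory))  # [('WS-101', 'anydesk'), ('WS-103', 'zoho assist')]
    print(flag_helpdesk_mail(mail))      # ['helpdesk@example-firm-it.com']
```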
