When Luna Moth Targets Attorneys, CYPFER Delivers Cyber Certainty™ 

The Luna Moth cyber-extortion group, also known as the Silent Ransom Group (SRG), Chatty Spider, or UNC3753, has quietly shifted its focus to U.S. law firms. These attacks are squarely focused on stealing law firms’ most sensitive data and using it as leverage. 

For attorneys, that means the stakes couldn’t be higher: client confidentiality, ongoing litigation strategies, and the firm’s reputation are all on the line. CYPFER helps ensure those stakes don’t turn into losses. 

The Luna Moth Playbook

Luna Moth’s method is built on social engineering, not sophisticated malware: 

  1. Phishing Emails with a “Callback” Twist – Fake subscription invoices prompt recipients to call a number, where threat actors posing as support agents trick staff into installing remote-access tools like AnyDesk, Zoho Assist, or Splashtop. 
  2. Direct Calls to Attorneys or Staff – Impersonating internal IT, they convince employees to grant access under the guise of “maintenance” or “security updates.” 
  3. Silent Data Theft – Using legitimate tools like Rclone or WinSCP, they exfiltrate sensitive case files, contracts, and client data without triggering traditional ransomware alerts. 
  4. Extortion Without Encryption – Instead of locking files, they threaten to leak or sell stolen data, often calling staff to escalate pressure during ransom negotiations. 

Why Law Firms Are in the Crosshairs

Law firms are a goldmine for attackers: 

  • High-value information that can sway litigation or influence corporate negotiations. 
  • Reputational risk that makes victims more likely to pay. 
  • Smaller security teams compared to the value of data at risk. 

How CYPFER Protects Attorneys from Luna Moth

1. Immediate Incident Response

When the call or email comes in, time is everything. CYPFER’s 24/7 Cyber Certainty™ Response Team can: 

  • Contain the threat within minutes. 
  • Identify and remove malicious remote-access tools. 
  • Preserve forensic evidence for legal and insurance requirements. 

2. Threat Actor Intelligence

Our intelligence team tracks Luna Moth’s evolving tactics in real time: 

  • Caller ID and email spoofing patterns used in callback phishing. 
  • Infrastructure mapping to identify and block attacker-controlled domains. 
  • Tool signatures for rapid detection of unauthorized data transfers. 

3. Executive and Staff Awareness Training

We simulate the same callback phishing and IT impersonation tactics used by Luna Moth, helping attorneys and staff recognize and shut down the attack before it starts. 

4. Data Protection and Monitoring

CYPFER implements: 

  • Endpoint monitoring for unauthorized remote-access tools. 
  • Network alerts for abnormal file transfer activity (e.g., Rclone, WinSCP). 
  • Proactive dark-web and leak-site monitoring to spot stolen data before it’s weaponized. 
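
As an added illustration (not CYPFER's tooling), the sketch below shows the kind of endpoint logic the first two bullets describe: it flags unapproved remote-access tools and raises severity when Rclone or WinSCP starts on a host shortly after one. The event records, host names, keyword matching on image paths, and the four-hour window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Keywords matched against the lowercased process image path. The tool names
# come from the page; matching on path substrings is an assumption, and a
# renamed binary will not match.
REMOTE_ACCESS = {"anydesk": "AnyDesk", "zoho": "Zoho Assist", "splashtop": "Splashtop"}
TRANSFER = {"rclone": "Rclone", "winscp": "WinSCP"}

# Constructed process-creation events: (time, host, user, image path).
SAMPLE_EVENTS = [
    ("2025-01-06T09:12:00", "WS-PARALEGAL-07", "jdoe", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    ("2025-01-06T09:41:00", "WS-PARALEGAL-07", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe"),
    ("2025-01-06T10:05:00", "WS-IT-01", "admin", r"C:\Program Files (x86)\WinSCP\WinSCP.exe"),
    ("2025-01-06T11:30:00", "WS-PARTNER-02", "asmith", r"C:\Program Files (x86)\Splashtop\SRServer.exe"),
]

def classify(image, table):
    """Return the tool name whose keyword appears in the image path, else None."""
    path = image.lower()
    return next((name for key, name in table.items() if key in path), None)

def find_alerts(events, approved=frozenset(), window=timedelta(hours=4)):
    """Flag unapproved remote-access tools and transfer tools that follow them."""
    alerts = []
    last_remote = {}  # host -> (time, tool) of the most recent remote-access launch
    for ts, host, user, image in sorted(events):
        when = datetime.fromisoformat(ts)
        remote = classify(image, REMOTE_ACCESS)
        transfer = classify(image, TRANSFER)
        if remote:
            last_remote[host] = (when, remote)
            if remote not in approved:
                alerts.append(("medium", host, user, f"unapproved remote-access tool {remote}"))
        elif transfer:
            seen = last_remote.get(host)
            if seen and when - seen[0] <= window:
                alerts.append(("high", host, user, f"{transfer} run after {seen[1]} launch"))
            else:
                alerts.append(("low", host, user, f"file-transfer tool {transfer}"))
    return alerts

if __name__ == "__main__":
    # Assumption: this firm has approved Splashtop for its own IT support.
    for alert in find_alerts(SAMPLE_EVENTS, approved={"Splashtop"}):
        print(*alert, sep=" | ")
```

The correlation step matters because a transfer tool on an administrator's workstation is routine, while the same tool on a paralegal's machine minutes after a remote-access launch matches the sequence in the playbook above.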

5. Data & Systems Restoration

If data is stolen, deleted, or corrupted in the attack: 

  • CYPFER leads secure restoration from clean, verified backups. 
  • We validate data integrity to ensure court admissibility and compliance. 
  • We coordinate rapid return to full operational capability—minimizing client service disruption. 

Why This Matters Now

Luna Moth’s attacks are escalating in both frequency and boldness. They don’t need to break into your systems if they can call their way in. 

CYPFER’s blend of intelligence-driven response, proactive defense, and executive-level advisory ensures that law firms don’t just survive these attacks but emerge stronger, more resilient, and with their reputations intact. 

When client trust is non-negotiable, neither is your cyber defense. 
CYPFER delivers Cyber Certainty™ – before, during, and after an attack. 
