article featured image


Luna Moth is a new data extortion gang that has been penetrating corporations to steal personal information. They tell victims that they would make the files publicly accessible unless the victims pay a ransom to keep the contents from being released.

Luna Moth has been engaged in phishing attempts that have provided remote access tools (RAT) that allow the theft of business data.

What Happened?

The Incident Response team at Sygnia has been monitoring the behavior of the Luna Moth ransom gang. They have seen that the actor behind the organization is attempting to establish a reputation under the moniker Silent Ransom Group (SRG).

Sygnia claims in a study that it published earlier this month that the method of operation of Luna Moth (also tracked as TG2729) is similar to that of a con artist, however, the primary goal is to get access to confidential information.

Over the past three months, the ‘Luna Moth’ group operated a large-scale phishing campaign under the theme of MasterClass and Duolingo subscriptions, by impersonating Zoho MasterClass Inc and Duolingo. Although claiming to be related to the Zoho Corporation or Duolingo, the phishing emails are sent from Gmail addresses that are altered to resemble the legitimate company email addresses:

  • {FIRST-NAME}.{LAST-NAME}.zohomasterclass@gmail.com
  • {FIRST-NAME}.{LAST-NAME}.duolingo@gmail.com

This is a classic phishing scam: the email claims that the recipient of the email purchased a subscription to a legitimate service, and that payment is due. To complete the scam, an invoice PDF file is attached to the email, and the victim is recommended to call a phone number, which the email states can be found within the attached file, if there are any issues with the subscription.


As BleepingComputer explains, phishing is one of the methods that Luna Moth uses to accomplish this goal. During the course of the last three months, the attackers were successful in carrying out a large-scale operation that lured victims with bogus membership emails for utilizing the services of Zoho, MasterClass, or Duolingo.

Fake invoices used by Luna Moth


The victims would ostensibly get a message from one of the aforementioned services informing them that their membership was about to expire and that it would be automatically renewed if they did not pay the renewal fee within the allotted time period of 24 hours.

The phishing effort carried out by Luna Moth makes use of email accounts with names that are an imitation of the companies being targeted. When one investigates further, the fraud becomes immediately apparent due to the fact that the messages originate from Gmail accounts.

The email contains a bogus invoice as an attachment, which includes a contact for recipients who want to cancel their membership or get further information on it.

When the victim dials the phone number that is shown on the invoice, they are put in touch with the con artist, who then gives them instructions on how to set up a remote access tool on their computer.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo