Prevent Ransomware Blog

Luna Moth Hackers Impersonate IT Desks to Breach U.S. Companies

Written by Tony Chiappetta | Jun 14, 2025 9:00:00 AM

In a troubling new campaign, the Luna Moth extortion group has adopted a low-tech yet highly effective tactic to breach U.S. companies: impersonating internal IT help desks.

According to BleepingComputer, the attackers are using social engineering and remote access tools to infiltrate corporate networks, steal sensitive data, and extort organizations for ransom.

Unlike many ransomware groups that rely on malware and complex exploits, Luna Moth’s approach is both clever and alarming in its simplicity. By calling unsuspecting employees and posing as IT support staff, they convince targets to install remote access tools like Remote Utilities or Syncro, effectively handing over control of their systems.

This method doesn’t require exploiting technical vulnerabilities—it relies on exploiting human trust. Once inside, the attackers quickly exfiltrate sensitive documents and demand ransom payments in the hundreds of thousands of dollars to avoid public disclosure.

Why This Attack Should Alarm Every Business Owner

Luna Moth’s tactics represent a growing trend: attackers no longer need to drop sophisticated ransomware payloads to cause harm. They bypass traditional cybersecurity defenses by exploiting human behavior, weak endpoint controls, and remote access capabilities.

These attackers aren’t just targeting enterprise giants—they are increasingly going after midsize businesses, nonprofits, law firms, and healthcare providers. If your business has remote employees or uses third-party IT services, you are a potential target.

This should be a wake-up call: it’s time to reevaluate the limitations of “Detect and Respond” cybersecurity strategies.

Traditional Endpoint Security Is Not Enough

Most cybersecurity solutions are built on detection—looking for patterns of known threats and responding once malicious behavior is flagged. But what happens when attackers don’t use malware at all?

In this case, Luna Moth uses legitimate remote access tools, which are not flagged as malicious by traditional antivirus or even many endpoint detection and response (EDR) tools. Since the software itself isn’t inherently malicious, detection-based systems are blind to the intrusion until it’s too late.
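Because the tools themselves are legitimate, the practical defensive check is an inventory policy rather than a malware signature: flag any remote access tool that is not the organization’s sanctioned product, and flag the sanctioned product when it was installed outside the managed deployment path. The example below is added here and is not AppGuard’s or BleepingComputer’s code; the install events, the approved tool, and the `svc-deploy` account name are constructed assumptions.

```python
# Inventory-based detection of unsanctioned remote access tools.
# Product names and accounts below are constructed for this example.

# Substrings that identify the remote access tools named in the article.
RMM_SIGNATURES = {
    "remote utilities": "Remote Utilities",
    "rutserv": "Remote Utilities",       # Remote Utilities host service name
    "syncro": "Syncro",
}

# Assumption: Syncro is the company's one sanctioned RMM product, and it is
# only ever installed by the managed deployment account.
APPROVED_RMM = {"Syncro"}
DEPLOY_ACCOUNTS = {"svc-deploy"}


def classify_rmm(product_name):
    """Return the canonical tool name if the product is a known RMM tool, else None."""
    lowered = product_name.lower()
    for needle, tool in RMM_SIGNATURES.items():
        if needle in lowered:
            return tool
    return None


def find_unsanctioned(events, approved=APPROVED_RMM, deploy_accounts=DEPLOY_ACCOUNTS):
    """Each event is a dict with 'host', 'product' and 'installed_by'.

    Returns (host, tool, reason) tuples for installs that violate policy.
    """
    findings = []
    for ev in events:
        tool = classify_rmm(ev["product"])
        if tool is None:
            continue  # not a remote access tool; out of scope for this check
        if tool not in approved:
            findings.append((ev["host"], tool, "unapproved remote access tool"))
        elif ev["installed_by"] not in deploy_accounts:
            # The right product, but installed interactively by a user: the pattern
            # a help-desk impersonation call produces.
            findings.append((ev["host"], tool, "approved tool installed outside managed deployment"))
    return findings


# Constructed sample of software-install events from an endpoint inventory feed.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "product": "Remote Utilities - Host 7.1", "installed_by": "jdoe"},
    {"host": "WS-0077", "product": "Syncro Agent", "installed_by": "svc-deploy"},
    {"host": "WS-0099", "product": "Syncro Agent", "installed_by": "asmith"},
    {"host": "WS-0201", "product": "Microsoft Office", "installed_by": "svc-deploy"},
]

if __name__ == "__main__":
    for host, tool, reason in find_unsanctioned(SAMPLE_EVENTS):
        print(f"{host}: {tool} - {reason}")
```

Feeding this the install log from a real inventory source turns the "legitimate tool" blind spot into a concrete alert: the product is allowed, but the way it arrived is not.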

This is where AppGuard comes in.

The Power of Isolation and Containment

AppGuard takes a fundamentally different approach. Instead of waiting to detect an attack, AppGuard prevents it from executing in the first place—even if it’s never been seen before.

By using patented Isolation and Containment technology, AppGuard:

  • Blocks unauthorized processes from launching—no matter how trusted the application.

  • Prevents remote access tools from executing malicious activity, even if installed by a legitimate user.

  • Stops data exfiltration attempts by restricting background execution and scripting.

  • Operates seamlessly in the background, requiring no updates or user interaction to be effective.

Whether an attacker is using malware, PowerShell, or legitimate software like Syncro, AppGuard prevents the behavior that would allow them to gain a foothold, move laterally, or steal data.

Real Prevention, Not Just Alerts

Ask yourself this: How many alerts did your current security stack generate last month? How many were real threats? And how many were stopped before damage was done?

With AppGuard, there are no alert floods—just proactive, quiet prevention. Instead of hunting threats after the fact, you can rest assured they never had a chance to run in the first place.

Luna Moth’s methods show how vulnerable our systems are when relying on human judgment and reactive tools. With AppGuard, you don’t have to count on employees never making a mistake. The software prevents consequences even if they do.

Talk with CHIPS: Stop Extortion Before It Starts

Cyber extortion groups like Luna Moth are evolving, and so should your defense. The “Detect and Respond” model is too slow, too noisy, and too reactive.

It’s time to move to “Isolation and Containment.”

AppGuard has a 10-year track record of success protecting high-value targets, and it’s now available for commercial use.

Talk with CHIPS today about how AppGuard can protect your business—before Luna Moth or another threat actor uses deception to walk right through your front door.

Let’s talk about real protection. Let’s talk about AppGuard.
