
Luna Moth Ransomware: The Threat Actors Behind Recent False Subscription Scams

Sygnia’s team identified the ‘Luna Moth’ ransom group. The threat actors resemble false-subscription scammers, with a focus on corporate data theft.

Over the last few months, Sygnia’s Incident Response team has been methodically tracking the ‘Luna Moth’ ransom group. Their modus operandi resembles that of scammers, with the twist of corporate data theft, leveraging the threat of publication to demand millions of dollars in ransom.

Key points

  • The Sygnia Incident Response team identified a relatively new threat group, which has been operating since the end of March 2022. Sygnia refers to this threat actor as ‘Luna Moth’ or TG2729.
  • ‘Luna Moth’ focuses on data-breach extortion attacks, threatening to leak stolen information if the demanded ransom is not paid.
  • The initial compromise is achieved by deceiving victims in a phishing campaign under the theme of Zoho MasterClass and Duolingo subscriptions, leading to the installation of an initial tool on the compromised host.
  • The group uses commercial remote administration tools (RATs) and publicly available tools to operate on compromised devices and maintain persistence, demonstrating once more the simplicity and effectiveness of ransom attacks.
  • The group acts and operates in an opportunistic way: even if there are no assets or devices to compromise in the network, they exfiltrate any data that is accessible; this emphasizes the importance of managing sensitive corporate information.

The ‘Luna Moth’ group

With the rise in ransomware activity over the past years, the security industry has become used to hearing about double extortion, and even triple extortion, attacks and new crime groups of all kinds. In this blog post, we shed light on a relatively new threat actor which goes by the name of the ‘Silent Ransom Group’ (or ‘SRG’) and was dubbed ‘Luna Moth’ by Sygnia. By launching a phishing campaign with wide coverage, ‘Luna Moth’ infiltrates and compromises victim devices. These attacks can be categorized as data-breach ransom attacks, in which the main focus of the group is to gain access to sensitive documents and information and demand payment to withhold publication of the stolen data. Simple as they may be, these attacks can create serious issues for victims if sensitive data and information are stolen in this way.

Although the group is not widely known, they have been active in the past months, attempting to build their reputation as a ransom gang. Their modus operandi resembles that of scammers, with the twist of corporate data theft, leveraging the threat of publication to demand millions of dollars in ransom.

Gaining initial access

Over the past three months, the ‘Luna Moth’ group operated a large-scale phishing campaign under the theme of MasterClass and Duolingo subscriptions, impersonating Zoho MasterClass Inc and Duolingo. Although claiming to be related to the Zoho Corporation or Duolingo, the phishing emails are sent from Gmail addresses crafted to resemble the legitimate company email addresses:

  • {FIRST-NAME}.{LAST-NAME}.zohomasterclass@gmail.com
  • {FIRST-NAME}.{LAST-NAME}.duolingo@gmail.com

This is a classic phishing scam: the email claims that the recipient purchased a subscription to a legitimate service and that payment is due. To complete the scam, an invoice PDF file is attached to the email, and the victim is advised to call a phone number, which the email says can be found inside the attached file, if there are any issues with the subscription.

Image 1: An example of a Zoho Masterclass themed phishing email
Image 2-5: Examples of invoices attached as PDF files to the phishing emails

If the victim wishes to dispute the purchase, they are required to join a Zoho remote support session. At this point, the threat actor uses the native Zoho Assist functionality to send another email, entitled “Zoho Assist – Remote Support session”, which guides the user to download and install the Zoho Assist application. The group then invites the victim to the support session using Zoho Assist accounts that are tied to Protonmail email addresses.

During this short yet effective Zoho Assist session, the threat actor tricks the user into downloading and installing Atera, a remote administration tool commonly abused by threat actors, on their device. Once Atera is installed, the threat actor can access the device and operate freely.

Tools in the arsenal

The examples shown above demonstrate that both the activities and the toolset of ‘Luna Moth’ are fairly unsophisticated. The main tools used by the threat actor consist of remote administration tools (RATs) that allow them to control compromised devices; these include Atera, Splashtop, Syncro, and AnyDesk. These tools also provide the threat actors with some redundancy and persistence: if one of the RATs is removed from the system, it can be reinstalled by the others.

Additional tools used by the group include off-the-shelf tools such as SoftPerfect Network Scanner, SharpShares, and Rclone. The tools are stored on compromised machines under false names masquerading as legitimate binaries. These tools, in addition to the RATs, provide the threat actors with the means to conduct basic reconnaissance, access additional available assets, and exfiltrate data from compromised networks.

Campaign infrastructure

The infrastructure used by ‘Luna Moth’ as part of the subscription scams can be mapped to two main clusters of domains and IPs: 

  • Exfiltration domains: Domains under the XYZ TLD, such as maaays[.]xyz. These domains are used by the group as part of the Rclone exfiltration process; the domains are the target to which the exfiltrated data is sent.
  • Phishing domains that appear to be related to Zoho or Duolingo – for example, masterzohoclass[.]com. Most of these domains have a very short lifespan of about four hours.

The first identified domain related to the campaign was registered during April 2022. Both the exfiltration and phishing domains are hosted by the provider Hostwinds, and registered under Namecheap.
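The sender-address pattern described under “Gaining initial access” and the two domain clusters above can be turned into a simple hunt over mail and DNS logs. The script below is an added example, not Sygnia’s tooling; it assumes a log format of `kind value` lines (constructed here), that the only brands in scope are Zoho, Duolingo and MasterClass, and that `.xyz` traffic from the hosts in question is otherwise unexpected. It also accepts defanged `[.]` notation so it can be run directly over an indicator list.

```python
import re
from typing import List, Optional, Tuple

# Brands impersonated in the campaign and their legitimate registrable
# domains (assumption: only these three brands are in scope for this hunt).
BRAND_KEYWORDS = ("zoho", "duolingo", "masterclass")
LEGIT_DOMAINS = {"zoho.com", "duolingo.com", "masterclass.com"}

# Sender pattern seen in the campaign:
#   {first}.{last}.zohomasterclass@gmail.com / {first}.{last}.duolingo@gmail.com
SENDER_RE = re.compile(r"^[a-z]+\.[a-z]+\.(zohomasterclass|duolingo)@gmail\.com$")


def refang(value: str) -> str:
    """Turn defanged indicators such as maaays[.]xyz back into maaays.xyz."""
    return value.strip().lower().replace("[.]", ".")


def flag_sender(addr: str) -> Optional[str]:
    """Return a reason if the sender matches the Gmail impersonation pattern."""
    m = SENDER_RE.match(refang(addr))
    return f"gmail sender impersonating {m.group(1)}" if m else None


def registrable(domain: str) -> str:
    """Last two labels of a hostname (sufficient for .com/.xyz; assumption)."""
    return ".".join(refang(domain).rstrip(".").split(".")[-2:])


def flag_domain(domain: str) -> Optional[str]:
    """Classify a domain into the exfiltration or phishing cluster, if any."""
    reg = registrable(domain)
    if reg.endswith(".xyz"):
        return "xyz TLD: possible Rclone exfiltration target"
    if reg in LEGIT_DOMAINS:
        return None  # the real brand domain, not a lookalike
    if any(k in reg for k in BRAND_KEYWORDS):
        return "brand lookalike: possible phishing infrastructure"
    return None


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Run both checks over 'mail <addr>' / 'dns <domain>' lines; return hits."""
    hits = []
    for line in lines:
        kind, _, value = line.strip().partition(" ")
        reason = flag_sender(value) if kind == "mail" else flag_domain(value)
        if reason:
            hits.append((value, reason))
    return hits


# Constructed sample log lines (domains are examples quoted in the post).
SAMPLE = [
    "mail jane.doe.zohomasterclass@gmail.com",
    "mail support@zoho.com",
    "dns masterzohoclass[.]com",
    "dns maaays[.]xyz",
    "dns www.duolingo.com",
]
```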

If you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at contact@sygnia.co or our 24-hour hotline +1-877-686-8680.
