A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed a surge in malicious activity tied to the Luna Moth hacking group.
The actors are now leveraging fake helpdesk-themed domains to impersonate legitimate businesses and steal sensitive data. This campaign, first detected in March 2025, primarily targets law firms and corporate entities.
How the Attack Works
Luna Moth’s strategy hinges on creating convincing lookalike domains designed to mimic internal IT support portals.
For example, a company named “Vorys” might be targeted with a domain like vorys-helpdesk[.]com. The hackers then use phishing emails or compromised accounts to direct victims to these domains, where login credentials or financial data are harvested.
Key characteristics of the fraudulent domains include:
- Naming Conventions: Domains often follow the regex pattern ^[a-z]{1,}-help(desk){0,1}.com$, combining the target’s name with “help” or “helpdesk.” Note that the dot before “com” is unescaped in the published pattern; escape it as \. when you use it so it matches a literal period rather than any character.
- Registrar Patterns: GoDaddy is currently the most frequently used registrar, though other providers may also be involved.
- Nameserver Infrastructure: Domains typically route through domaincontrol[.]com, GoDaddy’s default nameserver domain, which is consistent with the registrar pattern above.
A Step-by-Step Guide
EclecticIQ’s researchers shared a method to identify suspicious domains linked to the campaign:

1. Domain Pattern: Match regex ^[a-z]{1,}-help(desk){0,1}.com$
2. Registrar Filter: Focus on GoDaddy (expand to others like Namecheap if needed).
3. Nameserver Filter: Include domains using domaincontrol[.]com.
4. Creation Date: Restrict results to domains registered after March 1, 2025.

Applying these filters to DNS databases has already uncovered 50 malicious domains, many impersonating high-profile law firms.
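As an added worked example (not code from EclecticIQ or the original article), the four filters above applied in Python to a handful of constructed WHOIS-style records. The record field names, registrar strings, nameservers and domains are assumptions for illustration, not real registrations; the published regex is used with its dot escaped so it matches a literal period. A second call with widened registrar and nameserver lists shows the refinement the researchers suggest for keeping the hunt current.

```python
import re
from datetime import date, datetime

# The published pattern with the dot escaped: [a-z]+ is [a-z]{1,} and
# (desk)? is (desk){0,1}. The unescaped original would also accept any
# single character before "com".
HELPDESK_RE = re.compile(r"^[a-z]+-help(desk)?\.com$")

# Filters as given in the guide. Widen these as the campaign evolves.
REGISTRARS = {"godaddy"}
NAMESERVER_SUFFIXES = {"domaincontrol.com"}
CREATED_AFTER = date(2025, 3, 1)

# Constructed sample records in the shape a WHOIS / passive-DNS export
# might give. Field names and values are assumptions for this example.
SAMPLE_RECORDS = [
    {"domain": "vorys-helpdesk.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns37.domaincontrol.com", "ns38.domaincontrol.com"],
     "created": "2025-03-18"},
    {"domain": "examplelaw-help.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns01.domaincontrol.com"], "created": "2025-04-02"},
    # Same shape but registered years earlier: excluded by the date filter.
    {"domain": "acme-helpdesk.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns11.domaincontrol.com"], "created": "2019-07-01"},
    # Right shape and date, different registrar and nameservers: only
    # found once the registrar / nameserver filters are widened.
    {"domain": "firm-helpdesk.com", "registrar": "NameCheap, Inc.",
     "nameservers": ["dns1.registrar-servers.com"], "created": "2025-05-10"},
    # Wrong word order: does not match the naming convention.
    {"domain": "helpdesk-vorys.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns37.domaincontrol.com"], "created": "2025-03-20"},
]


def uses_nameserver(nameservers, suffixes):
    """True if any nameserver is the suffix domain itself or a host under it."""
    for ns in nameservers:
        ns = ns.lower().rstrip(".")
        for suffix in suffixes:
            if ns == suffix or ns.endswith("." + suffix):
                return True
    return False


def matches_hunt(record, registrars=REGISTRARS,
                 ns_suffixes=NAMESERVER_SUFFIXES, created_after=CREATED_AFTER):
    """Apply the four filters from the guide to one record."""
    # 1. Domain pattern
    if not HELPDESK_RE.match(record["domain"].lower()):
        return False
    # 2. Registrar filter (substring match on the registrar string)
    registrar = record["registrar"].lower()
    if not any(r in registrar for r in registrars):
        return False
    # 3. Nameserver filter
    if not uses_nameserver(record["nameservers"], ns_suffixes):
        return False
    # 4. Creation date strictly after the threshold
    created = datetime.strptime(record["created"], "%Y-%m-%d").date()
    return created > created_after


def hunt(records, **filters):
    """Return the domains that pass every filter, in input order."""
    return [r["domain"] for r in records if matches_hunt(r, **filters)]


if __name__ == "__main__":
    print("Baseline filters:", hunt(SAMPLE_RECORDS))
    print("Widened filters: ", hunt(
        SAMPLE_RECORDS,
        registrars={"godaddy", "namecheap"},
        ns_suffixes={"domaincontrol.com", "registrar-servers.com"},
    ))
```

On the constructed records the baseline filters return only the two GoDaddy-registered, domaincontrol.com-hosted domains created after March 2025; widening the registrar and nameserver sets also surfaces the Namecheap registration, while the 2019 domain and the reversed-word-order domain are excluded in both runs. Against a real WHOIS or passive-DNS export, replace SAMPLE_RECORDS with the parsed export and treat hits as leads to verify, not confirmed malicious infrastructure.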
Why It Matters
- Targeted Industries: Legal, finance, and healthcare sectors are at heightened risk due to their handling of sensitive data.
- Data Theft: Stolen credentials could lead to ransomware attacks, financial fraud, or corporate espionage.
- Expanding Infrastructure: Luna Moth is rapidly scaling operations, suggesting broader campaigns ahead.
“This group is exploiting trust in internal systems,” said Alex Rivera, EclecticIQ’s lead threat analyst. “Employees must verify URLs before entering credentials, especially for unsolicited helpdesk requests.”
Recommended Mitigations
- Domain Monitoring: Use threat intelligence tools to flag domains matching Luna Moth’s patterns.
- Employee Training: Educate staff to recognize phishing attempts and fake helpdesk portals.
- Multi-Factor Authentication (MFA): Enforce MFA for all critical systems to mitigate credential theft.
- Registrar Collaboration: Report suspicious domains to registrars like GoDaddy for faster takedowns.
EclecticIQ encourages cybersecurity professionals to refine their search parameters by:
- Adding registrars beyond GoDaddy (e.g., Namecheap, Google Domains).
- Expanding nameserver filters to include less common providers.
- Adjusting creation date thresholds as the campaign evolves.