
CTI Roundup: Luna Moth, Venom Spider, StealC V2

Luna Moth threatens U.S. legal and financial firms, Venom Spider targets hiring managers and recruiters, and StealC malware receives new upgrades

Emerging Issue

In this week’s roundup, Tanium’s Cyber Threat Intelligence (CTI) team provides the latest insights around Luna Moth, a data-theft extortion group that’s actively targeting U.S.-based legal and financial institutions. Next, our CTI team examines a campaign conducted by the Venom Spider threat group, which targets hiring managers and recruiters with spear-phishing emails. Finally, the team investigates the latest version of a well-known infostealer malware called StealC.

Luna Moth threatens U.S. organizations

According to new research from EclecticIQ, Luna Moth is ramping up its callback phishing campaigns and actively targeting organizations in the U.S.

The group is now luring victims by calling fake helpdesk phone numbers and tricking them into installing remote monitoring and management (RMM) tools.

Who is Luna Moth?

Luna Moth (also known as Silent Ransom Group, UNC3753, and Storm-0252) is a sophisticated cybercrime operation that specializes in data theft and extortion.

EclecticIQ believes that Luna Moth has been carrying out high-tempo callback phishing since March 2025. The group is specifically targeting legal and financial organizations across the U.S.

Luna Moth campaigns typically begin with a phishing email that aims to trick the recipient into calling a fake helpdesk number. Once on the line with the victim, the operator poses as IT staff and asks them to install legitimate RMM tools.

EclecticIQ notes that the attackers have registered lookalike domains via GoDaddy that impersonate U.S. firms, a tactic known as typosquatting that makes the social engineering more convincing.

Abusing GoDaddy services

EclecticIQ believes that Luna Moth has registered at least 37 domains with GoDaddy in support of this latest round of callback phishing. The domains pose as IT helpdesks or support portals for various U.S. law firms and financial organizations. The “contact us” form on these sites asks the visitor for their name, email, and a brief message, giving the attacker basic reconnaissance information.

Luna Moth is abusing GoDaddy infrastructure and using it to send automated confirmation emails from “confirmations@godaddy[.]com” to those who enter details in the contact form. When the victim clicks the link in this confirmation email, the attacker knows to make their follow-up call to the victim.

EclecticIQ also observed Luna Moth using Reamaze, which is a live chat platform used by GoDaddy. The group is using it to embed AI chatbots into some of their phishing pages that mimic IT helpdesk interactions.


Luna Moth often creates a sense of urgency, claiming an issue requires immediate attention, to pressure victims into installing RMM tools such as Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop. Once one of these tools is installed, the attacker begins exfiltrating data using tools such as WinSCP and Rclone.
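The practical detection opportunity in this chain is the pairing of an unsanctioned RMM install with a file-transfer tool on the same host shortly afterwards. The script below is an added example, not code from EclecticIQ or Tanium: it scans constructed process-creation log lines for the tool names the roundup lists, skips tools that are sanctioned on a given host, and escalates any host where an exfiltration tool follows an unapproved RMM tool within a time window. The CSV layout, the substring name patterns and the two-hour window are assumptions to adapt to your own telemetry and software inventory.

```python
import csv
import io
from datetime import datetime, timedelta

# Tool families the roundup associates with Luna Moth post-access activity.
# Patterns are plain substrings matched against the lowercased image path
# (an assumption for this example; align them with your software inventory).
TOOL_PATTERNS = {
    "rmm": ("syncro", "superops", "zoho", "atera", "anydesk", "splashtop"),
    "exfil": ("winscp", "rclone"),
}

# Constructed process-creation events: timestamp, host, user, image, parent.
SAMPLE_LOG = """ts,host,user,image,parent
2025-05-01T14:02:11Z,WS-ACCT-07,jdoe,C:\\Users\\jdoe\\Downloads\\AnyDesk.exe,C:\\Windows\\explorer.exe
2025-05-01T14:40:05Z,WS-ACCT-07,jdoe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe,C:\\Windows\\System32\\cmd.exe
2025-05-01T15:10:33Z,IT-ADMIN-01,svc_it,C:\\Program Files\\Atera\\AteraAgent.exe,C:\\Windows\\System32\\services.exe
2025-05-01T16:22:47Z,WS-LEGAL-03,asmith,C:\\Users\\asmith\\Downloads\\WinSCP.exe,C:\\Windows\\explorer.exe
2025-05-01T16:25:02Z,WS-LEGAL-03,asmith,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,C:\\Windows\\explorer.exe
"""

# Constructed allowlist: host -> tool patterns that are approved on that host.
SANCTIONED = {"IT-ADMIN-01": {"atera"}}


def classify(image):
    """Return (family, pattern) if the image path matches a watched tool, else None."""
    path = image.lower()
    for family, patterns in TOOL_PATTERNS.items():
        for pattern in patterns:
            if pattern in path:
                return family, pattern
    return None


def scan(log_text, sanctioned, window=timedelta(hours=2)):
    """Return findings for unsanctioned tool executions, escalated when an
    exfiltration tool follows an unsanctioned RMM tool on the same host."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        hit = classify(row["image"])
        if hit is None:
            continue
        family, tool = hit
        if tool in sanctioned.get(row["host"], ()):
            continue  # approved on this host, nothing to report
        findings.append({
            "ts": datetime.fromisoformat(row["ts"].replace("Z", "+00:00")),
            "host": row["host"], "user": row["user"], "image": row["image"],
            "family": family, "tool": tool, "severity": "medium",
        })
    # RMM install followed by an exfil tool on the same host is the sequence
    # the roundup describes, so raise both events to high.
    for exfil in (f for f in findings if f["family"] == "exfil"):
        for rmm in (f for f in findings if f["family"] == "rmm"):
            if rmm["host"] != exfil["host"]:
                continue
            if timedelta(0) <= exfil["ts"] - rmm["ts"] <= window:
                exfil["severity"] = rmm["severity"] = "high"
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, SANCTIONED):
        print(f'{finding["severity"]:6} {finding["host"]:12} {finding["user"]:8} '
              f'{finding["family"]:5} {finding["image"]}')
```

Run it as-is to see the three unsanctioned executions; the AnyDesk and rclone events on WS-ACCT-07 come out as high because they fit the RMM-then-exfil sequence, while the lone WinSCP on WS-LEGAL-03 stays medium. Atera on IT-ADMIN-01 is suppressed by the allowlist.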

Analyst comments from Tanium’s Cyber Threat Intelligence team

Based on EclecticIQ’s insights, it’s clear that Luna Moth is jumping on the fake IT helpdesk bandwagon to advance their data exfiltration attacks.

This group is employing the right combination of social engineering and legitimate tools to remain undetected. Organizations are encouraged to increase their employee education and awareness about Luna Moth to prevent attacks.

Venom Spider targets hiring managers and recruiters

Arctic Wolf recently observed a campaign conducted by the Venom Spider threat group targeting hiring managers and recruiters via spear-phishing emails.

The group is using legitimate messaging services and job platforms to apply for jobs, submitting resumes that are designed to drop malware. They are also using a strategy known as server polymorphism to deliver the payloads.

Venom Spider: A brief overview

Venom Spider is a financially motivated threat group that targets organizations through job roles posted on third-party sites, such as LinkedIn.

The group has been active over the past few years. However, they have recently accelerated their efforts, targeting recruiters and HR managers directly with weaponized phishing links that pretend to come from job seekers.


According to Arctic Wolf, the phishing links typically lead to malicious sites that host the harmful resumes. Venom Spider will attempt to deliver the “More_eggs” malware in this infection chain.

Understanding Venom Spider’s attack vector

The attack begins with a spear-phishing email sent to the recruiter or hiring manager. This email contains a link to download the candidate’s resume. On the site, the visitor is required to check a CAPTCHA box before downloading the resume. The resume arrives as a ZIP file containing a malicious LNK file and an image file; the LNK file is the first-stage payload.


Arctic Wolf reports that the actor’s infrastructure supports server polymorphism, meaning a new LNK file is generated for each download to alter the code obfuscation and file size.

The LNK file ultimately launches WordPad as a decoy, so the victim believes the promised resume is opening, while silently launching the Windows utility %windir%\system32\ie4uinit.exe. That utility executes commands from the ieuinit.inf file, which contains a URL leading to an HTML page with a heavily obfuscated JavaScript payload.

How does the More_eggs_Dropper library work?

After the prior phase, the JavaScript code creates an executable library that Arctic Wolf refers to as the “More_eggs_Dropper” library. The library generates its JavaScript polymorphically, and its execution is time-delayed, which makes it harder for sandboxes to analyze. When executed, it also creates multiple files, including:

  • One file is a legitimate Windows “msxsl.exe” executable that runs XML files containing JavaScript—a technique that Arctic Wolf notes has been used by Venom Spider in the past.
  • Another file creates the “More_eggs_dropper” and will execute the main payload.

Once these scripts run, the dropper is removed. Each run of the dropper produces a new, heavily obfuscated JavaScript payload.
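Because the More_eggs payload is regenerated per download, file hashes are a poor detection handle; the process pattern of the LNK stage is more durable. The script below is an added example, not Arctic Wolf's or Tanium's code: it runs three heuristics over constructed process-creation events of the kind Sysmon or an EDR would emit. Two heuristics follow the chain in the text (ie4uinit.exe running outside its System32 home, and ie4uinit.exe with a WordPad sibling under the same parent within seconds); the third, flagging msxsl.exe executing from a user profile path, is the author's own assumption about where that utility normally lives, as are the event fields, paths and the 30-second window.

```python
from collections import defaultdict
from datetime import datetime

SYSTEM32 = r"c:\windows\system32"

# Constructed process-creation events (pid/ppid, image path, working directory).
# Paths, pids and timestamps are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2025-05-06T09:15:00Z", "pid": 5001, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "cwd": r"C:\Users\hr\Downloads\resume_J_Doe"},
    {"ts": "2025-05-06T09:15:01Z", "pid": 5002, "ppid": 5001,
     "image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "cwd": r"C:\Users\hr\Downloads\resume_J_Doe"},
    {"ts": "2025-05-06T09:15:02Z", "pid": 5003, "ppid": 5001,
     "image": r"C:\Windows\System32\ie4uinit.exe",
     "cwd": r"C:\Users\hr\Downloads\resume_J_Doe"},
    # Constructed reference event: ie4uinit.exe running from its normal location.
    {"ts": "2025-05-06T09:30:00Z", "pid": 5010, "ppid": 900,
     "image": r"C:\Windows\System32\ie4uinit.exe",
     "cwd": r"C:\Windows\System32"},
    {"ts": "2025-05-06T09:16:10Z", "pid": 5020, "ppid": 5001,
     "image": r"C:\Users\hr\AppData\Local\Temp\msxsl.exe",
     "cwd": r"C:\Users\hr\AppData\Local\Temp"},
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, decoy_window_seconds=30):
    """Return (rule, pid) pairs for events matching the heuristics below."""
    findings = []
    siblings = defaultdict(list)  # ppid -> child events, for decoy correlation
    for event in events:
        siblings[event["ppid"]].append(event)

    for event in events:
        name = basename(event["image"])
        if name == "ie4uinit.exe":
            # Heuristic 1 (assumption): the utility executes commands from an
            # ieuinit.inf found relative to where it runs, so an image or working
            # directory outside System32 points at an attacker-supplied .inf.
            in_system32 = (event["image"].lower().startswith(SYSTEM32)
                           and event["cwd"].lower().startswith(SYSTEM32))
            if not in_system32:
                findings.append(("ie4uinit_outside_system32", event["pid"]))
            # Heuristic 2: the roundup describes WordPad launched as a decoy next
            # to ie4uinit.exe, so a WordPad sibling under the same parent within
            # a few seconds is the chain's signature.
            for sib in siblings[event["ppid"]]:
                if basename(sib["image"]) != "wordpad.exe":
                    continue
                delta = abs((parse_ts(event["ts"]) - parse_ts(sib["ts"])).total_seconds())
                if delta <= decoy_window_seconds:
                    findings.append(("ie4uinit_with_wordpad_decoy", event["pid"]))
                    break
        elif name == "msxsl.exe" and "\\users\\" in event["image"].lower():
            # Heuristic 3 (assumption): msxsl.exe is not part of a default
            # workstation build, so a copy running from a user profile warrants review.
            findings.append(("msxsl_from_user_profile", event["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
```

Only pid 5003 and pid 5020 are flagged; the reference event 5010 stays quiet because both its image and working directory are under System32 and it has no WordPad sibling. Tune the decoy window to the spread you see between the two child processes in your own telemetry.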

Analyst comments from Tanium’s Cyber Threat Intelligence team

Venom Spider is one of several actors targeting recruiters and HR departments. Many of these groups employ similar delivery methods, either via spear phishing or outreach on platforms like LinkedIn, making it easier to educate these individuals on what to look out for.

Arctic Wolf’s research also revealed a “continued investment in the development and maintenance” of the group’s signature backdoor, indicating that this group places an emphasis on both social engineering and malware.

New StealC V2 contains stealth upgrades, data theft tools

A new version of the popular StealC infostealer was recently released. Zscaler analyzed the latest version and highlighted several key updates, including a streamlined C2 communication protocol, the use of RC4 encryption, enhanced payload delivery options, an integrated builder, and improved data theft capabilities.

About StealC V2

StealC V2 was first released in March 2025. It utilizes a JSON-based network protocol with RC4 encryption in its latest variants and now supports additional malware loader options to deliver MSI packages and PowerShell scripts.

The new version also comes with a redesigned control panel, multi-monitor screenshot capability, a unified file grabber, and server-side brute force capabilities.

During initial execution, this version decrypts its important strings using a hardcoded RC4 key.

It also checks an expiration date and terminates itself if necessary, and it verifies that no duplicate instance of itself is running.

Key differences between StealC versions

While StealC V2 was released in March 2025, several new iterations have since been launched. At the time of publication, the latest version is 2.2.4.

StealC V2 can now download and execute three types of payloads: .exe files, MSI packages, and PowerShell scripts.

Looking at its network communication protocol, StealC V2 uses JSON-based requests and responses for C2 communication. The C2 server accepts four operation types: create, upload, done, and loader, with create always being the first request, which registers the infection. The server’s response defines the malware’s behavior and tasks. The redesigned control panel also ships with an embedded builder.
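For an analyst holding a captured session and an RC4 key recovered from a sample, the useful tooling is a decoder that strips the RC4 layer, parses the JSON and checks the sequence against the protocol rules stated above. The script below is an added example, not Zscaler's or Tanium's code, and it reproduces only the shape the roundup describes: JSON framing, RC4 encryption, the four operation types, and create as the mandatory first request. The key, the field names, the task names and the sample exchange are constructed for the example and are not StealC's actual message format; the build number 2.2.4 is the one the roundup cites.

```python
import json

# The four operation types the roundup attributes to the StealC V2 C2 server.
KNOWN_OPS = ("create", "upload", "done", "loader")


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream); encrypt and decrypt are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed key and exchange: the field and task names are invented for this
# example and only illustrate the create -> upload -> done flow.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_SESSION = [
    ("client", {"op": "create", "bot_id": "CONSTRUCTED-0001", "build": "2.2.4"}),
    ("server", {"op": "create", "status": "ok", "tasks": ["browser_grab", "screenshot"]}),
    ("client", {"op": "upload", "bot_id": "CONSTRUCTED-0001", "name": "browser.zip", "size": 2048}),
    ("server", {"op": "upload", "status": "ok"}),
    ("client", {"op": "done", "bot_id": "CONSTRUCTED-0001"}),
]
# What the "wire" would carry: each JSON message RC4-encrypted under the key.
SAMPLE_WIRE = [(side, rc4(SAMPLE_KEY, json.dumps(msg).encode())) for side, msg in SAMPLE_SESSION]


def decode_session(key, wire):
    """Decrypt each captured blob with the recovered key and parse it as JSON."""
    decoded = []
    for side, blob in wire:
        try:
            decoded.append((side, json.loads(rc4(key, blob))))
        except ValueError as exc:  # covers both bad UTF-8 and JSON syntax errors
            raise ValueError(f"{side} message did not decrypt to JSON with this key") from exc
    return decoded


def validate(messages):
    """Check a decoded session against the protocol rules in the roundup: the first
    client request is 'create', and every op is one of the four known types."""
    problems = []
    client_ops = [m["op"] for side, m in messages if side == "client"]
    if not client_ops:
        problems.append("no client messages in session")
    elif client_ops[0] != "create":
        problems.append(f"first client op is {client_ops[0]!r}, expected 'create'")
    for side, m in messages:
        if m.get("op") not in KNOWN_OPS:
            problems.append(f"{side} message has unknown op {m.get('op')!r}")
    return problems


if __name__ == "__main__":
    msgs = decode_session(SAMPLE_KEY, SAMPLE_WIRE)
    for side, m in msgs:
        print(f"{side:>6}: {m}")
    print("problems:", validate(msgs) or "none")
```

Decoding with the wrong key fails loudly rather than yielding garbage, and the validator reports a session whose first client request is not create, which is the kind of inconsistency that signals either a truncated capture or a variant with a changed protocol.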

Zscaler’s analysis also identified a few important insights from StealC V2’s infrastructure compared to earlier StealC versions:

  • First, the builder requires a version update, delivered as a ZIP archive that must be uploaded to the panel, so that older versions cannot be used.
  • The control panel was also found to support Telegram bot integration, rule-based payload delivery, file-based uploads, IP-based blocking, and more.
  • Additionally, the builder is embedded into the panel. This enables the operator to create loader and grabber rules easily.
  • These new versions include better obfuscation, RC4 encryption, runtime resolution of all API functions, improved payload downloading, and more.
  • The latest version also features a self-delete routine.

StealC V2 is still under active development, with new updates released regularly.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The latest StealC version features several improvements: it introduces additional stealth capabilities and is evolving quickly, with new iterations released since March.

Zscaler notes that StealC is often used in conjunction with other malware families, making it even more dangerous.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
