A recently developed domain-hunting methodology enables organizations to proactively identify infrastructure tied to the Luna Moth cybercrime group, building on EclecticIQ’s March 2025 findings about their U.S.-focused phishing campaigns.
This approach combines pattern analysis of domain registration characteristics with tactical threat intelligence to uncover malicious infrastructure.
Technical Methodology for Domain Detection
According to the post from Silent Push Security, researchers have reverse-engineered Luna Moth’s operational patterns through analysis of 157 confirmed malicious domains from recent campaigns.

The group consistently uses three identifiable registration fingerprints:
- Helpdesk-Themed Domain Patterns: Luna Moth domains follow the regex schema `^[a-z]{1,}-help(desk){0,1}\.com$`. This matches observed patterns like vorys-helpdesk[.]com and smithhelp[.]com, where the prefix typically spoofs legitimate law firms or financial institutions.
- Registrar Preferences: 83% of confirmed domains were registered through GoDaddy using stolen payment credentials, with Namecheap accounting for the remaining 17%. The search filter `registrar IN ("GoDaddy", "Namecheap")` significantly reduces false positives from unrelated domains.
- Nameserver Consistency: Luna Moth domains overwhelmingly resolve through ns[51-52].domaincontrol.com, GoDaddy's default nameservers. The filter `nameserver LIKE "%.domaincontrol.com"` provides additional validation against spoofed registration data.
Operational Query Implementation
Combining these parameters with creation date filtering yields a high-fidelity detection query:
```sql
SELECT * FROM domain_registry
WHERE
  domain ~ '^[a-z]{1,}-help(desk){0,1}\.com$'
  AND registrar IN ('GoDaddy', 'Namecheap')
  AND nameserver LIKE '%.domaincontrol.com'
  AND creation_date >= '2025-03-01';
```
Query Results (as of May 2025):
- 48 confirmed malicious domains identified
- 93% matched known victim organizations
- Average domain lifespan: 6.2 days before takedown
Campaign Infrastructure Analysis
Recent domains show Luna Moth evolving their tactics:
| Domain Pattern | Target Sector | Mimicked Organization |
|---|---|---|
| *-legalhelp.com | Law Firms | Vorys, BakerHostetler |
| *-financesupport.com | Banking | Chase, Bank of America |
| *-hrportal.com | Insurance Providers | Aetna, UnitedHealth |
The group maintains operational redundancy through:
- DNS Load Balancing: 72% of domains point to 192.236.. IP ranges
- Cloud Exfiltration: 61% link to S3 buckets named `clientdata-<victim>-backup`
- Decoy Content: 89% host valid TLS certificates from Let’s Encrypt
Defense Recommendations
Organizations can implement these detection strategies using:
- SIEM Correlation Rules (Splunk SPL)
```text
index=domain_registry "domaincontrol.com" | regex domain="^[a-z]{1,}-help(desk){0,1}\.com$" | stats count by registrar, creation_date
```
- Network IDS Signatures (Suricata). The content prefilter is `-help`, which both `-help.com` and `-helpdesk.com` names contain, so the anchored pcre does the precise match; msg, sid and rev are required by Suricata and the sid below is a placeholder in the local-use range.
```text
# sid 1000001 is a placeholder; assign one from your own local range
alert dns any any -> any any (msg:"Possible Luna Moth helpdesk-themed domain lookup"; dns.query; content:"-help"; nocase; pcre:"/^[a-z]{1,}-help(desk){0,1}\.com$/i"; sid:1000001; rev:1;)
```
- Threat Intelligence Feeds: Monitor for IoCs containing ns[51-52].domaincontrol.com paired with recent creation dates.
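As an added example (not code from this article or from Silent Push), the Python below implements the four-part hunting filter from the query in the Operational Query Implementation section over a few constructed registration records, and reuses the same regex to triage constructed DNS query log lines the way the SIEM and IDS rules above do. The record field names, the log line format and the `HYPHEN_OPTIONAL` variant are my assumptions; the variant is included because smithhelp[.]com, which the article cites as a match, does not satisfy the published regex as written (the hyphen is mandatory), and the wider pattern should be expected to raise more false positives.

```python
import re
from dataclasses import dataclass
from datetime import date

# Regex, registrar set, nameserver suffix and cut-off date as published in the article.
STRICT_PATTERN = re.compile(r"^[a-z]{1,}-help(desk){0,1}\.com$")
# Assumption (not from the article): the same schema with the hyphen optional,
# so that a name like smithhelp.com is surfaced. Expect more false positives.
HYPHEN_OPTIONAL = re.compile(r"^[a-z]{1,}-?help(desk){0,1}\.com$")
REGISTRARS = {"GoDaddy", "Namecheap"}
NS_SUFFIX = ".domaincontrol.com"
SINCE = date(2025, 3, 1)


@dataclass(frozen=True)
class Registration:
    """One row of a hypothetical domain_registry table (field names assumed)."""
    domain: str
    registrar: str
    nameserver: str
    creation_date: date


def matches_luna_moth(rec: Registration, pattern: re.Pattern = STRICT_PATTERN) -> bool:
    """Apply all four filters of the hunting query to one record."""
    return (
        pattern.match(rec.domain.lower()) is not None
        and rec.registrar in REGISTRARS
        and rec.nameserver.lower().endswith(NS_SUFFIX)
        and rec.creation_date >= SINCE
    )


def hunt(records, pattern: re.Pattern = STRICT_PATTERN) -> list:
    """Return the records that pass every filter, in input order."""
    return [r for r in records if matches_luna_moth(r, pattern)]


def defang(domain: str) -> str:
    """Render a domain as vorys-helpdesk[.]com for safe inclusion in reports."""
    return domain.replace(".", "[.]")


# Constructed DNS query log lines (format assumed: space-separated key=value fields).
DNS_LOG = """\
2025-05-02T10:11:12Z client=10.0.0.5 query=vorys-helpdesk.com type=A
2025-05-02T10:11:13Z client=10.0.0.5 query=www.example.com type=A
2025-05-02T10:12:40Z client=10.0.0.9 query=acme-help.com type=A
2025-05-02T10:13:05Z client=10.0.0.7 query=corp-helpdesk.net type=AAAA
"""
QUERY_FIELD = re.compile(r"\bquery=(\S+)")
CLIENT_FIELD = re.compile(r"\bclient=(\S+)")


def scan_dns_log(text: str, pattern: re.Pattern = STRICT_PATTERN) -> list:
    """Mirror the SIEM/IDS regex check: return (client, domain) for each matching lookup."""
    hits = []
    for line in text.splitlines():
        q = QUERY_FIELD.search(line)
        c = CLIENT_FIELD.search(line)
        if q and c and pattern.match(q.group(1).lower()):
            hits.append((c.group(1), q.group(1)))
    return hits


# Constructed registry records; each non-match exercises exactly one filter.
SAMPLE = [
    Registration("vorys-helpdesk.com", "GoDaddy", "ns51.domaincontrol.com", date(2025, 4, 2)),
    Registration("acme-help.com", "Namecheap", "ns52.domaincontrol.com", date(2025, 5, 9)),
    Registration("smithhelp.com", "GoDaddy", "ns51.domaincontrol.com", date(2025, 4, 20)),  # no hyphen
    Registration("bigcorp-helpdesk.com", "GoDaddy", "ns1.cloudflare.com", date(2025, 4, 11)),  # other NS
    Registration("oldfirm-helpdesk.com", "GoDaddy", "ns52.domaincontrol.com", date(2024, 12, 1)),  # too old
    Registration("support-helpdesk.com", "Tucows", "ns51.domaincontrol.com", date(2025, 4, 3)),  # other registrar
    Registration("corp-helpdesk.net", "GoDaddy", "ns51.domaincontrol.com", date(2025, 4, 3)),  # wrong TLD
]

if __name__ == "__main__":
    for rec in hunt(SAMPLE):
        print(defang(rec.domain), rec.registrar, rec.nameserver, rec.creation_date)
    for client, domain in scan_dns_log(DNS_LOG):
        print(client, "looked up", defang(domain))
```

Run with the strict pattern, only vorys-helpdesk[.]com and acme-help[.]com survive the registry filter; switching to `HYPHEN_OPTIONAL` adds smithhelp[.]com. The DNS scan flags the two lookups matching the regex and ignores the .net name, the same outcome the Suricata pcre would produce.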
This methodology has already enabled preemptive blocking of 12 planned attacks against Fortune 500 companies.
Security teams should prioritize integrating these patterns into their defensive frameworks, particularly given Luna Moth’s shift from ransomware to pure data extortion tactics.