
A phishing campaign has been uncovered that uses fake CAPTCHA images embedded in PDF documents to distribute the Lumma Stealer malware. Cybersecurity researchers at Netskope Threat Labs have identified this large-scale attack, which leverages Webflow’s content delivery network (CDN) to host and distribute malicious PDFs.
How Attackers Use SEO to Lure Victims
The attackers use search engine optimization (SEO) tactics to push their malicious PDFs to the top of search results. According to security researcher Jan Michael Alcantara, this method tricks users into clicking on phishing links embedded in search results, leading them to dangerous websites.
While many phishing campaigns focus on stealing credit card details, this attack uses fake CAPTCHAs to deceive victims into executing malicious PowerShell commands. Once triggered, these commands install Lumma Stealer, a dangerous malware designed to steal sensitive information from infected devices.
Massive Scope of the Attack
Since mid-2024, this phishing operation has affected over 1,150 organizations and more than 7,000 individuals across technology, finance, and manufacturing sectors. The campaign mainly targets users in North America, Asia, and Southern Europe.
Researchers discovered 260 unique domains hosting over 5,000 phishing PDF files. A significant portion of these domains is linked to Webflow, with additional hosting observed on GoDaddy, Strikingly, Wix, and Fastly. Attackers have also uploaded these PDFs to legitimate online libraries and repositories, including PDFCOFFEE, PDF4PRO, PDFBean, and the Internet Archive, making it easier for victims to find them through simple web searches.
How the Attack Works
The phishing PDFs contain fraudulent CAPTCHA images that serve two purposes:
Credit Card Theft: Some PDFs prompt users to enter their payment details.
Malware Delivery: Others use a deceptive CAPTCHA download button that redirects victims to a malicious website.
Once on the site, users encounter a fake CAPTCHA verification page. This page employs the ClickFix technique, tricking them into executing an MSHTA command, which then runs a PowerShell script to install Lumma Stealer.
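The chain described above (mshta.exe launched with a remote address, then spawning powershell.exe) is visible in ordinary process-creation telemetry. The following detection logic is an added example, not code from Netskope or from the original article; the CSV log lines are constructed for illustration, and the field layout, file paths and the `PLACEHOLDER` command argument are assumptions.

```python
"""Detect an mshta.exe -> powershell.exe execution chain in process-creation logs.
Added example; the log lines below are constructed, not real telemetry."""
import csv
import io
from dataclasses import dataclass

# Constructed sample events: timestamp, pid, parent pid, image path, command line.
# The values and paths are invented for the example.
SAMPLE_LOG = r"""ts,pid,ppid,image,cmdline
2025-02-28T10:00:01,4100,800,C:\Windows\explorer.exe,explorer.exe
2025-02-28T10:00:05,4220,4100,C:\Program Files\Browser\browser.exe,browser.exe --profile default
2025-02-28T10:00:09,4310,4100,C:\Windows\System32\mshta.exe,mshta.exe https://cdn.example.invalid/verify
2025-02-28T10:00:10,4400,4310,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -NoProfile -Command PLACEHOLDER
2025-02-28T10:05:00,4500,4100,C:\Windows\System32\mshta.exe,mshta.exe C:\Users\u\app\local.hta
2025-02-28T10:06:00,4600,4100,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -File C:\scripts\backup.ps1
"""


@dataclass
class Proc:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(text):
    """Parse the CSV log into Proc records."""
    return [
        Proc(r["ts"], int(r["pid"]), int(r["ppid"]), r["image"], r["cmdline"])
        for r in csv.DictReader(io.StringIO(text))
    ]


def image_name(path):
    """Return the lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_clickfix_chains(events):
    """Return one finding per powershell.exe whose parent is mshta.exe.

    Each finding records both pids and whether the mshta parent was given an
    http(s) argument, which is the remote-HTA pattern described in the article."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) != "mshta.exe":
            continue
        remote = any(
            tok.lower().startswith(("http://", "https://"))
            for tok in parent.cmdline.split()
        )
        hits.append({"mshta_pid": parent.pid, "powershell_pid": e.pid, "remote_hta": remote})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix_chains(parse_events(SAMPLE_LOG)):
        print(hit)
```

Only the pair 4310 -> 4400 is reported: the later mshta.exe run opens a local file and spawns nothing, and the last powershell.exe is a child of explorer.exe. In a real deployment the `remote_hta` flag is what separates a user double-clicking an HTA from the browser-driven ClickFix lure.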
Lumma Stealer’s Expanding Reach
Recently, Lumma Stealer has been distributed through various channels, including fake Roblox game downloads and cracked versions of software like Total Commander. Threat actors are using compromised YouTube accounts to spread links to these malware-laced files.
Security firm Silent Push warns that malicious links often appear in YouTube videos, comments, or descriptions. They advise users to be cautious when clicking on download links from unverified sources.
Adding to the growing concern, cybersecurity analysts found that logs from Lumma Stealer infections are being shared for free on a new hacking forum called Leaky[.]pro, which emerged in December 2024.

Lumma Stealer: Malware-as-a-Service (MaaS) Tool
Lumma Stealer is a full-featured crimeware service sold under the malware-as-a-service (MaaS) model. It enables cybercriminals to collect a wide range of information from compromised Windows systems. In early 2024, its operators integrated a new feature with GhostSocks, a Golang-based proxy malware.
According to cybersecurity firm Infrawatch, Lumma’s addition of a SOCKS5 backconnect feature makes it even more dangerous. This capability allows attackers to route their traffic through infected devices, bypassing geographic restrictions and IP-based security checks, especially in financial institutions. By using stolen credentials from infostealer logs, attackers can gain unauthorized access to high-value targets, increasing the impact of the malware.
Other Malware Using Similar Tactics
Security researchers warn that other malware strains, such as Vidar and Atomic macOS Stealer (AMOS), are also exploiting the ClickFix technique. Attackers are using AI-related lures, such as fake downloads for the DeepSeek AI chatbot, to spread these threats.
Another alarming trend in phishing attacks involves JavaScript obfuscation techniques that use invisible Unicode characters. First reported in October 2024, this technique relies on Hangul half-width (U+FFA0) and full-width (U+3164) characters to encode binary values. Attackers convert ASCII characters in JavaScript payloads to these Unicode equivalents, making detection harder.
Juniper Threat Labs found that these attacks were highly personalized and even included non-public information about targets. The JavaScript used in these phishing attempts also contains anti-analysis techniques: if an analyst pauses the script in a debugger, it detects the resulting delay and redirects to a benign website, hindering analysis.
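The encoding described in the two paragraphs above (each ASCII byte written as eight Hangul filler characters, one code point per bit) can be spotted and reversed during triage. The scanner below is an added example, not code from Juniper Threat Labs or the article; which filler character stands for a 1 bit is not stated on the page, so the decoder tries both assignments and keeps the one that yields printable ASCII. The sample script is constructed, and the small encoder exists only to build that sample.

```python
"""Flag and decode JavaScript that hides text in Hangul filler characters.
Added example; SAMPLE_JS is constructed, not taken from a real phishing page."""
import re

HALF = "\uffa0"  # HALFWIDTH HANGUL FILLER
FULL = "\u3164"  # HANGUL FILLER
# Eight or more consecutive filler characters is at least one hidden byte.
FILLER_RUN = re.compile(f"[{HALF}{FULL}]{{8,}}")


def encode_for_sample(text, one=HALF, zero=FULL):
    """Build a filler-encoded string so the decoder can be exercised offline.
    The bit-to-character assignment here is an assumption for the sample only."""
    return "".join(
        one if bit == "1" else zero
        for ch in text
        for bit in format(ord(ch), "08b")
    )


def decode_run(run, one, zero):
    """Read a filler run as bits under a given assignment; drop a trailing partial byte."""
    bits = "".join("1" if c == one else "0" for c in run)
    bits = bits[: len(bits) - len(bits) % 8]
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def decode_hidden(run):
    """Try both bit assignments; return the decoding that is printable ASCII, else None.
    Only one assignment can succeed: the other yields the bitwise complement of each
    byte, which never lands in the printable range."""
    for one, zero in ((HALF, FULL), (FULL, HALF)):
        text = decode_run(run, one, zero)
        if text and all(32 <= ord(c) < 127 for c in text):
            return text
    return None


def scan_script(js):
    """Return (offset, run_length, decoded_text_or_None) for every filler run found."""
    return [
        (m.start(), len(m.group()), decode_hidden(m.group()))
        for m in FILLER_RUN.finditer(js)
    ]


# Constructed sample: a harmless string hidden inside an otherwise ordinary script.
HIDDEN_TEXT = "console.log('constructed hidden text')"
SAMPLE_JS = "var s = '" + encode_for_sample(HIDDEN_TEXT) + "';\nvar x = 1;\n"

if __name__ == "__main__":
    for offset, length, decoded in scan_script(SAMPLE_JS):
        print(f"offset={offset} filler_chars={length} decoded={decoded!r}")
```

A run that decodes to nothing printable is still worth reporting: a page with hundreds of consecutive filler code points has no legitimate reason to contain them, so the run length alone is a strong signal even before decoding.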
How to Stay Safe
With phishing campaigns growing more sophisticated, users must stay vigilant. Here are some key security tips:
Verify PDF sources: Avoid downloading PDF documents from unknown or suspicious websites.
Beware of fake CAPTCHAs: If a CAPTCHA verification redirects you to an unexpected page, it’s likely a scam.
Avoid clicking unverified links: Do not download files or click on links from untrusted YouTube videos or comments.
Use security tools: Enable endpoint protection and keep antivirus software updated.
Monitor credentials: Use a password manager and enable multi-factor authentication (MFA) to protect sensitive accounts.
Conclusion
The Lumma Stealer phishing campaign highlights the evolving tactics of cybercriminals, combining SEO manipulation, fake CAPTCHAs, and sophisticated malware distribution techniques. As threats become more complex, staying informed and practicing good cybersecurity hygiene is crucial in preventing attacks. Organizations and individuals must remain proactive in defending against these rapidly advancing cyber threats.