A recent cybersecurity discovery has revealed a large-scale phishing campaign that exploits fake CAPTCHA images in PDF documents to distribute Lumma Stealer malware. The campaign, identified by Netskope Threat Labs, used 260 unique domains to host over 5,000 malicious PDF files. The files were primarily hosted on Webflow’s content delivery network (CDN) and other services like GoDaddy and Wix. These phishing PDFs were cleverly designed to appear as legitimate documents, luring users through search engine optimization (SEO) techniques, where clicking on malicious search results would redirect victims to sites designed to harvest sensitive information.
The phishing scheme primarily targeted individuals in North America, Asia, and Southern Europe, affecting over 1,150 organizations, particularly in the technology, financial services, and manufacturing sectors. The attackers employed fake CAPTCHA images that served as a conduit to steal credit card details, or, in some cases, triggered the Lumma Stealer malware to be downloaded onto the victims’ systems. This malware then executed malicious PowerShell scripts when users clicked the fraudulent CAPTCHA images, leading to further compromises. Some of the fake PDFs were also uploaded to legitimate online repositories, increasing the likelihood of users downloading the malicious files unknowingly.
The Lumma Stealer malware, which has been active since 2024, is a robust crimeware tool available for purchase through the malware-as-a-service (MaaS) model.
Once installed, the malware can harvest a wide range of sensitive information from the infected system, including login credentials, banking information, and other personally identifiable data. Additionally, Lumma Stealer has integrated with a Golang-based proxy malware called GhostSocks, which enables attackers to use infected devices as a backdoor to bypass geographic and IP restrictions.
This integration provides attackers with greater access to high-value targets, like financial institutions, enhancing the chances of unauthorized access and successful exploitation.
This phishing campaign, along with other forms of malware like Vidar and Atomic macOS Stealer, highlights the increasing sophistication of cybercriminal operations. The attackers are also employing newer techniques, such as using invisible Unicode characters to obfuscate JavaScript payloads, making it harder for traditional security measures to detect and block these attacks. These phishing attacks are personalized, using non-public information to increase their chances of success, and in some cases, attempting to bypass analysis by invoking debugger breakpoints during investigation. The evolving nature of these threats stresses the need for heightened vigilance and advanced protective measures against increasingly sophisticated cybercriminal tactics.
