Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflow’s content delivery network (CDN) to deliver the Lumma stealer malware.
Netskope Threat Labs said it discovered 260 unique domains hosting 5,000 phishing PDF files that redirect victims to malicious websites.
“The attacker uses SEO to trick victims into visiting the pages by clicking on malicious search engine results,” security researcher Jan Michael Alcantara said in a report shared with The Hacker News.
“While most phishing pages focus on stealing credit card information, some PDF files contain fake CAPTCHAs that trick victims into executing malicious PowerShell commands, ultimately leading to the Lumma Stealer malware.”
The phishing campaign is estimated to have affected more than 1,150 organizations and more than 7,000 users since the second half of 2024, with the attacks primarily singling out victims in North America, Asia, and Southern Europe across technology, financial services, and manufacturing sectors.
Of the 260 domains identified to host the fake PDFs, a majority of them are related to Webflow, followed by those related to GoDaddy, Strikingly, Wix, and Fastly.
Attackers have also been observed uploading some of the PDF files to legitimate online libraries and PDF repositories like PDFCOFFEE, PDF4PRO, PDFBean, and Internet Archive, such that users searching for PDF documents on search engines are directed to them.
The PDFs contain fraudulent CAPTCHA images that act as a conduit to steal credit card information. Alternatively, those distributing Lumma Stealer contain images to download the document that, when clicked, takes the victim to a malicious site.
For its part, the site masquerades as a fake CAPTCHA verification page that employs the ClickFix technique to deceive the victim into running an MSHTA command that executes the stealer malware by means of a PowerShell script.
In recent weeks, Lumma Stealer has also been disguised as Roblox games and a cracked version of the Total Commander tool for Windows, highlighting the myriad delivery mechanisms adopted by various threat actors. Users are redirected to these websites through YouTube videos likely uploaded from previously compromised accounts.
“Malicious links and infected files are often disguised in [YouTube] videos, comments, or descriptions,” Silent Push said. “Exercising caution and being skeptical of unverified sources when interacting with YouTube content, especially when prompted to download or click on links, can help protect against these growing threats.”
The cybersecurity company further found that Lumma Stealer logs are being shared for free on a relatively new hacking forum called Leaky[.]pro that went operational in late December 2024.
Lumma Stealer is a fully-featured crimeware solution that’s offered for sale under the malware-as-a-service (MaaS) model, giving a way for cybercriminals to harvest a wide range of information from compromised Windows hosts. In early 2024, the malware operators announced an integration with a Golang-based proxy malware named GhostSocks.
“The addition of a SOCKS5 backconnect feature to existing Lumma infections, or any malware for that matter, is highly lucrative for threat actors,” Infrawatch said.
“By leveraging victims’ internet connections, attackers can bypass geographic restrictions and IP-based integrity checks, particularly those enforced by financial institutions and other high-value targets. This capability significantly increases the probability of success for unauthorized access attempts using credentials harvested via infostealer logs, further enhancing the post-exploitation value of Lumma infections.”
The disclosures come as stealer malware like Vidar and Atomic macOS Stealer (AMOS) are being distributed using the ClickFix method via lures for the DeepSeek artificial intelligence (AI) chatbot, according to Zscaler ThreatLabz and eSentire.
Phishing attacks have also been spotted abusing a JavaScript obfuscation method that uses invisible Unicode characters to represent binary values, a technique that was first documented in October 2024.
The approach entails making use of Unicode filler characters, specifically Hangul half-width (U+FFA0) and Hangul full-width (U+3164), to represent the binary values 0 and 1, respectively, and converting each ASCII character in the JavaScript payload to their Hangul equivalents.
“The attacks were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website,” Juniper Threat Labs said.
