A recent cybersecurity investigation has exposed a large-scale phishing operation that employs fake CAPTCHA images embedded in PDF documents. These documents, hosted on Webflow's content delivery network (CDN), are used to deploy the Lumma Stealer malware.

Phishing Campaign Details

Netskope Threat Labs identified 260 unique domains hosting over 5,000 phishing PDFs that redirect unsuspecting users to harmful websites. The attackers leverage search engine optimization (SEO) techniques to lure victims into clicking on malicious search results.

Targeted Sectors and Regions

The campaign has impacted more than 1,150 organizations and over 7,000 users since mid-2024. The primary targets are located in North America, Asia, and Southern Europe, particularly within the technology, financial services, and manufacturing sectors.

  • Webflow Dominance: Most domains hosting these fake PDFs are associated with Webflow, followed by GoDaddy, Strikingly, Wix, and Fastly.
  • PDF Repository Exploitation: Attackers have uploaded some PDFs to legitimate online libraries and repositories like PDFCOFFEE, PDF4PRO, PDFBean, and Internet Archive.

Malware Distribution Techniques

Some of the PDFs carry deceptive CAPTCHA images that lead to pages designed to steal credit card information. Others distribute Lumma Stealer: clicking the embedded image redirects the user to a malicious site.

ClickFix Technique

The fake CAPTCHA pages use the ClickFix method, tricking users into executing an MSHTA command that runs a PowerShell script to install the Lumma Stealer malware.
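The process chain described above (mshta.exe fetching remote content, then spawning powershell.exe) is a natural detection point. The following is an added example, not code from the article or from Netskope: a small Python checker run over constructed process-creation events. The event field names (`image`, `parent_image`, `command_line`) and the sample values are assumptions modelled loosely on Sysmon Event ID 1; map them onto whatever your EDR or Sysmon pipeline actually emits.

```python
# Added example (not from the article or the Netskope report): flag the process
# chain the ClickFix description implies, mshta.exe launched with a remote
# target and then spawning powershell.exe. Event shape and sample values are
# constructed; adapt the field names to your own telemetry.

import re

# A URL or UNC path argument means mshta is loading content that is not local.
REMOTE_ARG = re.compile(r"(?:https?://|\\\\)", re.IGNORECASE)


def flag_clickfix_events(events: list) -> list:
    """Return (event_id, reason) for every event matching either rule:
    1. mshta.exe started with a URL or UNC argument (remote HTA content)
    2. powershell.exe whose parent process is mshta.exe
    """
    findings = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("command_line", "")
        if image.endswith("mshta.exe") and REMOTE_ARG.search(cmd):
            findings.append((ev["id"], "mshta.exe launched with remote content"))
        if image.endswith("powershell.exe") and parent.endswith("mshta.exe"):
            findings.append((ev["id"], "powershell.exe spawned by mshta.exe"))
    return findings


# Constructed sample events (assumed field names, loosely after Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "parent_image": "",
     "command_line": "explorer.exe"},
    {"id": 2, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta https://captcha.example.invalid/verify"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe <arguments omitted>"},
    # Benign: mshta running a local HTA from an administrator's tools folder.
    {"id": 4, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"mshta C:\Tools\inventory.hta"},
]

if __name__ == "__main__":
    for event_id, reason in flag_clickfix_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Both rules fire on the constructed chain (events 2 and 3) while the locally sourced HTA in event 4 is left alone; in production you would tune the parent/child rule against your own baseline of legitimate mshta.exe use before alerting on it.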

Recently, Lumma Stealer has also been disguised as Roblox games and a cracked version of Total Commander for Windows. Users are often redirected to these sites via YouTube videos uploaded from compromised accounts.

Broader Implications and Threats

Lumma Stealer logs are being shared for free on a new hacking forum called Leaky[.]pro, which became active in late December 2024. The malware is offered as a crimeware solution under the malware-as-a-service (MaaS) model, enabling the extraction of extensive data from compromised Windows systems.

Advanced Features

In early 2024, Lumma Stealer integrated with a Golang-based proxy malware named GhostSocks. This integration includes a SOCKS5 backconnect feature, allowing attackers to bypass geographic restrictions and IP-based checks, particularly those enforced by financial institutions.

Other stealers, such as Vidar and Atomic macOS Stealer (AMOS), are also being distributed via the ClickFix method, using DeepSeek AI chatbot lures.

Emerging Phishing Techniques

Phishing attacks have been observed utilizing a JavaScript obfuscation method involving invisible Unicode characters to represent binary values. This technique, first documented in October 2024, uses Hangul half-width (U+FFA0) and Hangul full-width (U+3164) characters for binary representation.

The attacks are highly personalized, incorporating non-public information. The initial JavaScript attempts to invoke a debugger breakpoint; if it detects that it is being analyzed, it redirects to a benign website.
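To make the encoding concrete from the analyst's side, here is an added example (not code from the article or from the researchers who documented the technique) that finds runs of the two filler characters named above in JavaScript source and decodes them back to bytes. The article does not say which character stands for 0 and which for 1, so the decoder tries both polarities and keeps the one that yields more printable ASCII; the sample JavaScript and the hidden string inside it are constructed here.

```python
# Added example (not from the article): detect and decode JavaScript strings built
# from the invisible Hangul filler characters U+FFA0 and U+3164 that the text
# describes as standing in for binary digits.

import re
import string

# The two characters named in the article.
HALF_WIDTH_FILLER = "\uffa0"   # U+FFA0
FULL_WIDTH_FILLER = "\u3164"   # U+3164

# Runs of eight or more fillers (at least one byte) are worth looking at;
# a single stray filler is just noise.
FILLER_RUN = re.compile("[\uffa0\u3164]{8,}")


def fillers_to_bytes(run: str, one: str) -> bytes:
    """Read a filler run as a bit string, with `one` as the character meaning 1,
    and pack it into bytes, most significant bit first. Trailing bits that do
    not complete a byte are dropped."""
    bits = "".join("1" if ch == one else "0" for ch in run)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def decode_run(run: str) -> bytes:
    """The polarity is not stated in the article, so decode both ways and keep
    the candidate with more printable ASCII bytes."""
    candidates = [fillers_to_bytes(run, FULL_WIDTH_FILLER),
                  fillers_to_bytes(run, HALF_WIDTH_FILLER)]
    printable = set(string.printable.encode())
    return max(candidates, key=lambda b: sum(1 for x in b if x in printable))


def find_hidden_payloads(js_source: str) -> list:
    """Return (offset, run_length, decoded_bytes) for each suspicious run."""
    findings = []
    for m in FILLER_RUN.finditer(js_source):
        findings.append((m.start(), m.end() - m.start(), decode_run(m.group())))
    return findings


def hide_ascii(text: str, one: str = FULL_WIDTH_FILLER) -> str:
    """Constructed-sample helper only: express ASCII text as a filler run so the
    detector has something to find. Assumption: U+3164 means 1 by default."""
    zero = HALF_WIDTH_FILLER if one == FULL_WIDTH_FILLER else FULL_WIDTH_FILLER
    return "".join(one if bit == "1" else zero
                   for ch in text for bit in format(ord(ch), "08b"))


# Constructed sample: a harmless JavaScript fragment with a hidden string that
# renders as an empty-looking literal in most editors.
SAMPLE_JS = ('var s = "' + hide_ascii("example payload") + '"; '
             'for (var i = 0; i < s.length; i++) { /* ... */ }')

if __name__ == "__main__":
    for offset, length, decoded in find_hidden_payloads(SAMPLE_JS):
        print(f"offset={offset} fillers={length} decoded={decoded!r}")
```

In a triage pipeline the same regex can be run over attachments and downloaded scripts as a cheap first-pass indicator: legitimate JavaScript has essentially no reason to contain long runs of Hangul filler characters, so any hit is worth a closer look even before decoding.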
