Security researchers have uncovered a widespread phishing campaign that distributes the Lumma stealer malware using fake CAPTCHA images embedded in PDF documents. The PDFs are designed to trick users into executing malicious PowerShell commands and have been found hosted on a range of platforms, including Webflow and GoDaddy, among others. Netskope Threat Labs discovered 260 unique domains hosting approximately 5,000 phishing PDFs, impacting over 1,150 organizations and 7,000 users, primarily in North America, Asia, and Southern Europe.
Attackers are leveraging SEO techniques to direct victims to malicious websites via search engine results. Most of these phishing pages aim to steal credit card information, while some deliver the Lumma stealer through fake CAPTCHA verification pages using the ClickFix technique. This method deceives users into running MSHTA commands that execute a PowerShell script, installing the malware. Additionally, attackers have uploaded these PDFs to legitimate online libraries and PDF repositories, increasing their reach.
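The ClickFix chain described above (user pastes an mshta command, mshta fetches a remote HTA, the HTA launches PowerShell) leaves a recognizable parent/child trail in process-creation telemetry. The following Python detector is an added example, not code from the article or from Netskope; the Sysmon-style event fields, PIDs and the placeholder URL are constructed assumptions.

```python
import re

# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields);
# illustrative only, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5312, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://cdn.example.invalid/verify.hta"},  # placeholder URL
    {"pid": 5330, "ppid": 5312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <elided>"},
    {"pid": 6100, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},  # benign admin script
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _name(image):
    """Lower-cased executable name without its directory."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_clickfix_chains(events):
    """Return (pid, reason) findings for the mshta -> PowerShell pattern.

    Heuristics, taken from the ClickFix chain the article describes:
      1. mshta.exe launched with a remote URL argument (remote HTA),
      2. mshta.exe spawned by explorer.exe (user pasting into the Run dialog),
      3. powershell.exe whose parent process is mshta.exe.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else ""
        if name == "mshta.exe":
            if URL_RE.search(e["cmdline"]):
                findings.append((e["pid"], "mshta.exe fetching a remote HTA"))
            if parent_name == "explorer.exe":
                findings.append((e["pid"], "mshta.exe started interactively from explorer.exe"))
        elif name in ("powershell.exe", "pwsh.exe") and parent_name == "mshta.exe":
            findings.append((e["pid"], "PowerShell spawned by mshta.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The benign `-File` PowerShell launch from explorer.exe produces no finding, so the rules key on the chain rather than on PowerShell use alone.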
Lumma Stealer is a malware-as-a-service used to harvest various data from compromised Windows systems. In recent campaigns, malicious actors have disguised it as Roblox games and cracked software, spreading it through YouTube videos posted from compromised accounts. The malware now includes a SOCKS5 backconnect feature, which enhances its post-exploitation capabilities by allowing attackers to bypass geographic restrictions and IP-based checks.
Other stealer malware, such as Vidar and AMOS, is also being delivered via the ClickFix method, disguised as DeepSeek AI chatbot lures. Furthermore, phishing attacks are employing JavaScript obfuscation with invisible Unicode characters to bypass detection. These personalized attacks use debugger breakpoints and delays to evade detection and analysis. Lumma Stealer logs are even being shared on a new hacking forum, Leaky[.]pro, highlighting the increased accessibility and distribution of stolen information.