Cybersecurity specialists have identified a widespread phishing campaign leveraging deceptive CAPTCHA images embedded within PDF documents hosted on Webflow’s content delivery network (CDN) to deploy the Lumma stealer malware.
Analysts at Netskope Threat Labs uncovered an alarming 260 distinct domains harboring approximately 5,000 phishing PDFs, which serve as gateways to malicious web destinations.
“Whereas many phishing pages aim to pilfer credit card details, certain PDFs incorporate falsified CAPTCHAs that lure victims into executing obfuscated PowerShell commands, culminating in the execution of the Lumma Stealer malware.”
This phishing onslaught has reportedly impacted over 1,150 enterprises and compromised more than 7,000 individual users since mid-2024. The campaign exhibits a strong predilection for victims situated in North America, Asia, and Southern Europe, particularly targeting entities in the technology, financial services, and manufacturing sectors.
Among the 260 domains flagged for disseminating these counterfeit PDFs, a considerable portion is affiliated with Webflow, followed by platforms such as GoDaddy, Strikingly, Wix, and Fastly.
Further analysis indicates that adversaries have uploaded select PDF files to legitimate digital repositories, including PDFCOFFEE, PDF4PRO, PDFBean, and the Internet Archive, thereby ensuring that unsuspecting individuals searching for PDF documents via search engines inadvertently encounter these malicious files.
These compromised PDFs deploy fraudulent CAPTCHA visuals as a decoy for illicit credential harvesting. Alternatively, those weaponized for distributing the Lumma Stealer contain deceptive download prompts that, upon interaction, redirect victims to nefarious web pages.
Upon redirection, users are met with a counterfeit CAPTCHA verification interface employing the ClickFix technique—an adversarial stratagem designed to trick victims into executing an MSHTA command, which subsequently invokes a PowerShell script to deploy the stealer malware.
In recent incidents, Lumma Stealer has also been clandestinely repackaged as counterfeit Roblox game downloads and a pirated iteration of the Total Commander file management tool for Windows. This tactic underscores the adversary’s evolving methodologies, utilizing a myriad of distribution mechanisms. Victims are frequently lured to these sites through YouTube videos, potentially uploaded from previously hijacked accounts.
“Malicious hyperlinks and compromised files are often surreptitiously embedded within YouTube videos, comment sections, or descriptions,” noted cybersecurity firm Silent Push. “Exercising vigilance and skepticism when engaging with unverified online sources—particularly those prompting downloads or link interactions—can mitigate exposure to these insidious threats.”
Further investigation reveals that stolen credentials harvested via Lumma Stealer logs are being circulated gratis on a nascent hacking forum, Leaky[.]pro, which emerged in late December 2024.
Lumma Stealer, a sophisticated crimeware-as-a-service (CaaS) solution, is marketed under the malware-as-a-service (MaaS) business model, enabling cybercriminals to extract a broad spectrum of sensitive data from compromised Windows endpoints. Notably, in early 2024, its developers announced an integration with GhostSocks, a proxy malware engineered in Golang.
“The inclusion of a SOCKS5 backconnect feature in Lumma infections—or any similar malware—presents lucrative opportunities for cyber adversaries,” stated security analysts at Infrawatch.
“By covertly exploiting victims’ internet connections, attackers can circumvent geographical access constraints and integrity checks based on IP addresses. This is particularly valuable in bypassing security mechanisms enforced by financial institutions and other high-value entities. The integration of such capabilities amplifies the effectiveness of credential theft, augmenting the post-exploitation utility of Lumma infections.”
These revelations coincide with escalating activity surrounding stealer malware such as Vidar and Atomic macOS Stealer (AMOS), both of which are now being disseminated using the ClickFix methodology, frequently masquerading as downloads for the DeepSeek artificial intelligence (AI) chatbot, according to intelligence reports from Zscaler ThreatLabz and eSentire.
Additionally, cybersecurity researchers have detected phishing campaigns employing an advanced JavaScript obfuscation tactic that leverages invisible Unicode characters to encode binary data—an approach initially documented in October 2024.
This technique manipulates Unicode filler characters, specifically the Hangul half-width filler (U+FFA0) and Hangul full-width filler (U+3164), to represent the binary digits 0 and 1, respectively. Each ASCII character within the JavaScript payload is transmuted into its Hangul-coded counterpart, thereby obfuscating malicious scripts.
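As an added defender-side example (not code from the article or from any vendor named in it), the following JavaScript scans a script for runs of these two filler characters and decodes them back to the ASCII they hide. It assumes 8 bits per character, most-significant bit first, with U+FFA0 as 0 and U+3164 as 1; the article does not state the bit order, so that is an assumption, and the sample script is constructed here.

```javascript
// Added example, not from the article. Assumed encoding (not stated there):
// 8 bits per ASCII character, most-significant bit first,
// U+FFA0 (Halfwidth Hangul Filler) = 0, U+3164 (Hangul Filler) = 1.
const ZERO = "\uFFA0";
const ONE = "\u3164";

// Find every run of filler characters long enough to hold at least one byte.
function findFillerRuns(source) {
  const re = /[\uFFA0\u3164]{8,}/g;
  const runs = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    runs.push({ index: m.index, text: m[0] });
  }
  return runs;
}

// Decode one run of fillers back to ASCII; trailing partial bytes are ignored.
function decodeFillerRun(run) {
  let out = "";
  for (let i = 0; i + 8 <= run.length; i += 8) {
    let byte = 0;
    for (let b = 0; b < 8; b++) {
      byte = (byte << 1) | (run[i + b] === ONE ? 1 : 0);
    }
    out += String.fromCharCode(byte);
  }
  return out;
}

// Report each hidden payload with its offset and bit length, so an analyst
// can see what an "invisible" script actually contains before it runs.
function scanScript(source) {
  return findFillerRuns(source).map((r) => ({
    offset: r.index,
    bits: r.text.length,
    decoded: decodeFillerRun(r.text),
  }));
}

// Constructed sample: the harmless string "ok" (0x6F 0x6B) hidden as fillers
// inside an otherwise ordinary-looking line of script.
const SAMPLE_BITS = "0110111101101011";
const SAMPLE =
  "var x = 1; " +
  SAMPLE_BITS.replace(/[01]/g, (b) => (b === "1" ? ONE : ZERO)) +
  " // nothing to see";

console.log(scanScript(SAMPLE)); // one hit at offset 11, 16 bits, decoded "ok"
```

A run of 8 or more consecutive fillers in a script is itself a strong indicator worth alerting on, regardless of what it decodes to.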
“These attacks exhibit an unprecedented degree of personalization, often incorporating non-public information,” Juniper Threat Labs disclosed. “Furthermore, the initial JavaScript payload is engineered to invoke a debugger breakpoint during analysis. If it detects scrutiny, it introduces a delay before aborting execution entirely, redirecting the victim to an innocuous website.”
These discoveries underscore the ever-evolving landscape of cyber threats, emphasizing the imperative for organizations and individuals alike to adopt robust security postures to mitigate exposure to these sophisticated phishing tactics and malware campaigns.