SoloSecurities: Cybersecurity Consulting & Training

Fake CAPTCHA PDFs: How Lumma Stealer Spreads via Webflow, GoDaddy, and Other Domains

Introduction

In the ever-evolving landscape of cyber threats, attackers continuously refine their tactics to deceive users and bypass security measures. Recently, cybersecurity researchers have uncovered a sophisticated phishing campaign that exploits fake CAPTCHA images embedded in PDF documents. These malicious PDFs, hosted on Webflow’s content delivery network (CDN) and other domains like GoDaddy, Wix, and Fastly, serve as a vector for delivering the Lumma Stealer malware. The campaign has affected thousands of users and organizations worldwide, making it a significant threat in the cybersecurity domain.

The Phishing Campaign

How Attackers Use SEO to Lure Victims

One of the most alarming aspects of this campaign is how attackers leverage Search Engine Optimization (SEO) to manipulate search engine rankings. This tactic ensures that their malicious PDF documents appear as top results for various search queries, thereby increasing the likelihood of unsuspecting users clicking on them.

Netskope Threat Labs identified 260 unique domains hosting approximately 5,000 phishing PDF files. These documents redirect users to malicious websites under the pretext of requiring CAPTCHA verification, a commonly used security feature that users inherently trust.

Target Sectors and Geographic Impact

The campaign has had a widespread impact, affecting more than 1,150 organizations and over 7,000 individuals. The primary targets include:

  • Technology firms
  • Financial service providers
  • Manufacturing companies
  • Individuals across North America, Asia, and Southern Europe

The scale of this attack indicates that cybercriminals are employing highly automated techniques to deploy and distribute these malicious files across multiple platforms.

How the Attack Works

Fake CAPTCHA Pages as an Entry Point

The core deception in this campaign is a fake CAPTCHA image embedded in each PDF. The image is not a CAPTCHA at all: it is a link. Clicking it opens a phishing page that imitates a CAPTCHA check and instructs the victim to run a command, which launches a PowerShell script that installs Lumma Stealer, a well-known infostealer.
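Because the link-out lives inside the PDF itself, it can be inspected before anyone clicks anything: a clickable image is a /Link annotation carrying a /URI action. As an added illustration (not code from this article or from Netskope), the Python below pulls every /URI target out of an uncompressed PDF and flags the ones that look like a verification lure. The sample PDF, the hostnames, and the keyword heuristic are constructed for the example.

```python
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlparse

# Constructed minimal PDF for this example; it is not a sample from the campaign.
# Object 4 is a link annotation laid over the fake CAPTCHA image area that points
# to an external "verification" site; object 5 is a harmless footer link written
# as a PDF hex string so both string forms are exercised.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [150 400 460 520]
   /A << /S /URI /URI (https://captcha-verify.invalid/v/?id=8823) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [50 50 200 70]
   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6f72672f6c6963656e7365> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI value is a PDF string: either (literal) with backslash escapes or <hex>.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")

# Words the lure pages tend to put in their URLs; an assumed heuristic for this example.
LURE_WORDS = re.compile(r"captcha|verif(y|ication)|robot|human", re.I)


def _decode_pdf_string(literal: Optional[bytes], hexstr: Optional[bytes]) -> str:
    if literal is not None:
        # Unescape \( \) and \\ ; octal escapes are rare in URIs and left untouched.
        return re.sub(rb"\\([()\\])", rb"\1", literal).decode("latin-1")
    h = re.sub(rb"\s", b"", hexstr)
    if len(h) % 2:
        h += b"0"  # PDF pads an odd trailing nibble with zero
    return bytes.fromhex(h.decode("ascii")).decode("latin-1")


def extract_pdf_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target in an uncompressed PDF, in file order."""
    return [_decode_pdf_string(m.group(1), m.group(2)) for m in URI_RE.finditer(pdf)]


def suspicious_uris(pdf: bytes, allow_hosts: frozenset[str] = frozenset()) -> list[tuple[str, list[str]]]:
    """Link targets a reader should look at before trusting the document, with reasons."""
    findings = []
    for uri in extract_pdf_uris(pdf):
        parts = urlparse(uri)
        if (parts.hostname or "") in allow_hosts:
            continue
        reasons = []
        if parts.scheme.lower() != "https":
            reasons.append(f"non-HTTPS scheme {parts.scheme!r}")
        if LURE_WORDS.search(uri):
            reasons.append("CAPTCHA/verification lure wording in URL")
        if reasons:
            findings.append((uri, reasons))
    return findings


if __name__ == "__main__":
    for uri in extract_pdf_uris(SAMPLE_PDF):
        print("link:", uri)
    for uri, reasons in suspicious_uris(SAMPLE_PDF):
        print("SUSPICIOUS:", uri, "->", "; ".join(reasons))
```

The regex approach only sees dictionaries stored in the clear. PDF 1.5 and later files often pack annotations into compressed object streams, so run the document through a decompressor first (for example qpdf --qdf --object-streams=disable) or use a real parser. The same sweep is worth extending to /S /JavaScript and /S /Launch actions, which are the other two ways a PDF can do something other than display text.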

Lumma Stealer operates under the Malware-as-a-Service (MaaS) model, where cybercriminals rent access to the malware to steal sensitive data such as:

  • Login credentials
  • Credit card details
  • Browser session cookies
  • System information

Abuse of Trusted Platforms

To enhance credibility, attackers have been seen hosting their malicious PDF documents on legitimate platforms, including:

  • Webflow CDN
  • GoDaddy
  • Strikingly
  • Wix
  • Fastly
  • PDF repositories such as PDFCOFFEE, PDF4PRO, PDFBean, and Internet Archive

Users searching for PDF documents on everyday topics are steered to these files by poisoned search results. Hosting them on well-known platforms means domain-reputation filters rate the download source as benign, which is exactly why attackers choose these providers.

Additional Attack Vectors

Lumma Stealer Disguised as Popular Software

In addition to using fake CAPTCHA PDFs, threat actors have also disguised Lumma Stealer as:

  • Roblox games
  • Cracked versions of Total Commander (a popular file management tool)

These files are often distributed via YouTube videos uploaded from previously compromised accounts. Cybersecurity firm Silent Push highlighted that cybercriminals use:

  • YouTube comments
  • Video descriptions
  • Embedded links

as channels for spreading infected files.

Connection to the Dark Web and Leaky[.]pro

Recent investigations also reveal that logs stolen by Lumma Stealer are being shared for free on the Leaky[.]pro hacking forum, which emerged in late December 2024. This shows that the campaign is not only about stealing data but also about feeding it into a broader cybercriminal ecosystem.

Advanced Evasion Techniques Used in the Attack

ClickFix Technique

The phishing sites employ a method known as ClickFix, which tricks users into running a command themselves, typically by pasting it into the Windows Run dialog or a terminal. The command invokes MSHTA, which in turn launches a PowerShell script that installs Lumma Stealer; the stealer then harvests credentials, cookies, and other data from the infected machine and sends them to the attackers.

Unicode-Based JavaScript Obfuscation

Another technique used in these attacks involves Unicode-based JavaScript obfuscation. Attackers use two Unicode characters that render as nothing at all:

  • Halfwidth Hangul Filler (U+FFA0)
  • Hangul Filler (U+3164)

Each byte of the JavaScript payload is written as eight of these characters, one per bit, with one filler standing for 0 and the other for 1. The payload therefore looks like blank space in a phishing email or web page, and a short decoder routine rebuilds and executes it at runtime.
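Because the scheme is just a binary transcription, it is easy to reverse. The Python below is an added example (not code from the article or from the attackers) that encodes a payload the same way, finds long runs of the two fillers in a page, and decodes them back to text. The attackers write their decoder in JavaScript; Python is used here so the encoding itself is the focus. Which filler stands for 1 is the attacker's choice, so the recovery step tries both mappings; the sample snippet and the bit assignment are assumptions for this example.

```python
from __future__ import annotations

import re
from typing import Optional

# The two invisible characters the article names.
HALFWIDTH_FILLER = "\uffa0"   # HALFWIDTH HANGUL FILLER
FULLWIDTH_FILLER = "\u3164"   # HANGUL FILLER
FILLERS = HALFWIDTH_FILLER + FULLWIDTH_FILLER


def encode_invisible(payload: str, one: str = HALFWIDTH_FILLER, zero: str = FULLWIDTH_FILLER) -> str:
    """Write each byte of an ASCII payload as eight filler characters, one per bit.
    Which filler means 1 is arbitrary; the default here is an assumption for the example."""
    return "".join(one if bit == "1" else zero
                   for byte in payload.encode("ascii")
                   for bit in format(byte, "08b"))


def decode_invisible(blob: str, one: str = HALFWIDTH_FILLER, zero: str = FULLWIDTH_FILLER) -> str:
    """Inverse of encode_invisible; any non-filler characters in the blob are ignored."""
    bits = "".join("1" if ch == one else "0" for ch in blob if ch in (one, zero))
    usable = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("latin-1")


def _looks_like_text(s: str) -> bool:
    return bool(s) and all(32 <= ord(c) < 127 or c in "\t\r\n" for c in s)


def recover_payload(blob: str) -> Optional[str]:
    """Try both bit mappings. ASCII decoded with the wrong mapping comes out with
    every high bit set, so whichever candidate is printable is the real one."""
    for one, zero in ((HALFWIDTH_FILLER, FULLWIDTH_FILLER), (FULLWIDTH_FILLER, HALFWIDTH_FILLER)):
        candidate = decode_invisible(blob, one, zero)
        if _looks_like_text(candidate):
            return candidate
    return None


def find_hidden_runs(text: str, min_chars: int = 64) -> list[tuple[int, int]]:
    """Locate (offset, length) of filler runs long enough to carry at least 8 bytes."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(f"[{FILLERS}]{{{min_chars},}}", text)]


def scan_for_hidden_payloads(text: str) -> list[Optional[str]]:
    """Decode every suspicious run in a page; None marks a run that fits neither mapping."""
    return [recover_payload(text[start:start + length]) for start, length in find_hidden_runs(text)]


# Constructed sample: a harmless-looking script whose config value is an "empty" string.
HIDDEN = encode_invisible('alert("hidden")')
SAMPLE_JS = 'var cfg = {"k": "' + HIDDEN + '"};\nconsole.log("nothing to see");\n'

if __name__ == "__main__":
    for start, length in find_hidden_runs(SAMPLE_JS):
        print(f"{length} invisible characters at offset {start} -> {recover_payload(SAMPLE_JS[start:start + length])!r}")
```

A content filter does not need to decode anything to act on this: a run of sixty-four or more Hangul fillers in a script or an HTML attribute has no legitimate use and is reason enough to block or quarantine. The decoder is for the analyst who wants to see what would have run.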

Protection Against Lumma Stealer and Fake CAPTCHA Attacks

Best Practices for Users

To mitigate the risks of falling victim to this attack, users should follow these best practices:

  1. Verify CAPTCHA Prompts: A legitimate CAPTCHA never asks you to download a file or to copy a command into the Run dialog, a terminal, or PowerShell. Any "verification" that does is an attack.
  2. Avoid Downloading Random PDFs: Be cautious when downloading PDFs from unknown sources, especially those found via search engines.
  3. Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security in case login credentials are compromised.
  4. Use Security Software: Deploying an advanced antivirus and anti-malware solution can help detect and block threats.
  5. Check URLs Before Clicking: Always inspect links before clicking, especially if they redirect you to a CAPTCHA verification page.

Best Practices for Organizations

Organizations should:

  • Collect process-creation telemetry with command lines and enable PowerShell logging, so that mshta.exe or powershell.exe launched from explorer.exe with a remote URL or an encoded command can be detected; block mshta.exe with application control where users have no need for it.
  • Educate employees on identifying phishing attempts, including the ClickFix pattern of a page asking them to paste a command.
  • Monitor web proxy logs for PDF downloads from free hosting and CDN platforms (Webflow, GoDaddy, Wix, Fastly, and similar) that are followed shortly afterwards by outbound connections from mshta.exe or powershell.exe on the same host.

Conclusion

The discovery of fake CAPTCHA PDFs being used to spread Lumma Stealer highlights the evolving sophistication of cyber threats. Cybercriminals continue to refine their techniques, leveraging SEO, trusted hosting platforms, and social engineering to bypass security measures.

Organizations and individuals must remain vigilant and employ robust cybersecurity strategies to counter such threats. Academy by SoloSecurities strongly advises implementing proactive security measures and staying informed about emerging cyber risks. The fight against cybercrime requires a collective effort—awareness and prevention are the keys to staying secure in the digital world.


FAQs

1. What is Lumma Stealer?

Lumma Stealer is an infostealer malware that harvests sensitive information, including login credentials, financial data, and system information, from infected devices.

2. How does the fake CAPTCHA attack work?

Attackers embed fake CAPTCHA images in PDFs hosted on legitimate platforms. Clicking the image opens a phishing page that tells the user to run a command; that command launches PowerShell and installs Lumma Stealer.

3. How can I protect myself from these attacks?

Avoid downloading random PDFs, verify CAPTCHA prompts, enable MFA, use security software, and inspect links before clicking on them.

4. How widespread is this phishing campaign?

The attack has affected over 1,150 organizations and 7,000 individuals across North America, Asia, and Southern Europe.

5. What role does SEO play in this attack?

Attackers use SEO to ensure their malicious PDFs rank high in search engine results, increasing the chances of victims clicking on them.
