Fake CAPTCHA PDFs are being used to spread Lumma Stealer malware through phishing campaigns. Researchers have found 260 domains hosting 5,000 malicious PDFs. These files redirect victims to malicious websites, where attackers steal data or install malware.
Cybercriminals use SEO techniques to make their malicious pages appear in search engine results. Many victims unknowingly click these links, believing they are downloading legitimate PDFs. Some of these documents instead contain fake CAPTCHA images designed to trick users into running harmful PowerShell commands.
Reports indicate that over 7,000 users from 1,150 organizations have been affected since mid-2024. The primary targets are in North America, Asia, and Southern Europe, especially in the tech, financial, and manufacturing industries. Attackers host fake PDFs on platforms like Webflow, GoDaddy, Strikingly, and Wix. They also upload files to online libraries, making them more likely to appear in search results.
How the Attack Works
Victims searching for PDFs online may land on phishing pages containing fake CAPTCHA images. Clicking these images redirects them to malware-hosting sites. The malicious page tricks users into running an MSHTA command, which launches a PowerShell script that executes Lumma Stealer.
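The mshta-to-PowerShell chain described above is the point where endpoint telemetry can catch this infection before Lumma Stealer runs. The following is an added detection example written for this article (not code from the original report); it runs two rules over constructed process-creation events, and every host and path in the sample data is a placeholder.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style), constructed for this example."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry: a benign Office launch, the mshta -> PowerShell chain
# the article describes, and a legitimate local .hta run that must NOT be flagged.
# Hosts and paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE report.docx"),
    ProcEvent(300, 100, r"C:\Windows\System32\mshta.exe", "mshta.exe https://placeholder.invalid/verify"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe <arguments omitted>"),
    ProcEvent(500, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Tools\admin_dialog.hta"),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Return (rule, pid) pairs for events matching the fake-CAPTCHA execution chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        # Rule 1: mshta.exe handed a remote URL instead of a local .hta file
        if name == "mshta.exe" and URL_RE.search(e.cmdline):
            hits.append(("mshta_remote_url", e.pid))
        # Rule 2: PowerShell spawned by mshta.exe, whatever its arguments look like
        if name == "powershell.exe" and parent_name == "mshta.exe":
            hits.append(("mshta_spawns_powershell", e.pid))
    return hits
```

Both rules are parent/child and argument checks only, so they are cheap to run continuously and do not depend on the payload's hashes or domains changing.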
Recently, hackers have also disguised Lumma Stealer as Roblox games and cracked software. These files are promoted through YouTube videos, often uploaded from compromised accounts. Attackers embed malicious links in video descriptions and comments, further spreading the malware.
Researchers also discovered that stolen data logs from Lumma Stealer are being shared for free on underground forums. Cybercriminals use this information to compromise user accounts, steal financial data, and bypass security restrictions.
Preventing Lumma Stealer Infections
To stay safe, avoid downloading PDFs from untrusted sources. Always verify file origins before clicking any links, especially those requiring CAPTCHA verification; a genuine CAPTCHA never asks you to copy, paste, or run a command. Additionally, keep antivirus software updated and enable browser security settings to block suspicious sites. Staying alert and practicing cybersecurity awareness can prevent these attacks.