5,000 Lumma Stealer phishing PDFs are distributed through bogus CAPTCHAs across 260 domains.

Cybersecurity researchers have discovered a widespread phishing campaign that uses fake CAPTCHA images embedded in PDF files hosted on Webflow's content delivery network (CDN) to distribute the Lumma stealer malware.

According to Netskope Threat Labs, 260 distinct domains host 5,000 phishing PDF files that redirect users to malicious sites.

In a statement shared with The Hacker News, security researcher Jan Michael Alcantara said that the attacker “uses SEO to key subjects into visiting the pages by clicking on malignant search engine results.”

While the majority of the phishing websites focus on stealing credit card data, some of the PDF files contain fake CAPTCHAs that trick users into running malicious PowerShell commands, eventually leading to the Lumma Stealer malware.

Since the second quarter of 2024, the phishing campaign has reportedly affected more than 1,150 organizations and more than 7,000 users across the manufacturing, technology, and financial services sectors, with the attacks mostly targeting victims in North America, Asia, and Southeastern Europe.

The majority of the 260 domains identified are , followed by those associated with GoDaddy, Strikingly, Wix, and Fastly.

Some of the PDF documents have also been found uploaded to legitimate online libraries and archives such as PDFCOFFEE, PDF4PRO, PDFBean, and the Internet Archive, so that people searching for PDF files on search engines are directed to them.

The files contain fake CAPTCHA images that are used to capture credit card data. Alternatively, the files that distribute Lumma Stealer include an image that prompts the user to download the document; clicking it redirects the victim to a malicious website.

The website, which masquerades as a fake CAPTCHA verification page, uses the ClickFix technique to trick the victim into running an MSHTA command that in turn launches a PowerShell script to execute the stealer malware.

Lumma Stealer has also been distributed under the guise of Roblox games in recent weeks, highlighting the numerous distribution methods used by different threat actors. Users are redirected to these sites via YouTube videos that were most likely uploaded from previously compromised accounts.

According to Silent Push, “Malignant links and infected files are frequently disguised in YouTube movies, comments, or explanations.” When interacting with YouTube content, especially when asked to download or click on links, exercising caution and being wary of unverified sources can help guard against these growing threats.

Additionally, the cybersecurity firm discovered that Lumma Stealer logs are being offered for free on a relatively new hacking forum called Leaky[.]pro, which began operating in late December 2024.

Lumma Stealer is a fully featured crimeware solution sold under the malware-as-a-service (MaaS) model, allowing its customers to harvest a wide range of data from compromised Windows hosts. The malware developers announced an integration with GhostSocks, a Golang-based proxy malware, in early 2024.

For threat actors, adding a SOCKS5 backconnect capability to existing Lumma infections, or to any other malware for that matter, is extremely lucrative, according to Infrawatch.

By routing traffic through victims' internet connections, attackers can circumvent geographic restrictions and IP-based integrity checks, particularly those put in place by financial institutions and other high-value targets. This capability significantly increases the success rate of unauthorized access attempts made with credentials obtained from infostealer logs, further raising the post-exploitation value of Lumma infections.

According to and , stealer malware such as and Atomic macOS Stealer ( ) are being distributed using the ClickFix method via lures themed around the DeepSeek artificial intelligence (AI) chatbot.

A JavaScript obfuscation method that uses Unicode filler characters, which render as blank, to represent binary values was first discovered in October of this year.

The method uses Unicode filler characters, specifically the Hangul half-width filler (U+FFA0) and the Hangul full-width filler (U+3164), to represent the binary values 0 and 1, respectively, and converts each ASCII character of the JavaScript payload into its Hangul-filler equivalent.
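As an added illustration (not code from the article or the research it cites), the following Python reproduces the mapping above, with the bit order within each byte assumed to be most-significant bit first, and includes a small detection helper that scans JavaScript source for runs of the two filler characters and decodes them so an analyst can see what is hidden.

```python
# Added example: encode/decode the Hangul-filler obfuscation and flag it in source.
import re

ZERO = "\uFFA0"  # Hangul half-width filler -> bit 0
ONE = "\u3164"   # Hangul full-width filler -> bit 1


def encode_hangul(text: str) -> str:
    """Map each ASCII character to 8 filler characters (MSB first; assumed order)."""
    out = []
    for byte in text.encode("ascii"):
        out.append("".join(ONE if (byte >> i) & 1 else ZERO for i in range(7, -1, -1)))
    return "".join(out)


def decode_hangul(blob: str) -> str:
    """Reverse the mapping; rejects non-filler characters or an incomplete byte."""
    if len(blob) % 8 or any(c not in (ZERO, ONE) for c in blob):
        raise ValueError("not a clean filler-encoded run")
    chars = []
    for i in range(0, len(blob), 8):
        value = 0
        for c in blob[i:i + 8]:
            value = (value << 1) | (1 if c == ONE else 0)
        chars.append(chr(value))
    return "".join(chars)


# Eight or more consecutive fillers is at least one hidden byte.
FILLER_RUN = re.compile("[\uFFA0\u3164]{8,}")


def find_hidden_payloads(source: str) -> list[str]:
    """Detection helper: decode every filler run found in a JavaScript file."""
    hits = []
    for match in FILLER_RUN.finditer(source):
        run = match.group(0)
        run = run[: len(run) - len(run) % 8]  # drop a trailing partial byte
        hits.append(decode_hangul(run))
    return hits


# Constructed sample: a harmless call hidden in an otherwise ordinary script.
SAMPLE_JS = "var k = '" + encode_hangul("hello()") + "';\nconsole.log('ok');\n"

if __name__ == "__main__":
    print(find_hidden_payloads(SAMPLE_JS))  # ['hello()']
```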

The attacks were highly personalized, incorporating non-public information, and the initial JavaScript attempted to detect analysis by invoking a debugger breakpoint and checking for a delay, aborting the attack by redirecting to a benign website if one was found, according to Juniper Threat Labs.
