Cybersecurity researchers have discovered a widespread phishing campaign that uses fake CAPTCHA images, distributed through PDF documents hosted on the Webflow content delivery network (CDN), to deliver the Lumma Stealer malware.
Netskope Threat Labs said it uncovered 260 unique domains hosting 5,000 phishing PDF files that redirect victims to malicious websites.
“The attacker uses SEO to trick victims into visiting the pages by clicking on malicious search engine results,” security researcher Jan Michael Alcantara noted in a report shared with The Hacker News.
“While most of the phishing pages focus on stealing credit card information, some PDF files contain fake CAPTCHAs that trick victims into executing malicious PowerShell commands, ultimately leading to Lumma Stealer malware.”
The phishing campaign is estimated to have affected more than 1,150 organizations and more than 7,000 users since the second half of 2024, with the attacks primarily targeting victims in North America, Asia, and Southern Europe across the technology, financial services, and manufacturing sectors.
Of the 260 domains found hosting the fake PDFs, most are related to Webflow, followed by those related to GoDaddy, Strikingly, Wix, and Fastly.
The attackers have also been observed uploading some of the PDF files to legitimate online libraries and PDF repositories such as PDFCOFFEE, PDF4PRO, PDFBean, and the Internet Archive, so that users searching for PDF documents in search engines are directed to them.
The PDFs contain fraudulent CAPTCHA images that act as a conduit for credit card information theft. Those distributing Lumma Stealer, in contrast, contain images with a prompt to download the document that, when clicked, takes the victim to the malicious site.
The site, for its part, masquerades as a fake CAPTCHA verification page that uses the ClickFix technique to trick the victim into running an mshta command, which executes the stealer malware via a PowerShell script.
In recent weeks, Lumma Stealer has also been disguised as Roblox games and a cracked version of the Total Commander tool for Windows, highlighting the many delivery mechanisms adopted by various threat actors. Users are redirected to these websites via YouTube videos that are likely uploaded from previously compromised accounts.
“Malicious links and infected files are often masked in videos, comments, or descriptions on YouTube,” Silent Push noted. “Being cautious and skeptical of unverified sources when interacting with YouTube content, especially when prompted to download or click on links, can help protect against these growing threats.”
The cybersecurity company also found that Lumma Stealer logs are being shared for free on a relatively new hacking forum called Stealy () PRO, which went live at the end of December 2024.
Lumma Stealer is a fully featured crimeware solution offered for sale under the malware-as-a-service (MaaS) model, giving buyers the ability to collect a wide range of information from compromised Windows hosts. In early 2024, the malware operators announced integration with a Golang-based proxy, GhostSocks.
“Adding a Backconnect SOCKS5 feature to existing – noted.
“Using the victims' internet connections, attackers can bypass geographic restrictions and IP-based verification, particularly those enforced by financial institutions and other high-value targets. This capability greatly increases the likelihood of success for unauthorized access attempts using credentials stolen by the Lumma infostealer.”
The disclosure comes as stealer malware such as Vidar and Atomic macOS Stealer (AMOS) is being distributed using the ClickFix method via artificial intelligence (AI) DeepSeek lures, according to Zscaler ThreatLabz and eSentire.
Phishing attacks have also been observed abusing a JavaScript obfuscation method that uses invisible Unicode characters to represent binary values, a technique that was first documented in October 2024.
The approach entails using Unicode filler characters, specifically the half-width Hangul filler (U+FFA0) and the full-width Hangul filler (U+3164), to represent the binary values 0 and 1 respectively, and converting each ASCII character of the JavaScript payload into its Hangul equivalent.
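As an added defender-side example (not code from the article or from the research it cites), the following JavaScript scans a script body for runs of the two Hangul filler characters and decodes them back to ASCII so an analyst can see what such an obfuscated script hides. It assumes eight bits per character, most significant bit first, with U+FFA0 as 0 and U+3164 as 1; the sample script is constructed for the demonstration.

```javascript
// Added example, not from the article: detect and decode JavaScript payloads hidden
// in Hangul filler characters. Assumed encoding (not stated on the page): 8 bits per
// ASCII character, most significant bit first, U+FFA0 = 0 and U+3164 = 1.
const HALF_WIDTH_FILLER = "\uFFA0"; // represents binary 0
const FULL_WIDTH_FILLER = "\u3164"; // represents binary 1

// Decode one run of filler characters back into ASCII text (trailing partial byte ignored).
function decodeFillerRun(run) {
  let out = "";
  for (let i = 0; i + 8 <= run.length; i += 8) {
    let byte = 0;
    for (let j = 0; j < 8; j++) {
      byte = (byte << 1) | (run[i + j] === FULL_WIDTH_FILLER ? 1 : 0);
    }
    out += String.fromCharCode(byte);
  }
  return out;
}

// Scan a script body for runs of filler characters long enough to hide at least
// `minBytes` bytes, returning each run's offset and decoded content for review.
function findHiddenPayloads(source, minBytes = 1) {
  const runPattern = /[\uFFA0\u3164]+/g; // both fillers are single UTF-16 code units
  const findings = [];
  let match;
  while ((match = runPattern.exec(source)) !== null) {
    if (match[0].length >= minBytes * 8) {
      findings.push({ offset: match.index, decoded: decodeFillerRun(match[0]) });
    }
  }
  return findings;
}

// Helper used only to build the constructed sample below (inverse of decodeFillerRun).
function encodeAsFiller(text) {
  let out = "";
  for (const ch of text) {
    const bits = ch.charCodeAt(0).toString(2).padStart(8, "0");
    for (const b of bits) out += b === "1" ? FULL_WIDTH_FILLER : HALF_WIDTH_FILLER;
  }
  return out;
}

// Constructed sample: a harmless word hidden among fillers inside an otherwise ordinary script.
// To the eye the string literal looks empty, because both filler characters are invisible.
const SAMPLE_SCRIPT = 'var x = "' + encodeAsFiller("hello") + '"; console.log(x);';
```

Scanning `SAMPLE_SCRIPT` with `findHiddenPayloads` reports one run at offset 9 that decodes to `hello`; a script with no filler characters yields no findings.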
“The attacks were highly personalized – noted.