
Massive phishing campaign taps bogus CAPTCHA PDFs to spread Lumma Stealer

More than 1,150 organizations and over 7,000 users, primarily in North America, Southern Europe, and Asia and particularly in the technology, manufacturing, and financial services industries, have been compromised with Lumma Stealer in a widespread phishing campaign that has used almost 5,000 malicious PDF files containing phony CAPTCHA images since the second half of 2024, according to The Hacker News.

The intrusions abused search engine optimization to lure victims into downloading the PDFs, most of which are hosted on Webflow's content delivery network. The PDFs contain fake CAPTCHA images that lead to illicit PowerShell command execution and the eventual deployment of Lumma Stealer, a report from Netskope Threat Labs revealed. The campaign comes as Lumma Stealer has also recently been spread via bogus Roblox games and a trojanized pirated Windows Total Commander tool promoted by hijacked YouTube accounts. "Exercising caution and being skeptical of unverified sources when interacting with YouTube content, especially when prompted to download or click on links, can help protect against these growing threats," said threat intelligence solution provider Silent Push.
