Pakistan’s National CERT has warned about a widespread phishing campaign that uses fake CAPTCHA images embedded in PDF files to distribute Lumma Stealer malware. This attack has compromised thousands of users, mainly targeting the technology, financial services, and manufacturing sectors, with most victims located in North America, Asia, and Southern Europe.
According to the advisory, cybercriminals are manipulating search engine results (SEO poisoning) so that these malicious PDFs rank for common document searches. Each file displays a counterfeit CAPTCHA image that serves as the lure: clicking it follows a link embedded in the PDF to a phishing website. These sites are crafted either to steal sensitive financial data or to install Lumma Stealer malware on the victim's device.
The attackers are hosting these PDFs on document-sharing platforms such as PDFCOFFEE, PDF4PRO, and the Internet Archive, which lends the files legitimacy in search results. Lumma Stealer, which is sold as a Malware-as-a-Service (MaaS) offering, is capable of stealing login credentials, browser cookies, and cryptocurrency wallet data. In addition, the malware deploys GhostSocks, a proxy component that turns the infected machine into a relay for the attackers' traffic, abusing the victim's internet connection.
Stolen credentials are reportedly being sold on underground forums, including one known as Leaky[.]pro. Malicious domains linked to this campaign include pdf-freefiles[.]com, webflow-docs[.]info, secure-pdfread[.]site, and docsviewing[.]net.
To counter these threats, National CERT has urged organizations to implement several urgent security measures. These include educating employees about phishing risks, deploying advanced endpoint protection, and restricting the use of PowerShell and MSHTA (mshta.exe). Other recommended actions are blocking the malicious domains listed above, enabling PowerShell logging (script block logging and transcription, so that any downloader stage is recorded), enforcing multi-factor authentication (MFA), and closely monitoring search engine results for fraudulent domains impersonating legitimate services.
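The indicators listed above, together with the domain-blocking and monitoring recommendations, lend themselves to a small hunting script. The following Python is an added example, not code from the advisory or from National CERT. It assumes a hypothetical whitespace-separated proxy log format and a constructed, uncompressed PDF, both embedded inline, and flags PDF link annotations and proxy requests whose host is one of the advisory's domains (or a subdomain of one).

```python
import re
from urllib.parse import urlsplit

# Domains named in the National CERT advisory (defanged there as name[.]tld).
IOC_DOMAINS = frozenset({
    "pdf-freefiles.com",
    "webflow-docs.info",
    "secure-pdfread.site",
    "docsviewing.net",
})


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxps://x[.]com') back into a real URL/host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def url_host(url: str) -> str:
    """Hostname of a URL (refanged first), lower-cased; '' if unparseable."""
    return (urlsplit(refang(url)).hostname or "").lower()


def host_matches_ioc(host: str, iocs=IOC_DOMAINS) -> bool:
    """True if host is an IOC domain or any subdomain of one.

    Matching on the dot boundary avoids false positives such as
    'notpdf-freefiles.com' while still catching 'cdn.pdf-freefiles.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


# A PDF link annotation stores its target as /A << /S /URI /URI (url) >>.
# This regex finds such actions in uncompressed objects. Caveat: many real
# PDFs keep annotations inside FlateDecode object streams, so inflate those
# (e.g. with pypdf) before scanning; a URL containing ')' is also truncated.
_URI_ACTION = re.compile(rb"/URI\s*\((?P<url>[^)]*)\)")


def extract_pdf_links(pdf_bytes: bytes) -> list[str]:
    """All /URI action targets found in the raw PDF bytes."""
    return [m.group("url").decode("latin-1") for m in _URI_ACTION.finditer(pdf_bytes)]


def flag_pdf(pdf_bytes: bytes) -> list[str]:
    """Links in the PDF whose host matches an advisory IOC."""
    return [u for u in extract_pdf_links(pdf_bytes) if host_matches_ioc(url_host(u))]


def scan_proxy_log(log_text: str) -> list[tuple[str, str]]:
    """(client, url) pairs for requests to IOC hosts.

    Assumed (hypothetical) log format: '<timestamp> <client> <method> <url> <status>'.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        if host_matches_ioc(url_host(url)):
            hits.append((client, url))
    return hits


def blocklist_hosts_entries(iocs=IOC_DOMAINS) -> list[str]:
    """hosts-file lines that sinkhole the IOC domains (a stopgap until DNS/proxy policy covers them)."""
    return [f"0.0.0.0 {d}" for d in sorted(iocs)]


# Constructed sample PDF (not a real campaign file): one full-page link
# annotation, the kind a fake CAPTCHA image sits on top of, plus a benign link.
CONSTRUCTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]"
    b" /A << /S /URI /URI (https://secure-pdfread.site/verify?doc=invoice) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://www.example.org/terms) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed proxy log lines in the assumed format above.
CONSTRUCTED_PROXY_LOG = """\
2025-03-10T09:12:01Z 10.0.4.17 GET https://www.example.org/ 200
2025-03-10T09:12:44Z 10.0.4.17 GET https://cdn.pdf-freefiles.com/captcha.png 200
2025-03-10T09:13:02Z 10.0.4.23 GET https://archive.org/details/some-document 200
2025-03-10T09:13:30Z 10.0.4.17 GET https://secure-pdfread.site/verify?id=42 302
"""

if __name__ == "__main__":
    print("PDF links to IOC hosts:", flag_pdf(CONSTRUCTED_PDF))
    print("Proxy hits:", scan_proxy_log(CONSTRUCTED_PROXY_LOG))
    print("\n".join(blocklist_hosts_entries()))
```

The PDF scan only sees link actions stored in plain objects; decompress object streams first for files that use them, and treat a document whose single link annotation spans the whole page (so that any click on the "CAPTCHA" follows it) as the tell-tale layout. Hosts-file sinkholing is a quick stopgap for a handful of domains; the advisory's call to block the domains is better met at the DNS resolver or web proxy, where the same suffix matching applies and the hits are logged centrally.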
The advisory emphasizes the increasing sophistication of cyber threats and the need for proactive cybersecurity practices, such as regular patch management, limiting administrative privileges, and employing application whitelisting to prevent data breaches.