NCERT Warns Against Hackers Using Fake CAPTCHA, PDF Files to Inject Malware

The National Computer Emergency Response Team (National CERT) has issued an advisory warning against a phishing campaign that uses fake CAPTCHA images in PDF files to spread Lumma Stealer malware.

The large-scale attack compromised thousands of users across the technology, financial services, and manufacturing sectors, primarily in North America, Asia, and Southern Europe.

Cybercriminals are using search engine manipulation to distribute these malicious PDFs, which redirect victims to fraudulent sites designed to steal financial information or install malware.

According to the advisory, the attack relies on PDF files containing deceptive CAPTCHA images that prompt users to click a link leading to phishing websites. These sites either harvest sensitive financial data or use MSHTA commands to run PowerShell scripts that silently install the Lumma Stealer malware. The attackers host these PDFs on platforms such as PDFCOFFEE, PDF4PRO, and Internet Archive, which makes them appear credible in search engine results.

Lumma Stealer is a Malware-as-a-Service (MaaS) tool capable of stealing login credentials, browser cookies, and cryptocurrency wallet data. It also deploys GhostSocks, a proxy malware that exploits victims’ internet connections. Stolen credentials are being sold on underground forums like Leaky[.]pro. Malicious domains associated with the campaign include pdf-freefiles[.]com, webflow-docs[.]info, secure-pdfread[.]site, and docsviewing[.]net.

National CERT has recommended immediate security measures, including educating employees on phishing risks, deploying advanced endpoint protection, and restricting PowerShell and MSHTA execution. Organizations are also advised to block malicious domains, enable PowerShell logging, and enforce multi-factor authentication (MFA) to mitigate the risk of credential theft. Monitoring search engine results for fraudulent domains impersonating legitimate services is also essential.
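As an added illustration of the domain-blocking and MSHTA-monitoring recommendations (example code written for this page, not part of the National CERT advisory), the sketch below triages proxy and process-creation events against the four domains named above. The event tuple format, the function names, and the sample events are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domains listed in the article above, refanged for matching.
CAMPAIGN_DOMAINS = {d.replace("[.]", ".") for d in (
    "pdf-freefiles[.]com", "webflow-docs[.]info",
    "secure-pdfread[.]site", "docsviewing[.]net",
)}

# mshta handed a remote URL, or mshta and PowerShell in one command line.
MSHTA_REMOTE = re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)
MSHTA_POWERSHELL = re.compile(r"\bmshta(\.exe)?\b.*\bpowershell\b", re.I)
URL_IN_TEXT = re.compile(r"https?://[^\s\"']+", re.I)

def host_of(value):
    """Return the lowercase hostname from a URL or a bare host string."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").rstrip(".").lower()

def is_campaign_host(value):
    """True for a listed domain or a subdomain of one, not look-alike suffixes."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)

def triage(events):
    """events: iterable of (kind, text), kind being 'url' or 'cmdline'."""
    findings = []
    for kind, text in events:
        if kind == "url" and is_campaign_host(text):
            findings.append(("campaign-domain", text))
        elif kind == "cmdline":
            if any(is_campaign_host(u) for u in URL_IN_TEXT.findall(text)):
                findings.append(("campaign-domain", text))
            elif MSHTA_REMOTE.search(text) or MSHTA_POWERSHELL.search(text):
                findings.append(("mshta-suspicious", text))
    return findings

# Constructed sample events (not from the advisory or from real telemetry).
SAMPLE = [
    ("url", "https://cdn.secure-pdfread.site/view?id=1"),   # subdomain of a listed domain
    ("url", "https://notdocsviewing.net/"),                 # look-alike suffix, not listed
    ("url", "DOCSVIEWING.NET."),                            # bare host, upper case, trailing dot
    ("cmdline", "mshta.exe https://example.invalid/verify.hta"),
    ("cmdline", r"C:\Windows\System32\mshta.exe C:\Tools\inventory.hta"),  # local HTA
]

if __name__ == "__main__":
    for rule, text in triage(SAMPLE):
        print(rule, "|", text)
```

Matching on the parsed hostname with a leading-dot suffix check avoids both missed subdomains and false hits on unrelated domains that merely end with the same characters.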

The advisory stresses the growing sophistication of cyber threats, urging organizations to adopt proactive cybersecurity measures. Best practices include regular patch management, restricting administrative privileges, and using application whitelisting. As attackers continue to refine their methods, staying vigilant and strengthening security frameworks is critical to preventing large-scale data breaches.

The post NCERT Warns Against Hackers Using Fake CAPTCHA, PDF Files to Inject Malware appeared first on ProPakistani.
