Cybersecurity researchers have uncovered a large-scale phishing campaign leveraging fake CAPTCHA images embedded in PDF documents hosted on Webflow’s content delivery network (CDN).

Netskope Threat Labs identified 260 unique domains distributing 5,000 phishing PDFs, tricking users into visiting malicious websites. Attackers use SEO tactics to lure victims through search engine results, with some PDFs aiming to steal credit card information, while others execute malicious PowerShell commands to deliver the Lumma Stealer malware. Since mid-2024, the campaign has impacted over 1,150 organizations and 7,000 users, primarily targeting North America, Asia, and Southern Europe across industries like technology, finance, and manufacturing.

The attack infrastructure extends beyond Webflow, with phishing PDFs also appearing on GoDaddy, Strikingly, Wix, and Fastly. Some files are uploaded to legitimate online libraries and repositories, making them accessible via search engines. Victims are often deceived by fraudulent CAPTCHA images, which, when clicked, either steal financial information or redirect them to fake verification pages that trigger malware downloads. The Lumma Stealer malware has also been distributed through deceptive YouTube videos, masquerading as Roblox games or cracked software, exposing users to further threats. The stolen data is later shared on hacking forums like Leaky[.]pro, where cybercriminals trade compromised credentials and access logs.

Lumma Stealer is a malware-as-a-service (MaaS) tool designed to extract sensitive data from Windows hosts, and it has recently been integrated with the Golang-based proxy malware GhostSocks. This enhancement allows attackers to exploit victims’ internet connections, bypassing geographic restrictions and IP security measures, which makes financial institutions and high-value targets more vulnerable. Meanwhile, other infostealers like Vidar and Atomic macOS Stealer (AMOS) are being distributed through similar tactics, including the ClickFix method. Additionally, researchers have observed JavaScript-based phishing attacks using invisible Unicode characters to bypass detection. These evolving threats underscore the increasing sophistication of cybercriminal tactics, emphasizing the need for heightened vigilance against deceptive online content.
