Pakistan’s National Computer Emergency Response Team (National CERT) issued a warning on Wednesday regarding a large-scale phishing campaign using fake CAPTCHA images embedded in PDF files to spread Lumma Stealer malware.
The attack, which compromised thousands of users, primarily targeted sectors such as technology, financial services, and manufacturing, with most victims based in North America, Asia, and Southern Europe.
National CERT revealed that cybercriminals had been manipulating search engine results to distribute malicious PDFs.
These files contained deceptive CAPTCHA images that encouraged users to click on a link, leading them to phishing websites.
The sites were designed either to harvest sensitive financial data or to install Lumma Stealer malware.
The attackers used platforms such as PDFCOFFEE, PDF4PRO, and Internet Archive to host these PDFs, making them appear legitimate in search engine results.
The advisory noted that Lumma Stealer, a Malware-as-a-Service (MaaS) tool, could steal login credentials, browser cookies, and cryptocurrency wallet data.
The malware also dropped GhostSocks, a SOCKS5 back-connect proxy that turns infected hosts into residential proxies, letting the attackers route their own traffic through victims’ internet connections.
Stolen credentials were being sold on underground forums, including Leaky[.]pro. Malicious domains related to the campaign included pdf-freefiles[.]com, webflow-docs[.]info, secure-pdfread[.]site, and docsviewing[.]net.
National CERT recommended several urgent security measures to mitigate the risk of these attacks.
Organisations were advised to educate employees on phishing risks, deploy advanced endpoint protection, and restrict PowerShell and MSHTA execution.
Blocking malicious domains, enabling PowerShell logging, and enforcing multi-factor authentication (MFA) were also strongly encouraged.
Because the campaign relied on poisoned search rankings, the advisory also described monitoring search engine results for fraudulent domains impersonating legitimate services as vital.
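The advisory publishes its domain indicators in de-fanged form (`pdf-freefiles[.]com` and so on), so anyone turning them into a blocklist or a log search has to re-fang them first and then match on DNS label boundaries, otherwise a lookalike such as `notdocsviewing.net` would trip the rule while a subdomain such as `cdn.pdf-freefiles.com` might not. The following Python is an added example, not code from National CERT or from the article; the log lines are constructed for illustration and the three-field log format is an assumption.

```python
"""Match the advisory's de-fanged domain IOCs against DNS query logs.

Added example, not part of the National CERT advisory. The log lines and
the "<timestamp> <client IP> <queried name>" format are constructed here.
"""
import re
from typing import Iterable

# De-fanged indicators exactly as published in the advisory.
DEFANGED_IOCS = [
    "pdf-freefiles[.]com",
    "webflow-docs[.]info",
    "secure-pdfread[.]site",
    "docsviewing[.]net",
]


def refang(indicator: str) -> str:
    """Turn a de-fanged indicator ("example[.]com", "hxxps://") back into a usable string."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the IOC domain itself or a subdomain of it.

    Matching on label boundaries avoids false positives such as
    "notdocsviewing.net" matching the IOC "docsviewing.net", while still
    catching "cdn.pdf-freefiles.com" for the IOC "pdf-freefiles.com".
    """
    host = host.lower().rstrip(".")          # normalise case and FQDN trailing dot
    ioc_domain = ioc_domain.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Assumed (constructed) log format: "<ISO timestamp> <client IP> <queried name>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s*$")


def scan_dns_log(lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS) -> list[dict]:
    """Return one hit per log line whose queried name is an IOC domain or a subdomain of one."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the scan
        qname = m.group("qname")
        for ioc in refanged:
            if domain_matches(qname, ioc):
                hits.append({"timestamp": m.group("ts"), "client": m.group("client"),
                             "query": qname, "ioc": ioc})
                break  # one hit per line is enough
    return hits


SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2025-03-19T09:14:02Z 10.20.30.41 www.example.com",
    "2025-03-19T09:14:05Z 10.20.30.41 cdn.pdf-freefiles.com",    # subdomain of an IOC
    "2025-03-19T09:14:07Z 10.20.30.77 notdocsviewing.net",       # lookalike, must NOT match
    "2025-03-19T09:14:09Z 10.20.30.77 secure-pdfread.site.",     # FQDN form with trailing dot
    "2025-03-19T09:14:11Z 10.20.30.88 DOCSVIEWING.NET",          # upper-case query
    "malformed",                                                 # not a parsable record
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} queried {hit['query']} (IOC: {hit['ioc']})")
```

Running the block over the constructed sample reports three hits (the subdomain, the FQDN with a trailing dot, and the upper-case query) and correctly ignores the lookalike domain. The same `refang` and `domain_matches` helpers can feed a resolver or firewall blocklist, which is the other half of the advisory's recommendation.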
The advisory underscored the growing sophistication of cyber threats and urged organizations to adopt proactive cybersecurity measures.
Regular patch management, restricting administrative privileges, and using application whitelisting were identified as best practices to strengthen security frameworks and prevent data breaches.