Cybercriminals Use Fake CAPTCHA in PDFs to Spread Lumma Stealer Malware

The National Computer Emergency Response Team (National CERT) has issued a critical advisory warning organizations and individuals about a widespread phishing campaign that leverages fake CAPTCHA images in malicious PDF files to deploy the Lumma Stealer malware. This cyberattack has compromised thousands of users across multiple industries, particularly in technology, financial services, and manufacturing, with its primary targets in North America, Asia, and Southern Europe.

According to National CERT, cybercriminals are manipulating search engine results to distribute infected PDFs, making them appear as legitimate documents hosted on platforms such as PDFCOFFEE, PDF4PRO, and Internet Archive. These seemingly trustworthy sources lure victims into downloading malicious files that, once opened, present a fake CAPTCHA image. The image prompts users to click a link, leading them to phishing websites designed to either steal sensitive financial information or execute PowerShell scripts via MSHTA commands to install the Lumma Stealer malware covertly.

Lumma Stealer is a sophisticated Malware-as-a-Service (MaaS) tool designed to extract login credentials, browser cookies, and cryptocurrency wallet data from infected devices. In addition to this, it deploys GhostSocks, a proxy malware that hijacks victims’ internet connections, potentially enabling further cyberattacks. Stolen credentials harvested through these means are reportedly being sold on underground cybercrime forums, such as Leaky[.]pro. The advisory has also identified multiple malicious domains linked to the attack, including pdf-freefiles[.]com, webflow-docs[.]info, secure-pdfread[.]site, and docsviewing[.]net.

The increasing sophistication of such cyber threats underscores the need for organizations to adopt a proactive security approach. National CERT has recommended several immediate countermeasures to mitigate the risks associated with this attack. These include raising employee awareness about phishing risks, deploying advanced endpoint security solutions, and enforcing restrictions on PowerShell and MSHTA execution. Additionally, organizations are urged to block known malicious domains, enable PowerShell logging for early threat detection, and enforce multi-factor authentication (MFA) to prevent unauthorized access in case credentials are compromised.
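The advisory's recommendation to log PowerShell and restrict MSHTA only pays off if someone looks for the chain it describes. Below is an added example (not National CERT's or the advisory's own code) that flags the mshta-to-PowerShell pattern in process-creation telemetry; the field names, rule names, placeholder hostname and sample events are assumptions constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]  # fields: image, parent_image, command_line (Sysmon Event ID 1 style)

URL_IN_ARGS = re.compile(r"\bhttps?://", re.IGNORECASE)
# -enc/-EncodedCommand and -w hidden/-WindowStyle hidden mark one-liners meant to run unnoticed.
HIDDEN_OR_ENCODED = re.compile(r"-(?:enc|encodedcommand|w(?:indowstyle)?\s+hidden)\b", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: Event) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev["command_line"]
    hits = []
    if image == "mshta.exe" and URL_IN_ARGS.search(cmd):       # mshta pulling remote content
        hits.append("mshta_remote_content")
    if image in POWERSHELL and parent == "mshta.exe":           # the mshta -> PowerShell pivot
        hits.append("powershell_spawned_by_mshta")
    if image in POWERSHELL and HIDDEN_OR_ENCODED.search(cmd):   # hidden/encoded invocation
        hits.append("powershell_hidden_or_encoded")
    return hits

def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Evaluate every event and return (event index, rule name) pairs in order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

# Constructed sample telemetry, not real logs; hostname and encoded blob are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta.exe https://pdf-viewer.invalid/verify.hta"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -w hidden -enc QQBCAEMA"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\setup.hta"},  # local HTA: not flagged
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},  # routine admin use
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The parent-process rule is the high-confidence one; the URL and hidden/encoded rules should be tuned against the environment's own administrative scripts before alerting on them.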

Another key security measure emphasized in the advisory is monitoring search engine results for fraudulent domains masquerading as legitimate services. Cybercriminals are increasingly using SEO poisoning techniques to push malicious links higher in search rankings, making it easier for unsuspecting users to download compromised files. Organizations must also enforce best practices such as regular patch management, restricting administrative privileges, and implementing application whitelisting to prevent unauthorized software execution.

The advisory serves as a reminder that cybercriminals are continuously refining their tactics to evade detection and exploit vulnerabilities. Fake CAPTCHA prompts, once a tool to prevent bots, are now being weaponized as a social engineering tactic to trick users into clicking malicious links. As cyber threats evolve, businesses and individuals must remain vigilant, ensuring that their cybersecurity frameworks are regularly updated to counter emerging risks.

With cyberattacks becoming more targeted and deceptive, organizations must not only respond to threats but also anticipate them. Strengthening defenses through employee training, adopting robust security solutions, and implementing stringent access controls will be crucial in minimizing the impact of such large-scale phishing campaigns. The National CERT’s warning highlights the growing need for cybersecurity awareness and preparedness, urging businesses to stay one step ahead of threat actors in an increasingly hostile digital landscape.