Fake CAPTCHA PDFs Spread Lumma Stealer via Webflow, GoDaddy, and Other Domains thehackernews.com/2025/02/5…

Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflow’s content delivery network (CDN) to deliver the Lumma stealer malware.

Netskope Threat Labs said it discovered 260 unique domains hosting 5,000 phishing PDF files that redirect victims to malicious websites.

“The attacker uses SEO to trick victims into visiting the pages by clicking on malicious search engine results,” security researcher Jan Michael Alcantara said in a report shared with The Hacker News.

“While most phishing pages focus on stealing credit card information, some PDF files contain fake CAPTCHAs that trick victims into executing malicious PowerShell commands, ultimately leading to the Lumma Stealer malware.”

The phishing campaign is estimated to have affected more than 1,150 organizations and more than 7,000 users since the second half of 2024, with the attacks primarily singling out victims in North America, Asia, and Southern Europe across technology, financial services, and manufacturing sectors.

Of the 260 domains identified as hosting the fake PDFs, the majority are related to Webflow, followed by those related to GoDaddy, Strikingly, Wix, and Fastly.
