Pakistan CERT Warns of Phishing Campaign Using Fake CAPTCHA

Pakistan’s National Computer Emergency Response Team (National CERT) issued a critical advisory on Wednesday, warning about a large-scale phishing campaign that uses fake CAPTCHA images embedded in PDF files to distribute Lumma Stealer malware.

According to the advisory, the phishing attack has already compromised thousands of users, primarily targeting sectors like technology, financial services, and manufacturing. The majority of victims are based in North America, Asia, and Southern Europe.

Cybercriminals involved in this campaign have been manipulating search engine results to distribute malicious PDF files, which appear legitimate. These PDFs contain deceptive CAPTCHA images designed to trick users into clicking a link that redirects them to phishing websites. These websites either harvest sensitive financial data or install the dangerous Lumma Stealer malware.

National CERT confirmed that platforms such as PDFCOFFEE, PDF4PRO, and Internet Archive were used to host the malicious PDFs. The attack relies on search engine optimization techniques, making the links appear legitimate in search results.

Lumma Stealer malware is a Malware-as-a-Service (MaaS) tool that steals login credentials, browser cookies, and cryptocurrency wallet data. The malware also deploys GhostSocks, a proxy malware that abuses the victim’s internet connection to relay the attackers’ traffic, further compromising their security. Stolen data is being sold on underground forums like Leaky[.]pro.

The CERT has identified malicious domains linked to the campaign, including pdf-freefiles[.]com, webflow-docs[.]info, secure-pdfread[.]site, and docsviewing[.]net.

National CERT has recommended several urgent security measures for organizations to mitigate the risks of these attacks. Key recommendations include educating employees about phishing risks, deploying advanced endpoint protection, restricting PowerShell and MSHTA execution, blocking malicious domains, enabling PowerShell logging, and enforcing multi-factor authentication (MFA).


The advisory highlights the increasing sophistication of cyberattacks and urges businesses to adopt proactive cybersecurity measures. Regular patch management, restricting administrative privileges, and using application whitelisting were also suggested as best practices to bolster security frameworks and prevent data breaches.
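One way to operationalise the advisory's "block malicious domains" and "enable PowerShell logging" recommendations in a detection pipeline, as an added example that is not part of the CERT advisory or this article: it refangs the four listed indicator domains and triages DNS-query events, escalating hits whose querying process is PowerShell or MSHTA. The key=value event layout (loosely modelled on Sysmon Event ID 22) and the sample lines are constructed assumptions for this example.

```python
import re
from typing import Optional

# Indicators quoted in the National CERT advisory, kept defanged as published.
DEFANGED_DOMAINS = [
    "pdf-freefiles[.]com",
    "webflow-docs[.]info",
    "secure-pdfread[.]site",
    "docsviewing[.]net",
]
# Binaries the advisory recommends restricting and logging.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Constructed sample events in a Sysmon Event ID 22 (DNS query) shape; the
# key=value layout is an assumption for this example, not a real log export.
SAMPLE_EVENTS = [
    "EventID=22 Image=C:\\Windows\\System32\\mshta.exe QueryName=cdn.secure-pdfread.site",
    "EventID=22 Image=C:\\Users\\alice\\AppData\\Local\\msedge.exe QueryName=pdf-freefiles.com",
    "EventID=22 Image=C:\\Windows\\System32\\svchost.exe QueryName=update.microsoft.com",
    "EventID=22 Image=C:\\Windows\\System32\\mshta.exe QueryName=notpdf-freefiles.com",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as example[.]com into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()


BLOCKLIST = {refang(d) for d in DEFANGED_DOMAINS}


def matches_blocklist(hostname: str) -> bool:
    """Label-aware match: the listed domain itself or any subdomain of it, so
    notpdf-freefiles.com does not match pdf-freefiles.com."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def triage(event: str) -> Optional[dict]:
    """Alert on a DNS event that resolves a listed domain; escalate to 'high'
    when the querying process is PowerShell or MSHTA."""
    fields = dict(FIELD_RE.findall(event))
    query = fields.get("QueryName", "")
    if not matches_blocklist(query):
        return None
    image = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
    return {"query": query, "image": image,
            "severity": "high" if image in LOLBINS else "medium"}


def scan(events) -> list:
    """Triage every event and keep only the alerts, in input order."""
    return [a for a in (triage(e) for e in events) if a]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: a high-severity one for mshta.exe resolving a subdomain of secure-pdfread[.]site and a medium one for the browser resolving pdf-freefiles[.]com; the look-alike notpdf-freefiles.com is correctly ignored.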
