Netskope Threat Labs reported a phishing campaign leveraging fake CAPTCHA images in PDF files to deceive users searching for PDF documents. The attackers used SEO tactics to lure victims into visiting malicious sites. Over 260 unique domains hosted nearly 5,000 phishing PDF files, impacting over 1,150 organizations across various sectors. Affected: technology, financial services, manufacturing sectors
Keypoints :
- Widespread phishing campaign detected by Netskope Threat Labs on February 12, 2025.
- Attackers utilized fake CAPTCHA images through Webflow CDN to trick victims.
- SEO tactics directed victims to malicious sites disguised as PDF documents.
- 260 unique domains hosting nearly 5,000 phishing PDFs identified.
- Campaign primarily targeted organizations in North America, Asia, and Southern Europe.
- Main sectors affected include technology, financial services, and manufacturing.
- Phishing PDFs used to steal credit card information, some of which led to Lumma Stealer malware delivery.
- Attackers uploaded malicious PDFs to online libraries and repositories.
- Over 4,000 targeted keywords included terms like βpdf,β βfree,β βdownload,β and βprintable.β
- Netskope will continue to monitor phishing techniques targeting PDFs and users.
MITRE Techniques :
- Phishing (T1566) β Attackers used phishing PDF files with fake CAPTCHA to trick the target into providing credit card information.
- Command and Control (T1071) β Executed PowerShell commands via malicious PDF, facilitating download and execution of Lumma Stealer.
- Scripting (T1064) β PowerShell commands were run to deliver the Lumma Stealer malware.
Indicator of Compromise :
- [Domain] webflow[. ]com
- [Domain] godaddy[. ]com
- [Domain] strikingly[. ]com
- [Domain] wix[. ]com
- [Domain] fastly[. ]com
Full Story: https://www.netskope.com/blog/fake-captchas-malicious-pdfs-seo-traps-leveraged-for-user-manual-searches