CyberSecurityBoard
Sponsor Register Login

260 Domains Hosting 5,000 Weaponized PDF Files Attacking Users

Since late 2024, a sophisticated phishing operation leveraging 260 domains to host over 5,000 weaponized PDF files has targeted users across North America, Asia, and Southern Europe. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Sector-specific targeting prioritized technology firms (34%), financial institutions (28%), and manufacturing entities (19%), likely due to their access to proprietary data and payment systems. Unlike legitimate CAPTCHAs, these images contain hyperlinks masked as validation checks, routing victims to credential-harvesting sites or triggering malware downloads. The campaign’s infrastructure spans 260 domains, including PDF repositories like PDFCoffee and Internet Archive, broadening its reach to users searching within document libraries. Kaaviya is a Security Editor and fellow reporter with Cyber Security News. As phishing tactics grow more sophisticated, proactive threat hunting and cross-industry collaboration remain critical to disrupting the cybercrime lifecycle. Discovered by Netskope Threat Labs, the campaign begins when victims search for documents like user manuals, templates, or forms on search engines. Webflow’s CDN (assets.website-files[.]com) emerged as the primary host, accounting for 42% of phishing PDFs, followed by GoDaddy-associated subdomains. These PDFs embed fake CAPTCHA verification screens that redirect users to phishing pages. “The MSHTA command downloads the next stage PowerShell script, which downloads and executes the Lumma Stealer malware”, researchers said. The malware employs Process Hollowing to inject malicious code into legitimate executables, evading endpoint detection. She is covering various cyber security incidents happening in the Cyber Space. The attacks have impacted 1,150 organizations and 7,000 individuals, with technology, financial services, and manufacturing sectors being the most affected. In a subset of attacks, clicking the CAPTCHA copies obfuscated PowerShell code to the victim’s clipboard.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 28 Feb 2025 08:20:20 +0000


Cyber News related to 260 Domains Hosting 5,000 Weaponized PDF Files Attacking Users

Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains - The two main advantages of detecting stockpiled domains are expanding coverage of malicious domains and providing patient-zero detections as attackers stock up on domains for future use. As of July 2023, our detection pipeline has found 1,114,499 ...
1 year ago Unit42.paloaltonetworks.com
260 Domains Hosting 5,000 Weaponized PDF Files Attacking Users - Since late 2024, a sophisticated phishing operation leveraging 260 domains to host over 5,000 weaponized PDF files has targeted users across North America, Asia, and Southern Europe. Cyber Security News is a Dedicated News Platform For Cyber News, ...
1 month ago Cybersecuritynews.com
InfectedSlurs Botnet Spreads Mirai via Zero-Days - The payload targets routers and network video recorder devices with default admin credentials and installs Mirai variants when successful. Until November 9, 2023, the vulnerable devices being targeted were unknown. Since both the name and the version ...
1 year ago Akamai.com
Meet Ika & Sal: The Bulletproof Hosting Duo from Hell - In 2020, the United States brought charges against four men accused of building a bulletproof hosting empire that once dominated the Russian cybercrime industry and supported multiple organized cybercrime groups. The Spamdot admins went by the ...
1 year ago Krebsonsecurity.com
Cloudflare loses 22% of its domains in Freenom.tk shutdown - A staggering 12.6 million domains on TLDs controlled by Freenom have been shut down and no longer resolve, leading to a significant reduction in the number of websites hosted by Cloudflare. The disappearance of these websites was spotted during our ...
1 year ago Netcraft.com
Researchers Hunted Malicious Stockpiled Domains DNS Records - Malicious stockpiled domains are the collection of domain names that threat actors acquire in advance for several types of future malicious activities like:-. While all these domains are often kept unused initially to evade detection, and then later ...
1 year ago Cybersecuritynews.com
Imperva Client-Side Protection Mitigates the Polyfill Supply Chain Attack - The recent discovery of a website supply chain attack using the cdn. Polyfill.io domain has left many websites vulnerable to malicious code injection. Once a trusted resource for adding JavaScript polyfills to websites, the domain has recently become ...
9 months ago Imperva.com
Hunting for malicious domains with VT Intelligence ~ VirusTotal Blog - Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here. Many cyberattacks begin by victims visiting compromised websites that host malware or phishing scams, threat actors use domains for ...
1 year ago Blog.virustotal.com
CVE-2020-25600 - An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs ...
2 years ago
AsyncRAT Loader Delivers Malware via JavaScript - For at least 11 months, this threat actor has been working on delivering the Remote Access Trojan through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains later, the threat actor is persistent ...
1 year ago Cybersecurity-insiders.com
The age of weaponized LLMs is here - It's exactly what one researcher, Julian Hazell, was able to simulate, adding to a collection of studies that, altogether, signify a seismic shift in cyber threats: the era of weaponized LLMs is here. The research all adds up to one thing: LLMs are ...
1 year ago Venturebeat.com
CVE-2021-20698 - Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
CVE-2021-20699 - Sharp NEC Displays ((UN462A R1.300 and prior to it, UN462VA R1.300 and prior to it, UN492S R1.300 and prior to it, UN492VS R1.300 and prior to it, UN552A R1.300 and prior to it, UN552S R1.300 and prior to it, UN552VS R1.300 and prior to it, UN552 ...
2 years ago
The Persistent Danger of Remcos RAT - From initial infection to persistent control, the Remcos RAT campaign exemplifies the evolving nature of cyber threats and the need for proactive defense measures. This ecosystem is supported by a diverse array of servers that function as command and ...
1 year ago Cyberdefensemagazine.com
Weaponized PDF Documents Deliver Lumma InfoStealer Attacking Educational Institutions - Security analysts at Cloudsek noted that the malware employs advanced evasion techniques like obfuscated scripts and encrypted communications with Command-and-Control (C2) servers. This sophisticated campaign exploits malicious LNK (shortcut) files ...
2 months ago Cybersecuritynews.com
Spooky action: Phantom domains create hijackable hyperlinks - Links to phantom domains don’t pose an inherent risk — so long as companies ensure they review websites for misspelled URLs and remove any placeholder links, hijacked hyperlinks are impossible. From an education standpoint, enterprises ...
6 months ago Securityintelligence.com
Samsung Galaxy S23 hacked twice on first day of Pwn2Own Toronto - Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada. They also demoed exploits and vulnerability chains targeting zero-days in Xiaomi's 13 Pro ...
1 year ago Bleepingcomputer.com
Detectify platform enhancements address growing attack surface complexity - Detectify announced a new Domains page and major improvements to existing capabilities for setting custom attack surface policies. These updates bring control over attack surface data and enable organizations to seamlessly configure alerts for policy ...
10 months ago Helpnetsecurity.com
CVE-2018-18689 - The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use ...
4 years ago
Microsoft Edge to Use Adobe Acrobats PDF Rendering Technology - Microsoft and Adobe have joined forces to incorporate Adobe Acrobat's PDF rendering engine directly into the Edge browser, replacing the existing PDF engine. Starting in March 2023, new versions of Microsoft Edge for Windows 10 and Windows 11 will be ...
2 years ago Bleepingcomputer.com
Typosquatting Wave Shows No Signs of Abating - One of the most enduring of these exploits is the practice of typosquatting - i.e., using look-alike websites and domain names to lend legitimacy to social engineering efforts. These look-alikes prey on users' inattention to verifying legitimate ...
1 year ago Darkreading.com
Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence - Criminal IP, a renowned Cyber Threat Intelligence search engine developed by AI SPERA, has recently signed a technology partnership to exchange threat intelligence data based on domains and potentially on the IP address to protect users by blocking ...
11 months ago Hackread.com
49 unique zero-days Uncovered in Pwn2Own Automotive - On the final day of Pwn2Own Automotive 2024 - Day 3, researchers were granted $1,323,750 in rewards for identifying 49 distinct zero-days. Particularly, the infotainment system and modem of Tesla were attacked by the Synacktiv team, and each ...
1 year ago Cybersecuritynews.com
Kimsuky Group Using Weaponized file Deploy AppleSeed Malware - Hackers use weaponized LNK files to exploit vulnerabilities in Windows operating systems. These files often contain malicious code that can be executed when the user clicks on the shortcut. These weaponized files allow threat actors to perform ...
1 year ago Cybersecuritynews.com Kimsuky
Over 800 Phony "Temu" Domains Lure Shoppers into Credential Theft - Stay alert against Temu phishing scams: Cybersecurity experts warn of scammers using fake giveaways to steal credentials. Over 800 new 'Temu' domains registered in the past 3 months. Temu is the latest brand chosen by scammers for their phishing ...
1 year ago Hackread.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)