What happened
Security researchers at CTM360 have identified a global malware campaign that abuses Google Groups and other Google-hosted services to distribute credential-stealing malware and maintain persistent access on compromised systems. Attackers infiltrate legitimate industry discussion forums and post seemingly authentic technical conversations containing malicious download links disguised as organization-specific software. The links redirect victims through Google-hosted infrastructure and URL shorteners before delivering a payload tailored to the victim's operating system. Windows users receive Lumma Stealer, which harvests browser credentials and session cookies, executes attacker commands, and exfiltrates the data to attacker-controlled infrastructure. Linux users receive a trojanized Chromium-based browser called Ninja Browser, which installs malicious extensions, tracks users, manipulates browser sessions, and establishes persistence through scheduled tasks and remote update mechanisms. The campaign leveraged more than 4,000 malicious Google Groups and over 3,500 Google-hosted URLs to distribute malware globally.
Who is affected
Organizations and users who interact with the malicious Google Groups posts or download software through the embedded links are affected. The campaign enables credential theft, session hijacking, and persistent compromise on both Windows and Linux systems.
Why CISOs should care
The abuse of trusted SaaS platforms such as Google Groups, Google Docs, and Google Drive shows how attackers use legitimate cloud services to evade traditional security controls and distribute malware at scale. Because the lure, the redirect chain, and the hosting all sit on Google infrastructure that most organizations allow by default, URL reputation and domain allow-lists alone will not stop it.
3 practical actions
- Block known indicators of compromise. Prevent access to the malicious domains, IP addresses, and file hashes identified in the campaign, and review proxy and DNS logs for past contact with them.
- Audit browser extensions and scheduled jobs. Identify unauthorized extension installations and the persistence mechanisms (scheduled tasks on Windows; cron jobs, systemd units, and self-update hooks on Linux) deployed by the malware.
- Educate users on forum-based threats. Warn employees against downloading software shared through public forums or unsolicited technical discussions, even when the link points at a Google-hosted page.
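The following triage script is an added example for the second action above; it is not from the CTM360 report and contains no indicators from the campaign. It walks a Chromium-family profile directory (Chromium, Chrome, and forks store each extension under Extensions/<id>/<version>/manifest.json), flags extensions whose manifest requests session-reading or traffic-rewriting permissions or whose update_url is not the Chrome Web Store, and then lists cron jobs, systemd user units, and XDG autostart entries. The permission watch-list, the root/home parameters, and the profile path used when none is given on the command line are assumptions for illustration; pass the actual profile directory of the browser being investigated.

```python
"""Added triage example: enumerate Chromium-family browser extensions and common
Linux persistence locations. Not from the CTM360 report; paths are assumptions."""
import json
import sys
from pathlib import Path

# Assumed watch-list: permissions that let an extension read sessions or rewrite traffic.
HIGH_RISK_PERMISSIONS = {
    "cookies", "tabs", "history", "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "nativeMessaging", "management", "proxy", "debugger",
}
# Chrome Web Store update endpoint; any other update_url means the extension is
# sideloaded and updates itself from infrastructure the store does not vet.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def _is_host_pattern(perm: str) -> bool:
    """Host match patterns grant page access; treat them as risky alongside named permissions."""
    return perm == "<all_urls>" or "://" in perm


def list_extensions(profile_dir):
    """Return one record per installed extension version found under
    <profile>/Extensions/<id>/<version>/manifest.json."""
    records = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return records
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest is itself worth a look; still report the id
            # MV2 mixes host patterns into "permissions"; MV3 splits them into "host_permissions".
            perms = {p for p in data.get("permissions", []) if isinstance(p, str)}
            perms |= {p for p in data.get("host_permissions", []) if isinstance(p, str)}
            risky = sorted((perms & HIGH_RISK_PERMISSIONS) | {p for p in perms if _is_host_pattern(p)})
            update_url = data.get("update_url", "")
            records.append({
                "id": ext_dir.name,
                "version": ver_dir.name,
                "name": data.get("name", "?"),
                "risky_permissions": risky,
                "sideloaded": update_url != WEBSTORE_UPDATE_URL,
                "update_url": update_url,
            })
    return records


def list_persistence(root="/", home=None):
    """Collect cron jobs, systemd user units, and XDG autostart entries as (kind, file, line).
    root and home are parameters so the scan can target a mounted disk image or a test tree."""
    root = Path(root)
    home = Path(home) if home else Path.home()
    findings = []

    cron_files = [root / "etc/crontab"]
    for d in ("etc/cron.d", "var/spool/cron/crontabs", "var/spool/cron"):
        p = root / d
        if p.is_dir():
            cron_files += [f for f in sorted(p.iterdir()) if f.is_file()]
    for f in cron_files:
        if not f.is_file():
            continue
        for line in f.read_text(errors="replace").splitlines():
            line = line.strip()
            # Skip blanks, comments and VAR=value lines; keep actual schedule entries.
            if line and not line.startswith("#") and "=" not in line.split()[0]:
                findings.append(("cron", str(f), line))

    unit_dir = home / ".config/systemd/user"
    if unit_dir.is_dir():
        for unit in sorted(unit_dir.glob("*.service")) + sorted(unit_dir.glob("*.timer")):
            for line in unit.read_text(errors="replace").splitlines():
                if line.startswith(("ExecStart=", "OnCalendar=", "OnBootSec=")):
                    findings.append(("systemd-user", str(unit), line.strip()))

    autostart = home / ".config/autostart"
    if autostart.is_dir():
        for desktop in sorted(autostart.glob("*.desktop")):
            for line in desktop.read_text(errors="replace").splitlines():
                if line.startswith("Exec="):
                    findings.append(("autostart", str(desktop), line.strip()))
    return findings


if __name__ == "__main__":
    # Assumed default profile path; pass the real one for the browser under investigation.
    profile = sys.argv[1] if len(sys.argv) > 1 else str(Path.home() / ".config/chromium/Default")
    for rec in list_extensions(profile):
        flag = "SIDELOADED " if rec["sideloaded"] else ""
        print(f'{flag}{rec["id"]} {rec["version"]} "{rec["name"]}" risky={rec["risky_permissions"]}')
    for kind, path, line in list_persistence():
        print(f"[{kind}] {path}: {line}")
```

Run it as the affected user against each browser profile on the host (a trojanized Chromium fork keeps its own profile directory, so check beyond the default Chrome and Chromium paths) and compare the output with an approved-extension inventory; a sideloaded extension with cookies, tabs, or <all_urls> access, or a cron or systemd entry that launches something from a user-writable path, is what to pull for analysis.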
