Lumma Stealer and Ninja Browser malware campaign abusing Google Groups

https://www.bleepingcomputer.com/news/security/ctm360-lumma-stealer-and-ninja-browser-malware-campaign-abusing-google-groups/

Publish Date: 2026-02-15 11:30:00

Source Domain: www.bleepingcomputer.com

CTM360 reports that more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs are being used in an active malware campaign targeting global organizations.

The attackers abuse Google’s trusted ecosystem to distribute credential-stealing malware and establish persistent access on compromised devices.

The activity is global, with attackers embedding organization names and industry-relevant keywords into posts to increase credibility and drive downloads.

Read the full report here: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer

How the campaign works

The attack chain begins with social engineering inside Google Groups. Threat actors infiltrate industry-related forums and post technical discussions that appear legitimate, covering topics such as network issues, authentication errors, or software configurations.

Within these threads, attackers embed download links disguised as: “Download {Organization_Name} for Windows 10”

To evade detection, they use URL shorteners or Google-hosted redirectors via Docs and Drive. The redirector is designed to detect the victim’s operating system and deliver different payloads depending on whether the target is using Windows or Linux.

Malware lifecycle

Windows Infection Flow: Lumma Info-Stealer

For Windows users, the campaign delivers a password-protected compressed archive hosted on a malicious file-sharing infrastructure.

Oversized archive to evade detection

The decompressed archive size is approximately 950MB, though the actual malicious payload is only around 33MB. CTM360 researchers found that the executable was padded with null bytes — a technique designed to exceed antivirus file-size scanning thresholds and disrupt static analysis engines.
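A simple triage check for the padding trick described above, written here as an added example rather than code from CTM360 or BleepingComputer: it measures how much of a file is trailing null bytes and flags samples where the padding dominates. The 95% threshold and the constructed sample bytes are assumptions chosen for illustration; real-world tuning would depend on the installer formats seen in an environment, since some legitimate packagers also pad.

```python
"""Flag files whose on-disk size is inflated with trailing null-byte padding.

Added example for the padding technique described in the report above; not
code from CTM360 or BleepingComputer. The threshold and sample bytes are
assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Assumed threshold: flag when more than this fraction of the file is
# trailing null padding.
PADDING_RATIO_THRESHOLD = 0.95


@dataclass
class PaddingReport:
    total_size: int
    trailing_nulls: int
    padding_ratio: float
    suspicious: bool

    @property
    def effective_size(self) -> int:
        """Bytes that remain once trailing null padding is discarded."""
        return self.total_size - self.trailing_nulls


def count_trailing_nulls(data: bytes, chunk: int = 1 << 20) -> int:
    """Count null bytes at the end of `data`, scanning backwards in chunks
    so a multi-hundred-megabyte sample is not copied whole by rstrip()."""
    count = 0
    end = len(data)
    while end > 0:
        start = max(0, end - chunk)
        block = data[start:end]
        stripped = block.rstrip(b"\x00")
        count += len(block) - len(stripped)
        if stripped:  # first non-null byte found, padding run ends here
            break
        end = start
    return count


def analyze_padding(data: bytes, threshold: float = PADDING_RATIO_THRESHOLD) -> PaddingReport:
    """Compute the padding ratio and decide whether it exceeds the threshold."""
    total = len(data)
    nulls = count_trailing_nulls(data)
    ratio = nulls / total if total else 0.0
    return PaddingReport(total, nulls, ratio, ratio > threshold)


def analyze_file(path: str, threshold: float = PADDING_RATIO_THRESHOLD) -> PaddingReport:
    """Same check against a file on disk, for triage of a single sample."""
    with open(path, "rb") as fh:
        return analyze_padding(fh.read(), threshold)


# Constructed sample: a 33-byte "payload" followed by 950 null bytes, echoing
# the ~33 MB / ~950 MB ratio in the report at a 1:1,000,000 scale.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(1, 32))  # 33 bytes, none of them null
SAMPLE_PADDED = SAMPLE_PAYLOAD + b"\x00" * 950


if __name__ == "__main__":
    r = analyze_padding(SAMPLE_PADDED)
    print(f"total={r.total_size} payload={r.effective_size} "
          f"padding={r.padding_ratio:.1%} suspicious={r.suspicious}")
```

The ratio is a triage signal, not a verdict: it tells an analyst that a large archive member is mostly filler and that the ~33 MB head of the file is where static analysis should be focused, and it gives a cheap pre-filter for scanners whose size limits the padding was meant to exceed.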

AutoIt-based reconstruction

Once executed, the malware:

  • Reassembles segmented binary files.

  • Launches an AutoIt-compiled executable.

  • Decrypts and executes a memory-resident payload.

The behavior matches Lumma Stealer, a…
