CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups

February 15, 2026 11:30 AM

• CTM360 reports that more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs are being used in an active malware campaign targeting global organizations.
• The attackers abuse Google’s trusted ecosystem to distribute credential-stealing malware and establish persistent access on compromised devices.
• The activity is global, with attackers embedding organization names and industry-relevant keywords into posts to increase credibility and drive downloads.
• Read the full report here: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer

How the campaign works

The attack chain begins with social engineering inside Google Groups.

• Threat actors infiltrate industry-related forums and post technical discussions that appear legitimate, covering topics such as network issues, authentication errors, or software configurations.
• Within these threads, attackers embed download links disguised as: “Download {Organization_Name} for Windows 10”
• To evade detection, they use URL shorteners or Google-hosted redirectors via Docs and Drive.
• The redirector is designed to detect the victim’s operating system and deliver different payloads depending on whether the target is using Windows or Linux.

Windows Infection Flow: Lumma Info-Stealer

For Windows users, the campaign delivers a password-protected compressed archive hosted on a malicious file-sharing infrastructure.

Oversized archive to evade detection

The decompressed archive size is approximately 950MB, though the actual malicious payload is only around 33MB.
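A defender-side triage check for the size mismatch described above, as an added example that is not taken from the CTM360 report: it measures how much of an extracted file is single-value padding. The padding style (runs of one repeated byte), the function names and the 0.9 threshold are assumptions, and the sample is constructed and scaled from MB down to KiB.

```python
import os
import tempfile

CHUNK = 4096  # scan granularity for the demo; real triage would use ~1 MiB


def filler_profile(path, chunk_size=CHUNK):
    """Return (total_bytes, filler_bytes) for a file.

    A chunk counts as filler when every byte in it has the same value,
    which is the assumed padding style (for example long runs of 0x00).
    """
    total = filler = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            total += len(chunk)
            if chunk.count(chunk[:1]) == len(chunk):
                filler += len(chunk)
    return total, filler


def is_inflated(path, min_filler_ratio=0.9, chunk_size=CHUNK):
    """Flag files whose size is mostly single-value padding (assumed threshold)."""
    total, filler = filler_profile(path, chunk_size)
    return total > 0 and filler / total >= min_filler_ratio


def demo():
    """Build a constructed sample in the page's 33:950 proportions, in KiB."""
    payload = bytes(range(256)) * 132   # 33 KiB of varied, constructed content
    padding = b"\x00" * (917 * 1024)    # pads the file out to 950 KiB
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(payload + padding)
        total, filler = filler_profile(path)
        return total, filler, is_inflated(path)


if __name__ == "__main__":
    total, filler, flagged = demo()
    print(f"total={total} filler={filler} content={total - filler} inflated={flagged}")
```

A high filler ratio is a reason to scan the file with size limits lifted or to carve out the non-padding region, not a verdict by itself.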
