Lumma Stealer and Ninja Browser Malware Campaign Abuses Google Groups for Malicious Activities
A Large-Scale Malware Campaign Exploits Google Groups and Services to Target Global Organizations
A recent investigation has uncovered a widespread malware campaign that leverages Google Groups and other Google services to distribute credential-stealing malware and establish persistent access on compromised devices. The campaign, which has been active for some time, has already affected over 4,000 Google Groups and 3,500 Google-hosted URLs, targeting organizations worldwide.
The Attackers’ Strategy
The attackers’ strategy involves infiltrating industry-related forums on Google Groups and posting seemingly legitimate discussions on technical topics, such as network issues, authentication errors, or software configurations. These posts contain embedded links that, when clicked, redirect victims to malicious websites or download malware onto their devices.
To evade detection, the attackers use URL shorteners or Google-hosted redirectors via Google Docs and Drive. The redirector is designed to detect the victim’s operating system and deliver different payloads depending on whether the target is using Windows or Linux.
Windows Users
Windows users are targeted with a password-protected compressed archive hosted on a malicious file-sharing infrastructure. The archive is oversized, with a decompressed size of approximately 950MB, although the actual malicious payload is only around 33MB. This technique is intended to exceed antivirus file-size scanning thresholds and disrupt static analysis engines.
Once executed, the malware reassembles segmented binary files, launches an AutoIt-compiled executable, and decrypts and executes a memory-resident payload. The behavior matches that of Lumma Stealer, a commercially sold infostealer frequently used in credential-harvesting campaigns. Observed behavior includes browser credential exfiltration, session cookie harvesting, shell-based command execution, and HTTP POST requests to command and control (C2) infrastructure.
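An added example, not taken from the report, of a defender-side check for the bloated-archive trick described above: it reads per-member sizes from the archive's central directory (readable even when the members are password-protected, assuming a ZIP container, which the report does not specify) and flags entries that exceed a scanner's size cap or compress implausibly well, as zero-padding does. The sample archive and both thresholds are constructed for the example.

```python
import io
import random
import zipfile


def audit_archive(data: bytes, size_cap=8 * 1024 * 1024, max_ratio=50.0) -> list:
    """Flag archive members that look bloated: larger than a scanner's size cap
    (hypothetical 8 MB here) or with an uncompressed/compressed ratio far above
    what real code or data achieves. ZIP central-directory metadata is not
    encrypted, so this works on password-protected archives too."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            oversized = info.file_size > size_cap
            padded = ratio > max_ratio
            if oversized or padded:
                findings.append({
                    "name": info.filename,
                    "uncompressed": info.file_size,
                    "compressed": info.compress_size,
                    "ratio": round(ratio, 1),
                    "encrypted": bool(info.flag_bits & 0x1),  # bit 0 = traditional ZIP encryption
                    "reasons": [r for r, hit in (("exceeds_scan_cap", oversized),
                                                 ("padding_suspected", padded)) if hit],
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a small incompressible 'binary' next to a member
    padded with zeros, mimicking an archive whose real payload is a small
    fraction of its decompressed size."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Deterministic pseudo-random bytes stand in for a real executable.
        zf.writestr("loader.exe", random.Random(1).randbytes(50 * 1024))
        zf.writestr("data.bin", b"\x00" * (16 * 1024 * 1024))  # 16 MB of padding
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_archive(build_sample_archive()):
        print(finding)
```

Run against a real download, replace the constructed archive with the file's bytes and tune the thresholds to the scanning limits of the AV or EDR in use.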
Linux Users
Linux users, on the other hand, are redirected to a website that offers a trojanized version of the Ninja Browser. The browser presents itself as a privacy-focused browser with built-in anonymity features but silently installs malicious extensions without user consent. These extensions track users via unique identifiers, inject scripts into web sessions, load remote content, manipulate browser tabs and cookies, and store data externally.
The installed extensions contain heavily obfuscated JavaScript using XOR and Base56-like encoding, suggesting future payload deployment capability. The browser also defaults to a Russian-based search engine and redirects to another suspicious AI-themed search page.
Risks and Recommendations
The campaign’s infrastructure is linked to several IP addresses, domains, and SHA-256 hashes associated with credential harvesting and info-stealer distribution. The risks to organizations include credential and session token theft, account takeover, financial fraud, lateral movement in enterprise environments, silent credential harvesting, remote command execution, and backdoor-like persistence.
To defend against this campaign, organizations are advised to inspect shortened URLs and Google Docs/Drive redirect chains, block the indicators of compromise (IoCs) at firewall and endpoint detection and response (EDR) levels, educate users against suspicious emails and links, monitor scheduled task creation on endpoints, and audit browser extension installations.
The campaign highlights a broader trend of attackers increasingly weaponizing trusted software-as-a-service (SaaS) platforms as delivery infrastructure to evade detection. As the threat landscape continues to evolve, it is essential for organizations to remain vigilant and proactive in their cybersecurity measures.