
CTM360: Lumma Stealer and Ninja Browser Malware Campaign Abusing Google Groups
Why It Matters
The abuse of Google’s SaaS ecosystem lets attackers bypass conventional security controls, exposing enterprises to credential theft, account takeover, and long‑term persistence across both Windows and Linux endpoints.
Key Takeaways
- Over 4,000 malicious Google Groups used
- Campaign delivers Lumma Stealer to Windows, Ninja Browser to Linux
- Oversized archive evades AV by padding with null bytes
- Malicious Chrome extension harvests credentials silently
- Attack leverages Google Docs/Drive redirects to bypass filters
Pulse Analysis
The rise of SaaS‑based weaponization is reshaping threat landscapes, and Google’s ubiquitous services are now prime delivery vectors. By infiltrating industry‑focused Google Groups, adversaries exploit the platform’s inherent trust to seed malicious links that appear legitimate to end users. The scale, thousands of compromised groups and URLs, demonstrates a coordinated effort to reach a global audience, leveraging Google’s domain reputation to sidestep email gateways and web proxies that typically block unknown hosts.
On the technical side, the campaign distinguishes itself with dual‑platform payloads. Windows victims receive a 950 MB archive padded with null bytes, a tactic that pushes the file size beyond many static analysis thresholds while the actual malicious component remains a modest 33 MB. An AutoIt‑driven loader then reconstructs the binary, decrypts it in memory, and launches the Lumma Info‑Stealer, which siphons browser credentials and session cookies and executes remote commands. Linux users are presented with a counterfeit “Ninja Browser” that silently installs a malicious extension, tracks identifiers, injects scripts, and creates scheduled tasks for persistent command‑and‑control polling. Both vectors benefit from Google Docs and Drive redirectors that dynamically serve OS‑specific payloads, further complicating detection.
Enterprises must adapt their defenses to this SaaS‑centric threat model. Beyond traditional URL filtering, security teams should monitor for anomalous Google Group activity, inspect shortened URLs, and enforce strict controls on browser extension installations. Endpoint Detection and Response (EDR) solutions need to flag unusual archive sizes and AutoIt execution patterns, while SIEMs should correlate scheduled‑task creation with known malicious domains such as healgeni.live. By combining user education with proactive IoC blocking, organizations can mitigate the risk of credential harvesting and long‑term persistence introduced by this sophisticated campaign.
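As an added example (not code from the CTM360 report), here is the kind of check an EDR or triage pipeline could apply to the oversized, null‑padded archive described above and to the recommendation that unusual archive sizes be flagged: it streams the file, counts total and trailing null bytes, and flags an archive whose size clears a threshold mostly because of padding. The thresholds and the constructed sample built by demo() are assumptions for illustration.

```python
import os
import tempfile

# Thresholds are illustrative assumptions, not values from the CTM360 report.
SIZE_THRESHOLD = 100 << 20   # archives of 100 MiB or more get a closer look ...
PAD_RATIO_THRESHOLD = 0.5    # ... and are flagged when at least half their bytes are null
CHUNK = 1 << 20              # 1 MiB reads, so a 950 MB file is never loaded whole

def null_padding_stats(path, chunk=CHUNK):
    """Return (size, total_null_bytes, trailing_null_bytes), reading the file backwards."""
    size = os.path.getsize(path)
    total_nulls, trailing, in_trailing_run = 0, 0, True  # in_trailing_run: still in the end run of nulls
    with open(path, "rb") as f:
        pos = size
        while pos > 0:
            start = max(0, pos - chunk)
            f.seek(start)
            block = f.read(pos - start)
            total_nulls += block.count(b"\x00")
            if in_trailing_run:  # appended padding sits at the end, so measure that run
                stripped = block.rstrip(b"\x00")
                trailing += len(block) - len(stripped)
                in_trailing_run = not stripped
            pos = start
    return size, total_nulls, trailing

def assess_archive(path, size_threshold=SIZE_THRESHOLD, pad_ratio=PAD_RATIO_THRESHOLD):
    """Flag an archive whose size clears the threshold mainly because of null padding."""
    size, nulls, trailing = null_padding_stats(path)
    ratio = nulls / size if size else 0.0
    return {
        "size": size,
        "null_bytes": nulls,
        "trailing_null_bytes": trailing,
        "null_ratio": round(ratio, 3),
        "effective_size": size - trailing,  # the part worth handing to static analysis
        "suspicious": size >= size_threshold and ratio >= pad_ratio,
    }

def demo(payload_mib=2, pad_mib=8, size_threshold=5 << 20):
    """Constructed sample: null-free payload + pad_mib MiB of nulls, assessed with scaled thresholds."""
    payload = bytes(range(1, 256)) * ((payload_mib << 20) // 255 + 1)
    fd, path = tempfile.mkstemp(suffix=".zip")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
            f.write(b"\x00" * (pad_mib << 20))
        return assess_archive(path, size_threshold=size_threshold)
    finally:
        os.remove(path)
```

A large archive with no padding (for example demo(payload_mib=6, pad_mib=0)) is not flagged, so size alone does not trigger the check; the null ratio does.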