CTM360 reports that more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs are being used in an active malware campaign targeting global organizations. The attackers abuse Google’s trusted ecosystem to distribute credential-stealing malware and establish persistent access on compromised devices. The activity is global, with attackers embedding organization names and industry-relevant keywords into posts to increase credibility and drive downloads.
How the campaign works
The attack chain begins with social engineering inside Google Groups. Threat actors infiltrate industry-related forums and post technical discussions that appear legitimate, covering topics such as network issues, authentication errors, or software configurations. Within these threads, attackers embed download links disguised as: “Download {Organization_Name} for Windows 10”. To evade detection, they use URL shorteners or Google-hosted redirectors via Docs and Drive. The redirector is designed to detect the victim’s operating system and deliver different payloads depending on whether the target is using Windows or Linux.

Windows Infection Flow: Lumma Info-Stealer
For Windows users, the campaign delivers a password-protected compressed archive hosted on a malicious file-sharing infrastructure. The decompressed archive size is approximately 950MB, though the actual malicious payload is only around 33MB. CTM360 researchers found that the executable was padded with null bytes - a technique designed to exceed antivirus file-size scanning thresholds and disrupt static analysis engines.
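The padding trick above is easy to check for on the defender's side. The following is an added example (not CTM360's tooling) that scans a file from its tail backwards and reports how much of it is a trailing run of 0x00 bytes; the 50% threshold and the 1 MiB chunk size are assumptions, not values from the report, and the sample file it builds is constructed for illustration.

```python
# Added example (not CTM360's tooling): flag executables inflated with a trailing
# run of 0x00 bytes, the padding technique described for the ~950MB Lumma sample.
import os
import tempfile
from dataclasses import dataclass

TRAILING_NULL_RATIO = 0.5  # assumption: >=50% of the file being a trailing 0x00 run is suspicious
CHUNK = 1 << 20            # scan backwards 1 MiB at a time; never load the whole file

@dataclass
class PaddingReport:
    size: int
    trailing_nulls: int

    @property
    def ratio(self) -> float:
        return self.trailing_nulls / self.size if self.size else 0.0

    @property
    def suspicious(self) -> bool:
        return self.ratio >= TRAILING_NULL_RATIO

def trailing_null_run(path: str) -> PaddingReport:
    """Count the 0x00 bytes at the end of the file, reading from the tail backwards."""
    size = os.path.getsize(path)
    run, pos = 0, size
    with open(path, "rb") as f:
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            chunk = f.read(step)
            stripped = chunk.rstrip(b"\x00")
            run += len(chunk) - len(stripped)
            if stripped:  # reached a non-null byte: the padding run ends here
                break
    return PaddingReport(size=size, trailing_nulls=run)

def effective_size(path: str) -> int:
    """Bytes left once the padding is dropped: the size a scanner should actually judge."""
    rep = trailing_null_run(path)
    return rep.size - rep.trailing_nulls

def make_padded_sample(payload: bytes, pad_to: int) -> str:
    """Constructed test input: a small 'payload' followed by null padding up to pad_to bytes."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(payload + b"\x00" * (pad_to - len(payload)))
    return path
```

Running `trailing_null_run` on a file and feeding `effective_size` to a scanner that enforces a size ceiling is the point: the inflated on-disk size should not decide whether the real 33MB of content gets analysed.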
Once executed, the malware reassembles segmented binary files, launches an AutoIt-compiled executable, and decrypts and executes a memory-resident payload.
The following behaviors were observed: browser credential exfiltration, session cookie harvesting, shell-based command execution, and HTTP POST communications to C2 infrastructure, with multipart/form-data POST requests used to help mask the exfiltrated content. CTM360 identified multiple associated IP addresses and SHA-256 hashes linked to the Lumma-stealer payload.
Linux Infection Flow: Trojanized “Ninja Browser”
Linux users are redirected to download a trojanized Chromium-based browser branded as “Ninja Browser”. The software presents itself as a privacy-focused browser with built-in anonymity features. However, CTM360’s analysis reveals that it silently installs malicious extensions without user consent and implements hidden persistence mechanisms that enable future compromise by the threat actor.
A built-in extension named “NinjaBrowserMonetisation” was observed to:
The extension contains heavily obfuscated JavaScript using XOR and Base56-like encoding.

Silent persistence mechanism
CTM360 also identified scheduled tasks configured to poll attacker-controlled servers daily, silently install updates without user interaction, and maintain long-term persistence. Additionally, researchers observed that the browser defaults to a Russian-based search engine named “X-Finder” and redirects to another suspicious AI-themed search page.
The infrastructure appears tied to domains such as:
CTM360 advises organizations to:
The campaign highlights a broader trend: attackers are increasingly weaponizing trusted SaaS platforms as delivery infrastructure to evade detection.