Threat Alert: Lumma Stealer and Ninja Browser Abuse Google Groups

By Imthiyaz Ali

Cybersecurity firm CTM360 has uncovered a high-velocity malware campaign that weaponizes legitimate Google services to bypass enterprise security perimeters. The operation exploits Google Groups, Google Docs, and Google Drive to distribute a dual-threat payload: the notorious Lumma Stealer (LummaC2) and a trojanized Chromium-based application dubbed “Ninja Browser.”

By hosting malicious links and landing pages on Google’s trusted infrastructure, the threat actors effectively neutralize URL reputation filters and "safe browsing" checks, as traffic to groups.google.com is rarely blocked by corporate firewalls.

Campaign Scale: 4,000+ Malicious Groups

The scale of the infrastructure identified by CTM360 highlights a massive automation effort by the attackers. Key metrics from the report include:

  • 4,000+ Malicious Google Groups: Created to host "Discussions" that contain download links for seemingly benign software.
  • 3,500+ Google-hosted URLs: Utilizing Google Docs and Drive as secondary redirection points to obfuscate the final malware source.
  • Cross-Platform Targeting: The campaign employs dynamic redirection to deliver specialized payloads based on the victim's operating system.

The "Ninja Browser" Trojan

While Lumma Stealer is a known quantity in the threat landscape, the Ninja Browser represents a more targeted approach for non-Windows environments. This trojanized version of a legitimate Chromium project is primarily pushed to Linux users.

Key Features of Ninja Browser Malware:

  • Persistence Mechanisms: Once installed, it embeds itself within the system's startup routines, ensuring it remains active after reboots.
  • Data Exfiltration: It monitors active browser windows to capture keystrokes, session cookies, and sensitive form data (including passwords and credit card numbers).
  • Stealth: The application functions as a real browser, reducing the likelihood that a casual user will notice anything amiss.

The Windows Vector: Lumma Stealer & ClickFix

Windows users targeted in this campaign are often directed to "ClickFix" pages hosted within Google Groups discussions. These pages simulate a technical error (e.g., "The browser cannot display this content") and provide a "Fix" button.

"The brilliance of this campaign lies in its use of human problem-solving. By asking the user to copy and paste a command into the Run dialog, the attacker moves the infection out of the browser’s protected sandbox and into the OS layer."

The copied command typically executes a hidden PowerShell script that downloads an oversized, obfuscated Lumma payload. This "bloated" file size (often over 100MB) is a classic evasion technique to bypass some automated sandbox scanners that limit the size of files they analyze.

Impact on Enterprises

The primary goal of this campaign is credential harvesting. Lumma Stealer is exceptionally efficient at mining:

Target Data | Exploitation Risk
Corporate Credentials | Facilitates initial access for ransomware groups (Initial Access Brokering).
Crypto Wallets | Immediate financial theft via browser extensions like MetaMask or Phantom.
Browser Session Cookies | Enables MFA bypass by allowing attackers to hijack active authenticated sessions.

Recommendations for Security Teams

Because the campaign abuses trusted Google domains, CTM360 recommends a shift toward behavioral monitoring:

  • Monitor PowerShell Logs: Specifically look for Event ID 4104 (Script Block Logging) containing Invoke-Expression or Base64 strings originating from the Run dialog.
  • Google Groups Scrutiny: Implement inspection of traffic to groups.google.com to flag discussions containing suspicious keywords like "Fix," "Download," or "Update."
  • EDR Alerting: Set alerts for any chrome.exe or msedge.exe process that attempts to write executable files to the \AppData\Local\Temp\ directory.
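The first and third recommendations can be expressed as concrete detection logic. The Python script below is an added example, not code from the CTM360 report or from this article: it runs two checks over constructed sample telemetry embedded inline (a few Script Block Logging events and EDR file-write records). The first check flags Invoke-Expression or long base64 strings in Event ID 4104 script blocks and decodes -EncodedCommand payloads so the decoded text is inspected as well; the second flags chrome.exe or msedge.exe writing executable files under \AppData\Local\Temp\. The flat record format, host and file names, and the set of executable extensions are assumptions chosen for the example.

```python
import base64
import re
from pathlib import PureWindowsPath

# --- Constructed sample telemetry (not taken from the CTM360 report) --------
# The encoded command is built at runtime so the sample is obviously synthetic.
_ENCODED = base64.b64encode(
    "Invoke-Expression (Get-Content -Raw 'C:\\Users\\Public\\placeholder.txt')"
    .encode("utf-16-le")).decode("ascii")

# Simplified Script Block Logging events (Event ID 4104): one benign, two suspicious.
SCRIPT_BLOCK_EVENTS = [
    {"EventID": 4104, "Computer": "WS-042",
     "ScriptBlockText": "Get-ChildItem 'C:\\Users\\alice\\Documents' | Measure-Object"},
    {"EventID": 4104, "Computer": "WS-042",
     "ScriptBlockText": "iex (Get-Content -Raw 'C:\\Users\\Public\\placeholder.txt')"},
    {"EventID": 4104, "Computer": "WS-042",
     "ScriptBlockText": "powershell -w hidden -EncodedCommand " + _ENCODED},
]

# Simplified EDR file-write records: the image that wrote the file and the target path.
FILE_WRITE_EVENTS = [
    {"Computer": "WS-042", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"Computer": "WS-042", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Computer": "WS-042", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"Computer": "WS-042", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\patch.exe"},
]

# --- Check 1: PowerShell script block content ------------------------------
IEX_RE = re.compile(r"\b(Invoke-Expression|iex)\b", re.IGNORECASE)
# -e / -en / -enc / -EncodedCommand followed by a base64 argument
ENC_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
# A long run of base64 characters anywhere in the block (threshold is an assumption)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_encoded_command(text):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_script_block(event):
    """Return the reasons a 4104 event is suspicious (empty list means benign)."""
    if event.get("EventID") != 4104:
        return []
    text = event.get("ScriptBlockText", "")
    reasons = []
    if IEX_RE.search(text):
        reasons.append("Invoke-Expression in script block")
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command")
        if IEX_RE.search(decoded):
            reasons.append("Invoke-Expression in decoded command")
    elif B64_RUN_RE.search(text):
        reasons.append("long base64 string in script block")
    return reasons


# --- Check 2: browser process writing an executable into the Temp folder ---
BROWSERS = {"chrome.exe", "msedge.exe"}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".com"}  # assumed set
TEMP_MARKER = "\\appdata\\local\\temp\\"


def check_file_write(event):
    """Return a finding string if a browser wrote an executable under Temp, else None."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    target = PureWindowsPath(event.get("TargetFilename", ""))
    if image not in BROWSERS or TEMP_MARKER not in str(target).lower():
        return None
    if target.suffix.lower() not in EXEC_EXTENSIONS:
        return None
    return f"{image} wrote {target.name} to AppData\\Local\\Temp"


def run_detections(script_events, file_events):
    """Apply both checks and return one finding dict per hit."""
    findings = []
    for ev in script_events:
        reasons = check_script_block(ev)
        if reasons:
            findings.append({"host": ev["Computer"], "rule": "ps-script-block",
                             "detail": "; ".join(reasons)})
    for ev in file_events:
        detail = check_file_write(ev)
        if detail:
            findings.append({"host": ev["Computer"], "rule": "browser-temp-exe-write",
                             "detail": detail})
    return findings


if __name__ == "__main__":
    for f in run_detections(SCRIPT_BLOCK_EVENTS, FILE_WRITE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

Note that a 4104 event records the script text, not the process that launched it; tying a hit back to the Run dialog requires joining it with process-creation telemetry (for example, a powershell.exe child of explorer.exe), which this example does not model. Decoding the -EncodedCommand argument before matching matters because the obfuscated form never contains the literal string Invoke-Expression.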

CTM360 continues to monitor and issue takedowns for the infrastructure identified in this campaign. Organizations are encouraged to update their blocklists with the IoCs provided in the full report.

Imthiyaz Ali
Imthiyaz is an experienced Cybersecurity Professional with over 5 years of experience in Cybersecurity Research.