CTM360 reports that more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs are being used in an active malware campaign targeting global organizations.
The attackers abuse Google’s trusted ecosystem to distribute credential-stealing malware and establish persistent access on compromised devices.
The activity is global, with attackers embedding organization names and industry-relevant keywords into posts to increase credibility and drive downloads.
Read the full report here: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer
How the campaign works
The attack chain begins with social engineering inside Google Groups. Threat actors infiltrate industry-related forums and post technical discussions that appear legitimate, covering topics such as network issues, authentication errors, or software configurations
Within these threads, attackers embed download links disguised as: “Download {Organization_Name} for Windows 10”
To evade detection, they use URL shorteners or Google-hosted redirectors via Docs and Drive. The redirector is designed to detect the victim’s operating system and deliver different payloads depending on whether the target is using Windows or Linux
Windows Infection Flow: Lumma Info-Stealer
... continue reading