Lumma Stealer and Ninja Browser malware marketing campaign abusing Google Teams

CTM360 studies that greater than 4,000 malicious Google Teams and three,500 Google-hosted URLs are being utilized in an lively malware marketing campaign focusing on world organizations.

The attackers abuse Google’s trusted ecosystem to distribute credential-stealing malware and set up persistent entry on compromised gadgets.

The exercise is world, with attackers embedding group names and industry-relevant key phrases into posts to extend credibility and drive downloads.

Learn the total report right here: https://www.ctm360.com/studies/ninja-browser-lumma-infostealer

How the marketing campaign works

The assault chain begins with social engineering inside Google Teams. Menace actors infiltrate industry-related boards and put up technical discussions that seem official, protecting matters resembling community points, authentication errors, or software program configurations

Inside these threads, attackers embed obtain hyperlinks disguised as: “Obtain {Organization_Name} for Home windows 10”

To evade detection, they use URL shorteners or Google-hosted redirectors through Docs and Drive. The redirector is designed to detect the sufferer’s working system and ship completely different payloads relying on whether or not the goal is utilizing Home windows or Linux
 

Home windows An infection Move: Lumma Information-Stealer

For Home windows customers, the marketing campaign delivers a password-protected compressed archive hosted on a malicious file-sharing infrastructure

Outsized archive to evade detection

The decompressed archive dimension is roughly 950MB, although the precise malicious payload is simply round 33MB. CTM360 researchers discovered that the executable was padded with null bytes — a method designed to exceed antivirus file-size scanning thresholds and disrupt static evaluation engines.

AutoIt-based reconstruction

As soon as executed, the malware:

• Reassembles segmented binary information.

• Launches an AutoIt-compiled executable.

• Decrypts and executes a memory-resident payload.

The conduct matches Lumma Stealer, a commercially bought infostealer steadily utilized in credential-harvesting campaigns

Noticed conduct consists of:

• Browser credential exfiltration.

• Session cookie harvesting.

• Shell-based command execution.

• HTTP POST requests to C2 infrastructure (e.g., healgeni[.]stay).

• Use of multipart/form-data POST requests to masks exfiltrated content material.

CTM360 recognized a number of related IP addresses and SHA-256 hashes linked to the Lumma-stealer payload.

Linux An infection Move: Trojanized “Ninja Browser”

Linux customers are redirected to obtain a trojanized Chromium-based browser branded as “Ninja Browser.”

The software program presents itself as a privacy-focused browser with built-in anonymity options.

Nevertheless, CTM360’s evaluation reveals that it silently installs malicious extensions with out person consent and implements hidden persistence mechanisms that allow future compromise by the risk actor.

Malicious extension conduct

A built-in extension named “NinjaBrowserMonetisation” was noticed to:

• Observe customers through distinctive identifiers

• Inject scripts into internet periods

• Load distant content material

• Manipulate browser tabs and cookies

• Retailer knowledge externally

The extension incorporates closely obfuscated JavaScript utilizing XOR and Base56-like encoding

Whereas not instantly activating all embedded domains, the infrastructure suggests future payload deployment functionality.

Silent persistence mechanism

CTM360 additionally recognized scheduled duties configured to:

• Ballot attacker-controlled servers each day

• Silently set up updates with out person interplay

• Keep long-term persistence

Moreover, researchers noticed that the browser defaults to a Russian-based search engine named “X-Finder” and redirects to a different suspicious AI-themed search web page

The infrastructure seems tied to domains resembling:

• ninja-browser[.]com

• nb-download[.]com

• nbdownload[.]area

Marketing campaign Infrastructure & Indicators of Compromise

CTM360 linked the exercise to infrastructure, together with:

IPs:

• 152.42.139[.]18

• 89.111.170[.]100

C2 area:

A number of SHA-256 hashes and domains related to credential harvesting and info-stealer distribution have been recognized and can be found within the report.

Dangers to organizations

Lumma Stealer dangers:

Ninja Browser dangers:

• Silent credential harvesting

• Distant command execution

• Backdoor-like persistence

• Computerized malicious updates with out person consent

As a result of the marketing campaign abuses Google-hosted companies, the assault bypasses conventional trust-based filtering mechanisms and will increase person confidence in malicious content material.

Defensive suggestions

CTM360 advises organizations to:

• Examine shortened URLs and Google Docs/Drive redirect chains.

• Block the IoCs at firewall and EDR ranges.

• Educate customers in opposition to downloading software program from public boards/sources with out verification.

• Monitor scheduled process creation on endpoints.

• Audit browser extension installations.

The marketing campaign highlights a broader development: attackers are more and more weaponizing trusted SaaS platforms as supply infrastructure to evade detection.

In regards to the Analysis

The findings have been revealed in CTM360’s February 2026 risk intelligence report, “Ninja Browser & Lumma Infostealer Delivered through Weaponized Google Providers”

CTM360 continues to watch this exercise and monitor associated infrastructure.

Learn the total report right here: https://www.ctm360.com/studies/ninja-browser-lumma-infostealer

Detect Cyber Threats 24/7 with CTM360

Monitor, analyze, and promptly mitigate dangers throughout your exterior digital panorama with the CTM360.

Be a part of our Neighborhood Version

Sponsored and written by CTM360.