Lumma Stealer and Ninja Browser malware marketing campaign abusing Google Teams

CTM360 studies that greater than 4,000 malicious Google Teams and three,500 Google-hosted URLs are being utilized in an energetic malware marketing campaign concentrating on international organizations.

The attackers abuse Google’s trusted ecosystem to distribute credential-stealing malware and set up persistent entry on compromised gadgets.

The exercise is international, with attackers embedding group names and industry-relevant key phrases into posts to extend credibility and drive downloads.

Learn the complete report right here:

How the marketing campaign works

The assault chain begins with social engineering inside Google Teams. Risk actors infiltrate industry-related boards and publish technical discussions that seem professional, overlaying subjects resembling community points, authentication errors, or software program configurations

Inside these threads, attackers embed obtain hyperlinks disguised as: “Download {Organization_Name} for Windows 10”

To evade detection, they use URL shorteners or Google-hosted redirectors by way of Docs and Drive. The redirector is designed to detect the sufferer’s working system and ship totally different payloads relying on whether or not the goal is utilizing Home windows or Linux

 

Home windows An infection Circulation: Lumma Information-Stealer

For Home windows customers, the marketing campaign delivers a password-protected compressed archive hosted on a malicious file-sharing infrastructure

Outsized archive to evade detection

The decompressed archive measurement is roughly 950MB, although the precise malicious payload is just round 33MB. CTM360 researchers discovered that the executable was padded with null bytes — a way designed to exceed antivirus file-size scanning thresholds and disrupt static evaluation engines.

AutoIt-based reconstruction

As soon as executed, the malware:

• Reassembles segmented binary recordsdata.

• Launches an AutoIt-compiled executable.

• Decrypts and executes a memory-resident payload.

The conduct matches Lumma Stealer, a commercially bought infostealer regularly utilized in credential-harvesting campaigns

Noticed conduct contains:

• Browser credential exfiltration.

• Session cookie harvesting.

• Shell-based command execution.

• HTTP POST requests to C2 infrastructure (e.g., healgeni[.]dwell).

• Use of multipart/form-data POST requests to masks exfiltrated content material.

CTM360 recognized a number of related IP addresses and SHA-256 hashes linked to the Lumma-stealer payload.

Linux An infection Circulation: Trojanized “Ninja Browser”

Linux customers are redirected to obtain a trojanized Chromium-based browser branded as “Ninja Browser.”

The software program presents itself as a privacy-focused browser with built-in anonymity options.

Nevertheless, CTM360’s evaluation reveals that it silently installs malicious extensions with out consumer consent and implements hidden persistence mechanisms that allow future compromise by the menace actor.

Malicious extension conduct

A built-in extension named “NinjaBrowserMonetisation” was noticed to:

• Observe customers by way of distinctive identifiers

• Inject scripts into net classes

• Load distant content material

• Manipulate browser tabs and cookies

• Retailer knowledge externally

The extension incorporates closely obfuscated JavaScript utilizing XOR and Base56-like encoding

Whereas not instantly activating all embedded domains, the infrastructure suggests future payload deployment functionality.

Silent persistence mechanism

CTM360 additionally recognized scheduled duties configured to:

• Ballot attacker-controlled servers every day

• Silently set up updates with out consumer interplay

• Preserve long-term persistence

Moreover, researchers noticed that the browser defaults to a Russian-based search engine named “X-Finder” and redirects to a different suspicious AI-themed search web page

The infrastructure seems tied to domains resembling:

• ninja-browser[.]com

• nb-download[.]com

• nbdownload[.]area

Marketing campaign Infrastructure & Indicators of Compromise

CTM360 linked the exercise to infrastructure, together with:

IPs:

• 152.42.139[.]18

• 89.111.170[.]100

C2 area:

A number of SHA-256 hashes and domains related to credential harvesting and info-stealer distribution have been recognized and can be found within the report.

Dangers to organizations

Lumma Stealer dangers:

Ninja Browser dangers:

• Silent credential harvesting

• Distant command execution

• Backdoor-like persistence

• Computerized malicious updates with out consumer consent

As a result of the marketing campaign abuses Google-hosted providers, the assault bypasses conventional trust-based filtering mechanisms and will increase consumer confidence in malicious content material.

Defensive suggestions

CTM360 advises organizations to:

• Examine shortened URLs and Google Docs/Drive redirect chains.

• Block the IoCs at firewall and EDR ranges.

• Educate customers towards downloading software program from public boards/sources with out verification.

• Monitor scheduled process creation on endpoints.

• Audit browser extension installations.

The marketing campaign highlights a broader development: attackers are more and more weaponizing trusted SaaS platforms as supply infrastructure to evade detection.

Concerning the Analysis

The findings have been printed in CTM360’s February 2026 menace intelligence report, “Ninja Browser & Lumma Infostealer Delivered via Weaponized Google Services”

CTM360 continues to observe this exercise and monitor associated infrastructure.

Learn the complete report right here:

Detect Cyber Threats 24/7 with CTM360

Monitor, analyze, and promptly mitigate dangers throughout your exterior digital panorama with the CTM360.

Be part of our Group Version

Sponsored and written by CTM360.