Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
A malicious campaign exploiting Google Groups to distribute Lumma Stealer and Ninja Browser malware has been uncovered. The attackers infiltrate industry-related forums, posting seemingly legitimate technical discussions with embedded malicious download links. For Windows users, the payload is Lumma Stealer, a credential-harvesting malware. Linux users are directed to download a trojanized Chromium-based browser called Ninja Browser, which installs malicious extensions and persistence mechanisms. The campaign utilizes Google's trusted ecosystem to bypass security measures and increase user confidence. Over 4,000 malicious Google Groups and 3,500 Google-hosted URLs have been identified in this global operation, posing significant risks to organizations including credential theft, account takeover, and remote command execution.
AI Analysis
Technical Summary
This campaign exploits Google Groups, a widely trusted collaboration platform, to distribute two distinct malware payloads targeting Windows and Linux users. The attackers infiltrate industry-specific forums within Google Groups, posting technical discussions that appear legitimate but contain embedded links to malicious downloads hosted on Google infrastructure and attacker-controlled domains. For Windows systems, the payload is Lumma Stealer, a sophisticated credential-stealing malware designed to harvest saved passwords, cookies, and other sensitive authentication data. For Linux systems, the attackers distribute a trojanized Chromium-based browser named Ninja Browser. This malicious browser installs harmful extensions and persistence mechanisms, enabling long-term access and control over the infected system. The campaign uses social engineering to exploit user trust in Google’s ecosystem, effectively bypassing many traditional security controls that rely on domain reputation and URL filtering. The operation is extensive, involving over 4,000 malicious Google Groups and 3,500 Google-hosted URLs, indicating a large-scale, coordinated effort. The malware’s capabilities include credential theft, which can lead to account takeover, and remote command execution, allowing attackers to execute arbitrary commands on compromised hosts. Indicators of compromise include specific IP addresses (152.42.139.18, 89.111.170.100) and domains (healgeni.live, nb-download.com, nbdownload.space, ninja-browser.com) associated with the campaign. 
The campaign’s tactics align with MITRE ATT&CK techniques such as T1543 (Create or Modify System Process), T1539 (Steal Web Session Cookie), T1547 (Boot or Logon Autostart Execution), T1071 (Application Layer Protocol), T1176 (Browser Extensions), T1555 (Credentials from Password Stores), T1059 (Command and Scripting Interpreter), T1204 (User Execution), T1566 (Phishing), T1027 (Obfuscated Files or Information), T1573 (Encrypted Channel), and T1056 (Input Capture). No known exploits in the wild or specific CVEs are associated with this campaign yet.
Potential Impact
European organizations face significant risks from this campaign due to the widespread use of Google Groups for professional collaboration and information sharing. Credential theft can lead to unauthorized access to corporate networks, cloud services, and sensitive data, resulting in data breaches and financial losses. The trojanized Ninja Browser on Linux systems threatens the integrity and availability of critical infrastructure and development environments, especially in sectors relying on Linux-based systems. The use of Google’s trusted platform increases the likelihood of successful social engineering, potentially bypassing perimeter defenses and endpoint protections. Remote command execution capabilities enable attackers to deploy additional malware, move laterally within networks, and exfiltrate data. The campaign’s scale and stealthy distribution method could lead to prolonged undetected compromises, increasing remediation costs and reputational damage. Organizations in sectors such as finance, technology, manufacturing, and government are particularly at risk due to their reliance on Google services and the value of their credentials and intellectual property.
Mitigation Recommendations
1. Implement strict monitoring and filtering of Google Groups traffic and URLs, including blocking or flagging downloads from suspicious or newly registered domains linked to the campaign.
2. Educate employees and users about the risks of downloading software from unverified sources, emphasizing caution with links in forums and collaboration platforms, even if hosted on trusted domains.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting credential-stealing behaviors and persistence mechanisms typical of Lumma Stealer and trojanized browsers.
4. Enforce multi-factor authentication (MFA) across all critical systems and cloud services to mitigate the impact of credential theft.
5. Regularly audit and restrict browser extensions, especially on Linux systems, to prevent unauthorized installation of malicious add-ons.
6. Use application whitelisting to prevent execution of unauthorized software, including trojanized browsers.
7. Conduct threat hunting exercises focusing on indicators of compromise such as the identified IP addresses and domains.
8. Collaborate with Google to report malicious groups and URLs for takedown and enhanced detection.
9. Maintain up-to-date threat intelligence feeds and integrate them into security information and event management (SIEM) systems for proactive alerting.
10. Harden Linux environments by limiting user privileges and monitoring for unusual process creations or network connections.
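As an added illustration of recommendations 7 and 9 (example code written here, not from the advisory or its sources), the matcher below checks constructed proxy/DNS log lines against the IP and domain indicators listed on this page. It matches subdomains only on label boundaries, so a look-alike such as notninja-browser.com is not flagged while cdn.nb-download.com is; the log format and hostnames are assumptions.

```python
from urllib.parse import urlsplit

# Indicators of compromise as published on this page.
IOC_IPS = {"152.42.139.18", "89.111.170.100"}
IOC_DOMAINS = {"healgeni.live", "nb-download.com", "nbdownload.space", "ninja-browser.com"}

# Constructed sample log lines (not real telemetry). Fields: timestamp client action target
SAMPLE_LOGS = [
    "2026-02-16T10:01:02Z 10.0.0.5 DNS healgeni.live",
    "2026-02-16T10:01:03Z 10.0.0.5 HTTP https://cdn.nb-download.com/NinjaBrowser.deb",
    "2026-02-16T10:02:10Z 10.0.0.7 CONNECT 152.42.139.18:443",
    "2026-02-16T10:03:00Z 10.0.0.8 HTTP https://groups.google.com/g/example-forum",
    "2026-02-16T10:04:00Z 10.0.0.9 DNS notninja-browser.com",
]


def match_domain(host, ioc_domains=IOC_DOMAINS):
    """Return the IoC domain that host equals or is a subdomain of, else None.

    Comparison is case-insensitive, strips a trailing dot from FQDNs, and only
    matches on a label boundary ("." + ioc) so look-alike names do not match.
    """
    host = host.lower().rstrip(".")
    for ioc in ioc_domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def extract_host(target):
    """Pull the hostname or IP out of a URL, a host:port pair, or a bare host."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    # host:port (single colon); IPv6 literals with many colons are left untouched
    return target.rsplit(":", 1)[0] if target.count(":") == 1 else target


def scan_logs(lines, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Return (client, observed_host, matched_ioc) for every line hitting an IoC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the hunt
        _ts, client, _action, target = parts[:4]
        host = extract_host(target)
        if host in ioc_ips:
            hits.append((client, host, host))
        else:
            matched = match_domain(host, ioc_domains)
            if matched:
                hits.append((client, host, matched))
    return hits
```

Feed real proxy or DNS exports through `scan_logs` in place of `SAMPLE_LOGS`; each hit identifies the internal client that should be triaged.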
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Indicators of Compromise
- ip: 152.42.139.18
- ip: 89.111.170.100
- domain: healgeni.live
- domain: nb-download.com
- domain: nbdownload.space
- domain: ninja-browser.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.bleepingcomputer.com/news/security/ctm360-lumma-stealer-and-ninja-browser-malware-campaign-abusing-google-groups/ ; https://www.ctm360.com/reports/ninja-browser-lumma-infostealer
- Adversary: null
- Pulse Id: 6992f518e91138231dcf4d24
- Threat Score: null
Threat ID: 6992f9abbda29fb02f68dd2f
Added to database: 2/16/2026, 11:04:11 AM
Last enriched: 2/16/2026, 11:18:32 AM
Last updated: 2/20/2026, 10:00:11 PM