Ninja Browser & Lumma Infostealer


Overview
CTM360 has identified a large-scale malware campaign exploiting trusted Google services — including Google Groups, Google Docs, and Google Drive — to distribute Lumma Stealer and a trojanized Chromium-based “Ninja Browser.” The operation leverages more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs to embed deceptive download links within legitimate-looking discussions, targeting organizations worldwide.
The campaign dynamically redirects victims based on operating system, delivering an oversized, obfuscated Lumma payload to Windows users and a persistence-enabled malicious browser to Linux systems. By abusing the inherent trust of Google-hosted platforms, attackers bypass conventional filtering mechanisms and increase the likelihood of successful compromise.
This report provides a full technical breakdown of the infection chain, infrastructure, indicators of compromise (IoCs), and risk implications for enterprises.



