Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
Essential information
- Published
- 16/02/2026 10:44
- Modified
- 16/02/2026 11:05
- Tags
- 2026-02-16 credential-theft google groups lumma lumma stealer ninja browser social engineering trojanized browser
- Related entities
- 19 observables, 10 techniques (mitre), 2 malware, 23 others
Description
A malicious campaign exploiting Google Groups to distribute Lumma Stealer and Ninja Browser malware has been uncovered. The attackers infiltrate industry-related forums, posting seemingly legitimate technical discussions with embedded malicious download links. For Windows users, the payload is Lumma Stealer, a credential-harvesting malware. Linux users are directed to download a trojanized Chromium-based browser called Ninja Browser, which installs malicious extensions and persistence mechanisms. The campaign utilizes Google's trusted ecosystem to bypass security measures and increase user confidence. Over 4,000 malicious Google Groups and 3,500 Google-hosted URLs have been identified in this global operation, posing significant risks to organizations including credential theft, account takeover, and remote command execution.