Weaponising Trust: Google Groups Abused to Spread Lumma Stealer and Ninja Browser Malware

A particular breed of cyberattack has emerged that leverages the very tools organisations already trust. Recent research by CTM360 highlights a campaign in which attackers weaponise over 4,000 Google Groups and thousands of Google-hosted URLs to distribute Lumma Stealer malware and the compromised “Ninja Browser”.

This approach is especially concerning for IT professionals, as it targets the platforms deeply embedded in day-to-day workflows. The inherent trust in services like Google’s can create a blind spot, with users and even network administrators less likely to suspect malicious activity occurring within these familiar environments.

CTM360’s findings reveal that cybercriminals are sharing malware-laden files and URLs under the guise of legitimate resources through Google Groups. They also host dangerous downloads—such as browser installers and data stealers—on trusted domains, undermining traditional security measures and making detection more difficult.

Unlike earlier threats that tended to single out specific operating systems, this campaign casts a wider net, with payloads crafted for both Windows and Linux. The increasing reliance on cloud platforms compounds the risk, as threat actors exploit the global reach and credibility of leading SaaS providers for greater impact.

Given these developments, it is clear that relying solely on brand recognition or domain whitelisting is inadequate. Protecting endpoints demands inspection of traffic within SaaS platforms, not just external content. Security education should be updated to reflect the reality that attackers will target and exploit trusted sources; user guidance and operational runbooks must emphasise scrutiny, even when dealing with resources appearing to come from safe domains.
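The gap between a domain allowlist and content inspection, as an added example that is not from CTM360 or the original story: it scans proxy log lines and reports requests a domain-only allowlist would pass but that deliver an executable or archive. The log format, hosts, paths and the allowlist entry are constructed assumptions.

```python
import csv
import io
from pathlib import PurePosixPath
from urllib.parse import urlparse

TRUSTED_SUFFIXES = ("google.com",)  # assumed allowlist entry
# Windows and Linux installer/archive types worth inspecting on any host.
RISKY_EXT = {".exe", ".msi", ".zip", ".7z", ".sh", ".deb", ".rpm", ".gz", ".appimage"}
RISKY_TYPES = {"application/x-msdownload", "application/x-executable",
               "application/zip", "application/gzip", "application/x-sh",
               "application/octet-stream"}

# Constructed proxy log, not campaign data: time,user,url,content_type,bytes
SAMPLE_LOG = """\
2025-01-01T09:00:01Z,alice,https://groups.google.com/g/constructed-group/c/constructed-thread,text/html,48211
2025-01-01T09:00:09Z,alice,https://constructed-host.google.com/download?id=PLACEHOLDER,application/x-msdownload,7340032
2025-01-01T09:03:12Z,bob,https://constructed-host.google.com/files/setup.tar.gz,application/gzip,9120044
2025-01-01T09:05:00Z,carol,https://downloads.example.net/tool.exe,application/octet-stream,220311
"""

def allowlisted(host):
    """Domain-only policy: trust the host if it sits under a trusted suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def download_reason(url, content_type):
    """Content-aware check: why this response looks like a binary download."""
    ext = PurePosixPath(urlparse(url).path).suffix.lower()
    ctype = content_type.split(";")[0].strip().lower()
    if ext in RISKY_EXT:
        return f"extension {ext}"
    if ctype in RISKY_TYPES:
        return f"content-type {ctype}"
    return None

def blind_spot(log_text):
    """Requests the allowlist passes that content inspection would still flag."""
    hits = []
    for _ts, user, url, ctype, _size in csv.reader(io.StringIO(log_text)):
        reason = download_reason(url, ctype)
        if reason and allowlisted(urlparse(url).hostname or ""):
            hits.append((user, url, reason))
    return hits

if __name__ == "__main__":
    for user, url, reason in blind_spot(SAMPLE_LOG):
        print(f"REVIEW {user} {url} ({reason})")
```

The request to the non-allowlisted host is absent from the output because the domain policy already blocks it; the two reported rows are the ones only content inspection sees.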

Vigilance remains crucial: trust familiar platforms, but verify them thoroughly.

_Original story: https://www.bleepingcomputer.com/news/security/ctm360-lumma-stealer-and-ninja-browser-malware-campaign-abusing-google-groups/_