128: Weaponising Trust: Google Groups Abused to Spread Lumma Stealer and Ninja Browser Malware

Recent CTM360 research has uncovered a major cyberattack campaign exploiting Google Groups and other Google-hosted URLs to distribute the Lumma Stealer malware and the compromised “Ninja Browser”. Over 4,000 groups and thousands of trusted cloud domains have been weaponised, making these threats difficult to detect due to inherent trust in widely used SaaS platforms.

Malware payloads, targeting both Windows and Linux, are disguised as legitimate resources. This shift highlights the inadequacy of relying solely on brand recognition or domain whitelisting for security. IT professionals must update operational guidance, encourage user vigilance, and inspect internal SaaS platform traffic; attackers now routinely exploit trusted environments, so scrutiny even of familiar domains is essential to endpoint protection.
