CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups

By @BleepinComputer
Publication Date: 2026-02-15 11:30:00

CTM360 reports that more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs are being used in an active malware campaign targeting global organizations.

The attackers abuse Google’s trusted ecosystem to distribute credential-stealing malware and establish persistent access on compromised devices.

The activity is global, with attackers embedding organization names and industry-relevant keywords into posts to increase credibility and drive downloads.

Read the full report here: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer

How the campaign works

The attack chain begins with social engineering inside Google Groups. Threat actors infiltrate industry-related forums and post technical discussions that appear legitimate, covering topics such as network issues, authentication errors, or software configurations.

Within these threads, attackers embed download links disguised as: “Download {Organization_Name} for Windows 10”

To evade detection,…