UCC-CERT-SA-26-001: Global Malware Campaign Abusing Google Services to Deliver Lumma Stealer & Trojanized Ninja Browser

Risk: High

UgCERT issues this high‑severity advisory to alert stakeholders to a global malware campaign abusing Google services to deliver Lumma Stealer and a trojanized Ninja Browser, with threat activity possibly affecting systems in Uganda.

Platforms Affected:

Microsoft Windows (Lumma Stealer malware)
Linux (Trojanized “Ninja Browser”)

Summary

There is a global malware campaign abusing Google Groups, Google Docs, and Google Drive to distribute two major threats:

  1. Lumma Stealer (Windows) – a credential‑harvesting malware delivered through oversized, obfuscated archives.
  2. Trojanized “Ninja Browser” (Linux) – a malicious Chromium-based browser with stealthy persistence mechanisms and data‑harvesting extensions.

Attackers infiltrate Google Groups, posting technical discussions that appear legitimate, then embed deceptive links leading to OS‑specific payloads. Over 4,000 malicious Google Groups and 3,500+ Google‑hosted URLs have been weaponized for this purpose.

Description & Consequences:

Threat actors embed malicious links within seemingly legitimate Google Groups threads discussing network or authentication problems. These links use Google Docs/Drive redirectors and URL shorteners to evade detection and deliver different payloads depending on the victim’s operating system.
Windows Infection Flow – Lumma Stealer: Windows users receive a password‑protected archive hosted on attacker‑controlled services. The archive expands to ≈950 MB, masking a 33 MB malicious executable padded with null bytes to bypass antivirus size thresholds. An AutoIt-based loader then reconstructs the binaries and executes a memory‑resident payload consistent with Lumma Stealer.

This exposed victims to:

  • Credential theft (browser logins, session cookies)
  • Shell-based remote command execution
  • Exfiltration via HTTP POST to C2 infrastructure, including the use of multipart/form-data to hide stolen data

Linux Infection Flow – Trojanized Ninja Browser: Linux users are redirected to download a malicious browser branded as a privacy tool.

The software:

  • Silently installs malicious extensions
  • Maintains persistence via scheduled tasks contacting attacker servers
  • Manipulates browser tabs, cookies, and sessions
  • Tracks users via unique identifiers and stores data externally
  • Uses heavily obfuscated JavaScript (XOR, Base56-like encoding) in a component named “NinjaBrowserMonetisation”

Consequences:

  • Long‑term compromise of Linux systems
  • Persistent credential and session theft
  • Ongoing exfiltration to malicious domains such as ninja-browser.

Solutions:

Preventive Actions

  • Block all identified IoCs across firewalls, proxies, endpoint protection, and DNS filtering systems.
  • Restrict or monitor access to Google Groups and enforce scrutiny of Google Docs/Drive URLs.
  • Detect and block large, suspicious archives and AutoIt execution behaviors.
  • Deploy EDR capable of identifying unauthorized browser extensions, OS-based redirectors, and memory‑resident payloads.
  • Enforce MFA and tighten credential lifecycle management.
  • Strengthen phishing/social‑engineering awareness, particularly around “download tool” messages in discussion forums.
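The null‑byte padding described above (a 33 MB executable inflated to ≈950 MB to clear antivirus size thresholds) leaves a measurable trace: a very long run of trailing 0x00 bytes relative to real content. The following is an added detection example written for this advisory, not code from UgCERT or CTM360; its size and ratio thresholds are assumed tuning values, and the samples it scans are constructed in a temporary directory.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read backwards from the end of the file in 1 MiB steps

def trailing_null_bytes(path: str) -> int:
    """Count the run of 0x00 bytes at the end of a file, scanning backwards."""
    pos = os.path.getsize(path)
    count = 0
    with open(path, "rb") as f:
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            chunk = f.read(step)
            stripped = chunk.rstrip(b"\x00")
            count += len(chunk) - len(stripped)
            if stripped:  # reached real content, stop scanning
                break
    return count

def padding_verdict(path: str, min_size: int = 50 * 1024 * 1024,
                    min_ratio: float = 0.5) -> tuple:
    """Return (suspicious, ratio) with ratio = trailing nulls / file size.

    Flags files that are both at least min_size bytes and mostly null
    padding; both thresholds are assumed tuning values, not advisory figures.
    """
    size = os.path.getsize(path)
    if size == 0:
        return False, 0.0
    ratio = trailing_null_bytes(path) / size
    return (size >= min_size and ratio >= min_ratio), ratio

def make_sample(path: str, content_size: int, pad_size: int) -> None:
    """Write a constructed sample: fake MZ header + filler + null padding."""
    with open(path, "wb") as f:
        f.write(b"MZ" + b"\x90" * (content_size - 2))
        f.write(b"\x00" * pad_size)

def demo() -> dict:
    """Scan one padded and one unpadded constructed sample; return verdicts."""
    with tempfile.TemporaryDirectory() as d:
        padded, clean = os.path.join(d, "padded.bin"), os.path.join(d, "clean.bin")
        make_sample(padded, 4096, 4096 * 9)  # 10% content, 90% null padding
        make_sample(clean, 4096, 0)
        # min_size lowered so the small constructed samples exercise the rule
        return {"padded": padding_verdict(padded, min_size=1024),
                "clean": padding_verdict(clean, min_size=1024)}
```

Run `padding_verdict()` over extracted archive contents at the proxy or on the endpoint; a large file that is mostly trailing nulls warrants quarantine and a look at the content preceding the padding.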

Containment & Recovery

  • Immediately isolate affected endpoints.
  • Remove persistence mechanisms (scheduled tasks, malicious extensions).
  • Reset credentials for all accounts accessed on compromised systems.
  • Review browser profiles for unauthorized extensions or modified settings.
  • Monitor DNS/Proxy/EDR telemetry for reinfection patterns related to known C2 infrastructure.
