Find notable cyber news and cases, enriched with sources, timelines, and signals.

Google Groups and Google-hosted URL malware campaign targeting global organizations

Campaign
First reported
Last updated
Happening score
H score 66
1 unique sources, 1 articles

Summary

Hide ▲

An active Google Groups malware campaign is abusing Google-hosted URLs to target global organizations and increase trust-based delivery success. Attackers seed legitimate-looking technical posts, hide download links inside discussion threads, and use redirect chains to steer victims toward malicious payloads. The operation is delivering Lumma Info-Stealer on Windows and a trojanized Ninja Browser on Linux, creating risk of credential theft and persistent compromise.

Related Happenings

FROST browser SSD timing side channel via OPFS

Technical Analysis
H score16 First: 09.06.2026 12:50 Last: 09.06.2026 12:50 Sources 1

About this happening: **FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...

Openew[.]app cloaked malware download portal

Malware Activity
H score26 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...

LLMShare ChatGPT share-link malware lure campaign

Campaign
H score47 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
H score38 First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
H score11 First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Timeline

  1. 15.02.2026 18:30 2 articles · 4mo ago

    Weaponized Google services malware campaign

    Initial Disclosure

    An active global campaign abuses Google Groups and Google-hosted URLs to deliver Lumma Info-Stealer on Windows and a trojanized Ninja Browser on Linux, using credible-looking technical posts, organization names, industry keywords, URL shorteners, and Google Docs and Drive redirectors to increase trust and drive downloads.

    Show sources