Google Groups and Google-hosted URL malware campaign targeting global organizations
Campaign
Summary
An active Google Groups malware campaign is abusing Google-hosted URLs to target global organizations and increase trust-based delivery success. Attackers seed legitimate-looking technical posts, hide download links inside discussion threads, and use redirect chains to steer victims toward malicious payloads. The operation is delivering Lumma Info-Stealer on Windows and a trojanized Ninja Browser on Linux, creating risk of credential theft and persistent compromise.
Related Happenings
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
GitHub fake VS Code alert spam campaign
Campaign
First: 27.03.2026 18:51
Last: 27.03.2026 18:51
Sources 1
About this happening:
A coordinated **GitHub Discussions** spam campaign is posting fake **Visual Studio Code** security alerts to lure developers into **malware downloads**, reaching **thousands of re...
VoidStealer debugger-based ABE-bypass infostealer
Malware Activity
First: 22.03.2026 16:32
Last: 22.03.2026 16:32
Sources 1
About this happening:
**VoidStealer** now uses a **debugger-based ABE bypass** to steal **Chrome** master keys, increasing the risk of browser credential and sensitive-data theft. The infostealer can e...
ShieldGuard browser-extension data-harvesting malware
Malware Activity
First: 18.03.2026 16:15
Last: 18.03.2026 16:15
Sources 1
About this happening:
A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...
Timeline
15.02.2026 18:30 2 articles · 3mo ago
Weaponized Google services malware campaign
Initial Disclosure: An active global campaign abuses Google Groups and Google-hosted URLs to deliver Lumma Info-Stealer on Windows and a trojanized Ninja Browser on Linux, using credible-looking technical posts, organization names, industry keywords, URL shorteners, and Google Docs and Drive redirectors to increase trust and drive downloads.
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30