Lumma Stealer and trojanized Ninja Browser malware activity
Malware Activity
Summary
Lumma Stealer and Ninja Browser malware activity was identified in February 2026, creating a cross-platform risk to Windows and Linux browser sessions. The Windows branch uses a padded archive and an AutoIt execution chain to deliver credential theft and session-cookie harvesting. The Linux branch pushes a trojanized browser that silently installs malicious extensions and persistence mechanisms. The combined operation matters because it enables credential theft, browser-session abuse, and durable access across multiple endpoint environments.
Related Happenings
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
VoidStealer debugger-based ABE-bypass infostealer
Malware Activity
First: 22.03.2026 16:32
Last: 22.03.2026 16:32
Sources 1
About this happening:
**VoidStealer** now uses a **debugger-based ABE bypass** to steal **Chrome** master keys, increasing the risk of browser credential and sensitive-data theft. The infostealer can e...
ShieldGuard browser-extension data-harvesting malware
Malware Activity
First: 18.03.2026 16:15
Last: 18.03.2026 16:15
Sources 1
About this happening:
A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...
MacSync macOS infostealer with dynamic AppleScript and in-memory execution
Malware Activity
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...
Latest development: 10.05.2026 20:52
A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.
Timeline
- 15.02.2026 18:30 · 2 articles
Active Google Groups malware campaign against global organizations
Initial Disclosure: An active global malware campaign abused Google Groups and Google-hosted URLs to distribute Lumma Info-Stealer on Windows and a trojanized Ninja Browser on Linux. Attackers seeded technical discussion posts with organization names and industry keywords, used URL shorteners and Google Docs/Drive redirectors, and tied the activity to more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs.
Sources:
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30