Lumma Stealer and trojanized Ninja Browser malware activity
Malware Activity
Summary
Hide ▲
Show ▼
A Lumma Stealer and Ninja Browser malware activity was identified in February 2026, creating a cross-platform risk to Windows and Linux browser sessions. The Windows branch uses a padded archive and an AutoIt execution chain to deliver credential theft and session-cookie harvesting. The Linux branch pushes a trojanized browser that silently installs malicious extensions and persistence mechanisms. The combined operation matters because it enables credential theft, browser-session abuse, and durable access across multiple endpoint environments.
Related Happenings
Chrome extension PUP distribution network with fake organic traffic
Malware Activity
H score18
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Chrome extension PUP distribution network with fake organic traffic
Malware ActivityAbout this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
FROST browser SSD timing side channel via OPFS
Technical Analysis
H score16
First: 09.06.2026 12:50
Last: 09.06.2026 12:50
Sources 1
About this happening:
**FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...
FROST browser SSD timing side channel via OPFS
Technical AnalysisAbout this happening: **FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...
Openew[.]app cloaked malware download portal
Malware Activity
H score26
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
About this happening:
The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...
Openew[.]app cloaked malware download portal
Malware ActivityAbout this happening: The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
H score11
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
H score11
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/ServiceAbout this happening: Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Timeline
-
15.02.2026 18:30 2 articles · 4mo ago
Active Google Groups malware campaign against global organizations
Initial DisclosureAn active global malware campaign abused Google Groups and Google-hosted URLs to distribute Lumma Info-Stealer on Windows and a trojanized Ninja Browser on Linux. Attackers seeded technical discussion posts with organization names and industry keywords, used URL shorteners and Google Docs/Drive redirectors, and tied the activity to more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs.
Show sources
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30
- CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups — www.bleepingcomputer.com — 15.02.2026 18:30