Google Groups abused: Lumma Stealer/Ninja Browser campaign
CTM360 warns of a campaign abusing Google Groups to deliver Lumma (Windows) and “Ninja Browser” (Linux). NIS 2-aligned controls, DMARC/SPF/DKIM, and an email security gateway are advised.
Google Groups abused: the “Lumma Stealer / Ninja Browser” campaign flagged by CTM360
Since February 2026, a threat actor has been abusing over 4,000 Google Groups and 3,500 Google‑hosted URLs to deliver the Lumma infostealer (Windows) and a “Ninja Browser” packed with malicious extensions (Linux). Here’s how to reduce your exposure with a hardened email gateway, IOC blocking, and NIS 2‑aligned domain authentication (SPF/DKIM/DMARC). BleepingComputer. (bleepingcomputer.com)
The facts
On February 15, 2026, CTM360 documented an active campaign in which attacker‑controlled accounts post fake “patches” and “installers” in technical Google Groups threads, linking to archives or to the “Ninja Browser.” On Windows, a bloated archive (~950 MB) deploys Lumma Stealer, which exfiltrates credentials and session cookies and so hands the attacker control of the victim’s accounts; on Linux, the browser embeds persistent extensions enabling silent updates and script injection. Published indicators of compromise (IOCs) include domains and IPs such as healgeni[.]live, ninja-browser[.]com, nb-download[.]com, nbdownload[.]space, 152.42.139[.]18 and 89.111.170[.]100, plus specific SHA‑256 hashes. BleepingComputer links to CTM360’s report with the full IOC list. (bleepingcomputer.com)
Why this matters for the EU/EEA and Luxembourg: the lures arrive from a trusted SaaS backbone (Google), so sender‑reputation and domain‑authentication filters see legitimate, correctly authenticated mail, and the campaign lands in business mailboxes that lack URL rewriting/inspection and link isolation. Source. (bleepingcomputer.com)
Applicable legal framework
- Directive (EU) 2022/2555 (NIS 2), Article 21: essential/important entities must implement appropriate “cybersecurity risk‑management measures,” including security policies, incident handling, cyber hygiene, access control, and secure communications. This covers email protection, domain authentication (SPF/DKIM/DMARC), and phishing detection/filtering. Official text: EUR‑Lex. (eur-lex.europa.eu)
- Incident notification in Luxembourg (ILR – law of 5 May 2026): early warning within 24 h after detection, formal notification within 72 h, final report within one month. ILR – NIS 2 notification. (ilr.lu)
- ENISA emphasizes email authentication (DMARC, SPF, DKIM) and secure email gateways to counter spear‑phishing. ENISA – Flash Note. (enisa.europa.eu)
Operational translation: under NIS 2 Art. 21, governance must mandate concrete email controls (domain authentication, advanced filtering, attachment/link sandboxing, SIEM supervision) and be able to detect/notify incidents within ILR timelines. For localized guidance, see our page on NIS 2 in Luxembourg and ILR.
The technical solution to deploy
Topic: Email security gateway + DMARC/SPF/DKIM × phishing and NIS 2.
- What it’s for: prevent domain spoofing, block malicious attachments/URLs, isolate links in a secure browser, detect anomalous behaviors (e.g., mass clicks to short‑lived domains), and provide audit logs for investigation and NIS 2 notification.
- How it works in practice:
- Domain authentication: publish an SPF record covering every legitimate sending source, sign outbound mail with DKIM, and publish DMARC, starting at p=none and moving to p=quarantine then p=reject as the reporting data allows. Enable aggregate (rua) and, where your provider supports them, failure (ruf) reports, and monitor that the From: domain aligns with the SPF or DKIM domain, since DMARC passes only on an aligned identifier.
- Gateway protection: URL inspection (unwrapping Google Docs/Drive redirects and shorteners to their real destination), attachment sandboxing, URL rewriting and link isolation, deceptive‑language detection, IOC‑based blocking (domains/IPs/hashes).
- Complementary controls: MTA‑STS and TLS‑RPT to enforce and report on TLS for inbound mail, BIMI (which itself requires DMARC at p=quarantine or p=reject) for brand display in supporting mail clients, and gateway logs shipped to the SIEM for correlation.
- Frameworks:
- ISO/IEC 27001:2022 Annex A: 8.7 protection against malware, 8.8 management of technical vulnerabilities, 8.15 logging, 8.16 monitoring activities, 8.23 web filtering.
- NIST CSF 2.0 (PR.AA, PR.DS, DE.CM) and CIS Controls v8 (Control 9 Email and Web Browser Protections, Control 10 Malware Defenses, Control 8 Audit Log Management).
Applied to the CTM360 campaign: the gateway flags messages whose links pass through Google redirects to unknown destinations, opens those links in isolation, and blocks or alerts on the published IOCs (healgeni[.]live, ninja-browser[.]com, 152.42.139[.]18, 89.111.170[.]100, …), which should also be imported into detection tooling. One caveat: DMARC protects your own domain from being spoofed, but Google Groups notifications are sent by Google’s infrastructure and pass SPF/DKIM/DMARC legitimately, so your DMARC policy does not stop this lure; URL inspection, IOC blocking and user awareness are the controls that do. Source. (bleepingcomputer.com)
How Luxgap delivers this
- Our managed SOC: we ingest your email gateway and SIEM logs, enrich with threat‑intel feeds (including our daily IOC updates), and raise alerts within minutes on signals such as clicks to freshly created domains, suspicious Google/Drive redirect chains, or IOC matches (e.g., healgeni[.]live). Learn more about our managed SOC and incident detection.
- Our ISO 27001 governance: our Lead Implementers/Auditors define domain authentication policy (SPF/DKIM/DMARC), DMARC report review processes, record‑keeping, and precise mapping to NIS 2 Art. 21 (measures) and ILR timelines (24 h/72 h/1 month).
- Our e‑learning platform: short modules on “spotting Google Docs/Drive lures,” “recognizing oversized archives,” and “verifying domain signatures,” with engagement reporting useful during audits. Explore our security awareness and phishing simulations.
Practically, we proceed in three iterations:
- DNS/MTA technical assessment and DMARC configuration at p=none with rua reporting;
- Gateway deployment/tuning (URL/attachment rules, sandbox, isolation, IOC feeds) + SIEM/SOC integration;
- Gradual move to p=quarantine/p=reject with false‑positive handling and supplier review.
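As an added example for the domain‑authentication step above and the p=none → p=quarantine → p=reject progression, here is a small DMARC evaluator written for this page (it is not code from CTM360, BleepingComputer or any mail vendor). It parses a DMARC TXT record, applies RFC 7489 identifier alignment (strict vs. relaxed) to the SPF and DKIM results, and lists the gaps a maturity programme should close. Every domain and record it uses is constructed; the organizational‑domain helper is deliberately simplified and is labelled as an assumption in the code.

```python
"""DMARC record parsing and identifier alignment, with RFC 7489 semantics.

Added example, not from the CTM360/BleepingComputer report or any vendor tool.
Every domain and record below is constructed for illustration.
"""
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Assumption of this example: the organizational domain is the last two labels.
    Production code must consult the Public Suffix List (example.co.uk has three)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags; v=DMARC1 must come first and p= is mandatory."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= when absent
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


def evaluate(record: str, from_domain: str,
             spf_domain: Optional[str], spf_pass: bool,
             dkim_domain: Optional[str], dkim_pass: bool) -> dict:
    """DMARC passes if at least one authenticated identifier is aligned with RFC5322.From."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {"pass": passed, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "action": "none" if passed else tags["p"], "pct": int(tags["pct"])}


def maturity_findings(record: str) -> list:
    """Gaps a p=none -> p=quarantine -> p=reject programme should close."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, alignment cannot be monitored")
    if tags["p"] != "none" and tags["sp"] == "none":
        findings.append("sp=none: subdomains are left unprotected")
    if int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']}: policy enforced on only part of the mail flow")
    return findings


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; rua=mailto:dmarc@example.lu; adkim=s; aspf=r"
    # Legitimate mail relayed via a bounce subdomain: SPF aligns in relaxed mode.
    print(evaluate(policy, "example.lu", "bounce.example.lu", True, None, False))
    # Spoof: SPF passes for the attacker's own domain, DKIM d= is not strictly aligned.
    print(evaluate(policy, "example.lu", "spoofer.example", True, "mail.example.lu", True))
    print(maturity_findings("v=DMARC1; p=none"))
```

Two points the code makes concrete: a third‑party relay that signs with your DKIM domain (or uses an aligned SPF subdomain) keeps your mail passing under p=reject, which is why the supplier review in the last iteration matters; and a message whose From: is another organisation’s domain (a Google Groups notification, say) is judged against that organisation’s record, so your own policy never sees it.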
Real‑world case in Luxembourg/EU
A regulated financial services firm (NIS 2 essential entity) received “Google Groups – VPN patch” emails with Docs/Drive links. In six weeks:
- SPF/DKIM fixed; DMARC moved from p=none to p=quarantine (week 4), then to p=reject (week 6).
- Hardened email gateway: URL rewriting/inspection, attachment sandboxing, CTM360 IOC domain blocks, logs→SIEM integration.
- Targeted 20‑minute training for at‑risk teams.
Outcome: 94% of attempts stopped at the gateway, no local payload execution, SOC visibility on the residual clicks, and a 24 h ILR early‑warning procedure ready to fire if thresholds were met (in the end no notification was required).
Immediate next steps
- Block the campaign’s public IOCs now: healgeni[.]live, ninja-browser[.]com, nb-download[.]com, nbdownload[.]space, 152.42.139[.]18, 89.111.170[.]100, and import CTM360 hashes into your tools (EDR/IDS/firewall). Source. (bleepingcomputer.com)
- Verify DNS records: SPF listing every legitimate sending source (and staying within the 10‑DNS‑lookup limit, beyond which it evaluates to permerror), DKIM signing active for every sending domain and service, DMARC at p=none with rua (and optionally ruf) reporting, then a dated plan to move to p=quarantine and p=reject.
- Enable on your gateway: URL rewriting/inspection, link isolation, attachment sandboxing, blocking of oversized archives, and detection of Google Docs/Drive redirect chains.
- Stream email gateway logs to the SIEM and define detections: clicks to newly registered or low‑reputation domains, click spikes on a single destination, redirect chains through Google URLs, and AutoIt or LNK attachments.
- Prepare notification: internal procedure aligned to ILR (24 h early warning, 72 h, 1 month), report templates, and up‑to‑date CSIRT/ILR contacts. ILR. (ilr.lu)
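The following detector is an added example written for this page, covering the gateway‑protection bullet, the IOC blocking advised above and the SIEM detections in the next‑steps list; it is not code from CTM360, BleepingComputer or any gateway/SIEM vendor. It refangs the published IOC domains and IPs, unwraps Google “/url?q=” redirects offline to find the real destination, matches hosts (including subdomains) against the IOC list, flags oversized archives and LNK/AutoIt attachments, and runs a simple click‑spike rule. The JSON‑lines log shape, the sample events and the size threshold are constructed; the hash set is intentionally left empty because the page does not reproduce CTM360’s hashes.

```python
"""IOC matching, redirect-chain unwrapping and click-spike detection over
email-gateway logs. Added example, not code from CTM360, BleepingComputer or
any gateway/SIEM vendor. The JSON-lines log shape and the sample events are
constructed; map the fields to your gateway's real schema."""
import json
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Published IOCs circulate defanged ("[.]"); refang once at load time.
DEFANGED_IOCS = ["healgeni[.]live", "ninja-browser[.]com", "nb-download[.]com",
                 "nbdownload[.]space", "152.42.139[.]18", "89.111.170[.]100"]
IOC_HOSTS = {i.replace("[.]", ".").lower() for i in DEFANGED_IOCS}
IOC_HASHES = set()  # populate from CTM360's published SHA-256 list (not reproduced here)

# Redirector hosts and the query parameter that carries the real destination.
# Google's "/url?q=" interstitial is real; extend the table for shorteners you see.
REDIRECTORS = {"www.google.com": "q", "google.com": "q"}
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
OVERSIZED_BYTES = 500 * 1024 * 1024  # example threshold; the campaign archive was ~950 MB


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").rstrip(".")


def unwrap_redirects(url: str, max_hops: int = 5) -> list:
    """Follow redirector query parameters offline (no fetch), returning every hop."""
    chain = [url]
    for _ in range(max_hops):
        p = urlparse(chain[-1])
        param = REDIRECTORS.get(host_of(chain[-1]))
        target = parse_qs(p.query).get(param) if param else None
        if not target:
            break
        chain.append(target[0])  # parse_qs already percent-decodes the value
    return chain


def host_matches_ioc(host: str) -> bool:
    """Exact IOC match or a subdomain of an IOC domain (cdn.nb-download.com -> nb-download.com)."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


def analyse_event(event: dict) -> list:
    """Findings for one gateway event (url_click or attachment)."""
    findings = []
    if event["type"] == "url_click":
        chain = unwrap_redirects(event["url"])
        if len(chain) > 1:
            findings.append(f"redirect chain {host_of(chain[0])} -> {host_of(chain[-1])}")
        hit = next((host_of(h) for h in chain if host_matches_ioc(host_of(h))), None)
        if hit:
            findings.append(f"IOC match: {hit}")
    elif event["type"] == "attachment":
        name = event["filename"].lower()
        if name.endswith(ARCHIVE_EXT) and event["size"] >= OVERSIZED_BYTES:
            findings.append(f"oversized archive: {event['filename']} ({event['size'] // 2**20} MB)")
        if name.endswith((".lnk", ".a3x")):  # LNK and compiled AutoIt, as listed in the next steps
            findings.append(f"suspicious attachment type: {event['filename']}")
        if event.get("sha256", "").lower() in IOC_HASHES:
            findings.append("IOC hash match")
    return findings


def scan_log(lines: list) -> list:
    """One alert per event that raised at least one finding."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        f = analyse_event(ev)
        if f:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "findings": f})
    return alerts


def click_spikes(lines: list, min_users: int = 3) -> dict:
    """Final destination hosts clicked by >= min_users distinct users (a SIEM-style spike rule)."""
    users = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "url_click":
            users[host_of(unwrap_redirects(ev["url"])[-1])].add(ev["user"])
    return {h: len(u) for h, u in users.items() if len(u) >= min_users}


# Constructed sample log (JSON lines); timestamps and users are fictitious.
SAMPLE_LOG = [
    '{"ts":"2026-02-16T09:01:00Z","type":"url_click","user":"alice","url":"https://www.google.com/url?q=https%3A%2F%2Fnb-download.com%2Fvpn-patch.zip"}',
    '{"ts":"2026-02-16T09:02:00Z","type":"url_click","user":"bob","url":"https://groups.google.com/g/example-admins/c/abc123"}',
    '{"ts":"2026-02-16T09:03:00Z","type":"attachment","user":"carol","filename":"VPN-Patch.zip","size":996147200}',
    '{"ts":"2026-02-16T09:04:00Z","type":"url_click","user":"dave","url":"http://152.42.139.18/nb.tar.gz"}',
    '{"ts":"2026-02-16T09:05:00Z","type":"url_click","user":"erin","url":"https://nb-download.com/vpn-patch.zip"}',
    '{"ts":"2026-02-16T09:06:00Z","type":"url_click","user":"frank","url":"https://www.google.com/url?q=https%3A%2F%2Fnb-download.com%2Fpatch2.zip"}',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print("click spikes:", click_spikes(SAMPLE_LOG))
```

The design choice worth noting is that IOC matching runs on every hop of the unwrapped chain, not only on the visible link: a URL that starts at www.google.com passes any reputation check, so a rule keyed on the first hostname would miss it. Suffix matching on IOC domains catches attacker subdomains without also matching look‑alikes such as nb-download.com.example.org.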
Official sources
- News and IOCs: BleepingComputer – Lumma Stealer / Ninja Browser campaign (Feb 15, 2026). (bleepingcomputer.com)
- NIS 2 – security measures (Art. 21): EUR‑Lex – Directive (EU) 2022/2555. (eur-lex.europa.eu)
- Luxembourg – notification timelines: ILR – NIS 2 incident notification. (ilr.lu)
- Anti‑phishing best practice: ENISA – Flash Note (DMARC/SPF/DKIM, email gateways). (enisa.europa.eu)
Luxgap can immediately assist with DMARC/SPF/DKIM audits, hardening your email gateway, SIEM/SOC integration, and ILR notification readiness. Contact us for a 30‑minute briefing via our contact page.