CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
1. INTELLIGENCE SNAPSHOT
ACTOR ID: UNC-CDB-99
CONFIDENCE: Low
RISK SCORE: 7.8/10
v8.3 STEALTH AUTHORITY NODE
2. Advanced Campaign Analysis
CDB sensors have identified tactical shifts within this cluster. CTM360 reports 4,000+ malicious Google Groups and 3,500+ Google-hosted URLs being used to distribute the Lumma Stealer infostealer and a trojanized "Ninja Browser." The report details how the attackers abuse trusted Google services, so domain reputation and allowlisting of google.com offer no protection, to steal credentials and maintain persistence across Windows and Linux systems. [...]
Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser, allowing attackers to hijack Bitcoin swap transactions and redirect funds to attacker-controlled wallets. [...]
Threat intelligence observations show that a single threat actor is responsible for most of the active exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-21962 and CVE-2026-24061. [...]
3. Detection Engineering Center
SIGMA
logsource:
  category: dns
detection:
  selection:
    query: []   # empty as published: populate with the malicious hostnames from the CTM360 indicator list; an empty list matches nothing
  condition: selection
KQL (AZURE SENTINEL)
// Empty as published: populate IOC_URLs with the Google-hosted URLs from the CTM360 indicator list.
// Match full URL prefixes, not the bare google.com domain: the campaign abuses a legitimate service,
// so a domain match would flag every Google request in the estate. With an empty list this matches nothing.
let IOC_URLs = dynamic([]);
DeviceNetworkEvents
| where RemoteUrl has_any (IOC_URLs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP
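The query above matches nothing until the indicator list is filled in, and the tempting shortcut of matching on the google.com domain flags every Google request, because the point of the campaign is that the hosting is legitimate. The following Python is an added example, not CTM360's code and not part of the original page: it applies a URL-prefix indicator list to proxy log lines the way the has_any() query does, normalizing only the case-insensitive parts of the URL and refusing to match an indicator that is merely a string prefix of a different group name. The indicator URLs, the log lines and the space-separated log format are all constructed placeholders; the real indicators live in the CTM360 report.

```python
from urllib.parse import urlsplit

# Constructed placeholder indicators (assumption, not from the report): the
# real 3,500+ Google-hosted URLs are in the CTM360 indicator list.
IOC_URL_PREFIXES = [
    "https://groups.google.com/g/example-malicious-group",
    "https://drive.google.com/uc?id=EXAMPLE-FILE-ID",
]

# Constructed proxy log lines (assumption): timestamp user method url status
SAMPLE_LOG = """\
2026-03-01T10:00:01Z alice GET https://groups.google.com/g/example-malicious-group/c/abc123 200
2026-03-01T10:00:02Z alice GET https://groups.google.com/g/legit-kernel-list/c/xyz 200
2026-03-01T10:00:03Z bob GET https://DRIVE.google.com/uc?id=EXAMPLE-FILE-ID&export=download 302
2026-03-01T10:00:04Z bob GET https://mail.google.com/mail/u/0/ 200
2026-03-01T10:00:05Z carol GET https://groups.google.com/g/example-malicious-group-archive/c/q1 200
"""


def normalize_url(url: str) -> str:
    """Lowercase scheme and host (case-insensitive per RFC 3986) but keep the
    path and query untouched: group names and Drive file IDs are case-sensitive."""
    p = urlsplit(url.strip())
    norm = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    if p.query:
        norm += f"?{p.query}"
    return norm


def parse_log(text: str) -> list[dict]:
    """Split the constructed space-separated proxy log into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, status = line.split()
        records.append({"ts": ts, "user": user, "method": method,
                        "url": url, "status": int(status)})
    return records


def is_ioc_hit(url: str, ioc: str) -> bool:
    """True when url is the indicator itself or continues it at a path, query
    or parameter boundary. A bare startswith() would also match
    '.../example-malicious-group-archive', which is a different group."""
    if not url.startswith(ioc):
        return False
    return len(url) == len(ioc) or url[len(ioc)] in "/?&#"


def match_iocs(records: list[dict], ioc_prefixes: list[str]) -> list[dict]:
    """Precise match of request URLs against known malicious Google-hosted URLs.
    Matching the bare domain instead would flag every Google request."""
    normalized_iocs = [normalize_url(i) for i in ioc_prefixes]
    hits = []
    for rec in records:
        url = normalize_url(rec["url"])
        for ioc in normalized_iocs:
            if is_ioc_hit(url, ioc):
                hits.append({**rec, "ioc": ioc})
                break
    return hits


def naive_domain_hits(records: list[dict], domain: str) -> int:
    """What a has_any('google.com')-style query returns on the same log: noise."""
    return sum(1 for rec in records if domain in rec["url"].lower())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in match_iocs(recs, IOC_URL_PREFIXES):
        print(f"ALERT {hit['ts']} {hit['user']} -> {hit['url']} (matches {hit['ioc']})")
    print("naive domain match would flag", naive_domain_hits(recs, "google.com"),
          "of", len(recs), "requests")
```

Run as-is it raises two alerts (alice's visit to the listed group and bob's download of the listed Drive file) while the domain-only check flags all five requests, including a Gmail session and a group whose name merely begins with the listed one. In a SIEM the same boundary rule is what keeps a URL-prefix indicator list from turning into a google.com blocklist.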