CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
Advisory ID: CDB-APEX-1771176226 | Risk Score: 9.3/10
Target Industry: Enterprise Cloud / Financial Services
Primary Malware: Lumma Stealer / Ninja Browser
Attribution Confidence: High (Based on infrastructure overlap and TTP similarity)
1. Infection Chain & Persistence Mechanics
1. INITIAL ACCESS: Victim lured to a malicious Google Group via spear-phishing.
2. REDIRECTION: Traffic routed via a compromised URL (redirector) to the payload host.
3. EXECUTION: Ninja Browser (infostealer) downloaded and executed by the user.
4. PERSISTENCE: Registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
5. EXFILTRATION: Stolen credentials and cookies transmitted to C2 nodes over encrypted HTTPS.
2. Operational Indicators of Compromise (IOCs)
| Type | Indicator | Source Confidence |
|---|---|---|
| IP | No IP indicators extracted | |
| Domain | No domain indicators extracted | |
3. Advanced Detection Engineering
SIGMA RULE (DNS)

```yaml
title: DNS Lookups for Google Groups Lure and Payload Host (CDB-APEX-1771176226)
logsource:
    category: dns
detection:
    selection:
        QuestionName|contains:
            - '.googlegroups.com'
            # Note: a URL path fragment cannot appear in a DNS query name; this
            # value only produces hits in the URL-based KQL query below.
            - '/g/u/'
            - 'malicious-cdn.top'
    condition: selection
level: high
```
KQL QUERY (AZURE SENTINEL)

```kusto
DeviceNetworkEvents
| where RemoteUrl contains "googlegroups.com" or RemoteUrl contains "/g/u/"
| where ActionType == "HttpConnection"
| summarize count() by DeviceName, RemoteUrl, InitiatingProcessFileName
```
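To validate the detection logic before deploying it, the following added example (not code from the CTM360 advisory) applies the Sigma selection to DNS records and the KQL filter to network records over constructed sample telemetry; device names and URLs are placeholders, and the event field names mirror the Defender/Sentinel schema used in the query.

```python
# Added example, not code from the CTM360 advisory: runs the advisory's
# Sigma (DNS) and KQL (network) selection logic over constructed log records.
from collections import Counter

# Indicator strings exactly as listed in the advisory's Sigma rule.
INDICATORS = ['.googlegroups.com', '/g/u/', 'malicious-cdn.top']


def matching_indicators(value: str) -> list[str]:
    """Case-insensitive substring match, like Sigma's |contains modifier."""
    v = value.lower()
    return [i for i in INDICATORS if i in v]


def hunt(events: list[dict]) -> dict:
    """Flag events hitting the indicators and build a KQL-style summary.

    DNS events are matched on QuestionName (the Sigma rule); network events
    are matched on RemoteUrl and only for ActionType == "HttpConnection"
    (the KQL query). A path fragment such as '/g/u/' can never occur in a
    DNS query name, so it only ever fires on the URL field.
    """
    matches = []
    for e in events:
        if e.get('category') == 'dns':
            field = e.get('QuestionName', '')
        elif e.get('ActionType') == 'HttpConnection':
            field = e.get('RemoteUrl', '')
        else:
            continue
        hits = matching_indicators(field)
        if hits:
            matches.append({**e, 'hits': hits})
    # Equivalent of: summarize count() by DeviceName, RemoteUrl, InitiatingProcessFileName
    summary = Counter(
        (m.get('DeviceName'), m.get('RemoteUrl') or m.get('QuestionName'),
         m.get('InitiatingProcessFileName'))
        for m in matches
    )
    return {'matches': matches, 'summary': summary}


# Constructed sample telemetry (device names and URLs are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    {'category': 'dns', 'DeviceName': 'WS01', 'QuestionName': 'groups.googlegroups.com'},
    {'category': 'dns', 'DeviceName': 'WS01', 'QuestionName': 'cdn.malicious-cdn.top'},
    {'category': 'dns', 'DeviceName': 'WS02', 'QuestionName': 'updates.example.org'},
    {'category': 'network', 'DeviceName': 'WS02', 'ActionType': 'HttpConnection',
     'RemoteUrl': 'https://groups.google.com/g/u/placeholder-group',
     'InitiatingProcessFileName': 'chrome.exe'},
    {'category': 'network', 'DeviceName': 'WS02', 'ActionType': 'ConnectionSuccess',
     'RemoteUrl': 'https://groups.google.com/g/u/placeholder-group',
     'InitiatingProcessFileName': 'chrome.exe'},
]

if __name__ == '__main__':
    for key, n in hunt(SAMPLE_EVENTS)['summary'].items():
        print(n, key)
```

Expect noise from legitimate Google Groups traffic: the `.googlegroups.com` and `/g/u/` indicators flag all group activity, so treat hits as hunting leads to be triaged by initiating process and device rather than as blocking signals.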
4. Recommendations & Strategic Conclusion
The observed activity of UNC-CDB-99 represents a persistent threat to enterprise endpoints. Immediate implementation of the provided DNS-based Sigma rule is recommended to disrupt the infection chain at Phase 2 (redirection). Organizations should pivot from reactive blocklists to proactive hunting within Google Workspace audit logs to identify anomalous group join requests.