Threat Actor Profile
High APT
Description

LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors. (Citation: BBC LAPSUS Apr 2022) (Citation: MSTIC DEV-0537 Mar 2022) (Citation: UNIT 42 LAPSUS Mar 2022)

Confidence Score
100%
Known Aliases
DEV-0537 LAPSUS$ Strawberry Tempest
Tags
intrusion-set mitre-attack ransomware ransomware.live stix-2.1
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (43)
T1005 - Data from Local System (Collection)
T1114.003 - Email Forwarding Rule (Collection)
T1213.001 - Confluence (Collection)
T1213.002 - Sharepoint (Collection)
T1213.003 - Code Repositories (Collection)
T1213.005 - Messaging Applications (Collection)
T1090 - Proxy (Command and Control)
T1003.003 - NTDS (Credential Access)
T1003.006 - DCSync (Credential Access)
T1111 - Multi-Factor Authentication Interception (Credential Access)
T1552.008 - Chat Messages (Credential Access)
T1555.003 - Credentials from Web Browsers (Credential Access)
T1555.005 - Password Managers (Credential Access)
T1621 - Multi-Factor Authentication Request Gen… (Credential Access)
T1078 - Valid Accounts (Defense Evasion)
T1078.004 - Cloud Accounts (Defense Evasion)
T1578.002 - Create Cloud Instance (Defense Evasion)
T1578.003 - Delete Cloud Instance (Defense Evasion)
T1656 - Impersonation (Defense Evasion)
T1069.002 - Domain Groups (Discovery)
T1087.002 - Domain Account (Discovery)
T1204 - User Execution (Execution)
T1485 - Data Destruction (Impact)
T1489 - Service Stop (Impact)
T1531 - Account Access Removal (Impact)
T1199 - Trusted Relationship (Initial Access)
T1098.003 - Additional Cloud Roles (Persistence)
T1133 - External Remote Services (Persistence)
T1136.003 - Cloud Account (Persistence)
T1068 - Exploitation for Privilege Escalation (Privilege Escalation)
T1589 - Gather Victim Identity Information (Reconnaissance)
T1589.001 - Credentials (Reconnaissance)
T1589.002 - Email Addresses (Reconnaissance)
T1591.002 - Business Relationships (Reconnaissance)
T1591.004 - Identify Roles (Reconnaissance)
T1593.003 - Code Repositories (Reconnaissance)
T1597.002 - Purchase Technical Data (Reconnaissance)
T1598.004 - Spearphishing Voice (Reconnaissance)
T1583.003 - Virtual Private Server (Resource Development)
T1584.002 - DNS Server (Resource Development)
T1586.002 - Email Accounts (Resource Development)
T1588.001 - Malware (Resource Development)
T1588.002 - Tool (Resource Development)
STIX Data
[{'aliases': ['LAPSUS$', 'DEV-0537', 'Strawberry Tempest'],
  'created': '2022-06-09T19:14:31.327Z',
  'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
  'description': '[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber '
                 'criminal threat group that has been active since at least '
                 'mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) '
                 'specializes in large-scale social engineering and extortion '
                 'operations, including destructive attacks without the use of '
                 'ransomware. The group has targeted organizations globally, '
                 'including in the government, manufacturing, higher '
                 'education, energy, healthcare, technology, '
                 'telecommunications, and media sectors.(Citation: BBC LAPSUS '
                 'Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT '
                 '42 LAPSUS Mar 2022)',
  'external_references': [{'external_id': 'G1004',
                           'source_name': 'mitre-attack',
                           'url': 'https://attack.mitre.org/groups/G1004'},
                          {'description': '(Citation: Microsoft Threat Actor '
                                          'Naming July 2023)',
                           'source_name': 'Strawberry Tempest'},
                          {'description': '(Citation: MSTIC DEV-0537 Mar 2022)',
                           'source_name': 'DEV-0537'},
                          {'description': 'BBC. (2022, April 1). LAPSUS: Two '
                                          'UK Teenagers Charged with Hacking '
                                          'for Gang. Retrieved June 9, 2022.',
                           'source_name': 'BBC LAPSUS Apr 2022',
                           'url': 'https://www.bbc.com/news/technology-60953527'},
                          {'description': 'Microsoft . (2023, July 12). How '
                                          'Microsoft names threat actors. '
                                          'Retrieved November 17, 2023.',
                           'source_name': 'Microsoft Threat Actor Naming July '
                                          '2023',
                           'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                          {'description': 'MSTIC, DART, M365 Defender. (2022, '
                                          'March 24). DEV-0537 Criminal Actor '
                                          'Targeting Organizations for Data '
                                          'Exfiltration and Destruction. '
                                          'Retrieved May 17, 2022.',
                           'source_name': 'MSTIC DEV-0537 Mar 2022',
                           'url': 'https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/'},
                          {'description': 'UNIT 42. (2022, March 24). Threat '
                                          'Brief: Lapsus$ Group. Retrieved May '
                                          '17, 2022.',
                           'source_name': 'UNIT 42 LAPSUS Mar 2022',
                           'url': 'https://unit42.paloaltonetworks.com/lapsus-group/'}],
  'id': 'intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7',
  'modified': '2025-04-21T19:40:47.538Z',
  'name': 'LAPSUS$',
  'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
  'revoked': False,
  'spec_version': '2.1',
  'type': 'intrusion-set',
  'x_mitre_attack_spec_version': '3.2.0',
  'x_mitre_contributors': ['David Hughes, BT Security',
                           'Matt Brenton, Zurich Insurance Group',
                           'Flávio Costa, @Segurança Descomplicada',
                           'Caio Silva'],
  'x_mitre_deprecated': False,
  'x_mitre_domains': ['enterprise-attack', 'mobile-attack'],
  'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
  'x_mitre_version': '2.1'},
 {'added_date': '2026-03-01',
  'client': '2003264@sit.singaporetech.edu.sg',
  'description': None,
  'firstseen': '2021-12-10T00:00:00+00:00',
  'group': 'lapsus$',
  'has_negotiations': False,
  'has_ransomnote': False,
  'lastseen': '2026-04-24T00:00:00+00:00',
  'locations': [{'available': False,
                 'fqdn': 'lapsus.cz',
                 'slug': 'https://lapsus.cz/',
                 'title': 'Origin DNS error | lapsus.cz | Cloudflare',
                 'type': 'DLS'},
                {'available': True,
                 'fqdn': 'lapsus.by',
                 'slug': 'https://lapsus.by',
                 'title': 'LAPSUS$ | DATA REPOSITORY',
                 'type': 'DLS'}],
  'negotiation_count': 0,
  'ransomnotes_count': 0,
  'tiaras_metadata': {'has_negotiations': False,
                      'has_ransomnote': False,
                      'locations': [{'available': False,
                                     'fqdn': 'lapsus.cz',
                                     'slug': 'https://lapsus.cz/',
                                     'title': 'Origin DNS error | lapsus.cz | '
                                              'Cloudflare',
                                     'type': 'DLS'},
                                    {'available': True,
                                     'fqdn': 'lapsus.by',
                                     'slug': 'https://lapsus.by',
                                     'title': 'LAPSUS$ | DATA REPOSITORY',
                                     'type': 'DLS'}],
                      'negotiation_count': 0,
                      'ransomnotes_count': 0,
                      'ransomware_live_group': 'lapsus$',
                      'tools': {'CredentialTheft': ['Mimikatz'],
                                'DefenseEvasion': [],
                                'DiscoveryEnum': ['ADExplorer'],
                                'Exfiltration': [],
                                'LOLBAS': ['NTDS Utility (ntdsutil)'],
                                'Networking': [],
                                'Offsec': [],
                                'RMM-Tools': ['AnyDesk']},
                      'url': 'https://www.ransomware.live/group/lapsus$',
                      'victims': 18,
                      'vulnerabilities': []},
  'tiaras_source': 'ransomware.live',
  'tools': {'CredentialTheft': ['Mimikatz'],
            'DefenseEvasion': [],
            'DiscoveryEnum': ['ADExplorer'],
            'Exfiltration': [],
            'LOLBAS': ['NTDS Utility (ntdsutil)'],
            'Networking': [],
            'Offsec': [],
            'RMM-Tools': ['AnyDesk']},
  'ttps': [],
  'url': 'https://www.ransomware.live/group/lapsus$',
  'victims': 18,
  'vulnerabilities': []}]