Clankerusecase
Threat-actor profile

🇧🇷 LAPSUS$

🇧🇷 LAPSUS$ is a tracked threat actor in the Clankerusecase corpus. BR-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 43 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

14 use cases
0 articles
43 techniques
0 IOCs

About this actor (MITRE)

[LAPSUS$](https://attack.mitre.org/groups/G1004) is a cybercriminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors. (Sources: BBC LAPSUS Apr 2022; MSTIC DEV-0537 Mar 2022; UNIT 42 LAPSUS Mar 2022)

Known aliases

LAPSUS$, DEV-0537, Strawberry Tempest

Top techniques

All other tracked techniques

Detection use cases (14)

1. LAPSUS$/DEV-0537 MFA fatigue ('push bombing') culminating in successful Entra ID sign-in [AI · profile S]
2. LAPSUS$ post-takeover Global Administrator / privileged role self-elevation [AI · profile SΣ]
3. 1Password impossible-travel sign-in [MITRE match]
4. Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) [MITRE match]
5. Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN [MITRE match]
6. Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request [MITRE match]
7. Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution [MITRE match]
8. Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain [MITRE match]
9. Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition [MITRE match]
10. Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes [MITRE match]
11. npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules [MITRE match]
12. Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access [MITRE match]
13. Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) [MITRE match]
14. Public-Facing App Runtime Spawns Shell, LOLBin, or Container-Control Tool [MITRE match]