{
	"id": "a6c29514-adcd-4ce6-820f-6da531ae3c46",
	"created_at": "2026-04-06T00:18:02.788259Z",
	"updated_at": "2026-04-10T03:28:46.921524Z",
	"deleted_at": null,
	"sha1_hash": "aeffc0b09ada0828d13998540f4e429f1b311b3f",
	"title": "Lapsus$ Attacks Localiza, Redirects Users to Porn Site",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 282012,
	"plain_text": "Lapsus$ Attacks Localiza, Redirects Users to Porn Site\r\nBy Soumik Ghosh\r\nArchived: 2026-04-05 15:51:35 UTC\r\nBrazilian Car Rental Firm Partially Restores Website • January 11, 2022\r\nSnapshot from Localiza's Facebook page\r\nThe Lapsus$ ransomware group's latest victim is Brazilian car rental firm Localiza.\r\n\"We announce Localiza as a victim, this was one of the largest car rental(s) in Latin America/the world. Now it's a porn site,\" according to a message on the ransomware group's Telegram account, accessed by Information Security Media Group.\r\nAnyone visiting the website of Localiza was redirected to a porn site between 2:30 a.m. and 4:00 a.m. Brazil time on Tuesday. The company appears to have restored user access to localiza.com's home page after 4:00 a.m. Brazil time the same day, although other functionality on the website remains inaccessible, with an error message: \"Inaccessible due to a DNS error.\"\r\nLocaliza, which was reportedly set to acquire the second-largest car rental and leasing company in the market, Unidas, did not respond to ISMG's request for technical details of the cyberattack and ransomware demands.\r\nLast week, the Lapsus$ ransomware group's cyberattack on Portugal-based news publication Expresso and TV channel SIC knocked out the media outlets' websites for more than three days. Expresso and SIC are owned by Impresa Sociedade Gestora de Participacoes Sociais SA, Portugal's largest media conglomerate.\r\nOn Saturday, following the attack, the Lapsus$ group said on its Telegram page: \"News coming soon. Busy Days.\"\r\nThree days later, the group struck Localiza.\r\nSnapshot of the Lapsus$ group's Telegram post, from the group's Telegram account\r\nWith the attack on Localiza, the Lapsus$ ransomware group appears to be on a streak of successfully targeting major Portuguese-speaking companies. Portugal-based Expresso and SIC catered to the Portuguese-speaking populace in Portugal and Brazil.\r\nBased on analysis of the Lapsus$ group's website and Telegram page, the threat actor is financially motivated and does not target a specific sector, Avkash Kathiriya, vice president of research and innovation at cybersecurity firm Cyware, told ISMG in the aftermath of the ransomware attack against Expresso and SIC.\r\nThe Lapsus$ group was a fairly unknown bad actor until recently; its attack streak started in December 2021, when it targeted Brazil's Ministry of Health and stole close to 50 TB of data, according to Kathiriya.\r\nIt next hit Claro, a telecom company based in Brazil, and stole 10,000 TB of data, Kathiriya tells ISMG.\r\nLocaliza Incident Likely a DNS Attack\r\nWhile the Localiza attack does not appear to be a denial-of-service attack, which typically aims to overwhelm a company's systems and cause them to crash, the rerouting of traffic to PornHub likely indicates a DNS spoofing attack. In the latter type of attack, hackers reroute traffic away from the real DNS servers and redirect it to a \"pirate\" server.\r\nSecurity researcher and threat hunter Marc Reuf tells ISMG that although it's difficult to analyze the incident with the information available, he assumes that a break-in on the web server was possible, which would have allowed the attackers to redirect requests to the service.\r\n\"In most cases, such attacks are realized due to weaknesses in web applications. But it may also have been a problem of the web server itself,\" Reuf says.\r\nHow Hackers Carry Out a DNS Attack\r\nJorge Orchilles, chief technology officer at Arlington-based cybersecurity firm SCYTHE and an instructor and author at the SANS Institute, tells ISMG that a domain such as http://localiza.com may be redirected to another site through the DNS.\r\nOrchilles says that a hacker can use a website such as whois.domaintools.com to find out the domain registrar of an organization. In Localiza's case, the domain registrar is Network Solutions.\r\n\"A malicious actor may then gain administrative privileges to the account and make the change there,\" he says.\r\nSource: whois.domaintools\r\nAnother option for hackers would be to make the change in the DNS server themselves. For Localiza, the \"whois lookup\" can tell hackers that there are four DNS servers for localiza.com. It also lists the number of domains under each of these servers, which is indicated in the red box in the above image.\r\nOrchilles says that DNS redirection attacks are not very common. He also says that the Lapsus$ group seems to be focused on ransomware, and this behavior is not consistent with its previous attacks, although the group remains focused on Portuguese-speaking targets.\r\nSource: https://www.databreachtoday.com/lapsus-attacks-localiza-redirects-users-to-porn-site-a-18286",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.databreachtoday.com/lapsus-attacks-localiza-redirects-users-to-porn-site-a-18286"
	],
	"report_names": [
		"lapsus-attacks-localiza-redirects-users-to-porn-site-a-18286"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434682,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aeffc0b09ada0828d13998540f4e429f1b311b3f.pdf",
		"text": "https://archive.orkl.eu/aeffc0b09ada0828d13998540f4e429f1b311b3f.txt",
		"img": "https://archive.orkl.eu/aeffc0b09ada0828d13998540f4e429f1b311b3f.jpg"
	}
}