{
	"id": "6db13f98-96ea-4f2b-ac79-82209c61efb7",
	"created_at": "2026-04-06T00:21:48.623944Z",
	"updated_at": "2026-04-10T13:13:05.764907Z",
	"deleted_at": null,
	"sha1_hash": "b15e090a0455e43398c357654de08d5e49b464d9",
	"title": "Lapsus$ Ransomware Gang – A Malware in Disguise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 235042,
	"plain_text": "Lapsus$ Ransomware Gang – A Malware in Disguise\r\nBy etal\r\nPublished: 2022-03-07 · Archived: 2026-04-02 11:12:32 UTC\r\n07/03/2022\r\nLapsus$ Ransomware gang uses stolen source code to disguise malware files as\r\ntrustworthy. Check Point customers remain protected\r\nBackground\r\nA ransomware gang named Lapsus$, which took responsibility for last week’s breach of the giant chip\r\nfirm NVidia, claims it has now managed to breach the Korean manufacturer Samsung, and published 190GB of\r\nsensitive data online.\r\nBreaches of major companies aren’t a new thing, though in this case the attacker has not just stolen credentials or\r\nbusiness-related content; it went directly for the crown jewels, the source code of some of the companies’\r\nproprietary firmware.\r\nSupply chain attacks have grown to unprecedented sizes in recent years\r\nPossession of and control over such source code could set off a massive supply chain reaction, which can\r\nlead to numerous organizations and machines being infected and harmed, as both NVidia’s and Samsung’s\r\nfirmware and hardware are massively distributed globally.\r\nThe scenario, described in detail below, enables malware to enter machines, even if these are supposedly protected\r\nby security technology: files signed with the stolen certificates are verified as legitimate and trustworthy, when in\r\nfact they are malware in disguise.\r\nAs well as being one of the top trends in the global cyber security landscape, supply chain attacks have\r\nincreased in number and reach over the past year, even compromising major organizations like US government\r\ndepartments, such as homeland security offices.\r\nIn their official public response, NVidia announced: “We have no evidence of ransomware being deployed on the\r\nNVIDIA environment or that this is related to the Russia-Ukraine conflict. 
However, we are aware that the threat\r\nactor took employee passwords and some NVIDIA proprietary information from our systems and has begun\r\nleaking it online.”\r\nSamsung officially responded and confirmed the breach on Monday, March 7th: “There was a security breach\r\nrelating to certain internal company data,” said a Samsung official. “According to our initial analysis, the breach\r\ninvolves some source code relating to the operation of Galaxy devices, but does not include the personal\r\nhttps://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/\r\nPage 1 of 5\n\ninformation of our consumers or employees. Currently, we do not anticipate any impact to our business or\r\ncustomers.”\r\nWhat do we know about the recent breaches by Lapsus$?\r\nThrough an official notice, NVidia acknowledged that they became aware of “a cyber security incident, which\r\nimpacted IT resources.” Lapsus$ claimed responsibility and asked Nvidia to remove its lite hash rate (LHR)\r\nfeature. The LHR was created to limit Ethereum mining capabilities in its RTX 30 series graphics cards, as the\r\ncryptomining community depleted the stock in early 2021. The group is also asking Nvidia to open-source its\r\nGPU drivers for macOS, Windows, and Linux devices.\r\nShould NVidia fail to meet their demands, Lapsus$ threatened to publish NVidia’s source code, which is used in drivers and\r\nfirmware. Yet, the gang did not stop there. 
On March 5th they published nearly 190GB of sensitive\r\ndata obtained from the Korean technology giant, Samsung.\r\nThe group first published a snapshot of C/C++ instructions from Samsung’s software, followed by a description of\r\nthe upcoming leak, stating that it included confidential Samsung source code.\r\nSource: Telegram\r\nIn a later official confirmation, Samsung confirmed that almost 200GB of confidential data, which includes\r\nsource code for various technologies and algorithms for biometric unlock operations, had been breached.\r\nHow can stolen signed certificates deliver malware?\r\nThe NVidia leak indeed included two stolen code-signing certificates used by NVidia developers to sign\r\ntheir drivers and executables.\r\nAccording to different sources, attackers have already started using these code-signing certificates to sign malware so it\r\nwill appear dependable and pass through Windows’ screening to be loaded and executed.\r\nSource: Twitter\r\nA code-signing certificate enables a digital signature on executables and drivers that allows them to load and marks\r\nthem as “cleared”. 
Using these stolen certificates, attackers are effectively disguising files and executables as\r\nlegitimate and might bypass security controls, allowing malware to be loaded onto Windows systems.\r\nSource: Telegram\r\nThe Samsung leak also allegedly includes bootloader source code for recent Samsung devices, algorithms for all\r\nbiometric unlock operations, source code for Samsung’s activation servers, the full source code used to\r\nauthenticate Samsung accounts, and secret Qualcomm source code.\r\nCheck Point Research’s (CPR) teams are constantly monitoring the situation in search of additional potential\r\nthreats that might surface. We will update accordingly.\r\nPrevention first – What you need to do to remain protected\r\nOrganizations should be mainly concerned about malware penetrating their corporate network via the\r\naforementioned stolen certificates.\r\nUnfortunately, some security solutions in the market still expose organizations to this supply chain threat, as they\r\nseem to automatically approve the stolen certificates, most probably since they consider the vendor who produced\r\nthe certificate as trusted by default.\r\nTo keep your entire IT infrastructure safe, we recommend ensuring your network security gateways, as well as\r\nyour endpoint device security solutions, have been updated with the appropriate protection against the stolen\r\ncertificates. 
We also recommend that you download software updates from the official vendor website and ask\r\nyour entire workforce to do the same.\r\nCheck Point’s customers remain protected\r\nCheck Point’s customers gain preemptive protection from any supply chain attack that may arise from the stolen\r\ncertificates.\r\nUnfortunately, some security solutions in the market still expose organizations to this supply chain threat, as they\r\nseem to automatically approve the stolen certificates, even though they’ve already been revoked, most probably\r\nsince they consider the vendor who produced the certificate as trusted by default.\r\nWhether you’re using Check Point to secure your network, cloud or workforce, you gain accurate prevention\r\nagainst the threat mentioned above through Check Point ThreatCloud.\r\nThreatCloud combines 60+ threat prevention and AI technologies with globally-shared threat intelligence derived\r\nfrom hundreds of millions of sensors worldwide, and enriched with insights from Check Point Research.\r\nThe products below leverage Check Point ThreatCloud’s threat emulation service, an innovative zero-day\r\nsandboxing technology, to detect and block files signed with these stolen certificates from penetrating. 
This process is fully\r\nautomated and does not require any action by the user.\r\nMore specifically:\r\nCheck Point Quantum security gateways will protect your network and data centers from malware.\r\nCheck Point Harmony Endpoint, a complete endpoint protection and EDR solution, will protect your\r\nemployees from downloading malicious files or executables to work laptops and PCs and prevent data leakage\r\nand lateral movement of malware to other systems.\r\nCheck Point Harmony Mobile, the industry’s leading Mobile Threat Defense solution, will prevent\r\nemployees from downloading malicious files and applications and therefore prevent the compromise of\r\nsensitive business data.\r\nSource: https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/"
	],
	"report_names": [
		"lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b15e090a0455e43398c357654de08d5e49b464d9.pdf",
		"text": "https://archive.orkl.eu/b15e090a0455e43398c357654de08d5e49b464d9.txt",
		"img": "https://archive.orkl.eu/b15e090a0455e43398c357654de08d5e49b464d9.jpg"
	}
}