{
	"id": "0f605135-702c-4016-809c-440c14d5a066",
	"created_at": "2026-04-06T00:15:34.79202Z",
	"updated_at": "2026-04-10T13:13:00.320402Z",
	"deleted_at": null,
	"sha1_hash": "c84b9a87c69fbf1fc074571a9ac8f16631cf8603",
	"title": "Threat Brief: Lapsus$ Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 559764,
	"plain_text": "Threat Brief: Lapsus$ Group\r\nBy Unit 42\r\nPublished: 2022-03-24 · Archived: 2026-04-05 13:33:58 UTC\r\nExecutive Summary\r\nThe Lapsus$ Group threat actor has grown in just a few months from launching a handful of destructive attacks to\r\nstealing and publishing source code of multiple top-tier technology companies.\r\nThough sometimes called a ransomware group in reports, Lapsus$ is notable for not deploying ransomware in\r\nextortion attempts. In today’s environment, threat actors favor using ransomware to encrypt data and systems and\r\noften extort victims for significant amounts of cryptocurrency in exchange for decryption keys, sometimes turning\r\nup the pressure with the threat of publishing stolen data. Lapsus$, however, is unusual in its approach – for this\r\ngroup, notoriety most often appears to be the goal, rather than financial gain.\r\nUnit 42 has helped organizations respond to multiple Lapsus$ attacks. The Lapsus$ Group doesn’t employ\r\nmalware in breached victim environments, doesn’t encrypt data and in most cases, doesn’t actually employ\r\nextortion. They focus on using a combination of stolen credentials and social engineering to gain access to\r\nvictims. We’ve also seen them solicit employees on Telegram for their login credentials at specific companies in\r\nindustries including: telecom, software, gaming, hosting providers and call centers.\r\nHowever, the group’s attacks and leaking of stolen data even without extortion can be very damaging. In addition,\r\nwe’ve seen destructive Lapsus$ attacks where the actors got access to an organization’s cloud environment, wiped\r\nsystems and destroyed over a thousand virtual machines.\r\nAlthough there are no public indicators of compromise (IoCs), and no tactics, techniques and procedures (TTPs)\r\nthat are unique to Lapsus$ Group, here we will summarize what is known of this threat actor to better enable\r\ndefenders in understanding and mitigating this threat.\r\nEarly Targets of Lapsus$\r\nWe first observed the “Lapsus$” handle mid-2021, but the first attack activity quoting that handle was in August\r\n2021, with some U.K. mobile phone customers reporting receiving threatening texts (Figure 1).\r\nhttps://unit42.paloaltonetworks.com/lapsus-group/\r\nPage 1 of 6\n\nFigure 1. Early Lapsus$ activity.\r\nIn December 2021, the Ministry of Health of Brazil fell victim to an attack claimed by Lapsus$ (Figure 2). This\r\nincluded the soon-to-be de rigueur data exfiltration and deletion technique, and also redirection of some DNS\r\nrecords. This was followed in short order by attacks on South American telecoms providers Claro and Embratel,\r\nBrazilian state-owned postal service “Correios,” and Portuguese media giant Impresa. This initial focus has led to\r\nspeculation that Lapsus$ Group may be Brazilian, although we understand the choice of targets to have been\r\ninfluenced by extended team members rather than the team leadership.\r\nFigure 2. Ministry of Health of Brazil defacement.\r\nEvolution of Targeted Organizations\r\nApart from Argentinian eCommerce provider Mercado Libre / Mercado Pago, subsequent victimology has\r\ndeparted South America and pivoted to focus on the high-tech sector.\r\nRecent public victims have included:\r\nNvidia\r\nSamsung\r\nUbisoft\r\nVodafone\r\nMicrosoft\r\nLG\r\nOkta\r\nIt should be understood that in addition there are likely any number of other victims, targeted by attacks not\r\nknown in the public sphere. It is likely that some victims are not the intended end-target, but are rather breached in\r\norder to gain access to their customers, or for example, to help bypass multi-factor authentication (MFA). To this\r\nend, we are aware of this actor’s involvement in vishing, SIM-swapping and soliciting third parties at providers\r\nfor insider access. For example, in the “proof” of the Okta breach posted on the Lapsus$ Group’s Telegram\r\nchannel, the actor states: “… our focus was ONLY on okta customers” (Figure 3).\r\nFigure 3. Okta breach evidence posted on the Lapsus$ Group’s Telegram channel.\r\nSeveral of the Lapsus$ Group’s attacks involved the theft and publication of source code. In the case of Nvidia, it\r\nwas observed as a non-financial extortion attempt. In other cases, for example that of Microsoft, there was simply\r\npublication without extortion, again supporting the understanding that the primary motivation of this actor is\r\nnotoriety rather than financial gain.\r\nHowever, as notoriety and success cause this group to grow, we should expect to see diversity of membership\r\nreflected in a diversity of victimology, TTPs and action-on-objective motivations.\r\nMitigation Actions\r\nOwing to the diversity of techniques used, and the lack of use of malware, there is no single defense against or\r\ndetection of Lapsus$ attacks specifically.\r\nA hallmark of this group is the diversity of techniques used both for initial access and action-on-objective.\r\nCredentials are harvested from dumps, purchased or spear-phished. When employed, various techniques to bypass\r\nMFA are observed – from social engineering, through SIM-swapping and even compromising MFA/telecoms\r\nproviders.\r\nZero Trust network architecture and strong security hygiene are the best defenses against this type of threat actor.\r\nIf Lapsus$ has purchased credentials for a network, they can effectively operate as an insider threat, taking\r\nadvantage of the same privileges the employee has inside the network.\r\nFocus on general information security best practices: MFA, access controls and network segmentation. Ensure\r\nyour organization has the ability to detect anomalous activity, including activity that involves trusted third parties\r\nin your environments, and protect against non-technical techniques such as vishing and SIM-swapping. Patching\r\nshould be prioritized for internal systems that might support lateral movement and privilege escalation, as well as\r\nagainst known public exploits that these actors might employ.\r\nAlthough the commodity malware RedLine Stealer has been implicated for credential harvesting in some attacks,\r\nit’s unclear if this is first- or third-party, and it cannot be used as a definitive indicator of Lapsus$-specific activity.\r\nConclusion\r\nLapsus$ Group has made headlines recently for high-profile attacks, with an apparent goal of gaining notoriety.\r\nThey claim in some cases to have targeted organizations with the specific goal of gaining access to customers.\r\nWhile referred to as a ransomware group in many reports, the Lapsus$ Group is more accurately called an attack\r\ngroup. Most notably, their focus to date does not appear to have been on extortion and financial gain. Even\r\nwithout extortion, the group’s attacks and leaks of stolen information can be damaging.\r\nBecause the group uses a diversity of techniques for attacks, no single technique can protect against Lapsus$ or\r\ndetect its attacks. Because of this, we recommend that organizations focus on observing general information\r\nsecurity best practices as described in the Mitigation Actions section above.\r\nUnit 42, together with researchers at Unit 221b, identified the primary actor behind the Lapsus$ Group moniker in\r\n2021, and have been assisting law enforcement in their efforts to prosecute this group.\r\nIf you think you may be subject to an active attack or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC:\r\n+65.6983.8730, or Japan: +81.50.1790.0200.\r\nPalo Alto Networks will update this Threat Brief with new information and recommendations as they become\r\navailable.\r\nSource: https://unit42.paloaltonetworks.com/lapsus-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/lapsus-group/"
	],
	"report_names": [
		"lapsus-group"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c84b9a87c69fbf1fc074571a9ac8f16631cf8603.pdf",
		"text": "https://archive.orkl.eu/c84b9a87c69fbf1fc074571a9ac8f16631cf8603.txt",
		"img": "https://archive.orkl.eu/c84b9a87c69fbf1fc074571a9ac8f16631cf8603.jpg"
	}
}