{
	"id": "80499a40-6cd1-49c4-95c9-43a98a9db547",
	"created_at": "2026-04-06T00:11:12.885636Z",
	"updated_at": "2026-04-10T03:34:59.513274Z",
	"deleted_at": null,
	"sha1_hash": "e283bb6c2c628e30255d1fc8385ebd734ea59738",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94069,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:00:17 UTC\r\n Other threat group: Lapsus$\r\nNames\r\nLapsus$ (self given)\r\nDEV-0537 (Microsoft)\r\nStrawberry Tempest (Microsoft)\r\nSlippy Spider (CrowdStrike)\r\nG1004 (MITRE)\r\nCountry Brazil\r\nMotivation Financial gain\r\nFirst seen 2021\r\nDescription\r\n(Flashpoint) LAPSUS$ is an extortionist threat group that became active on\r\nDecember 10, 2021. Unlike the majority of extortionist groups that typically rely on\r\na combination of ransomware and data leaks, LAPSUS$ is focused on monetizing\r\ntheir operations exclusively through data leaks advertised on Telegram without the\r\nuse of ransomware.\r\nInitially, the group focused on data breaches against Latin American and Portuguese\r\ntargets but in late February 2022, LAPSUS$ began widening the scope of its\r\ntargeting by announcing it had successfully breached US-based graphics and\r\ncomputing chip manufacturer Nvidia. Since then, LAPSUS$ has continued to focus\r\non large-scale international technology companies, including Microsoft, Okta, and\r\nSamsung, as the financial incentive for stealing source code and extorting companies\r\nfor sensitive proprietary technical data is high.\r\nAround July 2025, ShinyHunters teamed up or merged with Subgroup: Scattered\r\nSpider. 
They share their Telegram channel also with Lapsus$, so they may all work\r\ntogether now – see the DataBreaches.net references in the Information section under\r\nShinyHunters.\r\nObserved Countries: Argentina, Brazil, Portugal, USA.\r\nTools used\r\nOperations performed Dec 2021 Brazil health ministry website hit by hackers, vaccination data targeted\r\n\u003chttps://www.reuters.com/technology/brazils-health-ministry-website-hit-by-hacker-attack-systems-down-2021-12-10/\u003e\nDec 2021\nThe Lapsus$ ransomware gang has hacked and is currently extorting\nImpresa, the largest media conglomerate in Portugal and the owner of\nSIC and Expresso, the country’s largest TV channel and weekly\nnewspaper, respectively.\nJan 2022\nLapsus$ Attacks Localiza, Redirects Users to Porn Site\nJan 2022\nOkta confirms 2.5% customers impacted by hack in January\nFeb 2022\nIn the wake of the attack last month on the Impresa group, the latest\nvictims – Correio da Manhã (the country’s most widely-read tabloid),\nSábado, Jornal de Negócios and CMTV – belong to the Cofina media\ngroup.\nFeb 2022\nCyberattack brings down Vodafone Portugal mobile, voice, and TV\nservices\nFeb 2022\nGPU giant NVIDIA is investigating a potential cyberattack\nMar 2022\nHackers leak 190GB of alleged Samsung data, source code\nMar 2022\nE-commerce giant Mercado Libre confirms source code data breach\nMar 2022\nLapsus$ Ransomware Group is hiring, it announced recruitment of\ninsiders\nMar 2022\nUbisoft confirms 'cyber security incident', resets staff passwords\nMar 2022\nLapsus$ hackers leak 37GB of Microsoft's alleged source code\nMar 2022\nGlobant confirms hack after Lapsus$ leaks 70GB of stolen data\nMar 2022\nLeaked Chats Show LAPSUS$ Stole T-Mobile Source Code\nSep 2022\nUber attributes hack to Lapsus$, working 
with FBI and DOJ on\ninvestigation\nSep 2022\n2K Games says hacked help desk targeted players with malware\nSep 2022\nRockstar confirms cyberattack, leak of confidential data including\nGTA 6 footage\nCounter operations\nMar 2022\nLapsus$ suspects arrested for Microsoft, Nvidia, Okta hacks\nApr 2022 Two teenagers charged in connection with investigation into hacking\ngroup\n\nlondon/news/2022/march/two-teenagers-charged-in-connection-with-investigation-into-hacking-group/\u003e\nAug 2022\nBrazilian police launch investigation targeting Lapsus$ group\nSep 2022\nUK Police arrests teen believed to be behind Uber, Rockstar hacks\nOct 2022\nBrazil arrests suspect believed to be a Lapsus$ gang member\nJul 2023\nBritish prosecutors say teen Lapsus$ member was behind hacks on\nUber, Rockstar\nAug 2023\nLapsus$ teen hackers convicted of high-profile cyberattacks\nDec 2023\nLapsus$ hacker behind GTA 6 leak gets indefinite hospital sentence\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ffca877d-5411-419c-ba3b-31924cc4e4af",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ffca877d-5411-419c-ba3b-31924cc4e4af"
	],
	"report_names": [
		"showcard.cgi?u=ffca877d-5411-419c-ba3b-31924cc4e4af"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e283bb6c2c628e30255d1fc8385ebd734ea59738.pdf",
		"text": "https://archive.orkl.eu/e283bb6c2c628e30255d1fc8385ebd734ea59738.txt",
		"img": "https://archive.orkl.eu/e283bb6c2c628e30255d1fc8385ebd734ea59738.jpg"
	}
}