G1004: LAPSUS$
LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
Analyst context for executives and security teams
LAPSUS$ matters because ATT&CK describes it as a cyber criminal group focused on large-scale social engineering and extortion, including destructive attacks without ransomware. For leaders, the key lesson is that resilience cannot depend only on malware or ransomware detection: identity abuse, cloud account control, SaaS data exposure, help-desk/social-engineering readiness, and destructive recovery plans are central to risk reduction.
Executive priority
Prioritize questions that expose whether the organization can withstand identity-led extortion and disruption: Are privileged domain and cloud accounts tightly governed? Can the SOC see suspicious account, MFA, email forwarding, SaaS repository, and remote-access activity? Are third-party trusted relationships reviewed and monitored? Are destructive scenarios covered by backup, recovery, legal, communications, and incident-response playbooks? This object is especially relevant to business continuity, audit evidence for access controls, and executive incident decision-making because the described behavior spans credential access, cloud persistence, data collection, and impact.
Technical view
ATT&CK does not provide a detection section for this group, so defenders should validate coverage through the related techniques. Focus on identity and access paths: Valid Accounts, Cloud Accounts, External Remote Services, MFA interception, cloud role additions, cloud account creation, domain account and group discovery, NTDS/DCSync credential access, and Mimikatz use. Also validate SaaS and collaboration collection visibility for SharePoint, Confluence, code repositories, messaging applications, local system data, and email forwarding rules. Impact readiness should include monitoring and response for data destruction and service stop activity. Because the group platforms are not specified, use the platforms from the related techniques to scope control validation across Windows, identity providers, SaaS/Office Suite, IaaS, Linux/macOS, ESXi, containers, network devices, and mobile where those services exist locally.
Likely telemetry
- Identity provider sign-in, MFA, conditional access, role assignment, and account creation logs
- Cloud control-plane audit logs for IAM changes, privileged role grants, and new accounts
- VPN, remote access, and external service authentication logs
- Windows domain controller security logs, directory replication indicators, and privileged group activity
- Endpoint process, credential access, and administrative tool execution telemetry, especially on Windows systems where applicable
Detection direction
- Do not rely on malware signatures alone; tune for identity, SaaS, cloud administration, and destructive behavior patterns reflected in the related ATT&CK techniques.
- Correlate unusual successful logins, MFA challenges, remote access sessions, privileged role changes, and new cloud accounts with subsequent repository, mailbox, or collaboration-data access.
- Review privileged Active Directory activity for domain group discovery, domain account enumeration, NTDS access, DCSync-like replication behavior, and credential dumping indicators such as Mimikatz where relevant.
- Baseline normal SaaS repository and messaging access so high-volume or unusual access to SharePoint, Confluence, code repositories, and messaging applications can be investigated with fewer false positives.
- Monitor email forwarding rule creation and mailbox configuration changes, especially after suspicious account activity or credential reset events.
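The bullets above describe correlation rather than signatures. As an added example (this is not ATT&CK content and not Glexia's own tooling), the Python below applies three of those ideas to a constructed batch of identity-provider and mail-audit events: repeated denied MFA prompts followed by an approval (T1621), a newly created cloud account receiving a privileged role shortly afterwards (T1136.003 / T1098.003), and a forwarding or transport rule created by an account that an earlier detector already flagged (T1114.003). The event field names, the privileged role names, the thresholds and the sample events are all assumptions chosen for the example; a real pipeline would map its SIEM schema onto these keys and tune the windows to its own baseline.

```python
from datetime import datetime, timedelta

# Assumed role names and thresholds; tune to your identity provider and baseline.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
MFA_DENIALS_THRESHOLD = 3
MFA_WINDOW = timedelta(minutes=10)
PRIV_WINDOW = timedelta(hours=1)

# Constructed sample events (not real telemetry). Keys are a vendor-neutral
# flattening chosen for this example, not any product's schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:05Z", "type": "mfa_challenge", "user": "j.doe", "result": "denied"},
    {"ts": "2024-05-01T08:00:30Z", "type": "mfa_challenge", "user": "j.doe", "result": "denied"},
    {"ts": "2024-05-01T08:01:00Z", "type": "mfa_challenge", "user": "j.doe", "result": "denied"},
    {"ts": "2024-05-01T08:01:40Z", "type": "mfa_challenge", "user": "j.doe", "result": "approved"},
    {"ts": "2024-05-01T08:02:10Z", "type": "signin", "user": "j.doe", "result": "success", "src_ip": "203.0.113.10"},
    {"ts": "2024-05-01T08:10:00Z", "type": "account_created", "user": "j.doe", "target": "svc-backup2"},
    {"ts": "2024-05-01T08:11:00Z", "type": "role_assigned", "user": "j.doe", "target": "svc-backup2", "role": "Global Administrator"},
    {"ts": "2024-05-01T08:15:00Z", "type": "transport_rule_created", "user": "svc-backup2", "rule": "forward-all-external"},
    {"ts": "2024-05-01T09:00:00Z", "type": "signin", "user": "a.smith", "result": "success", "src_ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:05:00Z", "type": "role_assigned", "user": "a.smith", "target": "new-hire", "role": "Reader"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events):
    """Flag a user who denies several MFA prompts within MFA_WINDOW and then approves one."""
    alerts = []
    denials = {}  # user -> timestamps of recent denied prompts
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != "mfa_challenge":
            continue
        now, user = parse_ts(e["ts"]), e["user"]
        recent = [d for d in denials.get(user, []) if now - d <= MFA_WINDOW]
        if e["result"] == "denied":
            recent.append(now)
        elif e["result"] == "approved" and len(recent) >= MFA_DENIALS_THRESHOLD:
            alerts.append({"rule": "mfa_fatigue_then_approval", "user": user,
                           "ts": e["ts"], "denials": len(recent)})
            recent = []  # reset so one burst produces one alert
        denials[user] = recent
    return alerts


def detect_privileged_account_creation(events):
    """Flag a newly created account that receives a privileged role within PRIV_WINDOW."""
    alerts = []
    created = {}  # new account -> (creation time, creating principal)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        now = parse_ts(e["ts"])
        if e["type"] == "account_created":
            created[e["target"]] = (now, e["user"])
        elif e["type"] == "role_assigned" and e.get("role") in PRIVILEGED_ROLES:
            hit = created.get(e["target"])
            if hit and now - hit[0] <= PRIV_WINDOW:
                alerts.append({"rule": "new_account_privileged_role", "account": e["target"],
                               "granted_by": e["user"], "ts": e["ts"]})
    return alerts


def detect_forwarding_by_suspicious_account(events, suspicious_accounts):
    """Flag mail forwarding/transport rules created by an account another detector flagged."""
    alerts = []
    for e in events:
        if e["type"] in ("transport_rule_created", "inbox_rule_created") and e["user"] in suspicious_accounts:
            alerts.append({"rule": "forwarding_rule_by_suspicious_account", "user": e["user"],
                           "rule_name": e["rule"], "ts": e["ts"]})
    return alerts


def run_all(events):
    """Run the identity detectors, then use their hits as context for the mail-rule detector."""
    alerts = detect_mfa_fatigue(events) + detect_privileged_account_creation(events)
    suspicious = set()
    for a in alerts:
        for key in ("user", "account", "granted_by"):
            if key in a:
                suspicious.add(a[key])
    alerts += detect_forwarding_by_suspicious_account(events, suspicious)
    return alerts


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The third detector deliberately takes the earlier detectors' output as input rather than alerting on every forwarding rule: tenant-wide transport rules are routine administrative work, and the signal the bullets describe is a rule appearing after suspicious account activity. The same chaining can be extended to the repository and collaboration-data access mentioned above by feeding SharePoint, Confluence or Git audit events into a detector that checks the acting principal against the suspicious set.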
Mitigation priorities
- Strengthen identity governance first: least privilege, privileged access review, monitored administrative roles, and rapid disablement paths for compromised accounts.
- Harden MFA and account recovery processes, including help-desk verification and SIM-swap-aware procedures where mobile numbers are used for authentication or recovery.
- Reduce blast radius in cloud and SaaS by limiting who can create accounts, add roles, set forwarding rules, and access sensitive repositories.
- Review and monitor external remote services and trusted third-party access with the same rigor as internal privileged access.
- Protect domain controllers and credential stores through tight administrative separation, monitoring for replication abuse, and restricted access to NTDS-related data.
Analyst notes and limits
The most defensible Glexia takeaway is identity-centric resilience. The official description emphasizes social engineering, extortion, global targeting across multiple sectors, and destructive attacks without ransomware. The relationship set expands the defensive focus into credential access, valid accounts, cloud/SaaS persistence, data collection, remote services, trusted relationships, and impact techniques. Use the aliases LAPSUS$, DEV-0537, and Strawberry Tempest when normalizing threat intelligence and detection content.
ATT&CK provides no official detection text and no group-level platforms or tactics for this object. Platform and tactic guidance here is derived only from the supplied related techniques and software, so each organization must validate relevance against its own identity providers, SaaS estate, cloud services, endpoints, remote-access architecture, and logging coverage. This summary does not assert current activity, specific victim exposure, or guaranteed detection coverage.
LAPSUS$
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1589 | Gather Victim Identity Information | LAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1005 | Data from Local System | LAPSUS$ uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1213.001 | Confluence Sub-technique | LAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1588.002 | Tool Sub-technique | LAPSUS$ has obtained tools such as RVTools and AD Explorer for their operations. (Citation: MSTIC DEV-0537 Mar 2022) (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1485 | Data Destruction | LAPSUS$ has deleted the target's systems and resources both on-premises and in the cloud. (Citation: MSTIC DEV-0537 Mar 2022) (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1213.003 | Code Repositories Sub-technique | LAPSUS$ has searched a victim's network for code repositories like GitLab and GitHub to discover further high-privilege account credentials. (Citation: MSTIC DEV-0537 Mar 2022) (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1213.002 | Sharepoint Sub-technique | LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials. (Citation: MSTIC DEV-0537 Mar 2022) (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1583.003 | Virtual Private Server Sub-technique | LAPSUS$ has used VPS hosting providers for infrastructure. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1591.004 | Identify Roles Sub-technique | LAPSUS$ has gathered detailed knowledge of team structures within a target organization. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1090 | Proxy | LAPSUS$ has leveraged NordVPN for its egress points when targeting intended victims. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1087.002 | Domain Account Sub-technique | LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network. (Citation: MSTIC DEV-0537 Mar 2022) (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1133 | External Remote Services | LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix. (Citation: MSTIC DEV-0537 Mar 2022) (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1078 | Valid Accounts | LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs. (Citation: MSTIC DEV-0537 Mar 2022) (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1588.001 | Malware Sub-technique | LAPSUS$ acquired and used the Redline password stealer in their operations. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1598.004 | Spearphishing Voice Sub-technique | LAPSUS$ has called victims' help desk to convince the support personnel to reset a privileged account's credentials. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1204 | User Execution | |
| Enterprise | T1552.008 | Chat Messages Sub-technique | LAPSUS$ has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for exposed credentials to support privilege escalation and lateral movement. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1489 | Service Stop | LAPSUS$ has shut down virtual machines from within a victim's on-premises VMware ESXi infrastructure. (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1593.003 | Code Repositories Sub-technique | LAPSUS$ has searched public code repositories for exposed credentials. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1136.003 | Cloud Account Sub-technique | LAPSUS$ has created global admin accounts in the targeted organization's cloud instances to gain persistence. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1114.003 | Email Forwarding Rule Sub-technique | LAPSUS$ has set an Office 365 tenant-level mail transport rule to send all mail in and out of the targeted organization to the newly created account. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1591.002 | Business Relationships Sub-technique | LAPSUS$ has gathered detailed knowledge of an organization's supply chain relationships. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1578.003 | Delete Cloud Instance Sub-technique | LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1531 | Account Access Removal | LAPSUS$ has removed a targeted organization's global admin accounts to lock the organization out of all access. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1589.001 | Credentials Sub-technique | LAPSUS$ has gathered user identities and credentials to gain initial access to a victim's organization; the group has also called an organization's help desk to reset a target's credentials. (Citation: MSTIC DEV-0537 Mar 2022) (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | LAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | LAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1098.003 | Additional Cloud Roles Sub-technique | LAPSUS$ has added the global admin role to accounts they have created in the targeted organization's cloud instances. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1003.006 | DCSync Sub-technique | LAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1586.002 | Email Accounts Sub-technique | LAPSUS$ has paid employees, suppliers, and business partners of target organizations for credentials. (Citation: MSTIC DEV-0537 Mar 2022) (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1213.005 | Messaging Applications Sub-technique | LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1589.002 | Email Addresses Sub-technique | LAPSUS$ has gathered employee email addresses, including personal accounts, for social engineering and initial access efforts. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1584.002 | DNS Server Sub-technique | LAPSUS$ has reconfigured a victim's DNS records to actor-controlled domains and websites. (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1684.001 | Impersonation Sub-technique | LAPSUS$ has called victims' help desk and impersonated legitimate users with previously gathered information in order to gain access to privileged accounts. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1003.003 | NTDS Sub-technique | LAPSUS$ has used the Windows built-in tool `ntdsutil` to extract the Active Directory (AD) database. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1555.005 | Password Managers Sub-technique | LAPSUS$ has accessed local password managers and databases to obtain further credentials from a compromised network. (Citation: NCC Group LAPSUS Apr 2022) |
| Enterprise | T1199 | Trusted Relationship | LAPSUS$ has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1597.002 | Purchase Technical Data Sub-technique | LAPSUS$ has purchased credentials and session tokens from criminal underground forums. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1578.002 | Create Cloud Instance Sub-technique | LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | LAPSUS$ has used compromised credentials to access cloud assets within a target organization. (Citation: MSTIC DEV-0537 Mar 2022) |
| Enterprise | T1111 | Multi-Factor Authentication Interception | LAPSUS$ has replayed stolen session tokens and passwords to trigger simple-approval MFA prompts in the hope that the legitimate user will grant necessary approval. (Citation: MSTIC DEV-0537 Mar 2022) |
Groups, software, and campaigns
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 9885c7953881… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] BBC LAPSUS Apr 2022: BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.
- [2] MSTIC DEV-0537 Mar 2022: MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
- [3] UNIT 42 LAPSUS Mar 2022: UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.
- [4] DEV-0537 (alias). (Citation: MSTIC DEV-0537 Mar 2022)
- [5] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [6] Strawberry Tempest (alias). (Citation: Microsoft Threat Actor Naming July 2023)
- [7] mitre-attack G1004 (ATT&CK source object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.