Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G1004: LAPSUS$

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

EnterpriseG1004GroupObject v2.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

LAPSUS$ matters because ATT&CK describes it as a cyber criminal group focused on large-scale social engineering and extortion, including destructive attacks without ransomware. For leaders, the key lesson is that resilience cannot depend only on malware or ransomware detection: identity abuse, cloud account control, SaaS data exposure, help-desk/social-engineering readiness, and destructive recovery plans are central to risk reduction.

Executive priority

Prioritize questions that expose whether the organization can withstand identity-led extortion and disruption: Are privileged domain and cloud accounts tightly governed? Can the SOC see suspicious account, MFA, email forwarding, SaaS repository, and remote-access activity? Are third-party trusted relationships reviewed and monitored? Are destructive scenarios covered by backup, recovery, legal, communications, and incident-response playbooks? This object is especially relevant to business continuity, audit evidence for access controls, and executive incident decision-making because the described behavior spans credential access, cloud persistence, data collection, and impact.

Technical view

ATT&CK does not provide a detection section for this group, so defenders should validate coverage through the related techniques. Focus on identity and access paths: Valid Accounts, Cloud Accounts, External Remote Services, MFA interception, cloud role additions, cloud account creation, domain account and group discovery, NTDS/DCSync credential access, and Mimikatz use. Also validate SaaS and collaboration collection visibility for SharePoint, Confluence, code repositories, messaging applications, local system data, and email forwarding rules. Impact readiness should include monitoring and response for data destruction and service stop activity. Because the group platforms are not specified, use the platforms from the related techniques to scope control validation across Windows, identity providers, SaaS/Office Suite, IaaS, Linux/macOS, ESXi, containers, network devices, and mobile where those services exist locally.

Likely telemetry

  • Identity provider sign-in, MFA, conditional access, role assignment, and account creation logs
  • Cloud control-plane audit logs for IAM changes, privileged role grants, and new accounts
  • VPN, remote access, and external service authentication logs
  • Windows domain controller security logs, directory replication indicators, and privileged group activity
  • Endpoint process, credential access, and administrative tool execution telemetry, especially on Windows systems where applicable

Detection direction

  • Do not rely on malware signatures alone; tune for identity, SaaS, cloud administration, and destructive behavior patterns reflected in the related ATT&CK techniques.
  • Correlate unusual successful logins, MFA challenges, remote access sessions, privileged role changes, and new cloud accounts with subsequent repository, mailbox, or collaboration-data access.
  • Review privileged Active Directory activity for domain group discovery, domain account enumeration, NTDS access, DCSync-like replication behavior, and credential dumping indicators such as Mimikatz where relevant.
  • Baseline normal SaaS repository and messaging access so high-volume or unusual access to SharePoint, Confluence, code repositories, and messaging applications can be investigated with fewer false positives.
  • Monitor email forwarding rule creation and mailbox configuration changes, especially after suspicious account activity or credential reset events.

Mitigation priorities

  • Strengthen identity governance first: least privilege, privileged access review, monitored administrative roles, and rapid disablement paths for compromised accounts.
  • Harden MFA and account recovery processes, including help-desk verification and SIM-swap-aware procedures where mobile numbers are used for authentication or recovery.
  • Reduce blast radius in cloud and SaaS by limiting who can create accounts, add roles, set forwarding rules, and access sensitive repositories.
  • Review and monitor external remote services and trusted third-party access with the same rigor as internal privileged access.
  • Protect domain controllers and credential stores through tight administrative separation, monitoring for replication abuse, and restricted access to NTDS-related data.
Analyst notes and limits

The most defensible Glexia takeaway is identity-centric resilience. The official description emphasizes social engineering, extortion, global targeting across multiple sectors, and destructive attacks without ransomware. The relationship set expands the defensive focus into credential access, valid accounts, cloud/SaaS persistence, data collection, remote services, trusted relationships, and impact techniques. Use the aliases LAPSUS$, DEV-0537, and Strawberry Tempest when normalizing threat intelligence and detection content.

ATT&CK provides no official detection text and no group-level platforms or tactics for this object. Platform and tactic guidance here is derived only from the supplied related techniques and software, so each organization must validate relevance against its own identity providers, SaaS estate, cloud services, endpoints, remote-access architecture, and logging coverage. This summary does not assert current activity, specific victim exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

LAPSUS$

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

43 rows
Domain ID Name Relationship / procedure
Enterprise T1589 Gather Victim Identity Information

LAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures.[2]
Enterprise T1005 Data from Local System

LAPSUS$ uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release.[2]
Enterprise T1069.002 Domain Groups Sub-technique

LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.[2]
Enterprise T1213.001 Confluence Sub-technique

LAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.[2]
Enterprise T1588.002 Tool Sub-technique

LAPSUS$ has obtained tools such as RVTools and AD Explorer for their operations.[2]CitationNCC Group LAPSUS Apr 2022
Enterprise T1485 Data Destruction

LAPSUS$ has deleted the target's systems and resources both on-premises and in the cloud.[2]CitationNCC Group LAPSUS Apr 2022
Enterprise T1213.003 Code Repositories Sub-technique

LAPSUS$ has searched a victim's network for code repositories like GitLab and GitHub to discover further high-privilege account credentials.[2]CitationNCC Group LAPSUS Apr 2022
Enterprise T1213.002 Sharepoint Sub-technique

LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials.[2]CitationNCC Group LAPSUS Apr 2022
Enterprise T1583.003 Virtual Private Server Sub-technique

LAPSUS$ has used VPS hosting providers for infrastructure.[2]
Enterprise T1591.004 Identify Roles Sub-technique

LAPSUS$ has gathered detailed knowledge of team structures within a target organization.[2]
Enterprise T1090 Proxy

LAPSUS$ has leverage NordVPN for its egress points when targeting intended victims.[2]
Enterprise T1087.002 Domain Account Sub-technique

LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.[2]CitationNCC Group LAPSUS Apr 2022
Enterprise T1133 External Remote Services

LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix. [2]CitationNCC Group LAPSUS Apr 2022
Enterprise T1078 Valid Accounts

LAPSUS$ has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs.[2]CitationNCC Group LAPSUS Apr 2022
Enterprise T1588.001 Malware Sub-technique

LAPSUS$ acquired and used the Redline password stealer in their operations.[2]
Enterprise T1598.004 Spearphishing Voice Sub-technique

LAPSUS$ has called victims' help desk to convince the support personnel to reset a privileged account’s credentials.[2]
Enterprise T1204 User Execution

LAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing LAPSUS$ to take control of an authenticated system.[2]
Enterprise T1552.008 Chat Messages Sub-technique

LAPSUS$ has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for exposed credentials to support privilege escalation and lateral movement.[2]
Enterprise T1489 Service Stop

LAPSUS$ has shut down virtual machines from within a victim's on-premise VMware ESXi infrastructure.CitationNCC Group LAPSUS Apr 2022
Enterprise T1593.003 Code Repositories Sub-technique

LAPSUS$ has searched public code repositories for exposed credentials.[2]
Enterprise T1136.003 Cloud Account Sub-technique

LAPSUS$ has created global admin accounts in the targeted organization's cloud instances to gain persistence.[2]
Enterprise T1114.003 Email Forwarding Rule Sub-technique

LAPSUS$ has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account.[2]
Enterprise T1591.002 Business Relationships Sub-technique

LAPSUS$ has gathered detailed knowledge of an organization's supply chain relationships.[2]
Enterprise T1578.003 Delete Cloud Instance Sub-technique

LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.[2]
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer.[2]
Enterprise T1531 Account Access Removal

LAPSUS$ has removed a targeted organization's global admin accounts to lock the organization out of all access.[2]
Enterprise T1589.001 Credentials Sub-technique

LAPSUS$ has gathered user identities and credentials to gain initial access to a victim's organization; the group has also called an organization's help desk to reset a target's credentials.[2]CitationNCC Group LAPSUS Apr 2022
Enterprise T1068 Exploitation for Privilege Escalation

LAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation.[2]
Enterprise T1621 Multi-Factor Authentication Request Generation

LAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval.[2]
Enterprise T1098.003 Additional Cloud Roles Sub-technique

LAPSUS$ has added the global admin role to accounts they have created in the targeted organization's cloud instances.[2]
Enterprise T1003.006 DCSync Sub-technique

LAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines.[2]
Enterprise T1586.002 Email Accounts Sub-technique

LAPSUS$ has payed employees, suppliers, and business partners of target organizations for credentials.[2]CitationNCC Group LAPSUS Apr 2022
Enterprise T1213.005 Messaging Applications Sub-technique

LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.[2]
Enterprise T1589.002 Email Addresses Sub-technique

LAPSUS$ has gathered employee email addresses, including personal accounts, for social engineering and initial access efforts.[2]
Enterprise T1584.002 DNS Server Sub-technique

LAPSUS$ has reconfigured a victim's DNS records to actor-controlled domains and websites.CitationNCC Group LAPSUS Apr 2022
Enterprise T1684.001 Impersonation Sub-technique

LAPSUS$ has called victims' help desk and impersonated legitimate users with previously gathered information in order to gain access to privileged accounts.[2]
Enterprise T1003.003 NTDS Sub-technique

LAPSUS$ has used Windows built-in tool `ntdsutil` to extract the Active Directory (AD) database.[2]
Enterprise T1555.005 Password Managers Sub-technique

LAPSUS$ has accessed local password managers and databases to obtain further credentials from a compromised network.CitationNCC Group LAPSUS Apr 2022
Enterprise T1199 Trusted Relationship

LAPSUS$ has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations.[2]
Enterprise T1597.002 Purchase Technical Data Sub-technique

LAPSUS$ has purchased credentials and session tokens from criminal underground forums.[2]
Enterprise T1578.002 Create Cloud Instance Sub-technique

LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.[2]
Enterprise T1078.004 Cloud Accounts Sub-technique

LAPSUS$ has used compromised credentials to access cloud assets within a target organization.[2]
Enterprise T1111 Multi-Factor Authentication Interception

LAPSUS$ has replayed stolen session token and passwords to trigger simple-approval MFA prompts in hope of the legitimate user will grant necessary approval.[2]
Associated objects

Groups, software, and campaigns

Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Relationship explorer

All related ATT&CK context

uses · Technique T1589: Gather Victim Identity Information Enterprise uses · Technique T1005: Data from Local System Enterprise uses · Technique T1069.002: Domain Groups Enterprise uses · Technique T1213.001: Confluence Enterprise uses · Technique T1588.002: Tool Enterprise uses · Technique T1485: Data Destruction Enterprise uses · Technique T1213.003: Code Repositories Enterprise uses · Technique T1213.002: Sharepoint Enterprise uses · Technique T1583.003: Virtual Private Server Enterprise uses · Technique T1591.004: Identify Roles Enterprise uses · Technique T1090: Proxy Enterprise uses · Technique T1087.002: Domain Account Enterprise uses · Technique T1133: External Remote Services Enterprise uses · Technique T1078: Valid Accounts Enterprise uses · Technique T1588.001: Malware Enterprise uses · Technique T1598.004: Spearphishing Voice Enterprise uses · Technique T1204: User Execution Enterprise uses · Technique T1552.008: Chat Messages Enterprise uses · Technique T1489: Service Stop Enterprise uses · Technique T1593.003: Code Repositories Enterprise uses · Technique T1136.003: Cloud Account Enterprise uses · Technique T1114.003: Email Forwarding Rule Enterprise uses · Technique T1591.002: Business Relationships Enterprise uses · Tool S0002: Mimikatz Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.1
Created
Modified
Raw hash
9885c79538811205...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.1 Current bundle 9885c7953881…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    BBC LAPSUS Apr 2022

    BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.

    Open source URL
  2. [2]
    MSTIC DEV-0537 Mar 2022

    MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.

    Open source URL
  3. [3]
    UNIT 42 LAPSUS Mar 2022

    UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.

    Open source URL
  4. [4]
    DEV-0537

    (Citation: MSTIC DEV-0537 Mar 2022)

  5. [5]
    Microsoft Threat Actor Naming July 2023

    Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.

    Open source URL
  6. [6]
    Strawberry Tempest

    (Citation: Microsoft Threat Actor Naming July 2023)

  7. [7]
    mitre-attack G1004
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use