LAPSUS$
G10043 reportsaliases · LAPSUS$ · DEV-0537 · Strawberry Tempest
3
Reports
8
Techniques
8
Tactics
3
Countries
62%
Hunt coverage
3
Aliases
Analyst assessment — key judgments
- Signature techniques: T1588.006 (Vulnerabilities), T1589.001 (Credentials), T1684.001 (Impersonation).
- Primary targeting: KR, US, DE.
- Resurgent after a quiet period: 2 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 5 new technique(s), 7 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 62% of 8 observed techniques (3 gap(s)).
- Assessment confidence: medium (61).
Activity & trend
ResurgentLast 30d: 2 vs 0 prior (+100%)· first reported 2026-04-15 · last 2026-06-24
0
7d
2
30d
2
90d
3
All
0.2
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
New techniques
T1684.001AML.T0073T1195T1552.004T1098.001Dropped (90d+)
T1657Targeting gained
KRUSNew infrastructure
https://devops.com/github-takes-down-73-https://openssf.org/projects/slsa/https://whiteintel.io/blog/red-hat-miasmhttps://arstechnica.com/security/2026/03https://spycloud.com/resource/report/spyhttps://cybersecuritynews.com/binding-gyhttps://connect.tenable.com/category/newOverview
Analyst triage
Intelligence summary
LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1588.006 · Vulnerabilitiesconf 652
- T1589.001 · Credentialsconf 652
- T1684.001 · Impersonationconf 601
- AML.T0073 · Impersonationconf 601
- T1657 · Financial Theftconf 601
- T1195 · Supply Chain Compromiseconf 601
- T1552.004 · Private Keysconf 601
- T1098.001 · Additional Cloud Credentialsconf 601
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|