THREATOPS Actor Dossier
LIVE ← Dashboard

LAPSUS$

G10043 reports
aliases · LAPSUS$ · DEV-0537 · Strawberry Tempest
Export dossier:
3
Reports
8
Techniques
8
Tactics
3
Countries
62%
Hunt coverage
3
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1588.006 (Vulnerabilities), T1589.001 (Credentials), T1684.001 (Impersonation).
  • Primary targeting: KR, US, DE.
  • Resurgent after a quiet period: 2 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 5 new technique(s), 7 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 62% of 8 observed techniques (3 gap(s)).
  • Assessment confidence: medium (61).

Activity & trend

ResurgentLast 30d: 2 vs 0 prior (+100%)· first reported 2026-04-15 · last 2026-06-24
0
7d
2
30d
2
90d
3
All
0.2
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1684.001AML.T0073T1195T1552.004T1098.001
Dropped (90d+)
T1657
Targeting gained
KRUS
New infrastructure
https://devops.com/github-takes-down-73-https://openssf.org/projects/slsa/https://whiteintel.io/blog/red-hat-miasmhttps://arstechnica.com/security/2026/03https://spycloud.com/resource/report/spyhttps://cybersecuritynews.com/binding-gyhttps://connect.tenable.com/category/new

Overview

Analyst triage
Intelligence summary

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected