Financially motivated. 18 malware families. Exploits CVEs in the wild.

LAPSUS$

Also known as: DEV-0537, LAPSUS, LAPSUS$, SLIPPY SPIDER, Strawberry Tempest

LAPSUS$ is a financially motivated cybercrime and extortion actor, also tracked as DEV-0537, Lapsus, Slippy Spider, and Strawberry Tempest. Reporting describes the group gaining initial access through social engineering, including calling victims' help desks and impersonating legitimate users with previously gathered personal details in order to obtain access to privileged accounts. LAPSUS$ claimed responsibility for the cyberattack on Virta Health, listed the company on its data leak site, claimed to have stolen confidential data, and threatened to publish it unless ransom demands were met. Later reporting links remnants of LAPSUS$ to a broader cybercriminal ecosystem alongside ShinyHunters and Scattered Spider, and describes a 2025 federation, "Scattered LAPSUS$ Hunters" (SLH), that combines ShinyHunters' brand recognition, Scattered Spider's social-engineering expertise, and LAPSUS$'s aggressive tactics. Reporting also notes claimed collaboration or partnership references involving TeamPCP and LAPSUS$, with the assessment that TeamPCP likely functioned as an initial-access supplier to monetization partners including LAPSUS$.


MITRE ATT&CK

Tradecraft

45 distinct techniques observed across reporting, grouped by tactic below. Coverage: 13 of 15 tactics, 61 technique entries. ×N = number of intelligence reports citing that technique.
TA0043 Reconnaissance (3 techniques)
    T1589 Gather Victim Identity Information
    T1593 Search Open Websites/Domains
    T1598 Phishing for Information
        T1598.004 Spearphishing Voice (×3)

TA0042 Resource Development (2 techniques)
    T1583 Acquire Infrastructure
        T1583.003 Virtual Private Server
    T1588 Obtain Capabilities
        T1588.001 Malware (×2)
        T1588.002 Tool

TA0001 Initial Access (6 techniques)
    T1078 Valid Accounts (×9)
        T1078.004 Cloud Accounts (×3)
    T1133 External Remote Services
    T1189 Drive-by Compromise
    T1190 Exploit Public-Facing Application (×3)
    T1199 Trusted Relationship (×2)
    T1566 Phishing (×3)

TA0002 Execution (3 techniques)
    T1059 Command and Scripting Interpreter
    T1204 User Execution
        T1204.002 Malicious File
    T1651 Cloud Administration Command

TA0003 Persistence (3 techniques)
    T1078 Valid Accounts (×9)
        T1078.004 Cloud Accounts (×3)
    T1098 Account Manipulation
    T1133 External Remote Services

TA0004 Privilege Escalation (3 techniques)
    T1068 Exploitation for Privilege Escalation (×9)
    T1078 Valid Accounts (×9)
        T1078.004 Cloud Accounts (×3)
    T1098 Account Manipulation

TA0005 Stealth (3 techniques)
    T1014 Rootkit
    T1070 Indicator Removal
        T1070.004 File Deletion
    T1078 Valid Accounts (×9)
        T1078.004 Cloud Accounts (×3)

TA0112 Defense Impairment (1 technique)
    T1553 Subvert Trust Controls
        T1553.002 Code Signing

TA0006 Credential Access (6 techniques)
    T1003 OS Credential Dumping
        T1003.006 DCSync
    T1552 Unsecured Credentials
        T1552.001 Credentials In Files
    T1555 Credentials from Password Stores (×2)
        T1555.003 Credentials from Web Browsers
    T1557 Adversary-in-the-Middle
    T1621 Multi-Factor Authentication Request Generation (×3)
    T1649 Steal or Forge Authentication Certificates (×5)

TA0007 Discovery (2 techniques)
    T1018 Remote System Discovery (×2)
    T1087 Account Discovery
        T1087.002 Domain Account

TA0009 Collection (4 techniques)
    T1005 Data from Local System (×2)
    T1114 Email Collection
        T1114.003 Email Forwarding Rule
    T1213 Data from Information Repositories (×2)
    T1557 Adversary-in-the-Middle

TA0010 Exfiltration (4 techniques)
    T1041 Exfiltration Over C2 Channel (×6)
    T1048 Exfiltration Over Alternative Protocol (×2)
    T1537 Transfer Data to Cloud Account (×3)
    T1567 Exfiltration Over Web Service
        T1567.002 Exfiltration to Cloud Storage
        T1567.003 Exfiltration to Text Storage Sites

TA0040 Impact (3 techniques)
    T1485 Data Destruction
    T1486 Data Encrypted for Impact (×5)
    T1657 Financial Theft (×3)
Associated vulnerabilities (weaponized)

10 CVEs this actor has used in observed campaigns; all 10 have been exploited in the wild.

CVE-2026-33634: Trivy supply chain compromise via malicious release and retagged GitHub Actions (exploited in the wild; evidence: 5 reports)

BleepingComputer reported that threat actors leveraged credentials stolen through the Trivy supply chain compromise (CVE-2026-33634) to breach Cisco's internal development environment... The CISA KEV remediation deadline for CVE-2026-33634 is today, April 8, 2026... Beyond patching Trivy to v0.69.2+, trivy-action to v0.35.0, or setup-trivy to v0.2.6, organizations must also complete credential rotation.

CVE-2025-61882: Unauthenticated RCE in Oracle E-Business Suite Concurrent Processing BI Publisher Integration (exploited in the wild; evidence: 3 reports)

Researchers analyzed leaked scripts used by attackers to exploit CVE-2025-61882 on internet-facing Oracle EBS instances. The exploit uses a crafted request with a return_url to coerce the server into fetching an attacker payload (SSRF), retrieving a malicious XSL with embedded JavaScript executed via Java javax.script, leading to a reverse shell. Mandiant reports exploitation and data theft starting Aug 2025; CISA added it to KEV; Oracle provided fixes and IOCs.

CVE-2021-31207: Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell) (exploited in the wild; evidence: 1 report)

CVE-2021-34473: ProxyShell pre-auth SSRF in Microsoft Exchange Autodiscover (exploited in the wild; evidence: 1 report)

CVE-2021-34523: Microsoft Exchange PowerShell backend elevation of privilege (ProxyShell) (exploited in the wild; evidence: 1 report)

Evidence cited for all three ProxyShell CVEs: This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

5 more CVEs tied to this actor tracked in Mallory.

Observables (IOCs)

13 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. IOC values are gated and available only in Mallory, where they can also be piped straight into a SIEM.
