1. Executive Summary
LAPSUS$ is an extortion-focused cybercriminal collective best known for high-tempo intrusions against large enterprises and service providers, frequently leveraging social engineering and identity compromise rather than exploiting bespoke malware or deploying ransomware. Microsoft publicly tracked the group as DEV-0537 (later renamed Strawberry Tempest) and assessed its operations as an “extortion and destruction” model that may include destructive actions after data theft. (Microsoft)
Unlike many financially motivated groups, LAPSUS$ has historically sought public notoriety, openly posting claims and stolen material, and even advertising for insider access. (Microsoft)
Law-enforcement and court outcomes in the UK indicate that at least some participants were teenagers, reinforcing the broader industry assessment that LAPSUS$ represented a loose, youth-heavy ecosystem of “identity-first” attackers rather than a traditional, hierarchical ransomware gang. (cityoflondon.police.uk)
2. Contextual Background
2.1 Nature of the threat
Operating model
- Primary business model: data theft + extortion, sometimes paired with destructive disruption (e.g., deleting systems/resources) rather than encrypting with ransomware. (Microsoft)
- Access model: identity compromise at scale via helpdesk/social engineering, MFA fatigue, SIM swapping, session token replay, and recruiting/paying insiders (employees, suppliers, contractors) for credentials or MFA approval. (Microsoft)
- Supply-chain leverage: opportunistic abuse of trusted access paths (outsourced support, third parties, IT/service providers) to move laterally across partner relationships. (Microsoft)
2.2 Threat-actor attribution
Attribution status: Confirmed (high confidence)
- Microsoft explicitly attributed observed activity to DEV-0537, “also known as LAPSUS$,” later mapped to Strawberry Tempest under its revised naming taxonomy. (Microsoft)
Law-enforcement / judicial context (UK)
- UK proceedings identified individuals associated with the LAPSUS$ hacking spree, including Arion Kurtaj, who received an indefinite hospital order under the UK Mental Health Act following conviction findings. (cityoflondon.police.uk)
Note: Public reporting sometimes conflates LAPSUS$ with adjacent “social-engineering-first” clusters. This profile avoids unverified organisational-link claims and focuses on behaviours directly described in reputable primary reporting.
2.3 Sector and geographic targeting
Microsoft reported early focus on the UK and South America, followed by expansion to global targets across government, technology, telecoms, media, retail, and healthcare, among others. (Microsoft)
Victim selection historically appears opportunistic and identity-driven: organisations with large support footprints, broad contractor ecosystems, and high-value SaaS/IdP dependencies are particularly exposed to LAPSUS$-style tradecraft. (Microsoft)
3. Technical Analysis
3.1 TTPs and MITRE ATT&CK mapping
Below are techniques explicitly described by Microsoft and corroborated by vendor incident narratives where applicable.
Identity & social engineering
- Helpdesk and phone-based social engineering to reset credentials and bypass controls: T1598 (Phishing for Information) / T1566 (Phishing) (Microsoft describes phone/social engineering of help desks and recovery prompts) (Microsoft)
- MFA prompt spamming / “push fatigue”: T1621 (Multi-Factor Authentication Request Generation) (Microsoft)
- SIM swapping to intercept telephony-based authentication: T1650 (Acquire Access) (used here as “acquire phone-number control” enabling account takeover; Microsoft explicitly cites SIM-swapping for access to authentication prompts) (Microsoft)
- Credential acquisition via malware and underground markets: T1555 (Credentials from Password Stores) / T1589 (Gather Victim Identity Information) / T1567 (Exfiltration to Cloud Storage) (Microsoft cites Redline stealer, buying credentials/tokens, and searching public repos for secrets) (Microsoft)
Initial access & persistence
- Use of remote access tooling installed by insiders/victims (e.g., AnyDesk): T1219 (Remote Access Software) (Microsoft)
- Access to VPN/RDP/VDI and identity providers (Azure AD, Okta): T1133 (External Remote Services) (Microsoft)
- Session token replay to satisfy MFA: T1528 (Steal Application Access Token) (Microsoft)
Privilege escalation & discovery
- Enumeration of AD users/groups using AD Explorer: T1087 (Account Discovery) (Microsoft)
- Credential dumping and domain escalation (e.g., Mimikatz / DCSync): T1003 (OS Credential Dumping) / T1003.006 (DCSync) (Microsoft)
- Searching internal platforms for secrets (SharePoint/Confluence/Jira/Git): T1552 (Unsecured Credentials) (Microsoft)
Exfiltration, impact, and extortion
- Data theft for extortion/public leak: T1020 (Automated Exfiltration) / T1567 (Exfiltration to Cloud Storage) (Microsoft)
- Cloud tenant takeover patterns (creation of global admin, mail flow rules, lockout of admins): T1098 (Account Manipulation) / T1114 (Email Collection) (Microsoft)
- Destructive actions (deleting resources on-prem/cloud): T1485 (Data Destruction) / T1490 (Inhibit System Recovery) (Microsoft)
- Monitoring incident response comms / joining “war rooms” and bridges: T1562 (Impair Defences; operationally, undermining the response) and T1087 (Discovery) (Microsoft explicitly describes joining crisis calls to gain insight and apply pressure) (Microsoft)
3.2 Exploitation status and public case studies
LAPSUS$ is primarily associated with identity-led intrusions rather than a single “signature” CVE. Publicly documented incidents include:
- Okta / third-party support engineer compromise (January 2022; disclosed March 2022): Okta states the incident involved a third-party support engineer account and that Okta service itself was not breached; Okta later published a detailed incident timeline. (okta.com)
- Microsoft source code leak claims (March 2022): Microsoft confirmed a compromise of a single account with limited access and stated no customer code/data was involved. (Microsoft)
- NVIDIA incident (discovered February 2022; disclosed March 2022): NVIDIA published a security notice on the incident, and Reuters reported on leaked employee and company information following the cyberattack. (nvidia.custhelp.com)
4. Impact Assessment
4.1 Severity and scope
Why defenders treat LAPSUS$ as high impact despite “simple” tradecraft
- The group’s consistent advantage has been speed and leverage: compromising identities, escalating privileges rapidly, and pressuring victims via public exposure and disruption rather than negotiating around decryptors. (Microsoft)
- Organisations with centralised identity platforms (IdPs), large helpdesks, or extensive third-party support relationships can face outsized blast radius due to credential reset and admin tooling pathways. (Microsoft)
4.2 Victim profile
Observed victimology (from Microsoft and incident disclosures) is broad: technology firms, telecoms, government, retail, healthcare, and service providers where compromise enables downstream access. (Microsoft)
5. Indicators of Compromise (IOCs)
5.1 IOC table
Public reporting on LAPSUS$ is rich in TTPs but comparatively sparse in durable, high-fidelity IOCs (domains/IPs/hashes) that remain valid over time. Microsoft also notes the actor’s “TTPs and infrastructure are constantly changing,” limiting the shelf life of static indicators. (Microsoft)
| Type | Value | Context / Notes | Source |
|---|---|---|---|
| Malware family | RedLine Stealer | Microsoft observed use of RedLine to obtain passwords/session tokens | Microsoft analysis of DEV-0537/LAPSUS$ |
| Remote access tooling | AnyDesk (and similar) | Used via insider/victim-installed remote management software for interactive access | Microsoft analysis of DEV-0537/LAPSUS$ |
| Technique pattern | MFA push fatigue | Repeated prompts to induce user approval | Microsoft analysis of DEV-0537/LAPSUS$ |
5.2 Detection guidance (behavioural)
Prioritise detections that align to LAPSUS$’s identity-first playbook:
- MFA anomaly detection: alert on spikes in MFA pushes and repeated denied prompts (map to T1621). (Microsoft)
- Suspicious helpdesk resets / enrolments: rapid credential resets + new MFA factor registration followed quickly by privileged actions. (Microsoft)
- Token replay / impossible travel / new device enrolment: token-based sign-ins from VPS/VPN infrastructure and newly registered devices joining cloud tenants. (Microsoft)
- Remote access tooling execution: AnyDesk (or equivalents) installed/executed on corporate endpoints outside approved software channels (map to T1219). (Microsoft)
- Cloud control-plane manipulation: creation of new global admins, tenant-wide mail routing rules, removal of other admins (map to T1098 and T1114). (Microsoft)
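The first two detections above (MFA push fatigue, and a helpdesk reset followed quickly by a privileged action) as an added example that is not part of the original profile or of any Microsoft tooling. It runs over constructed, IdP-like events; the event field names (`type`, `user`, `result`, `action`, `time`) are simplified assumptions, not a vendor log schema.

```python
# Added example (not from the original report): two behavioural detections for
# LAPSUS$-style identity abuse over constructed, IdP-like events (assumed schema).
from collections import defaultdict
from datetime import datetime, timedelta

def detect_mfa_fatigue(events, window_min=10, min_denied=5):
    """T1621: user denies >= min_denied pushes in the window, then approves one."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_prompt":
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["result"]))
    hits = []
    for user, prompts in by_user.items():
        prompts.sort()  # chronological per user
        for i, (t_ok, result) in enumerate(prompts):
            if result != "approved":
                continue
            start = t_ok - timedelta(minutes=window_min)
            denied = sum(1 for t, r in prompts[:i] if r == "denied" and t >= start)
            if denied >= min_denied:
                hits.append((user, denied, t_ok.isoformat()))
    return hits

def detect_reset_then_privilege(events, window_min=60):
    """Reset or new MFA factor followed within the window by a privileged action."""
    resets = [e for e in events if e["type"] in ("password_reset", "mfa_factor_added")]
    privileged = [e for e in events if e["type"] == "privileged_action"]
    hits = []
    for r in resets:
        for p in privileged:
            if p["user"] != r["user"]:
                continue
            gap = datetime.fromisoformat(p["time"]) - datetime.fromisoformat(r["time"])
            if timedelta(0) <= gap <= timedelta(minutes=window_min):
                hits.append((r["user"], r["type"], p["action"], int(gap.total_seconds() // 60)))
    return hits

# Constructed sample: alice is pushed five times and gives in; bob's password is
# reset by the helpdesk and a Global Administrator role is assigned 20 minutes later.
SAMPLE = [{"type": "mfa_prompt", "user": "alice", "result": "denied",
           "time": f"2022-03-01T02:0{m}:00"} for m in range(5)]
SAMPLE += [{"type": "mfa_prompt", "user": "alice", "result": "approved", "time": "2022-03-01T02:06:00"},
           {"type": "mfa_prompt", "user": "bob", "result": "denied", "time": "2022-03-01T02:10:00"},
           {"type": "password_reset", "user": "bob", "time": "2022-03-01T03:00:00"},
           {"type": "privileged_action", "user": "bob", "action": "role_assigned:GlobalAdministrator",
            "time": "2022-03-01T03:20:00"}]

if __name__ == "__main__":
    print(detect_mfa_fatigue(SAMPLE))
    print(detect_reset_then_privilege(SAMPLE))
```

Thresholds and windows are starting points; tune them against your own baseline of denied prompts and reset volumes before alerting on them.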
6. Incident Response Guidance
6.1 Containment, eradication, recovery (LAPSUS$-style)
- Assume identity compromise first. Rapidly revoke sessions/tokens, reset passwords, and rotate secrets; prioritise privileged accounts and helpdesk/admin roles. (Microsoft)
- Lock down support pathways: tighten helpdesk verification, require stronger identity proofing for resets, and reduce who can reset MFA factors. (Microsoft)
- Move away from telephony-based MFA where feasible (SIM swapping risk); prefer phishing-resistant MFA (FIDO2/WebAuthn). (Microsoft)
- Harden cloud tenants: review global admin assignments, conditional access, mailbox transport rules, and audit logs for control-plane abuse. (Microsoft)
- Prepare for disruptive actions: ensure immutable backups and test restoration, especially where attackers may delete resources. (Microsoft)
6.2 Forensic artefacts to preserve
- IdP logs (Azure AD / Okta): sign-ins, token events, MFA prompts, factor enrolment, admin role changes. (Microsoft)
- Helpdesk/service desk logs: password resets, MFA resets, call recordings (where lawful), ticket metadata. (Microsoft)
- Endpoint telemetry: execution/install of remote access tools, credential dumping attempts, access to browser credential stores. (Microsoft)
- Cloud audit logs: new VM creation inside tenant, admin creation/removal, mail routing rules. (Microsoft)
6.3 Lessons learned
LAPSUS$ repeatedly demonstrated that enterprise-grade tooling collapses when the attacker can reliably coerce people and processes (helpdesks, contractors, MFA UX) into granting access.
7. Threat Intelligence Contextualisation
7.1 Comparison to similar incidents
LAPSUS$ sits in a broader shift toward identity-centric intrusion sets: rather than burning complex exploits, attackers monetise credential theft, social engineering, and third-party access to move quickly and noisily. Microsoft’s write-up is a strong representative description of this trend. (Microsoft)
7.2 MITRE ATT&CK lifecycle mapping (observed behaviours)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Reconnaissance | T1589 | Gather Victim Identity Information | Collecting employee/team/helpdesk workflow info to support social engineering (Microsoft) |
| Initial Access | T1566 | Phishing | Credential acquisition paths described alongside identity compromise methods (Microsoft) |
| Initial Access | T1133 | External Remote Services | Access via VPN/RDP/VDI and identity providers (Microsoft) |
| Credential Access | T1528 | Steal Application Access Token | Session token theft/replay to bypass MFA (Microsoft) |
| Credential Access | T1555 | Credentials from Password Stores | Use of credential stealer malware (e.g., RedLine) (Microsoft) |
| Defence Evasion / MFA Bypass | T1621 | MFA Request Generation | MFA fatigue / push spamming until approval (Microsoft) |
| Discovery | T1087 | Account Discovery | AD enumeration (e.g., AD Explorer) (Microsoft) |
| Privilege Escalation | T1003 | OS Credential Dumping | Mimikatz and credential dumping routines (Microsoft) |
| Privilege Escalation | T1003.006 | DCSync | DCSync observed for domain escalation (Microsoft) |
| Collection | T1114 | Email Collection | Tenant-level mail rule abuse to capture mail flows (Microsoft) |
| Exfiltration | T1020 | Automated Exfiltration | Exfiltration of sensitive data for extortion/leaks (Microsoft) |
| Impact | T1485 | Data Destruction | Deleting resources on-prem/cloud after exfiltration (Microsoft) |
8. Mitigation Recommendations
8.1 Hardening priorities (highest ROI against LAPSUS$ tradecraft)
- Phishing-resistant MFA for privileged users and helpdesk/service roles; reduce reliance on SMS/voice MFA (SIM swap exposure). (Microsoft)
- Helpdesk reset controls: strong caller verification, step-up approvals, restricted ability to reset MFA/credentials, and aggressive monitoring for reset abuse. (Microsoft)
- Session/token hygiene: shorten token lifetimes where feasible, enforce device compliance, and alert on token replay patterns and new device enrolments. (Microsoft)
- Third-party access governance: least privilege for contractors, segmentation of support tooling, and continuous review of supplier trust paths. (Microsoft)
- Incident comms OPSEC: assume threat actor may enter calls/chats; verify participants and maintain out-of-band comms plans. (Microsoft)
8.2 Patch management notes
LAPSUS$ is not defined by a single CVE cluster; patching remains essential, but identity/security-process hardening is the decisive control set for this actor profile. Microsoft did note opportunistic exploitation of internally accessible platforms (e.g., Jira/Confluence/GitLab) as part of post-access activity in some cases. (Microsoft)
9. Historical Context & Related Vulnerabilities
Rather than recurring “signature CVEs,” LAPSUS$ historically recycled a repeatable identity attack playbook: obtain credentials/tokens, coerce MFA/helpdesk, escalate quickly, exfiltrate, then extort and sometimes destroy. (Microsoft)
Public case studies that illustrate this pattern include Okta’s third-party support incident timeline and Microsoft’s DEV-0537 analysis. (okta.com)
10. Future Outlook
Although LAPSUS$’s peak public activity was concentrated in 2021–2022, the techniques it popularised (MFA fatigue, SIM swapping, helpdesk coercion, insider recruitment) remain highly reproducible and are now common in multiple criminal ecosystems. Microsoft’s warning that infrastructure and TTPs “constantly change” is a useful operational framing: defenders should treat “LAPSUS$” as both a group name and a durable intrusion style. (Microsoft)
11. Further Reading
- Microsoft analysis of DEV-0537 / LAPSUS$ (Strawberry Tempest)
- Okta: Official statement on LAPSUS$ claims (March 2022) (okta.com)
- Okta: Investigation timeline of the January 2022 compromise (okta.com)
- NVIDIA security notice: response to March 2022 incident (nvidia.custhelp.com)
- City of London Police: sentencing outcome linked to LAPSUS$ activity (Dec 2023) (cityoflondon.police.uk)
