Listen to this Post
Introduction:
The reappearance of a clearnet domain linked to the notorious LAPSUS$ threat group—lapsus[.]bz—serves as a critical indicator that even disrupted cybercriminal brands can resurface with new infrastructure. For defenders, tracking such domain registrations, DNS changes, and associated IOCs (Indicators of Compromise) provides early warning of potential extortion campaigns, data leaks, or recruitment drives. This article translates raw threat intelligence into actionable monitoring, hunting, and hardening procedures across Linux, Windows, and cloud environments.
Learning Objectives:
- Deploy OSINT techniques and command-line tools to investigate newly registered domains tied to known threat actors.
- Implement detection rules and threat-hunting queries for LAPSUS$-like TTPs (Tactics, Techniques, and Procedures), including SIM-swapping, MFA fatigue, and source-code theft.
- Harden identity infrastructure against credential theft and social engineering using MFA policies, conditional access, and user behavior analytics.
You Should Know:
1. Enumerate and Validate New Threat Actor Domains
Start by gathering passive DNS and WHOIS data for lapsus[.]bz. Avoid direct browsing; use sandboxed or threat intel platforms.
Linux commands:
Defanged domain: lapsus[.]bz -> real: lapsus.bz (do NOT browse directly) whois lapsus.bz | grep -E "Creation Date|Registrar|Name Server" dig lapsus.bz A +short dig lapsus.bz TXT +short nslookup lapsus.bz 8.8.8.8
Windows (PowerShell):
Resolve-DnsName lapsus.bz -Type A Resolve-DnsName lapsus.bz -Type TXT whois lapsus.bz | Select-String "Creation Date"
Step‑by‑step:
- Use `whois` to identify registration date, registrar, and redacted contacts. Recent creation (within days/weeks) suggests operational readiness.
- Query multiple DNS record types (A, AAAA, MX, TXT, NS) to map associated IPs and subdomains.
- Cross-reference IPs with VirusTotal, AlienVault OTX, or MISP to check for prior malicious activity.
- Archive the domain’s homepage using `wget –spider` or `curl -I` to capture HTTP response headers (e.g., server, X-Powered-By) without full retrieval.
2. Extract and Operationalize IOCs for SIEM/SOAR
Convert raw infrastructure (domains, IPs, SSL cert hashes) into detection logic. LAPSUS$ previously used Telegram, Discord, and clearnet leak sites.
Example IOC extraction (Linux):
echo "lapsus.bz" | hakrevdns -r 5.0.0.0/8 find co-hosted domains (requires hakrevdns) openssl s_client -connect lapsus.bz:443 -servername lapsus.bz 2>/dev/null | openssl x509 -1oout -fingerprint -sha256
Create Sigma rule snippet for suspicious domain access:
title: LAPSUS-Style Clearnet Domain Access logsource: product: windows category: dns_query detection: selection: query|contains: 'lapsus.bz' condition: selection
Step‑by‑step:
- Collect SHA256 fingerprints of SSL certificates used by the domain; these persist even if IPs change.
- Use passive DNS databases (CIRCL, RiskIQ) to find historical IPs and related domains.
- Push IOCs as threat intelligence feeds into Microsoft Sentinel, Splunk, or ELK using STIX/TAXII.
- Create automated alerts for any internal DNS query to lapsus[.]bz or its resolved IP range.
3. Hunt for LAPSUS$ TTPs Using EDR Logs
LAPSUS$ is known for credential dumping (Mimikatz, LSASS), Azure AD reconnaissance, and abusing valid accounts. Hunt for these patterns.
KQL (Microsoft 365 Defender) hunting query:
DeviceProcessEvents | where ProcessCommandLine contains "sekurlsa::logonpasswords" or ProcessCommandLine contains "mimikatz" | project Timestamp, DeviceName, AccountName, ProcessCommandLine
Linux auditd rule for suspicious /etc/shadow reads:
auditctl -w /etc/shadow -p r -k shadow_access ausearch -k shadow_access -ts recent
Step‑by‑step:
- Search for unusual Azure CLI or PowerShell `Get-AzAccessToken` commands indicating token theft.
- Monitor for `net user /domain` or `bloodhound` execution – LAPSUS$ used AD enumeration.
- Look for `procdump` or `comsvcs.dll` minidump creation to extract LSASS memory.
- Enable Process Commandline logging via Group Policy (Windows) or audit logs (Linux) to catch inline attackers.
4. Harden MFA and Identity Against Fatigue Attacks
LAPSUS$ exploited MFA fatigue (spamming push notifications) and SIM-swapping. Implement number matching and token protection.
Azure AD Conditional Access policy (PowerShell):
New-AzureADMSConditionalAccessPolicy -DisplayName "Block MFA Fatigue" -State "enabled" -Conditions $conditions -GrantControls @{
BuiltInControls = "mfa"
AuthenticationStrength = @{ DisplayName = "Number matching" }
}
Linux PAM with MFA (Google Authenticator):
sudo apt install libpam-google-authenticator google-authenticator -t -d -f -r 3 -R 30 -w 3 echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
Step‑by‑step:
- Require number matching in all MFA push apps (Microsoft Authenticator, Duo, Okta).
- Enroll all privileged accounts in FIDO2 security keys or certificate-based authentication.
- Implement risk-based sign-in policies: block logins from TOR exit nodes or high-risk countries (unless required).
- Regularly audit Azure AD sign-in logs for repeated “Approved” MFA requests from the same user in short windows.
5. Simulate Red Team Activity (OpenPwned-style)
LAPSUS$ often used open-source tools and simple social engineering. Use the author’s “OpenPwned” mindset (GitHub: Vyankatesh Shinde/OpenPwned) to test your defenses.
Deploy a safe phishing simulation (GoPhish on Linux):
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip unzip gophish-.zip && cd gophish-v0.12.1-linux-64bit sudo ./gophish Access UI at https://127.0.0.1:3333
Simulate MFA push bombing (custom Python snippet):
import requests
Assuming a valid session token, repeatedly trigger MFA push (for authorized testing)
for _ in range(50):
requests.post("https://login.microsoftonline.com/common/oauth2/devicecode", data={"client_id": "your_app_id"})
Step‑by‑step:
- Create a controlled lab environment mirroring your production identity stack.
- Attempt to reset user passwords using social engineering (with permission) to gauge training effectiveness.
- Deploy a rogue Wi-Fi access point (airbase-1g) and harvest NetNTLMv2 hashes for offline cracking.
- Simulate SIM-swapping by coordinating with mobile carrier testing accounts (requires carrier cooperation).
6. Configure Threat Intelligence Feed Automation
Automatically ingest new domains and IPs associated with LAPSUS$ or similar groups.
Using MISP + PyMISP to pull intel:
from pymisp import PyMISP
misp = PyMISP("https://your-misp/", "API_KEY", ssl=False)
result = misp.search(controller='attributes', type_attr='domain', value='lapsus.bz', pythonify=True)
for attr in result:
print(attr.value, attr.to_ids)
Cron job to monitor new .bz domain registrations (Linux):
Install dnstwist or use whois-history API 0 /6 /usr/bin/whois -H .bz | grep "Domain Name:" | tee -a /var/log/bz_domains.log
Step‑by‑step:
- Subscribe to free feeds: AlienVault OTX pulses, FBI InfraGard, abuse.ch URLhaus.
- Use TheHive for case management when a new domain triggers an alert.
- Set up a sensor to detect DNS tunneling or DGA domains similar to patterns used by LAPSUS$ affiliates.
- Weekly review of newly registered domains containing “lapsus”, “leaked”, or “extortion” keywords.
7. Incident Response: Leak Detection and Takedown Coordination
If lapsus[.]bz posts stolen data, you need rapid detection and legal response.
Monitor data leak sites via RSS-to-SIEM (using feedparser):
import feedparser
d = feedparser.parse('https://feeds.feedburner.com/LeakedData')
for entry in d.entries:
if 'yourcompany' in entry.title.lower():
send_alert(entry.link)
Submit takedown request (whois contact abuse email):
whois lapsus.bz | grep -i "abuse" | awk '{print $NF}' | while read email; do
echo "DMCA/Trademark violation at lapsus.bz" | mail -s "Takedown Request" $email
done
Step‑by‑step:
- Establish a “canary token” (canarytokens.org) inside a fake source code repo; if accessed, it triggers an alert.
- Use Have I Been Pwned’s domain search to check if employee credentials appear on paste sites.
- Coordinate with domain registrar (e.g., NameCheap, GoDaddy) for rapid suspension if malicious content is confirmed.
- After incident, update blocklists in your firewall (pfSense:
pfctl -t bruteforce -T add <IP>).
What Undercode Say:
- Key Takeaway 1: The lapsus[.]bz domain is a clear signal that cybercriminal brands persist through infrastructure churn. Defenders must treat every new domain as a potential kill-chain precursor, not just a passive artifact.
- Key Takeaway 2: LAPSUS$ tactics rely heavily on identity weaknesses (MFA fatigue, social engineering) and publicly available tools. Technical controls alone fail without continuous user training and risk-based authentication.
Analysis: The LAPSUS$ group (allegedly behind breaches of Microsoft, Okta, and NVIDIA) demonstrates that even unsophisticated techniques—password reuse, session token theft, Telegram-based coordination—can bypass traditional perimeter defenses. The emergence of lapsus[.]bz could signal a reboot, copycat activity, or brand trolling. Regardless, security teams gain value by using this IOC to revisit their identity hygiene: auditing service accounts, enforcing phishing-resistant MFA, and monitoring for anomalous Azure AD sign-ins. Red teams should emulate the group’s speed over stealth, focusing on credential dumping and SIM-swap simulations. Blue teams must prioritize telemetry from cloud authentication logs (Azure AD, AWS CloudTrail) and end-user reporting of suspicious push notifications. Ultimately, the domain itself is less dangerous than the behavioral blind spots it exploits.
Expected Output:
- Introduction: [Already provided above]
- What Undercode Say: [Already provided above]
- Prediction:
-1 LAPSUS$ or imitators will increasingly abandon clearnet leak sites in favor of ephemeral Telegram channels and Obsidian portals, making takedowns harder and intelligence lag times longer.
-P However, the repeated use of branded domains enables defenders to preemptively hunt and automate blocking, turning adversary brand persistence into a detection advantage.
+1 Cloud providers and MFA vendors will accelerate mandatory number matching and FIDO2 adoption by late 2026, reducing MFA fatigue attacks by an estimated 70% for enterprise tenants.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Vyankatesh Shinde – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
