{"id":15407,"date":"2026-01-05T12:02:07","date_gmt":"2026-01-05T12:02:07","guid":{"rendered":"https:\/\/newestek.com\/?p=15407"},"modified":"2026-01-05T12:02:07","modified_gmt":"2026-01-05T12:02:07","slug":"cybersecurity-firm-turns-tables-on-threat-actors-with-decoy-data-trap","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15407","title":{"rendered":"Cybersecurity firm turns tables on threat actors with decoy data trap"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Cybersecurity firm Resecurity says it deliberately lured threat actors linked to the Scattered Lapsus$ Hunters (<a href=\"https:\/\/www.csoonline.com\/article\/4072244\/scattered-lapsus-hunters-extortion-site-goes-dark-whats-next.html\" target=\"_blank\">SLH<\/a>) alliance into a honeypot, after the group claimed that it had hacked the company and stolen internal and client data.<\/p>\n<p>\u201cUnderstanding that the actor is conducting reconnaissance, our team has set up a honey pot account,\u201d Resecurity said in a blog post, indicating prior knowledge of threat actor probing. 
\u201cThis led to a successful login by the threat actor to one of the emulated applications containing synthetic data.\u201d<\/p>\n<p>The threat actors claiming to be SLH\u2019s \u201c<a href=\"https:\/\/www.csoonline.com\/article\/3621101\/aws-customers-face-massive-breach-amid-alleged-shinyhunters-regroup.html\" target=\"_blank\">ShinyHunters<\/a>\u201d initially posted screenshots and claimed that they had breached Resecurity\u2019s systems, but soon after the firm said it was a honeypot, the actual group confirmed they had no connection to the attack.<\/p>\n<p>\u201cWe would like to announce that we have gained full access to Resecurity systems,\u201d the threat actors <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-claim-resecurity-hack-firm-says-it-was-a-honeypot\/\" target=\"_blank\" rel=\"noreferrer noopener\">reportedly said<\/a> in a Telegram post. \u201cFor months, REsecurity has been trying to social engineer us and groups we know. When ShinyHunters put the Vietnam financial system database up for sale, their staff pretended to be buyers to get free samples and more info from us.\u201d<\/p>\n<p>As proof, the threat actors had attached screenshots of Resecurity employees\u2019 internal communication in a Mattermost collaboration instance.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>What Resecurity says really happened<\/h2>\n<p>According to Resecurity, its security teams observed reconnaissance activity targeting externally exposed services before the attackers made their claims public. In response, the company said it steered the activity toward a honeypot environment populated with synthetic data designed to resemble internal systems.<\/p>\n<p>The honeypot included fabricated consumer records and simulated payment data structured to appear realistic while remaining fully isolated from Resecurity\u2019s production environment. 
The company said this allowed the attackers to believe they had gained meaningful access, while enabling defenders to monitor activity without exposing real data.<\/p>\n<p>\u201cFor synthetic data, we used two different datasets: over 28,000 records impersonating consumers and over 190,000 records of payment transactions, and generated messages,\u201d Resecurity <a href=\"https:\/\/www.resecurity.com\/blog\/article\/synthetic-data-a-new-frontier-for-cyber-deception-and-honeypots\" target=\"_blank\" rel=\"noreferrer noopener\">said<\/a> in the post. \u201cNotably, in both cases, we utilized already known breached data available on the Dark Web and underground marketplaces\u2014potentially containing PII\u2014making the data even more realistic for threat actors.\u201d<\/p>\n<p>Resecurity added that the attackers interacted with the decoy environment over an extended period, generating automated requests that provided insight into their tooling and methods.<\/p>\n<h2 class=\"wp-block-heading\" id=\"evidence-of-real-breach-remains-thin\">Evidence of real breach remains thin<\/h2>\n<p>Despite Resecurity\u2019s detailed account, the threat actors have not backed up their original claims with additional verifiable evidence. Since the screenshots were posted, no substantiated leaks of internal systems or actual client data have appeared. Independent <a href=\"https:\/\/www.rescana.com\/post\/resecurity-honeypot-incident-analysis-of-scattered-lapsus-hunters-claimed-breach-and-threat-intel\" target=\"_blank\" rel=\"noreferrer noopener\">analysis<\/a> by various cybersecurity researchers supports Resecurity\u2019s assertion that no production assets were compromised.<\/p>\n<p>On the other hand, Resecurity\u2019s own analysis found that the interaction patterns aligned with common threat actor tactics. 
According to the company\u2019s investigation, the activity began with reconnaissance of publicly exposed systems, which matched MITRE ATT&amp;CK techniques such as Active Scanning (T1595) and Gather Victim Host Information (T1592), based on network telemetry and log data. Following the publication of the claims, a spokesperson claiming to represent ShinyHunters denied the group\u2019s involvement, saying it was not responsible for the activity Resecurity attributed to the alleged attackers.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity firm Resecurity says it deliberately lured threat actors linked to the Scattered Lapsus$ Hunters (SLH) alliance into a honeypot, after the group claimed that it had hacked the company and stolen internal and client data. \u201cUnderstanding that the actor is conducting reconnaissance, our team has set up a honey pot account,\u201d Resecurity said in a blog post, indicating prior knowledge of threat actor probing. 
\u201cThis&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15407\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15407","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15407"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15407\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15407"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15407"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15407"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}