Scattered Lapsus$ Hunters may also be circling Zendesk customers for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest.
Researchers say they found more than 40 typosquatted and impersonation domains – names like “znedesk.com” or “vpn-zendesk.com” – designed to mimic Zendesk’s portals over the past six months. Some host fake single sign-on (SSO) pages aimed at harvesting credentials, while others are used to submit fraudulent tickets to helpdesk staff.
All share common registration hallmarks – the same registrar (NiceNic), US or UK contact details, and Cloudflare-masked nameservers – a profile almost identical to that of an earlier impersonation campaign targeting Salesforce. That similarity leads security watchers to suspect the same criminal crew is behind both schemes: the “retired” Scattered Lapsus$ Hunters crew.
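As an added illustration (not code from the article or from ReliaQuest), the Python below shows how a defender might triage newly observed domains against the two naming patterns just described (a transposition lookalike such as “znedesk” and keyword embedding such as “vpn-zendesk”) and the registration hallmarks listed above. The domain names, registrar strings and nameservers it checks are constructed inputs, and the scoring weights are an assumption.

```python
# Added example: heuristic triage of candidate brand-impersonation domains.
# All inputs are constructed; registrar and nameserver values are illustrative.
from dataclasses import dataclass
from typing import Optional

@dataclass
class DomainRecord:
    name: str           # e.g. "znedesk.com" (constructed)
    registrar: str      # registrar as reported by WHOIS/RDAP (constructed)
    nameservers: tuple  # NS hostnames (constructed)

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition counted as one edit, so "zne" -> "zen" costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def impersonation_kind(domain: str, brand: str, legit: set) -> Optional[str]:
    """Return "keyword", "lookalike" or None. Assumes a plain second-level
    domain; known-good domains in `legit` are never flagged."""
    domain = domain.lower().rstrip(".")
    if domain in legit:
        return None
    label = domain.split(".")[0]
    if label != brand and brand in label.split("-"):
        return "keyword"          # brand embedded with a prefix/suffix token
    if label != brand and osa_distance(label, brand) <= 1:
        return "lookalike"        # one typo or transposition away
    return None

def triage(rec: DomainRecord, brand: str, legit: set, watched_registrars: set) -> dict:
    """Combine the name heuristic with registration hallmarks into a score
    (weights are an assumption: 2 for the name, 1 per hallmark)."""
    kind = impersonation_kind(rec.name, brand, legit)
    hallmarks = []
    if rec.registrar.lower() in watched_registrars:
        hallmarks.append("watched-registrar")
    if any(ns.lower().endswith(".ns.cloudflare.com") for ns in rec.nameservers):
        hallmarks.append("cdn-masked-ns")
    score = (2 if kind else 0) + len(hallmarks)
    return {"domain": rec.name, "kind": kind, "hallmarks": hallmarks, "score": score}
```

Feeding this a certificate-transparency or passive-DNS feed of new registrations, with the organisation's real domains in `legit`, gives a ranked list to review rather than a verdict.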
“These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025,” ReliaQuest’s threat researchers said in a blog post this week.
This is more than phishing noise. According to ReliaQuest, the attackers appear to be chaining support-interface impersonation with targeted intrusions, submitting malicious tickets to legitimate Zendesk portals operated by real organizations, potentially dropping remote-access trojans (RATs) directly onto agents’ machines. Once inside, they could pivot across corporate networks, quietly looting intellectual property or sensitive data.
These findings add uncomfortable context to the September 2025 Discord breach, which involved Discord’s Zendesk-based support system being compromised. At the time, the incident was treated as an isolated data grab – albeit a miserable one, with attackers lifting user names, email addresses, billing details, IP logs, and government-issued IDs.
However, ReliaQuest says this breach was likely the work of Scattered Lapsus$ Hunters, and the new pile of impersonation domains and agent-targeted tickets indicates the group is likely doubling down on support platforms as part of its attack strategy. The gang even bragged on Telegram earlier this month: “Wait for 2026, we’re running 3-4 campaigns atm,” and warned incident responders to watch their logs by January 2026 because “#ShinyHuntazz is coming to collect your customer databases.”
“It is likely that the Zendesk-related infrastructure we have uncovered is part of one of these campaigns,” said ReliaQuest. “Scattered Lapsus$ Hunters claimed responsibility for a compromise of the customer success platform Gainsight in November 2025; it is realistically possible that Zendesk is the second of those campaign targets promised on Telegram.”
Scattered Lapsus$ Hunters has already made headlines this year with a major campaign against Salesforce. In October, the group launched a dark web leak site claiming data theft from dozens of Salesforce customers. The cybercrime crew claims it stole up to a billion records, and threatened to publish them unless its ransom demands were met.
This latest wave of attacks reflects a structural shift. Rather than hacking networks directly or exploiting zero-days, modern cybercriminals are weaponizing identity and trust in SaaS tooling.
Scattered Lapsus$ Hunters themselves are a coalition of formerly separate outfits: social engineering specialists from Scattered Spider, data theft veterans from ShinyHunters, and the extortion-oriented Lapsus$ – effectively forming a “supergroup” tuned to the contours of 2025 enterprise IT.
That makes their interest in helpdesk infrastructure logical. Zendesk is used by more than 100,000 companies for internal and external support workflows. Compromise that, and you may own the front door to thousands of companies.