The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to know
The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
The Scattered Lapsus$ Hunters threat group appears to be targeting Zendesk users in a new phishing campaign, according to analysis from ReliaQuest.
The security firm said it has spotted Zendesk-related infrastructure, including more than 40 typosquatted domains and URLs impersonating the company, created over the last six months.
These domains aim to mimic organizations’ Zendesk environments and host phishing pages, researchers warned.
"These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication," said ReliaQuest.
"It’s a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."
The domains shared several registry details: registration through NiceNic, US and UK registrant contact information, and Cloudflare-masked nameservers.
"These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025," ReliaQuest said.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
"The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals."
Be wary of fraudulent Zendesk tickets
Meanwhile, ReliaQuest said it has observed fraudulent tickets being submitted to legitimate Zendesk portals operated by organizations using the software for customer service.
Pretexts include urgent system administration requests or fake password reset inquiries, and the aim is to infect support and help-desk personnel with remote access trojans (RATs) and other forms of malware.
In September, Scattered Lapsus$ Hunters targeted the communication platform Discord, accessing its Zendesk-based support system and exfiltrating a large number of names, email addresses, billing information, IP addresses, and government-issued IDs.
A message posted on a Telegram channel associated with the group in November claimed: "Wait for 2026, we are running 3-4 campaigns atm."
Another read: "all the IR (incident response) people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases."
ReliaQuest said organizations should handle customer support platforms with the same level of security as their own core infrastructure.
"ReliaQuest anticipates that SLSH, or copycat threat actors, will likely continue abusing Zendesk and similar customer support platforms — typically monitored less rigorously than inbound email traffic — to access downstream customers' sensitive data and credentials," said the firm.
"These platforms now warrant equivalent security controls to core infrastructure, particularly since SLSH operates multiple, concurrent attack paths, i.e. external phishing domains coupled with internal ticket injection."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up call
- Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
- Hackers behind Jaguar Land Rover announce their 'retirement' – should we believe them?
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
Multi-channel phishing attacks: How to manage the riskIn-depth Attackers are evolving beyond email towards phishing across multiple channels. Why is this, and what can be done to manage the risk?
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
Opera browser thinks it has the solution to stopping ClickFix malware attacksNews The browser company is targeting a growing source of malicious links with its new Paste Protect feature
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
‘Hacking groups have the transport network firmly in their sights’: Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
‘This operation marked a shift in strategy’: Three notorious malware networks have been taken down using RICO legislationNews The action involved the use of US racketeering laws to treat two malware families as part of a single conspiracy
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware