The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to know
The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
The Scattered Lapsus$ Hunters threat group appears to be targeting Zendesk users in a new phishing campaign, according to analysis from ReliaQuest.
The security firm said it has spotted Zendesk-related infrastructure, including more than 40 typosquatted domains and URLs impersonating the company, created over the last six months.
These domains aim to mimic organizations’ Zendesk environments and host phishing pages, researchers warned.
"These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication," said ReliaQuest.
"It’s a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."
The domains shared several registration details: registration through the registrar NiceNic, US and UK registrant contact information, and nameservers masked behind Cloudflare.
"These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025," ReliaQuest said.
"The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals."
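The two lookalike patterns described above (a transposed brand name such as znedesk[.]com, and a brand-plus-keyword combination such as vpn-zendesk[.]com) can be flagged automatically in a newly-registered-domain feed or proxy log. The following is an added example for defenders, not code from ReliaQuest or the article; the allowlist of legitimate apex domains and the sample hosts other than the two named in the article are constructed assumptions.

```python
# Added example: classify hostnames that impersonate a brand's support platform.
# Only "zendesk.com" is assumed legitimate here; extend LEGIT_APEX to match your estate.
import re
from urllib.parse import urlsplit

BRAND = "zendesk"
LEGIT_APEX = {"zendesk.com"}  # assumption: allowlist of apex domains you trust


def refang(value: str) -> str:
    """Turn defanged indicators like znedesk[.]com back into a parseable host."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def hostname(value: str) -> str:
    """Extract the lowercase hostname from a bare domain, defanged domain or URL."""
    v = refang(value.strip().lower())
    if "://" not in v:
        v = "http://" + v
    return urlsplit(v).hostname or ""


def damerau_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: a swap of adjacent letters costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(value: str) -> str:
    """Return 'legit', 'typosquat', 'brand-combo' or 'unrelated' for one host/URL."""
    host = hostname(value)
    labels = host.split(".")
    apex = ".".join(labels[-2:]) if len(labels) >= 2 else host
    if apex in LEGIT_APEX:          # real subdomains like acme.zendesk.com pass
        return "legit"
    for label in labels:            # brand in a subdomain of another apex is also suspicious
        for token in re.split(r"[-_]", label):
            if token == BRAND:
                return "brand-combo"   # e.g. vpn-zendesk.com, zendesk.com.evil.net
            if len(token) >= 5 and damerau_distance(token, BRAND) <= 1:
                return "typosquat"     # e.g. znedesk.com, zendeskk.com
    return "unrelated"
```

Run it over a daily export of newly registered domains (or DNS logs) and route anything other than "legit" or "unrelated" to the team that handles brand abuse.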
Be wary of fraudulent Zendesk tickets
Meanwhile, ReliaQuest said it has observed fraudulent tickets being submitted to legitimate Zendesk portals operated by organizations using the software for customer service.
Pretexts include urgent system administration requests or fake password reset inquiries, and the aim is to infect support and help-desk personnel with remote access trojans (RATs) and other forms of malware.
In September, Scattered Lapsus$ Hunters targeted the communication platform Discord, accessing its Zendesk-based support system and exfiltrating a large number of names, email addresses, billing information, IP addresses, and government-issued IDs.
A message posted on a Telegram channel associated with the group in November claimed: "Wait for 2026, we are running 3-4 campaigns atm."
Another read: "all the IR (incident response) people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases."
ReliaQuest said organizations should handle customer support platforms with the same level of security as their own core infrastructure.
"ReliaQuest anticipates that SLSH, or copycat threat actors, will likely continue abusing Zendesk and similar customer support platforms — typically monitored less rigorously than inbound email traffic — to access downstream customers' sensitive data and credentials," said the firm.
"These platforms now warrant equivalent security controls to core infrastructure, particularly since SLSH operates multiple, concurrent attack paths, i.e. external phishing domains coupled with internal ticket injection."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.