The Scattered Lapsus$ Hunters threat group appears to be targeting Zendesk users in a new phishing campaign, according to analysis from ReliaQuest.
The security firm said it has spotted Zendesk-related infrastructure, including more than 40 typosquatted domains and URLs impersonating the company, created over the last six months.
These domains aim to mimic organizations’ Zendesk environments and host phishing pages, researchers warned.
"These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication," said ReliaQuest.
"It’s a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."
The domains shared several registry details: registration through NiceNic, US and UK registrant contact information, and Cloudflare-masked nameservers.
"These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025," ReliaQuest said.
"The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals."
Be wary of fraudulent Zendesk tickets
Meanwhile, ReliaQuest said it has observed fraudulent tickets being submitted to legitimate Zendesk portals operated by organizations using the software for customer service.
Pretexts include urgent system administration requests or fake password reset inquiries, and the aim is to infect support and help-desk personnel with remote access trojans (RATs) and other forms of malware.
In September, Scattered Lapsus$ Hunters targeted the communication platform Discord, accessing its Zendesk-based support system and exfiltrating a large number of names, email addresses, billing information, IP addresses, and government-issued IDs.
A message posted on a Telegram channel associated with the group in November claimed: "Wait for 2026, we are running 3-4 campaigns atm."
Another read: "all the IR (incident response) people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases."
ReliaQuest said organizations should handle customer support platforms with the same level of security as their own core infrastructure.
"ReliaQuest anticipates that SLSH, or copycat threat actors, will likely continue abusing Zendesk and similar customer support platforms — typically monitored less rigorously than inbound email traffic — to access downstream customers' sensitive data and credentials," said the firm.
"These platforms now warrant equivalent security controls to core infrastructure, particularly since SLSH operates multiple, concurrent attack paths, i.e. external phishing domains coupled with internal ticket injection."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up call
- Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
- Hackers behind Jaguar Land Rover announce their 'retirement' – should we believe them?
-
AWS rolls out new 'business continuity' features in wake of October outageNews The US-EAST-1 Region gets an extra tool to help customers during an outage
-
Asahi reveals 1.5 million customers impacted in cyber attackNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposed
News No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Europol hails triple takedown with Rhadamanthys, VenomRAT, and Elysium sting operationsNews The Rhadamanthys infostealer operation is one of the latest victims of Europol's Operation Endgame, with more than a thousand servers taken down
