The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to know
The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
The Scattered Lapsus$ Hunters threat group appears to be targeting Zendesk users in a new phishing campaign, according to analysis from ReliaQuest.
The security firm said it has spotted Zendesk-related infrastructure, including more than 40 typosquatted domains and URLs impersonating the company, created over the last six months.
These domains aim to mimic organizations’ Zendesk environments and host phishing pages, researchers warned.
"These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication," said ReliaQuest.
"It’s a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."
The domains shared several registry details: registration through NiceNic, US and UK registrant contact information, and Cloudflare-masked nameservers.
"These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025," ReliaQuest said.
"The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals."
Be wary of fraudulent Zendesk tickets
Meanwhile, ReliaQuest said it has observed fraudulent tickets being submitted to legitimate Zendesk portals operated by organizations using the software for customer service.
Pretexts include urgent system administration requests or fake password reset inquiries, and the aim is to infect support and help-desk personnel with remote access trojans (RATs) and other forms of malware.
In September, Scattered Lapsus$ Hunters targeted the communication platform Discord, accessing its Zendesk-based support system and exfiltrating a large number of names, email addresses, billing information, IP addresses, and government-issued IDs.
A message posted on a Telegram channel associated with the group in November claimed: "Wait for 2026, we are running 3-4 campaigns atm."
Another read: "all the IR (incident response) people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases."
ReliaQuest said organizations should handle customer support platforms with the same level of security as their own core infrastructure.
"ReliaQuest anticipates that SLSH, or copycat threat actors, will likely continue abusing Zendesk and similar customer support platforms — typically monitored less rigorously than inbound email traffic — to access downstream customers' sensitive data and credentials," said the firm.
"These platforms now warrant equivalent security controls to core infrastructure, particularly since SLSH operates multiple, concurrent attack paths, i.e. external phishing domains coupled with internal ticket injection."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up call
- Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
- Hackers behind Jaguar Land Rover announce their 'retirement' – should we believe them?
-
Google says AI is now being used to build zero-day exploitsNews Google cyber researchers think they’ve found the first AI-generated zero-day exploit
-
Changes to EU AI Act implementation deadlines welcomed by industryNews New implementation deadlines for the EU AI Act could help remove “genuine friction” for European companies
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victimsNews A fake interview process uses coding tests and repo downloads to deliver malware
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Brit pleads guilty amid Scattered Spider hacking spree claimsNews Tyler Robert Buchanan faces 10 years in jail if found guilty
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses
News Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
