Scattered Lapsus$ Hunters targeted Zendesk users through more than 40 fake domains designed to steal credentials and install malware, security researchers said.
The fake domains, registered over the past six months, used the same infrastructure setup as the domains in the cybercrime group's August attack on Salesforce, according to a blog post published this week by the ReliaQuest researchers who discovered the campaign. ReliaQuest said this suggests the group has shifted its focus to Zendesk, a customer support platform used by more than 100,000 organizations.
Some domains, like znedesk[.]com and vpn-zendesk[.]com, hosted fake login pages that looked like real Zendesk sign-on screens, ReliaQuest said. Others incorporated company names in the web address to make the sites appear legitimate. “We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links,” the researchers wrote.
All the domains were registered through NiceNic, with US and UK contact details and Cloudflare-masked nameservers — the same pattern ReliaQuest observed in the Salesforce campaign.
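The two impersonation patterns described above (misspellings such as znedesk and the brand embedded alongside other tokens such as vpn-zendesk or a customer's name) can be flagged in proxy or DNS logs with simple lexical rules. The following is an added example written for this article, not code from ReliaQuest or Zendesk; the observed domains, the allowlist and the leetspeak mapping are constructed for illustration, and the registrable-label logic ignores the public suffix list for brevity.

```python
from typing import Dict, List

BRAND = "zendesk"

# Constructed sample input: domains as they might appear in a DNS or proxy log.
# These are illustrative, not indicators published by ReliaQuest.
OBSERVED = [
    "znedesk.com",               # transposition
    "vpn-zendesk.com",           # brand embedded with a token
    "acme-zendesk-login.com",    # brand plus a (hypothetical) customer name
    "zendesk.com",               # legitimate
    "login.zendesk.com",         # legitimate subdomain
    "support.example-corp.com",  # unrelated
    "zendesksupport.net",        # brand embedded, no separator
    "zend3sk.com",               # leetspeak substitution
    "zenddesk.com",              # extra character
]

# Assumption for the example: apex domains known to belong to the brand.
ALLOWLIST = {"zendesk.com"}

# Digits commonly swapped for letters in lookalike labels.
LEET = str.maketrans("013457", "oleast")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'vpn-zendesk' for vpn-zendesk.com (no PSL handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str) -> Dict[str, str]:
    """Return a verdict and the rule that fired for one domain."""
    d = domain.lower().rstrip(".")
    if d in ALLOWLIST or any(d.endswith("." + a) for a in ALLOWLIST):
        return {"domain": domain, "verdict": "legitimate", "rule": "allowlist"}
    label = registrable_label(d)
    # Rule 1: the brand string appears verbatim in a label that is not allowlisted.
    if BRAND in label:
        return {"domain": domain, "verdict": "suspicious", "rule": "brand-embedded"}
    # Rule 2: after undoing leetspeak, any token of the label is within two edits of the brand.
    for token in label.translate(LEET).replace("_", "-").split("-"):
        if len(token) >= 5 and levenshtein(token, BRAND) <= 2:
            return {"domain": domain, "verdict": "suspicious", "rule": "lookalike"}
    return {"domain": domain, "verdict": "benign", "rule": "none"}


def triage(domains: List[str]) -> List[Dict[str, str]]:
    """Return only the domains that need analyst attention."""
    return [r for r in map(classify, domains) if r["verdict"] == "suspicious"]


if __name__ == "__main__":
    for hit in triage(OBSERVED):
        print(f"{hit['domain']:<28} {hit['rule']}")
```

The edit-distance threshold of two catches transpositions and single insertions while the minimum token length keeps short words such as "vpn" or "login" from matching; a production rule set would also consult the public suffix list and newly-registered-domain feeds, since registration age was one of ReliaQuest's signals.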
Scattered Lapsus$ Hunters is a coalition formed in August 2025 from three separate cybercrime gangs: Scattered Spider, Lapsus$, and ShinyHunters. Since forming, the collective has run major Salesforce campaigns in August and October that exposed data from dozens of companies, including Toyota, FedEx, and Disney.
Fake support tickets hit helpdesks
Beyond the fake domains, the attackers also submitted fake tickets to real Zendesk portals, ReliaQuest said. These tickets posed as urgent IT requests or password resets to trick help desk workers into downloading malware or giving up their login details.
“Targeting help-desk teams with these kinds of tactics often involves well-crafted pretexts, like urgent system administration requests or fake password reset inquiries,” ReliaQuest wrote. “The goal is to trick support staff into handing over credentials or compromising their endpoints.”
Help desk staff make good targets because they typically have access to many systems across an organization, so a single compromised account is particularly valuable to attackers, the researchers said.
Scattered Lapsus$ Hunters has a history of using social engineering to compromise help desks. The group has refined the tactic of calling corporate help desks while impersonating employees to trick support staff into resetting passwords and enrolling unauthorized devices in multi-factor authentication, tactics security firms have documented in previous attacks on airlines and retailers.
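The help desk abuse described above leaves a recognisable trace in identity logs: a password reset performed by a help desk account on someone else's behalf, followed shortly by a new MFA device being enrolled for that user, often from a source address the user has never used. The detection below is an added example written for this article, not a ReliaQuest or Zendesk rule; the log format, the account names, the IP addresses and the baseline of known user IPs are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log (hypothetical key=value format from an identity provider).
SAMPLE_LOG = """\
2025-11-20T09:02:11Z actor=helpdesk.bob target=alice event=password_reset src=10.0.5.12
2025-11-20T09:14:40Z actor=alice target=alice event=mfa_device_added src=203.0.113.9
2025-11-20T10:30:00Z actor=helpdesk.bob target=carol event=password_reset src=10.0.5.12
2025-11-21T08:00:00Z actor=carol target=carol event=mfa_device_added src=10.0.7.33
2025-11-20T11:00:00Z actor=dave target=dave event=mfa_device_added src=10.0.9.1
2025-11-20T11:05:00Z actor=erin target=erin event=password_reset src=10.0.8.4
2025-11-20T11:06:00Z actor=erin target=erin event=mfa_device_added src=10.0.8.4
"""

# Constructed baseline: source addresses each user has authenticated from before.
KNOWN_IPS: Dict[str, Set[str]] = {
    "alice": {"10.0.5.40"},
    "carol": {"10.0.7.33"},
    "erin": {"10.0.8.4"},
}

LINE_RE = re.compile(r"^(\S+) actor=(\S+) target=(\S+) event=(\S+) src=(\S+)$")


def parse_events(text: str) -> List[dict]:
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, actor, target, event, src = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "target": target, "event": event, "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_reset_then_enroll(events: List[dict], window_minutes: int = 60) -> List[dict]:
    """Flag MFA enrollments that follow a third-party (help desk) password reset
    for the same user within the window. Self-service resets are not flagged."""
    window = timedelta(minutes=window_minutes)
    pending: Dict[str, dict] = {}  # target -> most recent help-desk reset
    alerts = []
    for e in events:
        if e["event"] == "password_reset" and e["actor"] != e["target"]:
            pending[e["target"]] = e
        elif e["event"] == "mfa_device_added":
            reset = pending.get(e["target"])
            if reset and e["ts"] - reset["ts"] <= window:
                alerts.append({
                    "target": e["target"],
                    "reset_by": reset["actor"],
                    "reset_time": reset["ts"].isoformat(),
                    "enroll_time": e["ts"].isoformat(),
                    "enroll_src": e["src"],
                    "new_source": e["src"] not in KNOWN_IPS.get(e["target"], set()),
                })
                del pending[e["target"]]
    return alerts


if __name__ == "__main__":
    for a in find_reset_then_enroll(parse_events(SAMPLE_LOG)):
        print(a)
```

Only the alice sequence fires: carol's enrollment lands a day after her reset, dave has no preceding reset, and erin reset her own password. The `new_source` flag is what turns a plausible help desk workflow into something worth a callback to the employee on a known number before the new device is trusted.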
Discord breach may be connected
The Zendesk campaign may not be an isolated incident. Discord said on October 9 that attackers breached its customer service provider, 5CA, exposing data from about 70,000 users who had submitted government IDs for age verification. The breach also exposed support ticket data for users who had contacted Discord’s customer support or trust and safety teams.
Scattered Lapsus$ Hunters initially denied involvement in the Discord attack but later posted on Telegram that they knew who was responsible, according to the researchers.
The Zendesk campaign was likely one of several attacks Scattered Lapsus$ Hunters promised in early November Telegram posts, ReliaQuest said.
“Wait for 2026, we are running 3-4 campaigns atm [at the moment],” the researchers wrote, quoting the group’s message. “all the IR [incident response] people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases.”
The group also claimed it compromised the customer success platform Gainsight earlier this month. “It’s realistically possible that Zendesk is the second of these campaign targets promised on Telegram,” ReliaQuest said.
Possibility of copycats
While the infrastructure patterns pointed to Scattered Lapsus$ Hunters, ReliaQuest said in the blog post that copycats inspired by the group’s success couldn’t be ruled out.
“It’s also a realistic possibility that the success of Zendesk targeting and similar supply-chain attacks has inspired copycat actors or splinter groups from Scattered Lapsus$ Hunters,” the researchers wrote. “We’ve seen this kind of pattern before, like with Black Basta, where successor groups kept using the same playbook even after law enforcement disrupted the original operation.”
Customer support platforms make good targets because companies often don’t monitor them as closely as email, yet they give attackers access to credentials and customer data across many organizations, the researchers said.
Despite announcing in September that the group was “going dark” and shutting down operations, Scattered Lapsus$ Hunters later promised to return in 2026 with a new subscription-based “extortion-as-a-service” platform, according to Telegram posts attributed to the group.
ReliaQuest said it shared its findings with Zendesk. Zendesk did not immediately respond to CSO’s request for comment.