{"id":5990,"date":"2025-11-28T10:17:38","date_gmt":"2025-11-28T10:17:38","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5990"},"modified":"2025-11-28T10:17:38","modified_gmt":"2025-11-28T10:17:38","slug":"scattered-lapsus-hunters-target-zendesk-users-with-fake-domains","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5990","title":{"rendered":"Scattered Lapsus$ Hunters target Zendesk users with fake domains"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Scattered Lapsus$ Hunters targeted Zendesk users through more than 40 fake domains designed to steal credentials and install malware, security researchers said.<\/p>\n<p>The fake domains, registered over the past six months, had the same setup as the one used in the cybercrime group\u2019s August attack on Salesforce, according to <a href=\"https:\/\/reliaquest.com\/blog\/zendesk-scattered-lapsus-hunters-latest-target\/\" target=\"_blank\" rel=\"noopener\">a blog post<\/a> published this week by ReliaQuest researchers who discovered the campaign. This suggests that the group shifted its focus to Zendesk, a customer support platform used by over 100,000 organizations.<\/p>\n<p>Some domains, like znedesk[.]com and vpn-zendesk[.]com, hosted fake login pages that looked like real Zendesk sign-on screens, ReliaQuest said. Others incorporated company names in the web address to make the sites appear legitimate. 
\u201cWe also identified Zendesk-related impersonating domains that contained multiple different organizations\u2019 names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links,\u201d the researchers wrote.<\/p>\n<p>All the domains were registered through NiceNic, with US and UK contact details and Cloudflare-masked nameservers \u2014 the same pattern ReliaQuest observed in the Salesforce campaign.<\/p>\n<p>Scattered Lapsus$ Hunters is a coalition formed in August 2025 from three separate cybercrime gangs: Scattered Spider, Lapsus$, and ShinyHunters. Since forming, the collective launched <a href=\"https:\/\/www.csoonline.com\/article\/4067846\/extortion-gang-opens-data-leak-site-to-squeeze-victims-of-its-salesforce-attacks.html\">a major Salesforce campaign<\/a> in August and October that exposed data from dozens of companies, including Toyota, FedEx, and Disney.<\/p>\n<h2 class=\"wp-block-heading\">Fake support tickets hit helpdesks<\/h2>\n<p>Beyond the fake domains, the attackers also submitted fake tickets to real Zendesk portals, ReliaQuest said. These tickets posed as urgent IT requests or password resets to trick help desk workers into downloading malware or giving up their login details.<\/p>\n<p>\u201cTargeting help-desk teams with these kinds of tactics often involves well-crafted pretexts, like urgent system administration requests or fake password reset inquiries,\u201d ReliaQuest wrote. \u201cThe goal is to trick support staff into handing over credentials or compromising their endpoints.\u201d<\/p>\n<p>Help desk staff made good targets because they typically have access to many systems across an organization, making a single compromised account particularly valuable to attackers, the researchers said.<\/p>\n<p>Scattered Lapsus$ Hunters has a history of using social engineering to compromise help desks. 
The group perfected calling corporate help desks and impersonating employees to trick support staff into resetting passwords and adding unauthorized devices to multi-factor authentication systems, tactics security firms have documented in <a href=\"https:\/\/www.csoonline.com\/article\/4014787\/scattered-spider-shifts-focus-to-airlines-as-strikes-hit-hawaiian-westjet-and-now-qantas.html\">previous attacks on airlines and retailers<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Discord breach may be connected<\/h2>\n<p>The Zendesk campaign may not be an isolated incident. Discord <a href=\"https:\/\/discord.com\/press-releases\/update-on-security-incident-involving-third-party-customer-service\" target=\"_blank\" rel=\"noopener\">said on October 9<\/a> that attackers breached its customer service provider, 5CA, exposing data from about 70,000 users who had submitted government IDs for age verification. The breach also exposed support ticket data for users who had contacted Discord\u2019s customer support or trust and safety teams.<\/p>\n<p>The Zendesk campaign likely was one of several attacks Scattered Lapsus$ Hunters promised in early November Telegram posts, ReliaQuest said.<\/p>\n<p>Scattered Lapsus$ Hunters initially denied involvement in the Discord attack but later posted on Telegram that they knew who was responsible, according to the researchers.<\/p>\n<p>\u201cWait for 2026, we are running 3-4 campaigns atm [at the moment],\u201d the researchers wrote, quoting the group\u2019s message. \u201call the IR [incident response] people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases.\u201d<\/p>\n<p>The group also claimed it compromised the customer success platform <a href=\"https:\/\/www.csoonline.com\/article\/4094506\/oauth-token-compromise-hits-salesforce-ecosystem-again-gainsight-impacted.html\">Gainsight<\/a> earlier this month. 
\u201cIt\u2019s realistically possible that Zendesk is the second of these campaign targets promised on Telegram,\u201d ReliaQuest said.<\/p>\n<h2 class=\"wp-block-heading\">Possibility of copycats<\/h2>\n<p>While the infrastructure patterns pointed to Scattered Lapsus$ Hunters, ReliaQuest said in the blog post that copycats inspired by the group\u2019s success couldn\u2019t be ruled out.<\/p>\n<p>\u201cIt\u2019s also a realistic possibility that the success of Zendesk targeting and similar supply-chain attacks has inspired copycat actors or splinter groups from Scattered Lapsus$ Hunters,\u201d the researchers wrote. \u201cWe\u2019ve seen this kind of pattern before, like with Black Basta, where successor groups kept using the same playbook even after law enforcement disrupted the original operation.\u201d<\/p>\n<p>Customer support platforms make good targets because companies often don\u2019t monitor them as closely as email, yet they give attackers access to credentials and customer data across many organizations, the researchers said.<\/p>\n<p>Despite <a href=\"https:\/\/www.csoonline.com\/article\/4057074\/scattered-spiders-retirement-announcement-genuine-exit-or-elaborate-smokescreen.html\">announcing in September<\/a> that the group was \u201cgoing dark\u201d and shutting down operations, Scattered Lapsus$ Hunters later promised to return in 2026 with a new subscription-based \u201cextortion-as-a-service\u201d platform, according to <a href=\"https:\/\/www.csoonline.com\/article\/4072244\/scattered-lapsus-hunters-extortion-site-goes-dark-whats-next.html\">Telegram posts<\/a> attributed to the group.<\/p>\n<p>ReliaQuest said it shared its findings with Zendesk. 
Zendesk did not immediately respond to CSO\u2019s request for comment.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Scattered Lapsus$ Hunters targeted Zendesk users through more than 40 fake domains designed to steal credentials and install malware, security researchers said. The fake domains, registered over the past six months, had the same setup as the one used in the cybercrime group\u2019s August attack on Salesforce, according to a blog post published this week [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5991,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5990","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5990"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5990"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5990\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5991"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}