Scattered Lapsus$ Hunters Registered 40+ Domains Mimicking Zendesk Environments


A new, sophisticated campaign has emerged from the “Scattered Lapsus$ Hunters,” a threat collective that has shifted aggressively toward exploiting supply-chain weaknesses.

This latest campaign targets Zendesk, a critical customer support platform, effectively turning a trusted business tool into a launchpad for corporate spying.

The attackers have successfully registered over 40 typosquatted domains, including deceptive examples like znedesk[.]com and vpn-zendesk[.]com.

These sites are meticulously designed to mimic legitimate login environments, hosting fraudulent Single Sign-On (SSO) portals that capture credentials from unsuspecting users.

The campaign’s infrastructure reveals a coordinated effort to evade standard detection. The domains were consistently registered through NiceNic and use Cloudflare-masked nameservers to hide their true hosting origins.

By using these hiding techniques, the actors ensure their phishing pages remain active long enough to harvest significant volumes of high-privilege credentials before defenders can react.
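The two registration patterns named above (a misspelled keyword such as znedesk[.]com, and the keyword embedded next to a hyphenated prefix such as vpn-zendesk[.]com) can be flagged in DNS or proxy logs with a small lookalike check. The following is an added example, not code from the article or from Reliaquest; the sample domains it runs over are constructed, and the allowlist and the `zendesk` brand keyword are assumptions a defender would set for their own tenant.

```python
import re

BRAND = "zendesk"

# Constructed sample of domains as they might appear in DNS/proxy logs.
# These are illustrative, not indicators from the campaign.
SAMPLE_DOMAINS = [
    "zendesk.com",        # legitimate apex
    "help.zendesk.com",   # legitimate subdomain
    "znedesk.com",        # transposed letters
    "vpn-zendesk.com",    # keyword embedded after a hyphenated prefix
    "zendeskk.com",       # inserted letter
    "zendesk-sso.net",    # keyword with an SSO-themed suffix
    "example.com",        # unrelated
]

def damerau_levenshtein(a, b):
    """Optimal string alignment distance; an adjacent swap costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable_label(host):
    """Second-level label ('help.zendesk.com' -> 'zendesk'); assumes a one-label TLD."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain, brand=BRAND, allowlist=("zendesk.com",)):
    """Return None for allowed/unrelated domains, otherwise a reason string."""
    host = domain.lower().rstrip(".")
    if host in allowlist or any(host.endswith("." + a) for a in allowlist):
        return None
    label = registrable_label(host)
    if label == brand:
        return "brand-keyword"      # exact brand on a non-allowlisted apex
    if damerau_levenshtein(label, brand) <= 2:
        return "lookalike"          # znedesk, zendeskk, ...
    for token in re.split(r"[-_]", label):
        if damerau_levenshtein(token, brand) <= 1:
            return "brand-embedded" # vpn-zendesk, zendesk-sso, ...
    return None

def flag_domains(domains):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d))}
```

Tune the distance thresholds to the length of the brand keyword; short brands produce far more accidental matches at distance 2.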


This demonstrates a clear, strategic evolution in their capabilities, allowing them to maintain operational secrecy while targeting widespread platforms used by global enterprises.

The impact of this targeted approach extends far beyond simple credential theft. Reliaquest security analysts identified the malware and noted that the campaign shares distinct domain registry characteristics with the group’s previous attacks on Salesforce in August 2025.

Once attackers bypass the initial authentication layer, they establish a persistent foothold that facilitates lateral movement across the corporate network.

This access allows them to steal highly sensitive customer data, including billing information and government IDs, mirroring the massive data theft seen in their September 2025 breach of Discord.

Weaponizing Support Tickets

The group’s most dangerous tactic involves the direct weaponization of legitimate support tickets to bypass traditional perimeter defenses.

Instead of relying solely on external phishing emails, they submit fraudulent tickets directly into an organization’s Zendesk portal.

These tickets typically masquerade as urgent system administration requests or password reset inquiries, creating a fabricated sense of urgency that compels support agents to act without verification.

Embedded within these tickets are links to the typosquatted domains or malicious payloads designed to compromise the endpoint.

When a help-desk employee interacts with the ticket, they inadvertently trigger the download of Remote Access Trojans (RATs).

This grants the attackers persistent remote control, allowing them to execute commands and monitor activity.

[Figure: Scattered Lapsus$ Hunters Telegram post (Source – Reliaquest)]

The group has brazenly boasted about these complex operations, specifically warning incident response teams to watch their logs closely as they prepare to collect vital customer databases through the upcoming 2026 holiday season.
