ReliaQuest’s Threat Research team has uncovered a significant new campaign from the notorious threat collective “Scattered Lapsus$ Hunters,” this time targeting users and organizations that leverage the widely adopted customer support platform Zendesk.
The investigation revealed more than 40 typosquatted and impersonating domains registered within the past six months, signaling an escalation in the group’s ongoing supply-chain attack strategy.
The identified malicious domains, including znedesk[.]com and vpn-zendesk[.]com, are crafted to mimic legitimate Zendesk environments closely.
Some of these domains are hosting phishing pages with fake single sign-on (SSO) portals designed to appear before Zendesk authentication, a classic credential-harvesting technique targeting unsuspecting users.
Additionally, ReliaQuest identified domains containing multiple different organizations’ names or brands within their URLs, further increasing the likelihood that users would trust and interact with these malicious links.
The discovered infrastructure shared distinct characteristics: domains were registered through NiceNic with US and UK registrant contact information, and nameservers were masked through Cloudflare.
These registry details mirror patterns observed in Scattered Lapsus$ Hunters’ previous campaign targeting Salesforce in August 2025, suggesting a deliberate operational playbook.
Beyond external phishing domains, researchers discovered evidence of fraudulent tickets being submitted directly to legitimate Zendesk portals.
These fake submissions target support and help-desk personnel with crafted pretexts such as urgent system administration requests or password reset inquiries designed to distribute remote access trojans (RATs) and other malware.
This multipronged approach gives attackers multiple vectors to compromise organizational networks.
Broader Campaign Context
This Zendesk-focused operation arrives following the group’s September 2025 breach of Discord’s Zendesk-based support system, which exposed sensitive user data including names, email addresses, billing information, and government-issued ID information.
Previously, this incident appeared isolated; however, the latest findings suggest Scattered Lapsus$ Hunters is executing a coordinated supply-chain attack strategy targeting SaaS platforms.
In a recent Telegram post, the group claimed: “Wait for 2026, we are running 3-4 campaigns atm [at the moment].”
Another message warned: “all the IR people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases.”
The Zendesk infrastructure likely represents one of these announced campaigns, potentially complementing the group’s claimed November 2025 compromise of customer success platform Gainsight.
SaaS Targeting Pattern
Scattered Lapsus$ Hunters’ focus on customer support platforms represents a sophisticated evolution in supply-chain attack methodology.
The collective has previously targeted high-value SaaS platforms including Salesforce, Salesloft, Drift, and Gainsight, each offering widespread organizational adoption and access to downstream customer data.
Customer support platforms are desirable targets because they often receive less security scrutiny than core infrastructure, yet grant attackers access to credentials and customer information.
Organizations using Zendesk should immediately implement robust security measures.
These include requiring multifactor authentication with hardware security keys for all administrative and support accounts, deploying proactive domain monitoring and DNS filtering to detect typosquatted domains, and limiting employees who can receive direct messages through Zendesk chat.
Implementing content filtering to detect phishing links and credential-request patterns is essential.
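As an added illustration of the domain-monitoring step above (example code written for this page, not ReliaQuest's or Zendesk's tooling), the following Python script triages a newly-registered-domain feed against the Zendesk brand. Apart from the two domains named in the report, the feed entries, the legitimate-apex assumption and the distance threshold are constructed for the example.

```python
import re

PROTECTED_BRAND = "zendesk"
LEGITIMATE_APEX = "zendesk.com"   # assumption: the only apex treated as legitimate
MAX_EDIT_DISTANCE = 2             # tolerated edits for a 7-character brand
SUSPICIOUS = {"typosquat", "impersonation"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions (the swap that turns zendesk into znedesk)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_domain(fqdn: str) -> tuple[str, str]:
    """Return (verdict, reason). Accepts defanged input such as znedesk[.]com."""
    host = fqdn.lower().strip().replace("[.]", ".").rstrip(".")
    if host == LEGITIMATE_APEX or host.endswith("." + LEGITIMATE_APEX):
        return "legitimate", "apex or subdomain of " + LEGITIMATE_APEX
    labels = host.split(".")
    # Brand embedded anywhere in the name, e.g. vpn-zendesk.com or acme-zendesk-sso.net
    for label in labels:
        if PROTECTED_BRAND in label:
            return "impersonation", f"brand embedded in label '{label}'"
    # Otherwise compare the registrable label against the brand for near misses
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    dist = osa_distance(sld, PROTECTED_BRAND)
    if dist <= MAX_EDIT_DISTANCE:
        return "typosquat", f"edit distance {dist} from '{PROTECTED_BRAND}'"
    return "unrelated", ""


def triage_feed(domains: list[str]) -> list[tuple[str, str, str]]:
    """Keep only entries worth an analyst's attention, in feed order."""
    hits = []
    for d in domains:
        verdict, reason = classify_domain(d)
        if verdict in SUSPICIOUS:
            hits.append((d, verdict, reason))
    return hits


# Constructed feed: the first two entries are the domains named in the report,
# the rest are made up to exercise each branch of the classifier.
SAMPLE_FEED = ["znedesk[.]com", "vpn-zendesk[.]com", "support.zendesk.com",
               "acme-zendesk-sso.net", "zondesk.com", "example.org"]

if __name__ == "__main__":
    for d, verdict, reason in triage_feed(SAMPLE_FEED):
        print(f"{verdict:14}{d:24}{reason}")
```

In a real deployment the feed would come from certificate-transparency logs or a registrar zone-file diff, and hits would be pushed to DNS filtering as block candidates after review.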
ReliaQuest anticipates continued abuse of customer support platforms. Organizations must treat these platforms as critical infrastructure, requiring the same security rigor applied to core systems.
Early detection of malicious domain registration patterns and continuous security monitoring through the upcoming holiday period are essential defensive strategies.