Scattered Lapsus$ Hunters stress testing Zendesk weak spots • The Register

11/27/2025


Scattered Lapsus$ Hunters may be circling Zendesk users for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest.

Researchers say that over the past six months they have found more than 40 typosquatted and impersonation domains – names like “znedesk.com” or “vpn-zendesk.com” – designed to mirror Zendesk’s portals. Some host fake single sign-on (SSO) pages aimed at harvesting credentials, while others are used to submit fraudulent tickets to helpdesk staff.

All share common registration hallmarks – the same registrar (NiceNic), US or UK contact details, and Cloudflare-masked nameservers – a profile almost identical to that of a previous impersonation campaign targeting Salesforce. That similarity leads security watchers to suspect the same criminal crew is behind both schemes: the supposedly “retired” Scattered Lapsus$ Hunters.
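The two signals above, a lookalike name and a shared registration profile, are what a defender would actually hunt for in a newly-registered-domain feed. The following is an added example written for this page, not code from The Register or ReliaQuest: it flags candidate Zendesk impersonation domains by edit distance, hyphenated brand tokens and brand-named subdomains, then records which of the article's registration hallmarks each one matches. The feed records, the Cloudflare nameserver naming pattern and the one-label public-suffix assumption are constructed here for illustration.

```python
# Added example (not from The Register or ReliaQuest): triage a feed of
# newly observed domains for Zendesk lookalikes and score them against the
# registration hallmarks the article describes. Sample records and the
# hallmark constants are constructed for this example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

BRAND = "zendesk"
HALLMARK_REGISTRAR = "nicenic"            # registrar named in the article
HALLMARK_COUNTRIES = {"US", "GB"}         # "US or UK contact details"
HALLMARK_NS_SUFFIX = ".ns.cloudflare.com"  # shape of Cloudflare's nameserver names


@dataclass
class DomainRecord:
    name: str
    registrar: str
    contact_country: str
    nameservers: List[str]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain: str) -> Optional[str]:
    """Explain why a domain resembles the brand, or return None if it does not.

    Assumes a one-label public suffix (.com, .net); a real deployment would
    use a public-suffix list to find the registrable label.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    if sld == BRAND:
        return None  # the brand's own registrable domain, not an impersonation
    if levenshtein(sld, BRAND) <= 2:
        return f"typosquat: '{sld}' is within 2 edits of '{BRAND}'"
    if BRAND in sld.split("-"):
        return f"combosquat: '{BRAND}' appears as a hyphenated token in '{sld}'"
    if BRAND in labels[:-2]:
        return f"subdomain impersonation: '{BRAND}' used as a subdomain label"
    return None


def hallmark_hits(rec: DomainRecord) -> List[str]:
    """Which of the shared registration traits from the article this record shows."""
    hits = []
    if rec.registrar.lower() == HALLMARK_REGISTRAR:
        hits.append("registrar matches prior campaign")
    if rec.contact_country.upper() in HALLMARK_COUNTRIES:
        hits.append("contact country matches prior campaign")
    if rec.nameservers and all(ns.lower().endswith(HALLMARK_NS_SUFFIX) for ns in rec.nameservers):
        hits.append("Cloudflare-masked nameservers")
    return hits


def triage(records: List[DomainRecord]) -> List[Tuple[str, str, List[str]]]:
    """Return (domain, lookalike reason, hallmark hits) for each lookalike.

    Hallmark hits are supporting evidence for attribution, not proof; a
    lookalike with zero hits still deserves a look because name similarity
    alone is the phishing risk.
    """
    findings = []
    for rec in records:
        reason = lookalike_reason(rec.name)
        if reason is None:
            continue
        findings.append((rec.name, reason, hallmark_hits(rec)))
    return findings


# Constructed sample feed (not real registration data).
SAMPLE_FEED = [
    DomainRecord("zendesk.com", "Example Registrar", "US", ["ns1.example.net"]),
    DomainRecord("znedesk.com", "NiceNic", "US", ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]),
    DomainRecord("vpn-zendesk.com", "NiceNic", "GB", ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"]),
    DomainRecord("zendesk.example-corp.net", "Other Registrar", "DE", ["ns1.example-corp.net"]),
    DomainRecord("example.com", "Other Registrar", "US", ["ns1.example.net"]),
]

if __name__ == "__main__":
    for name, reason, hits in triage(SAMPLE_FEED):
        print(f"{name}: {reason}; hallmarks: {hits or 'none'}")
```

Run against a real feed, the registrar and nameserver checks should be treated as one more signal to raise priority, never as a filter: the crew can change registrars at any time, and plenty of legitimate domains sit behind Cloudflare.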

“These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025,” ReliaQuest’s threat researchers said in a blog post this week.

This is more than phishing noise. According to ReliaQuest, the attackers appear to be chaining support interface impersonation with targeted intrusions, submitting malicious tickets to legitimate Zendesk portals operated by real organizations, potentially dropping remote-access trojans (RATs) directly onto agents’ machines. Once inside, they could pivot across corporate networks, quietly looting intellectual property or sensitive data.

These findings add uncomfortable context to the September 2025 Discord breach, which involved Discord’s Zendesk-based support system being compromised. At the time, the incident was treated as an isolated data grab – albeit a miserable one, with attackers lifting user names, email addresses, billing details, IP logs, and government-issued IDs.


However, ReliaQuest says this breach was likely the work of Scattered Lapsus$ Hunters, and the new pile of impersonation domains and agent-targeted tickets indicates the group is likely doubling down on support platforms as part of its attack strategy. The gang even bragged on Telegram earlier this month: “Wait for 2026, we are running 3-4 campaigns atm,” and warned incident responders to watch their logs through January 2026 because “#ShinyHuntazz is coming to collect your customer databases.”

“It’s likely that the Zendesk-related infrastructure we’ve uncovered is part of one of these campaigns,” said ReliaQuest. “Scattered Lapsus$ Hunters claimed responsibility for a compromise of the customer success platform Gainsight in November 2025; it’s realistically possible that Zendesk is the second of these campaign targets promised on Telegram.”

Scattered Lapsus$ Hunters has already made headlines this year with a major campaign against Salesforce. In October, the group launched a dark web leak site claiming data theft from dozens of Salesforce customers. The cybercrime crew claims it stole up to a billion records and has threatened to publish them unless its ransom demands are met.

This fresh wave of attacks reflects a structural shift. Rather than hacking networks directly or exploiting zero-days, modern cybercriminals are weaponizing identity and trust in SaaS tooling.

Scattered Lapsus$ Hunters themselves are a coalition of previously separate outfits: social engineering specialists from Scattered Spider, data theft veterans from ShinyHunters, and the extortion-oriented Lapsus$ – effectively forming a “supergroup” tuned to the contours of 2025 enterprise IT.

That makes their interest in helpdesk infrastructure logical. Zendesk is used by more than 100,000 companies for internal and external support workflows. Compromise that, and you may own the front door to thousands of firms. ®
