Full Report
Telegram posts promise up to $1,000 per call as gang refines IT helpdesk ruse Prolific cybercrime crew Scattered Lapsus$ Hunters (SLSH) is reportedly recruiting women in the hope of improving its social engineering success.…
Analysis Summary
# Threat Actor: Scattered Lapsus$ Hunters (SLSH)
## Attribution & Identity
**Actor Identification:** Prolific cybercrime crew known as Scattered Lapsus$ Hunters (SLSH).
**Known Aliases and Associated Groups:** Believed to be part of the "cybercrime triad" which includes 'Scattered Spider'.
## Activity Summary
SLSH is actively recruiting individuals via Telegram, specifically targeting women, to improve the success rate of its social engineering operations against IT helpdesks. The group is offering payments of between $500 and $1,000 per successful call. It has previously advertised bounties for individuals who relentlessly harass company executives until extortion demands are met.
## Tactics, Techniques & Procedures
- **Social Engineering/Impersonation:** Deceiving IT helpdesk staff by using specific vocal profiles (currently seeking female voices) to bypass established security training.
- **Credential Harvesting:** The primary goal of the social engineering is to deceive helpdesk staff into handing over (or resetting) user credentials, which are later used for network access.
- **Recruitment/Crowdsourcing:** Utilizing platforms like Telegram to recruit "agents" for specific attacks and operations, offering financial incentives.
- **Harassment Campaigns:** Orchestrating persistent contact/harassment against company executives to force compliance with extortion demands.
| Tactic | Technique | MITRE ATT&CK ID |
| :--- | :--- | :--- |
| Initial Access (Social Engineering) | Voice Impersonation | T1566.001 (Spearphishing Link/Attachment - adapted conceptually for voice) |
| Command and Control | In-Person Collection (Conceptual for helpdesk interaction) | T1003 (OS Credential Dumping - Conceptual outcome) |
*(Note: Specific MITRE ATT&CK IDs were not explicitly listed in the source text, but classifications based on described MO were inferred.)*
## Targeting
- **Sectors:** Not explicitly detailed, but operations focus on organizations with IT helpdesks and corporate executives vulnerable to extortion.
- **Geography:** Not specified, though recruitment occurs via Telegram.
- **Victims:** Organizations targeted for credential harvesting via IT helpdesks and executives targeted for extortion campaigns.
## Tools & Infrastructure
- **Malware Families Used:** None explicitly mentioned in this context. The primary "tool" appears to be human assets recruited for social engineering.
- **Infrastructure:** Primarily uses **Telegram** channels for recruitment advertising and coordination.
## Implications
SLSH is demonstrating a calculated and evolving approach to cybercrime by actively 'crowdsourcing' human assets with specific attributes (female voices) to counter existing security defenses (IT helpdesk training). This suggests an attempt to evade security awareness training that is implicitly tuned to a stereotyped attacker profile: a caller who does not match the profile staff were trained to expect is less likely to raise suspicion. This indicates a high level of operational maturity behind the group's social engineering campaigns.
## Mitigations
- **Identity Verification Mandate:** Organizations must enforce strict, multi-factor identity verification protocols for all credential resets and system access requests initiated via phone calls to IT helpdesks.
- **Voice Profiling Awareness:** IT helpdesk staff should be trained to recognize and be highly suspicious of voice-based social engineering attempts, especially concerning requests for sensitive information or password resets.
- **Training on Evolving Avenues:** Helpdesks must be made aware of shifting tactics, such as the use of specific voice profiles (e.g., female impersonation) designed to circumvent skepticism.
- **Internal Verification:** Implement mandatory secondary verification methods (e.g., video calls, pre-established internal codes/out-of-band communication) before granting access based on initial contact.
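The verification mandate above, expressed as a helpdesk policy gate. This is an added example, not code from the report or from any helpdesk product; the accepted check combinations, the ticket fields and the denial threshold are assumptions, and the gate deliberately gives the caller's story, voice or persistence no weight at all.

```python
from dataclasses import dataclass, field
from enum import Enum

class Channel(Enum):
    PHONE = "phone"     # the channel SLSH callers use
    PORTAL = "portal"   # authenticated self-service; not the attack surface here

class Check(Enum):
    MFA_PUSH_APPROVED = "mfa_push_approved"   # push to the user's enrolled device
    CALLBACK_TO_NUMBER_OF_RECORD = "callback"  # helpdesk dials the number on file, never the inbound number
    INTERNAL_CODE = "internal_code"            # pre-established code (assumed to exist)
    VIDEO_CALL = "video_call"                  # live video with badge (assumed policy)

@dataclass
class ResetRequest:
    ticket_id: str
    account: str
    channel: Channel
    checks_passed: set = field(default_factory=set)

# Each set is one acceptable combination of secondary checks for a
# phone-initiated request (assumed policy, not taken from the report).
PHONE_POLICY = (
    {Check.MFA_PUSH_APPROVED},
    {Check.CALLBACK_TO_NUMBER_OF_RECORD, Check.INTERNAL_CODE},
    {Check.VIDEO_CALL},
)

def evaluate(req: ResetRequest) -> dict:
    """Return an audit record stating whether the reset may proceed and why."""
    rec = {"ticket": req.ticket_id, "account": req.account}
    if req.channel is not Channel.PHONE:
        return {**rec, "allowed": True, "reason": "authenticated self-service"}
    for combo in PHONE_POLICY:
        if combo <= req.checks_passed:   # every check in the combination was passed
            proof = "+".join(sorted(c.value for c in combo))
            return {**rec, "allowed": True, "reason": "phone request verified via " + proof}
    missing = [c.value for c in Check if c not in req.checks_passed]
    return {**rec, "allowed": False,
            "reason": "phone request lacks secondary verification", "missing": missing}

def accounts_under_pressure(audit: list, threshold: int = 2) -> list:
    """Accounts with repeated denied phone resets: a signal worth escalating to the SOC,
    since the group is known to keep calling until a reset is granted."""
    denials = {}
    for rec in audit:
        if not rec["allowed"]:
            denials[rec["account"]] = denials.get(rec["account"], 0) + 1
    return sorted(a for a, n in denials.items() if n >= threshold)
```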