Full Report
ReliaQuest finds fresh crop of phishing domains and toxic tickets Scattered Lapsus$ Hunters may be circling Zendesk users for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest.…
Analysis Summary
# Threat Actor: Scattered Lapsus$ Hunters
## Attribution & Identity
* **Identification:** A coalition of previously separate outfits, described as a "supergroup."
* **Aliases/Associated Groups:** Formed by social engineering specialists from **Scattered Spider**, data theft veterans from **ShinyHunters**, and the extortion-oriented **Lapsus$**.
## Activity Summary
The actor is noted for an ongoing extortion campaign focused on weaponizing trust in Software-as-a-Service (SaaS) tooling, specifically customer support platforms.
* **Recent Campaign Focus:** Circling Zendesk users via a fresh crop of phishing domains and weaponized helpdesk tickets.
* **Threat Posturing:** The group recently claimed on Telegram they are "running 3-4 campaigns atm" and warned incident responders to anticipate a data collection phase ("#ShinyHuntazz is coming to collect your customer databases") through January 2026.
* **Previous Activity:** Executed a major campaign against **Salesforce** in August 2025, claiming data theft from dozens of customers and threatening data leaks until ransom demands were met.
* **Potential Prior Link:** The compromise of Discord's Zendesk support system is suspected by ReliaQuest to have been the work of this group, suggesting a sustained interest in support platforms.
## Tactics, Techniques & Procedures
* **Interface Impersonation and Phishing:** Deploying typosquatted and lookalike phishing domains to mirror legitimate service portals (e.g., "znedesk.com," "vpn-zendesk.com").
* **Credential Harvesting:** Hosting fake Single Sign-On (SSO) pages on these domains aimed at harvesting user credentials.
* **Support Ticket Weaponization:** Submitting fraudulent helpdesk tickets to legitimate portals operated by target organizations.
* **Initial Access via Agent Compromise:** Submitting malicious tickets potentially to drop Remote Access Trojans (RATs) directly onto the machines of helpdesk agents.
* **Post-Compromise Activity:** Utilizing initial access to pivot across corporate networks for quiet data looting (intellectual property or sensitive data).
* **Methodological Shift:** Moving towards weaponizing identity and trust within SaaS tooling rather than direct network hacking or zero-day exploitation.
* **MITRE ATT&CK IDs:** Not explicitly mentioned in the provided text, but core activities align with **Phishing (T1566)** and **Valid Accounts (T1078)** leading to **Remote Access Software (T1219)** or **Ingress Tool Transfer (T1105)**.
## Targeting
* **Sectors:** Companies utilizing customer relationship management (CRM) platforms, specifically **Zendesk** and **Salesforce**. Broadly targets organizations whose support workflows rely heavily on SaaS tooling.
* **Geography:** Domain registration hallmarks (US or UK contact details) point to a US/UK presence or operational familiarity; targeting itself appears global, covering organizations that use these platforms wherever they operate.
* **Victims:** Zendesk users broadly; specific organizations mentioned include **Discord** (previous suspected compromise). Dozens of Salesforce customers were targeted in the prior campaign.
## Tools & Infrastructure
* **Malware Families Used:** Implied use of **Remote Access Trojans (RATs)** dropped via malicious tickets.
* **Infrastructure (C2, domains, IPs):**
  * Discovered over 40 **typosquatted and impersonation domains** targeting Zendesk over the last six months.
  * **Registration Hallmarks:** Shared use of registrar **NiceNic**, common US or UK contact details, and **Cloudflare-masked nameservers**.
## Implications
Scattered Lapsus$ Hunters represent a highly advanced, collaborative threat group that leverages social engineering and trust in enterprise SaaS infrastructure to gain initial access. Their focus on helpdesk systems like Zendesk provides a high-yield opportunity, potentially granting them "the front door to thousands of firms" by compromising the agents who manage customer access and support. The group is actively running multiple large-scale campaigns, indicating significant operational capacity aimed at data theft and extortion through 2026.
## Mitigations
* **Enhance Support Portal Security:** Review and harden access controls for all support interface portals (e.g., Zendesk).
* **Agent Security Posture:** Implement strict controls regarding file execution or application installation triggered by support tickets or interactions from unknown external sources.
* **Monitor for Phishing:** Actively monitor for newly registered, lookalike domains that mimic official corporate portals.
* **Infrastructure Monitoring:** Watch for unusual registration patterns in domains (e.g., same registrar, masked infrastructure) that mirror past campaign hallmarks.
* **Endpoint Detection & Response (EDR):** Ensure EDR/visibility is robust on agent workstations that interact with ticketing systems to detect RAT execution.
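The two monitoring items above (lookalike-domain detection and watching for the campaign's registration hallmarks) can be combined into a single triage pass over a newly-registered-domain feed. The script below is an added example, not code from ReliaQuest or the report; it assumes a simplified WHOIS/RDAP-style record (the `Registration` dataclass is hypothetical, real feeds carry different fields) and uses constructed sample records, two of which reuse the domains quoted in the report. The hallmark signals are weak and campaign-specific, so they are used to rank flagged domains, not to flag on their own.

```python
"""
Added example (not from the ReliaQuest report): flag newly registered domains
that resemble a protected brand ("zendesk") and rank them by how many of the
report's registration hallmarks they match (registrar NiceNic, Cloudflare
nameservers, US/UK contact details). All records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BRAND = "zendesk"
# Hallmarks taken from the report text; treat as weak, campaign-specific signals.
HALLMARK_REGISTRAR = "nicenic"
HALLMARK_NS_SUFFIX = ".ns.cloudflare.com"
HALLMARK_COUNTRIES = {"US", "GB", "UK"}


@dataclass
class Registration:
    """Hypothetical WHOIS/RDAP-style record; real feeds use different fields."""
    domain: str
    registrar: str = ""
    nameservers: List[str] = field(default_factory=list)
    registrant_country: str = ""


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition ("znedesk")
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'vpn-zendesk' from 'vpn-zendesk.com'.
    Naive on purpose: ignores multi-part public suffixes such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(domain: str, brand: str = BRAND) -> Optional[str]:
    """Return why the domain resembles the brand, or None if it does not."""
    label = registrable_label(domain)
    if label == brand:
        return None  # the brand's own registrable name; allow-list it elsewhere
    # Brand embedded as a token or substring: 'vpn-zendesk', 'zendesk-login'.
    if brand in label:
        return f"contains brand token '{brand}'"
    # Character-level typosquat of any hyphen-separated token: 'znedesk', 'zendsk'.
    best = min(damerau_levenshtein(tok, brand) for tok in label.split("-"))
    if best <= 2:
        return f"edit distance {best} from '{brand}'"
    return None


def hallmark_score(rec: Registration) -> int:
    """Count how many of the report's registration hallmarks a record matches (0-3)."""
    score = 0
    if HALLMARK_REGISTRAR in rec.registrar.lower():
        score += 1
    if any(ns.lower().endswith(HALLMARK_NS_SUFFIX) for ns in rec.nameservers):
        score += 1
    if rec.registrant_country.upper() in HALLMARK_COUNTRIES:
        score += 1
    return score


def triage(records: List[Registration]) -> List[Dict]:
    """Return lookalike domains with their reason and hallmark score, highest score first."""
    hits = []
    for rec in records:
        reason = lookalike_reason(rec.domain)
        if reason is None:
            continue
        hits.append({"domain": rec.domain, "reason": reason, "hallmarks": hallmark_score(rec)})
    return sorted(hits, key=lambda h: h["hallmarks"], reverse=True)


# Constructed sample feed: the two domains quoted in the report plus benign noise.
SAMPLE_FEED = [
    Registration("znedesk.com", "NiceNic International Group",
                 ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"], "US"),
    Registration("vpn-zendesk.com", "NiceNic", ["kim.ns.cloudflare.com"], "GB"),
    Registration("zendesk.com", "MarkMonitor", ["ns1.example-corp.net"], "US"),
    Registration("zenith-desk-supply.com", "Some Registrar", ["ns1.hosting.example"], "DE"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(f"{hit['domain']:<24} hallmarks={hit['hallmarks']}  {hit['reason']}")
```

Running it prints the two report domains, both matching all three hallmarks, while the brand's own domain and the unrelated `zenith-desk-supply.com` are not flagged. The edit-distance threshold of 2 and the hallmark list are the knobs to tune; in production the label extraction should use a public-suffix list, and the brand allow-list should cover the organisation's legitimate subdomains and vendor-hosted portals.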