Threat Insight
The Next Target of Scattered LAPSUS$ Hunters – Zendesk
Last week, researchers at ReliaQuest discovered relatively newly registered Zendesk-related domains, including more than 40 typosquatted domains and impersonating URLs such as znedesk[.]com or vpn-zendesk[.]com.
This tactic is reminiscent of earlier attacks by a ransomware group calling themselves Scattered LAPSUS$ Hunters (SLSH), including the Salesforce SaaS attack and attacks on the retail, insurance and aviation industries. [1] SLSH relies on social engineering combined with phishing campaigns that use typosquatted domains and tools like Evilginx to bypass multifactor authentication (MFA). [2]
Members of SLSH are believed to be part of the decentralized online collective known as “Hacker Com”, consisting mostly of young English-speaking hackers, SIM swappers and extortionists. Members of Hacker Com have previously come together under different brands such as Octo Tempest (Scattered Spider), Strawberry Tempest (LAPSUS$) and ShinyHunters since at least 2021.
Members are skilled at social engineering, SIM swapping, lateral movement within networks and data exfiltration.
A number of community members have been arrested, mostly young men aged roughly 16 to 22, but the group has proved resilient and continues to conduct high-profile cyberattacks. [3]
SLSH's latest string of high-profile ransomware attacks includes the British car manufacturer Jaguar Land Rover, the Salesloft Drift breach and Gainsight. The Salesforce supply chain attack also affected Nordic companies: Pandora openly admitted the breach, while other companies appeared on the leak site without making any official announcement. [4]
Successful compromise of a corporate Zendesk instance grants access to customer support tickets, which often contain sensitive PII, internal process data, and occasionally shared credentials or API keys. This data will likely be used for further extortion or lateral movement into the customers’ internal networks.
Recommendation
The previously identified targeted social engineering campaign aimed at Zendesk users likely leveraged the newly identified infrastructure to facilitate supply chain attacks similar to the previous Salesforce incident.
A high-volume phishing and social engineering campaign is likely already active, and the attackers will almost certainly use Evilginx-style AiTM (Adversary-in-the-Middle) attacks to bypass standard MFA, targeting support staff or administrators to hijack sessions and gain access to authentication credentials. Zendesk users should be alert to possible attacks and should warn their helpdesk personnel in particular.
1. Strengthen Social Engineering Defenses
Since the primary attack vector for this group relies on human manipulation rather than technical exploits, organizations must prioritize the human element.
- Train help desk and IT support staff on advanced verification procedures for access requests, password resets, and system changes.
- Implement strict identity verification protocols beyond standard questions, especially for privileged access requests.
- Conduct regular vishing and phishing simulations targeting both general employees and help desk personnel.
- Create awareness about MFA fatigue attacks and credential harvesting techniques.
- Treat your helpdesk and IT support like first-line defenders. (See TS-ThreatInsight-2025-48: Take Aways from the SalesLoft Drift Breach for more information.)
2. Harden SaaS Platform Security
Given that SLSH has targeted Salesforce, Gainsight and likely Zendesk, among other widely used SaaS platforms, through supply chain attacks, SaaS supply chain security should be a high priority.
- Restrict powerful permissions like “API Enabled” and “Manage Connected Apps” to trusted administrators only
- Implement IP allowlisting for user profiles and connected apps
- Deploy automated monitoring to detect anomalous downloads or suspicious API activity
- Enforce phishing-resistant MFA (hardware security keys) for all administrative accounts
- Regularly audit connected apps and revoke unused or suspicious OAuth tokens immediately
3. Monitor for Impersonating Domains
Because the threat actors register domains following predictable patterns such as “company-okta[.]com”, “ticket-companyname[.]com” and “company-salesforce[.]com”, it is essential to proactively monitor for typosquatted and impersonating domains.
- Implement Digital Risk Protection (DRP) solutions to detect brand impersonation early.
- Monitor and search for suspicious domain registrations containing your organization name combined with keywords like: okta, sso, helpdesk, servicedesk, ticket, salesforce, Zendesk. Block any newly registered suspicious domains.
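The monitoring described in this section, as an added example that is not part of the original advisory: it screens a newly-registered-domain feed for the two patterns the article names, a lure keyword paired with your organization or SaaS brand name (vpn-zendesk, ticket-companyname) and single-edit typos of the name itself (znedesk). The feed contents and the organization name "acme" are constructed for the example.

```python
from __future__ import annotations
import re

# Lure keywords the article says SLSH pairs with a company or SaaS brand name
KEYWORDS = {"okta", "sso", "helpdesk", "servicedesk", "ticket", "salesforce", "zendesk", "vpn"}

# Constructed sample of a newly-registered-domain feed (not real registrations)
NEW_REGISTRATIONS = ["znedesk.com", "vpn-zendesk[.]com", "ticket-acme.net", "acmeokta.com",
                     "zendeskk.io", "zendesk.com", "acmebakery.org"]

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: a swapped pair (znedesk/zendesk) is one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain: str, names: set[str]) -> str | None:
    """Reason the domain impersonates one of `names` (your org plus SaaS brands), else None."""
    label = domain.lower().replace("[.]", ".").split(".")[0]  # defanged input is accepted
    tokens = [t for t in re.split(r"[-_]", label) if t]
    for name in names:
        # name plus a lure keyword, hyphenated (vpn-zendesk) or glued together (acmeokta)
        if name in tokens and any(t in KEYWORDS for t in tokens if t != name):
            return f"keyword+name lookalike of {name}"
        head = label[len(name):] if label.startswith(name) else ""
        tail = label[:-len(name)] if label.endswith(name) else ""
        if head in KEYWORDS or tail in KEYWORDS:
            return f"keyword+name lookalike of {name}"
        # one-edit typo of the name itself (transposition, insertion, substitution)
        if label != name and edit_distance(label, name) == 1:
            return f"typosquat of {name}"
    return None

def scan(feed: list[str], names: set[str]) -> dict[str, str]:
    """Map each flagged domain in a registration feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d, names))}

if __name__ == "__main__":
    for domain, reason in scan(NEW_REGISTRATIONS, {"acme", "zendesk"}).items():
        print(f"{domain:20} {reason}")
```

Flagged domains are candidates for blocking and for a takedown request; the legitimate zendesk.com and the unrelated acmebakery.org in the sample are not flagged.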
References
[1] https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/
[2] https://reliaquest.com/blog/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration/
[3] https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/
[4] https://www.reddit.com/r/PandoraCollectors/comments/1mi5646/comment/n71x0k3/