Zendesk Users Targeted as Scattered Lapsus$ Hunters Launch Fake Support Sites

Source: www.theregister.com/2025/11/2…

ReliaQuest has uncovered an emerging extortion campaign aimed at Zendesk customers, attributed to the Scattered Lapsus$ Hunters group. The operation uses newly created phishing domains and fraudulent helpdesk tickets to harvest credentials and engage support teams.

Researchers identified more than forty typosquatted or impersonation domains over the past six months, including variants such as znedesk.com and vpn-zendesk.com. Some host fake single sign-on pages, while others are used to insert fraudulent tickets into Zendesk workflows.

The domains share consistent traits: the same registrar (NiceNic), U.S. or U.K. contact details, and Cloudflare-masked nameservers. The infrastructure closely mirrors a previous impersonation campaign against Salesforce, leading analysts to suspect the same threat group is responsible.

The activity highlights a broader shift among cybercriminals. Rather than exploiting zero-days or breaching networks directly, attackers are increasingly weaponizing identity, brand impersonation, and trust in SaaS platforms.

Scattered Lapsus$ Hunters comprise members from several well-known groups, including social engineering actors from Scattered Spider, data-theft operators from ShinyHunters, and extortion specialists from Lapsus$, forming a combined crew optimized for modern enterprise environments.
Edward Kiledjian
@ekiledjian
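
A defender-side triage sketch for the two lookalike patterns the post names, the character-swap typosquat (znedesk.com) and the brand-embedding domain (vpn-zendesk.com). This is an added example, not code from the post or from ReliaQuest; the allow-list, the distance threshold and the naive label handling (no public suffix list) are assumptions.

```python
BRAND = "zendesk"          # brand named in the post
LEGIT = {"zendesk.com"}    # assumption: the only domain treated as genuine here
MAX_DISTANCE = 2           # assumption: edit-distance threshold for a typosquat

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "ne" <-> "en" in znedesk/zendesk
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain):
    """Return 'legitimate', 'brand-embedded', 'typosquat' or 'unrelated'."""
    domain = domain.strip().lower().rstrip(".")
    if domain in LEGIT or any(domain.endswith("." + good) for good in LEGIT):
        return "legitimate"
    # Naive handling: inspect every label except the TLD, split on hyphens.
    tokens = [t for label in domain.split(".")[:-1] for t in label.split("-") if t]
    if any(BRAND in t for t in tokens):
        return "brand-embedded"   # exact brand string under a foreign domain
    if any(osa_distance(t, BRAND) <= MAX_DISTANCE for t in tokens):
        return "typosquat"        # near-miss spelling of the brand
    return "unrelated"

# Constructed sample input: the two domains quoted in the post plus controls.
SAMPLE = ["znedesk.com", "vpn-zendesk.com", "acme.zendesk.com",
          "zendesk.com.example.net", "example.org"]

def triage(domains):
    """Map each observed domain to its verdict."""
    return {d: classify(d) for d in domains}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{verdict:15} {name}")
```

Feeding this with newly observed domains from DNS, proxy or mail-gateway logs gives a short review list; the shared traits the post mentions (registrar, nameservers) can then be checked on the hits.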