Ethical Hacking News
Scattered LAPSUS$ Hunters (SLH), a notorious cybercrime collective, has been observed offering financial incentives to recruit women for voice phishing campaigns targeting IT help desks. With payouts ranging from $500 to $1,000 per call, this is a calculated evolution in the group's tactics. Learn more about how organizations can protect themselves from these types of attacks and stay ahead of evolving threat landscapes.
Scattered LAPSUS$ Hunters (SLH) has been using advanced social engineering attacks to breach companies. The group recruits women to conduct voice phishing campaigns targeting IT help desks, offering financial incentives of $500-$1,000 per call. SLH's modus operandi involves posing as employees and convincing IT staff to reset passwords or install remote monitoring and management tools for remote access. The group uses legitimate services and residential proxy networks to blend in and evade detection. SLH demonstrates high social engineering expertise by impersonating employees to attempt password resets and MFA attempts. Organizations should be alert to pre-written scripts, polished voice impersonation, and enforce strict identity verification, MFA policies, and log auditing.
The threat landscape has witnessed a significant evolution in recent times, as cybercrime groups continue to diversify their tactics and adapt to the changing security environment. One such group that has garnered attention from cybersecurity experts is Scattered LAPSUS$ Hunters (SLH), a notorious collective known for its advanced social engineering attacks. In this article, we will delve into the details of SLH's latest strategy, which involves recruiting women to conduct voice phishing campaigns targeting IT help desks.
According to a recent threat brief by Dataminr, SLH has been offering financial incentives to recruit women for these vishing attacks, with payouts ranging from $500 to $1,000 per call. This is a calculated evolution in the group's tactics, as they aim to bypass traditional profiles of attackers that IT help desk staff may be trained to identify.
The group's modus operandi involves targeting help desks and call centers to breach companies by posing as employees and convincing them to reset a password or install a remote monitoring and management (RMM) tool that grants them remote access. Once initial access is obtained, SLH actors move laterally to virtualized environments, escalating privileges, and exfiltrating sensitive corporate data.
One of the hallmark features of these attacks is the use of legitimate services and residential proxy networks to blend in and evade detection. Scattered Spider actors have also been observed using various tunneling tools like Ngrok, Teleport, and Pinggy, as well as free file-sharing services such as file.io, gofile.io, mega.nz, and transfer.sh.
The group's proficiency in exploiting human psychology is a notable aspect of its tactics. By impersonating employees to attempt password and multi-factor authentication (MFA) resets, Scattered Spider actors have demonstrated a high level of social engineering expertise. In one case investigated by Palo Alto Networks Unit 42, the group created and utilized a virtual machine after obtaining privileged credentials by calling the IT help desk, using it to conduct reconnaissance and attempt to exfiltrate Outlook mailbox files and data downloaded from the target's Snowflake database.
The recruitment drive represents a calculated evolution in SLH's tactics, as they aim to bypass traditional profiles of attackers that IT help desk staff may be trained to identify. By specifically seeking female voices, the group likely aims to increase the effectiveness of their impersonation efforts.
To combat this evolving threat landscape, organizations are advised to be on alert and train IT help desk and support personnel to watch out for pre-written scripts and polished voice impersonation. Enforcing strict identity verification, hardening MFA policies by shifting away from SMS-based authentication, and auditing logs for new user creation or administrative privilege escalation following help desk interactions can also help mitigate the risk of these attacks.
In conclusion, the evolution of social engineering tactics by Scattered LAPSUS$ Hunters (SLH) highlights the importance of staying vigilant in today's threat landscape. By understanding the group's tactics and adapting to their evolving strategies, organizations can take proactive steps to protect themselves from these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Evolution-of-Social-Engineering-Scattered-LAPSUS-Hunters-SLH-Recruits-Female-Voices-for-IT-Help-Desk-Vishing-Attacks-ehn.shtml
https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html
https://www.dataminr.com/resources/intel-brief/slh-recruiting-women-for-vishing/
Published: Wed Feb 25 10:45:07 2026 by llama3.2 3B Q4_K_M
