Ethical Hacking News
Scattered Lapsus$ Hunters, a notorious cybercrime group, has launched a fresh wave of phishing domains and malicious helpdesk tickets targeting Zendesk users, exploiting the trust that users place in SaaS tooling. With over 100,000 companies using Zendesk for internal and external support workflows, the exposure is broad.
Cybersecurity researchers at ReliaQuest have uncovered a fresh wave of phishing domains and malicious helpdesk tickets targeting Zendesk users. This new extortion campaign is the latest in a series of attacks by Scattered Lapsus$ Hunters, a cybercrime group known for its audacious tactics. The group's modus operandi has shifted from traditional network exploitation to weaponizing identity and trust in Software as a Service (SaaS) tooling.
The latest campaign, which began about six months ago, involves the creation of over 40 typosquatted and impersonation domains designed to mirror Zendesk's portals. These domains serve three purposes: harvesting credentials, lending credibility to fraudulent tickets submitted to helpdesk staff, and hosting fake single sign-on (SSO) pages aimed at capturing agent logins. The tactics are a deliberate attempt to exploit the trust that users place in Zendesk, and they closely resemble the techniques Scattered Lapsus$ Hunters employed in its previous campaign against Salesforce.
Scattered Lapsus$ Hunters, a coalition of previously separate outfits, has been making headlines this year with a major campaign against Salesforce. In October, the group launched a dark web leak site claiming data theft from dozens of Salesforce customers and threatening to publish the data unless ransom demands were met. The Zendesk campaign follows the same playbook: target customer relationship management and support platforms, then use the helpdesk infrastructure as a pivot point for targeted intrusions.
According to ReliaQuest's threat researchers, the attackers are chaining support interface impersonation with targeted intrusions, submitting malicious tickets to legitimate Zendesk portals operated by real organizations. A ticket that persuades an agent to open a payload or re-authenticate on an attacker-controlled page can result in a remote-access trojan (RAT) being deployed directly onto the agent's machine, allowing the attackers to pivot across the corporate network and quietly exfiltrate intellectual property or other sensitive data.
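The two ingredients described above, lookalike Zendesk domains and tickets that push an agent toward a link or an attachment, are both things a helpdesk team can screen for mechanically. The following is an added example, not code from ReliaQuest, Zendesk or the article's sources; the tenant name "acme", the hostnames, the requester addresses and the sample tickets are all constructed for the example, and the homoglyph table and similarity threshold are assumptions a team would tune against its own tenant.

```python
"""Triage helper for inbound helpdesk tickets (added example).

Flags (1) hostnames that imitate a Zendesk tenant but are not legitimate
Zendesk hosts and (2) tickets whose links, requester address or attachments
point at such hosts or carry an executable payload. Every name below is
constructed for the example; the legitimate tenant "acme" is hypothetical.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List

BRAND = "zendesk"
# Hosts the (hypothetical) tenant actually uses for support. Anything else
# that resembles the brand is treated as an impersonation candidate.
LEGIT_HOSTS = {"acme.zendesk.com", "support.acme.example"}

# Common typosquat substitutions (assumed list; extend from your own sightings).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Attachment types that have no business arriving in a support ticket.
EXECUTABLE_EXT = {".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".js", ".hta", ".iso", ".lnk"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def normalize(host: str) -> str:
    """Lower-case the host and undo the usual homoglyph tricks."""
    host = host.lower().rstrip(".")
    for bad, good in SUBSTITUTIONS:
        host = host.replace(bad, good)
    return host


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for .com/.net/.example hosts."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_lookalike(host: str, threshold: float = 0.8) -> bool:
    """True if host imitates the brand but is not a legitimate brand host.

    The brand's own apex and subdomains (tenant.zendesk.com) are allowed; a
    host that merely embeds the brand elsewhere (acme-zendesk.com,
    acme.zendesk.com.evil.example) or whose registrable label is a near
    miss (zendsek.com) is flagged.
    """
    host = host.lower().rstrip(".")
    if host in LEGIT_HOSTS or host == f"{BRAND}.com" or host.endswith(f".{BRAND}.com"):
        return False
    norm = normalize(host)
    if BRAND in norm:
        return True
    base = registrable(norm).split(".")[0]
    return SequenceMatcher(None, base, BRAND).ratio() >= threshold


@dataclass
class Ticket:
    ticket_id: int
    requester: str
    body: str
    attachments: List[str] = field(default_factory=list)


def triage(ticket: Ticket) -> List[str]:
    """Return human-readable findings for one ticket (empty list = clean)."""
    findings = []
    for host in URL_RE.findall(ticket.body):
        if is_lookalike(host):
            findings.append(f"link to lookalike domain {host}")
    requester_host = ticket.requester.rsplit("@", 1)[-1]
    if is_lookalike(requester_host):
        findings.append(f"requester on lookalike domain {requester_host}")
    for name in ticket.attachments:
        ext = ("." + name.lower().rsplit(".", 1)[-1]) if "." in name else ""
        if ext in EXECUTABLE_EXT:
            findings.append(f"executable attachment {name}")
    return findings


# Constructed sample tickets: one benign, one credential lure, one payload lure.
SAMPLE_TICKETS = [
    Ticket(1, "jane@customer.example",
           "Hi, my login at https://acme.zendesk.com keeps failing."),
    Ticket(2, "it-support@zendesk-helpdesk.example",
           "Please re-authenticate at https://acme-zendesk.com/sso to keep your agent seat."),
    Ticket(3, "vendor@partner.example",
           "Updated diagnostic tool attached, please run it and send the output.",
           ["ZendeskSupportTool.pdf.exe"]),
]

if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print(t.ticket_id, triage(t) or "clean")
```

The point of the requester-domain check is that the sender address is the part of a ticket most teams never look at; the attachment check deliberately uses the last extension so that "report.pdf.exe" is caught. Both checks are a starting point for a ticket-ingest rule or a scheduled export review, not a replacement for blocking executable attachments at the platform level.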
The discovery of these phishing domains and malicious helpdesk tickets highlights a structural shift in modern cybercrime. Rather than breaching networks directly or burning zero-days, groups like Scattered Lapsus$ Hunters weaponize identity and the trust placed in SaaS tooling, relying on social engineering and data theft to reach corporate infrastructure.
The implications are far-reaching. Zendesk sits in the support workflows of over 100,000 companies, so a foothold in one tenant's helpdesk is a foothold into that company's customers and staff. As one security expert noted, "Compromise that [Zendesk], and you may own the front door to thousands of firms." Coming on the heels of the Salesforce campaign, this suggests the group is doubling down on support platforms as a core part of its strategy.
In response, security experts are urging organizations to treat their helpdesk as part of the attack surface: watch for newly registered lookalike domains, scrutinize tickets that push agents to re-authenticate or run an attached tool, and verify the requester before acting on anything sensitive. Users are likewise advised to check the address bar before entering credentials on any support or SSO page and to avoid providing sensitive information without confirming the authenticity of the request.
As long as support platforms remain a trusted channel into so many organizations, Scattered Lapsus$ Hunters and similar groups will keep looking for ways to abuse them. Organizations must remain vigilant and proactive in their defenses to avoid becoming the next target.
Related Information:
https://www.ethicalhackingnews.com/articles/Scattered-Lapsus-Hunters-Latest-Extortion-Campaign-Targets-Zendesk-Users-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/11/27/scattered_lapsus_hunters_zendesk/
https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk/
https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/
https://www.picussecurity.com/resource/blog/scattered-lapsus-hunters-2025s-most-dangerous-cybercrime-supergroup
https://www.esecurityplanet.com/threats/news-scattered-lapsus-hacking-group/
Published: Thu Nov 27 10:47:46 2025 by llama3.2 3B Q4_K_M