A cluster of more than 40 newly registered domains mimicking Zendesk environments has appeared over the past six months, indicating a likely campaign linked to the threat collective known as Scattered Lapsus$ Hunters.
The domains, discovered by ReliaQuest, closely resembled legitimate Zendesk URLs (often using small character substitutions or brand-specific naming) to lure victims into credential-harvesting pages.
Investigators found that several of these sites hosted fake single sign-on pages designed to intercept usernames, passwords, and Multi-Factor Authentication (MFA) tokens. Other domains embedded multiple unrelated brand names within a single URL, a tactic that increased the likelihood of users trusting the links.
The infrastructure shared common characteristics, including registration through NiceNic, US and UK contact details, and Cloudflare-masked nameservers.
ReliaQuest noted that these traits mirrored domains observed in the group’s August 2025 campaign against Salesforce.
Analysts also identified indications that attackers were submitting fraudulent tickets to legitimate Zendesk portals, attempting to compromise help-desk personnel with remote access trojans. These tickets often used urgent operational pretexts, such as fake password resets, to pressure support teams into opening malicious attachments.
Indicators of a Broader SaaS-Targeting Strategy
The Zendesk activity followed earlier incidents attributed to the collective, including the September 2025 breach of Discord’s Zendesk-based support system and the November 2025 compromise of Gainsight.
Telegram posts from the group suggested it was running multiple concurrent campaigns and expected continued activity through early 2026.
ReliaQuest stated that the findings highlighted broader risks facing widely deployed Software-as-a-Service (SaaS) platforms.
“Scattered Lapsus$ Hunters’ multipronged approach—combining external phishing domains with internal ticket injection—makes it clear that customer support platforms are now a critical part of the attack surface,” the researchers said.
The firm recommended treating customer support systems as critical infrastructure and implementing controls such as MFA, proactive domain monitoring, DNS filtering and access rules to prevent unauthorized access to administrative and support accounts.
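As an added example (not ReliaQuest's tooling or anything from the report), the checker below applies the lookalike traits described above, small character substitutions, the brand name embedded in a third-party domain, and several brands in one hostname, to a feed of newly registered hostnames of the kind a domain-monitoring control would produce. The brand list, the homoglyph table and the sample hostnames are constructed for illustration.

```python
import re

BRAND = "zendesk"
OTHER_BRANDS = {"okta", "microsoft", "salesforce", "google"}  # constructed list
LEGIT_SUFFIX = ".zendesk.com"  # assumption: real tenant subdomains live here

# Common single-character substitutions used in typosquats; folded before comparing.
# Punycode (xn--) labels are not decoded here.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def fold(label):
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url):
    host = url.lower().split("://", 1)[-1].split("/", 1)[0]
    return host.split("@")[-1].split(":")[0].strip(".")


def classify(url, max_distance=2):
    """Return the reasons a hostname looks like a Zendesk lookalike ([] if clean)."""
    host = hostname(url)
    if host == LEGIT_SUFFIX[1:] or host.endswith(LEGIT_SUFFIX):
        return []
    reasons = []
    tokens = {fold(t) for t in re.split(r"[.-]", host) if t}
    if any(BRAND in t for t in tokens):
        reasons.append("brand name embedded in a third-party domain")
    elif any(0 < levenshtein(t, BRAND) <= max_distance for t in tokens):
        reasons.append("near-miss spelling of brand name")
    seen = {b for b in OTHER_BRANDS | {BRAND} if any(b in t for t in tokens)}
    if len(seen) >= 2:
        reasons.append("multiple brand names in one hostname: " + ", ".join(sorted(seen)))
    return reasons


def scan(urls):
    """Map each flagged URL to its reasons; clean URLs are omitted."""
    return {u: r for u in urls if (r := classify(u))}
```

Feed `scan()` a list of hostnames from a newly-registered-domain feed and route the flagged entries to DNS-filter blocklists or to an analyst queue.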