The Attack Infrastructure

ReliaQuest discovered over 40 typosquatted and impersonation domains designed to mirror Zendesk portals over the past six months. These domains use names like "znedesk.com" or "vpn-zendesk.com" to deceive users and helpdesk staff.

Some domains host fake single sign-on pages aimed at harvesting credentials. Others are used to submit fraudulent tickets to helpdesk staff at legitimate organisations. The malicious tickets can potentially deliver remote-access trojans directly onto agents' machines, providing attackers with footholds inside corporate networks for data theft and lateral movement.

All domains share common registration characteristics: the same registrar (NiceNic), US or UK contact details, and Cloudflare-masked nameservers. This profile closely resembles a previous impersonation campaign targeting Salesforce in August 2025, leading researchers to attribute both operations to the same criminal group.

Connection to Discord Breach

These findings provide context for the September 2025 Discord breach, which compromised Discord's Zendesk-based support system. Attackers lifted usernames, email addresses, billing details, IP logs, and government-issued IDs. Whilst initially treated as an isolated incident, ReliaQuest now assesses this breach was likely Scattered Lapsus$ Hunters' work.

The discovery of numerous impersonation domains and agent-targeted tickets suggests the group is intensifying focus on support platforms as part of their attack strategy.

The Threat Group's Boasts

The gang has been openly advertising their activities on Telegram. Earlier this month, they posted: "Wait for 2026, we are running 3-4 campaigns atm," and warned incident responders to monitor logs through January 2026 because "#ShinyHuntazz is coming to collect your customer databases."

ReliaQuest believes the Zendesk-related infrastructure uncovered is likely part of one of these promised campaigns. Scattered Lapsus$ Hunters claimed responsibility for compromising customer success platform Gainsight in November 2025, making Zendesk realistically possible as the second campaign target referenced on Telegram.

The Salesforce Precedent

Scattered Lapsus$ Hunters has already demonstrated capability for large-scale attacks against enterprise support platforms. In October, the group launched a dark web leak site claiming data theft from dozens of Salesforce customers. They claimed to have stolen up to a billion records and threatened publication unless ransom demands were met.

This Salesforce campaign established a blueprint that appears to be replicated against Zendesk: create impersonation domains, compromise support infrastructure, harvest credentials, exfiltrate data, and demand ransoms.

A Cybercrime Supergroup

Scattered Lapsus$ Hunters represents a coalition of previously separate threat groups: social engineering specialists from Scattered Spider, data theft veterans from ShinyHunters, and extortion-oriented operatives from Lapsus$. This merger creates what security researchers describe as a "supergroup" specifically tuned to exploit 2025 enterprise IT environments.

The coalition brings together complementary skills. Scattered Spider's social engineering expertise enables convincing impersonation of legitimate support channels. ShinyHunters' data theft capabilities allow efficient extraction of valuable information. Lapsus$'s extortion experience ensures effective monetisation through threats and ransom demands.

Why Helpdesk Infrastructure Matters

The group's focus on helpdesk infrastructure represents logical targeting. Zendesk serves over 100,000 companies for internal and external support workflows. Compromising Zendesk access potentially provides attackers with entry points to thousands of organisations simultaneously.

Support platforms occupy trusted positions within enterprise environments. Staff expect to receive and process tickets from external sources. This creates opportunities for malicious tickets containing embedded exploits or social engineering content to reach employees who may not scrutinise them with the same suspicion applied to external emails.

Additionally, support staff often possess elevated permissions necessary for assisting customers across multiple systems. Compromising support agent accounts can provide broader access than compromising typical user accounts.

The Structural Shift

This campaign reflects a broader evolution in cybercrime tactics. Rather than hacking networks directly or exploiting zero-day vulnerabilities, modern threat groups increasingly weaponise identity and trust in SaaS tooling.

Traditional perimeter defences prove less effective when attackers enter through legitimate channels like support systems. When malicious tickets arrive through official Zendesk portals, security tools designed to detect external threats may not trigger alerts for what appears to be normal business activity.

What Organisations Should Do

Scrutinise support tickets carefully. Train helpdesk staff to recognise potentially malicious tickets, particularly those containing links, attachments, or requests for actions outside normal workflows.

Verify unexpected communications. If support tickets request unusual actions or come from unfamiliar sources, verify through independent channels before proceeding.

Monitor for typosquatted domains. Organisations using Zendesk should watch for domains impersonating their support portals and report them promptly for takedown.

Implement robust authentication. Ensure support staff accounts use multi-factor authentication and follow least-privilege principles to limit damage if accounts are compromised.

Audit access logs. Review Zendesk access logs for unusual activity, particularly access from unexpected locations or at unusual times.

Educate staff about social engineering. Support staff face sophisticated social engineering from threat groups like Scattered Lapsus$ Hunters. Regular training on current tactics is essential.

Consider additional verification for sensitive actions. Implement out-of-band verification for high-risk actions requested through support tickets, such as password resets for privileged accounts.

The Broader Threat Landscape

Scattered Lapsus$ Hunters' campaigns against Salesforce, Gainsight, and now potentially Zendesk demonstrate how enterprise SaaS platforms have become prime targets for sophisticated threat groups. These platforms' widespread adoption and trusted position within business workflows create opportunities for attacks at scale.

The group's Telegram announcements suggest they're running multiple simultaneous campaigns and plan continued operations through 2026. Organisations using popular enterprise SaaS platforms should assume they may be targets and implement appropriate defences.

The coalition nature of Scattered Lapsus$ Hunters—bringing together specialists in social engineering, data theft, and extortion—represents a concerning trend toward professionalisation and specialisation in cybercrime. When threat groups combine complementary capabilities, they become significantly more effective than individual operators working independently.

Protect Your Organisation from SaaS Platform Attacks

At Altiatech, we help organisations defend against sophisticated threats targeting enterprise SaaS platforms and support infrastructure. Our cybersecurity services include security assessments, staff training on current threat tactics, and monitoring solutions that detect suspicious activity across your SaaS environment.

From implementing robust authentication controls to developing incident response capabilities for SaaS platform compromises, we provide the expertise needed to protect your organisation from evolving threats.

Get in touch:

📧 Email: innovate@altiatech.com
📞 Phone (UK): +44 (0)330 332 5482

Defend against SaaS threats. Protect your support infrastructure.