Scattered Lapsus$ Hunters Launch Typosquatting Attack Targeting Zendesk Users

Listen to this Post

Featured Image
Customer support platforms are increasingly becoming prime targets for cybercriminals, and the latest findings from ReliaQuest highlight just how sophisticated these threats have become. Over the past six months, a coordinated campaign attributed to the threat group “Scattered Lapsus$ Hunters” has deployed more than 40 typosquatted domains impersonating Zendesk environments. These fake domains are designed to steal sensitive credentials from unsuspecting users, signaling a worrying expansion in supply-chain attacks on SaaS platforms.

Typosquatting Attack Details

ReliaQuest researchers discovered multiple fraudulent domains, including znedesk[.]com and vpn-zendesk[.]com, deliberately crafted to resemble legitimate Zendesk URLs. Many of these sites host phishing pages and counterfeit single sign-on (SSO) portals. The attackers often combine corporate names with Zendesk branding, making the sites appear authentic enough to trick users into entering passwords, email addresses, and other sensitive data.

Technical analysis revealed consistent patterns across the domains: registration through NiceNic, US and UK contact information, and Cloudflare-masked nameservers. These characteristics match those observed in a prior Salesforce-focused campaign in August 2025, reinforcing the link to Scattered Lapsus$ Hunters.

Expanding Supply-Chain Attack Strategy

The campaign is indicative of a larger strategic approach, targeting widely used enterprise SaaS platforms. Previous attacks on Salesforce, Salesloft, Drift, and Gainsight show a clear pattern: customer support and CRM systems are high-value targets due to the sensitive data they handle.

Attackers submit fraudulent tickets to legitimate Zendesk help desks, embedding links or attachments containing remote access trojans (RATs) and other malware. Once inside, they can move laterally within networks, escalating privileges and exfiltrating valuable information.

Telegram communications from November 2025 reveal the group is planning “3–4 operations” through early 2026, suggesting this Zendesk campaign is part of multiple concurrent attacks targeting SaaS supply chains.

Defensive Recommendations

ReliaQuest stresses treating customer support platforms as critical infrastructure. Recommended defensive measures include:

Enforcing multifactor authentication with hardware tokens.

Implementing IP allowlisting and session timeouts for administrative accounts.

Monitoring DNS records for newly registered domains that mimic Zendesk or internal naming conventions.

Deploying digital risk protection (DRP) tools to detect typosquatted domains early.

Utilizing automated response playbooks to terminate sessions, deactivate compromised accounts, and scan affected hosts.

The campaign highlights the growing sophistication of attacks on customer support systems and underscores the need for proactive defenses against social engineering and multi-vector threats.

What Undercode Say:

The Scattered Lapsus$ Hunters campaign represents a shift in cybercriminal focus toward SaaS supply chains. Traditionally, attackers targeted endpoints or email phishing; now, platforms like Zendesk act as high-value gateways into enterprise networks. By exploiting trusted customer service channels, threat actors can bypass perimeter defenses, as employees are conditioned to trust help desk interactions.

This campaign also illustrates the power of typosquatting as a low-cost, high-return tactic. By creating domains visually similar to legitimate platforms, attackers increase the likelihood of credential theft without needing sophisticated exploits. The consistent use of NiceNic registration, Cloudflare masking, and US/UK contact details shows operational maturity and suggests that these are not opportunistic actors but organized threat groups with clear methodology.

From an enterprise perspective, the lateral movement enabled by these attacks is critical. Customer support staff often have access to sensitive corporate data, including internal documentation and client information. Once compromised, attackers can pivot into other internal systems, compromising accounts and potentially stealing intellectual property or financial data.

Monitoring typosquatted domains and implementing DRP solutions is no longer optional. Automated defenses, combined with employee training on phishing awareness, are crucial. Organizations that ignore these signals risk becoming collateral damage in larger supply-chain campaigns.

Looking forward, the repeated targeting of SaaS platforms suggests that threat actors see long-term profitability in compromising support systems. Each incident provides data to refine social engineering tactics and enhance malware deployment. Enterprises must adopt a proactive security posture, treating platforms like Zendesk as critical infrastructure rather than auxiliary tools.

The campaign also raises questions about regulatory preparedness. Many SaaS providers offer robust security, but their clients’ configuration and monitoring practices vary widely. This gap creates opportunities for attackers to exploit weakly protected environments. Collaboration between vendors and customers to enforce stricter authentication, DNS monitoring, and incident response protocols will be key in mitigating these threats.

Social engineering, typosquatting, and lateral movement are becoming a combined playbook for cybercriminals. By analyzing this campaign, security teams can anticipate that similar attacks may soon target other widely used SaaS platforms. Early adoption of automated detection, continuous risk monitoring, and incident response playbooks will likely define enterprise resilience in 2026 and beyond.

🔍 Fact Checker Results

✅ More than 40 typosquatted domains targeting Zendesk were identified.
✅ Campaign linked to Scattered Lapsus$ Hunters with prior Salesforce attacks.
❌ No evidence suggests Zendesk itself was compromised; attack targets users.

📊 Prediction

The next wave of attacks will likely expand to other SaaS platforms beyond Zendesk and Salesforce. Expect coordinated campaigns targeting widely used tools like HubSpot, Freshdesk, and ServiceNow. Enterprises that fail to implement proactive domain monitoring and multifactor authentication will remain the most vulnerable. Social engineering and typosquatting will continue to be preferred tactics, with potential escalation into automated malware deployment. Organizations adopting DRP tools and continuous employee training may see a significant reduction in successful breaches.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.pinterest.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon