Key Points:
ReliaQuest uncovered more than 40 typosquatted and impersonating domains mimicking Zendesk environments, indicating a potential new campaign from the “Scattered Lapsus$ Hunters” threat collective.
Some of the domains are hosting phishing pages with fake single sign-on (SSO) portals designed to steal credentials and deceive users.
Fraudulent tickets are also likely being submitted to legitimate Zendesk portals, aiming to infect help-desk personnel with malware.
We anticipate continued abuse of customer support platforms like Zendesk; organizations should treat these platforms as critical infrastructure and implement robust security measures to counter multipronged attacks.
ReliaQuest has uncovered indications of a potential new campaign from the notorious threat collective “Scattered Lapsus$ Hunters,” this time targeting users of the customer support software Zendesk.
ReliaQuest’s Threat Research team identified Zendesk-related domains, including more than 40 typosquatted domains and impersonating URLs, created within the past six months. These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication. It’s a classic tactic, probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that combined another organization’s name or brand with Zendesk’s in the URL, making it even more likely that unsuspecting users would trust and click on these links.
Beyond their similar formats (such as organization-zendesk.com), the Zendesk domains we identified shared several registration details:
Registration through NiceNic
US and UK registrant contact information
Cloudflare-masked nameservers
These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted the customer relationship management platform Salesforce in August 2025. The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registration characteristics, and the use of deceptive SSO portals.
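The naming and registration traits listed above can be turned into a simple triage rule for newly registered domains. The following is an added example written for this post, not ReliaQuest’s own tooling: it flags a domain when its registrable label either contains the Zendesk brand (vpn-zendesk.com, acme-zendesk.com) or sits within two edits of it (znedesk.com), then raises confidence when the registrar is NiceNic or the nameservers are Cloudflare’s. The domain records, the allowlist of zendesk.com as the only legitimate zone, the edit-distance threshold and the confidence tiers are all assumptions made for the example; the “last two labels” rule for the registrable domain is a shortcut that a production tool would replace with the Public Suffix List.

```python
"""Flag newly registered domains that impersonate Zendesk (added example)."""
import re
from dataclasses import dataclass

BRAND = "zendesk"
# Assumption: only zendesk.com is treated as legitimate; a real allowlist
# should come from Zendesk's published domains.
LEGIT_ZONES = {"zendesk.com"}
# Registration traits the post reports for this campaign. They raise
# confidence in a brand match; on their own they prove nothing.
SUSPECT_REGISTRARS = {"nicenic"}
SUSPECT_NS_SUFFIX = ".ns.cloudflare.com"
MAX_EDIT_DISTANCE = 2  # assumed threshold for typosquat detection


@dataclass(frozen=True)
class DomainRecord:
    name: str
    registrar: str
    nameservers: tuple


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive registrable domain: last two labels (use the PSL in production)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(rec: DomainRecord) -> dict:
    reg = registrable(rec.name)
    if reg in LEGIT_ZONES:
        return {"domain": rec.name, "verdict": "legitimate", "reasons": []}
    label = reg.split(".")[0]
    reasons = []
    if BRAND in label:
        # vpn-zendesk.com / acme-zendesk.com: brand embedded with extra tokens
        reasons.append("brand-in-name")
        extra = [t for t in re.split(r"[-_]", label) if t and t != BRAND]
        if extra:
            reasons.append("extra_tokens=" + ",".join(extra))
    else:
        # Compare without separators so zen-desks and zendesks score alike.
        squashed = re.sub(r"[^a-z0-9]", "", label)
        dist = levenshtein(squashed, BRAND)
        if dist <= MAX_EDIT_DISTANCE:
            reasons.append(f"typosquat(edit_distance={dist})")
    if not reasons:
        return {"domain": rec.name, "verdict": "unrelated", "reasons": []}
    infra = 0
    if rec.registrar.lower() in SUSPECT_REGISTRARS:
        reasons.append("registrar:nicenic")
        infra += 1
    if any(ns.lower().endswith(SUSPECT_NS_SUFFIX) for ns in rec.nameservers):
        reasons.append("ns:cloudflare")
        infra += 1
    verdict = {2: "high", 1: "medium"}.get(infra, "low")
    return {"domain": rec.name, "verdict": verdict, "reasons": reasons}


def triage(records) -> list:
    """Return only the records that look like Zendesk impersonation."""
    out = []
    for rec in records:
        result = classify(rec)
        if result["verdict"] not in ("legitimate", "unrelated"):
            out.append(result)
    return out


# Constructed sample feed (not real WHOIS data) mimicking the traits above.
CF = ("ada.ns.cloudflare.com", "bob.ns.cloudflare.com")
SAMPLE_RECORDS = [
    DomainRecord("znedesk.com", "NiceNic", CF),
    DomainRecord("vpn-zendesk.com", "NiceNic", CF),
    DomainRecord("acme-zendesk.com", "NameCheap", ("dns1.registrar-servers.com",)),
    DomainRecord("zen-desks.net", "NiceNic", ("ns1.example.net",)),
    DomainRecord("support.zendesk.com", "MarkMonitor", ("ns1.zendesk.com",)),
    DomainRecord("desktop.com", "GoDaddy", ("ns1.example.com",)),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["verdict"].upper(), hit["domain"], ", ".join(hit["reasons"]))
```

Feeding the sample list through `triage` flags the four lookalikes and leaves support.zendesk.com and desktop.com alone; znedesk.com and vpn-zendesk.com reach the high tier because they carry both infrastructure traits, while acme-zendesk.com is still reported (low tier) on the strength of the brand match alone, which is the right bias when the output goes to a DNS blocklist or a DRP alert queue rather than an automated takedown.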
We also have evidence to suggest that fraudulent tickets are being submitted directly to legitimate Zendesk portals operated by organizations using the platform for customer service. These fake submissions are crafted to target support and help-desk personnel, infecting them with remote access trojans (RATs) and other types of malware.
Targeting help-desk teams with these kinds of tactics often involves well-crafted pretexts, like urgent system administration requests or fake password reset inquiries. The goal is to trick support staff into handing over credentials or compromising their endpoints.
It’s a stealthy, highly targeted approach that could have devastating consequences for organizations: Once attackers gain access, they can establish a foothold in the network, setting the stage for lateral movement, reconnaissance, and eventually a broader system compromise.
Indications of Larger Campaign
This campaign comes on the heels of a September 2025 attack on Discord, which was also attributed to Scattered Lapsus$ Hunters. In that incident, attackers breached Discord’s Zendesk-based support system, making off with a trove of sensitive user data, including names, email addresses, billing information, IP addresses, and even government-issued ID information. At the time, there was no indication that the Discord breach was part of a broader campaign against Zendesk; however, these latest findings suggest that Scattered Lapsus$ Hunters is likely doubling down on its supply-chain attack strategy.
The group itself has indicated this intention, as seen in a Telegram post made earlier this month. One message bragged: "Wait for 2026, we are running 3-4 campaigns atm [at the moment]" (see Figure 1). Another warned: "all the IR [incident response] people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases."
![Figure 1: Scattered Lapsus$ Hunters Telegram post](https://resources.reliaquest.com/image/upload/c_limit,w_1000,h_1000,f_webp,q_auto/v1764182269/SS_Blog_Image_1_obushp.png)
Figure 1: Scattered Lapsus$ Hunters Telegram post (source: hxxps://x[.]com/meowsevy/status/1985881848489095315)
It’s likely that the Zendesk-related infrastructure we’ve uncovered is part of one of these campaigns. Scattered Lapsus$ Hunters claimed responsibility for a compromise of the customer success platform Gainsight in November 2025; it’s realistically possible that Zendesk is the second of these campaign targets promised on Telegram.
SaaS Attacks Becoming a Classic Playbook
If attributable to Scattered Lapsus$ Hunters, these developments would represent the latest iteration of a consistently effective supply-chain attack strategy. In addition to its targeting of Salesforce, the collective has also claimed responsibility for attacks against the sales lead integration Salesloft Drift in August 2025, followed by Gainsight just months later—each targeting high-value SaaS platforms with widespread organizational adoption and access to downstream customer data.
That said, it’s also a realistic possibility that the success of Zendesk targeting and similar supply-chain attacks has inspired copycat actors or splinter groups from Scattered Lapsus$ Hunters. We’ve seen this kind of pattern before, like with “Black Basta,” where successor groups kept using the same playbook even after law enforcement disrupted the original operation.
What’s Next?
Looking ahead, ReliaQuest expects Scattered Lapsus$ Hunters—or imitators—to keep abusing Zendesk and similar customer support platforms. These platforms often fly under the radar compared to more heavily monitored channels like inbound email traffic, making them an attractive target. To counter this, organizations should treat these platforms with the same level of security as their core infrastructure. Scattered Lapsus$ Hunters’ multipronged approach—combining external phishing domains with internal ticket injection—makes it clear that customer support platforms are now a critical part of the attack surface.
Step Up Your Defenses
ReliaQuest’s Approach
ReliaQuest equips customers with advanced detection and response capabilities to identify and block threats related to the malicious domains outlined in this report. Implementing these capabilities allows customers to respond faster and more effectively.
ReliaQuest GreyMatter DRP: Monitoring for Zendesk-impersonating domains is critical, as Scattered Lapsus$ Hunters likely registers these domains for short periods of time before deactivating or rotating into other fake domains. Fast detection and response are essential to prevent credential harvesting. GreyMatter Digital Risk Protection (DRP) provides early visibility into domain registrations that mimic your organization or Zendesk infrastructure. Enrolling in GreyMatter DRP will allow security teams to act decisively and block malicious domains before they can be weaponized in phishing attacks.
Detection Rules: ReliaQuest's tailored detection rules, built on the latest threat intelligence and research, help organizations identify suspicious activity resembling Scattered Lapsus$ Hunters’ tactics within their environment.
Organizations can reduce their mean time to contain (MTTC) to minutes and minimize the impact of social engineering campaigns by deploying detection rules alongside these corresponding GreyMatter Automated Response Playbooks:
Terminate Sessions and Reset Passwords: Immediately cut off attacker access to compromised accounts by ending active sessions and forcing credential resets. This is crucial when infostealers or suspicious MFA activity are detected, particularly following successful Zendesk credential compromise.
Initiate Host Scan: Initiate a comprehensive scan of affected endpoints following a successful phishing attack to identify signs of compromise, malware, or unauthorized changes. This enables rapid containment and remediation of compromised systems.
Disable User: Immediately disable compromised user or service accounts to block attacker movement after successful phishing or credential theft attempts, preventing lateral movement into core systems.
Your Action Plan
Require multifactor authentication (MFA) with hardware security keys, IP allowlisting, and session timeout policies for all Zendesk administrative and support accounts. Scattered Lapsus$ Hunters targets customer support platforms to harvest high-privilege credentials; restricting access vectors and enforcing continuous re-authentication during sensitive operations significantly raises the barrier for credential compromise and lateral movement.
Deploy proactive domain monitoring and DNS filtering to detect and block typosquatted Zendesk domains before they can be used in phishing campaigns. Use Digital Risk Protection to receive alerts when threat actors create domains impersonating your organization or Zendesk infrastructure, enabling rapid blocking and employee notification before credential harvesting attacks occur. Early detection of malicious domain registration patterns provides critical response time advantages.
Limit which employees can receive direct messages through Zendesk chat and implement content filtering to detect phishing links and credential-request patterns. Scattered Lapsus$ Hunters may use Zendesk's trusted chat function to distribute phishing links and social engineering pretexts; restricting this communication channel and monitoring for suspicious patterns can disrupt their primary attack delivery mechanism and reduce successful credential compromise incidents.
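The ticket-injection side of the campaign (fraudulent submissions carrying urgent admin or password-reset pretexts and malware attachments, described earlier in this post) and the content-filtering recommendation above can be covered by one inbound-ticket triage step. The following is an added example written for this post, not ReliaQuest’s or Zendesk’s code: it scores each new ticket on lookalike Zendesk links, pretext phrases, and executable attachments, and holds anything over a threshold for analyst review instead of routing it to an agent. The sample tickets, the pretext patterns, the attachment extension list, the point weights and the hold threshold are all assumptions made for the example; the lookalike-link check uses only a substring and “last two labels” rule, so it catches acme-zendesk.com and vpn-zendesk.com but not pure typosquats such as znedesk.com, which belong to domain monitoring rather than ticket filtering.

```python
"""Score inbound help-desk tickets for phishing and malware pretexts (added example)."""
import re
from urllib.parse import urlsplit

BRAND = "zendesk"
LEGIT_ZONES = {"zendesk.com"}  # assumption: the only legitimate Zendesk zone
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)

# Pretexts the post describes: urgent admin requests, password-reset asks,
# credential prompts, and "log in here" SSO lures. Patterns are assumptions.
PRETEXT_PATTERNS = {
    "password_reset": re.compile(r"\b(reset|recover)\b.{0,20}\bpassword\b", re.I),
    "urgency": re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I),
    "credential_request": re.compile(
        r"\b(verify|confirm|enter|send)\b.{0,30}\b(credentials|password|mfa|2fa|one[- ]time code)\b", re.I),
    "sso_lure": re.compile(r"\b(sso|single sign[- ]on|log ?in) (page|portal|link)\b", re.I),
}
# Assumed set of attachment extensions commonly used to deliver RAT droppers.
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".msi", ".bat", ".ps1")

WEIGHTS = {"lookalike_link": 3, "executable_attachment": 3, "pretext": 1}
HOLD_THRESHOLD = 3  # assumed: one strong signal is enough to hold a ticket


def lookalike_hosts(text: str) -> list:
    """Hosts that carry the brand name but are not under a legitimate zone."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if not host:
            continue
        registrable = ".".join(host.lower().split(".")[-2:])
        if BRAND in host.lower() and registrable not in LEGIT_ZONES:
            hits.append(host.lower())
    return hits


def triage_ticket(ticket: dict) -> dict:
    """Return score, reasons and action ('hold' or 'pass') for one ticket."""
    text = f"{ticket['subject']}\n{ticket['body']}"
    score, reasons = 0, []
    for host in lookalike_hosts(text):
        score += WEIGHTS["lookalike_link"]
        reasons.append(f"lookalike_link:{host}")
    for name, pattern in PRETEXT_PATTERNS.items():
        if pattern.search(text):
            score += WEIGHTS["pretext"]
            reasons.append(f"pretext:{name}")
    for fname in ticket.get("attachments", []):
        if fname.lower().endswith(EXECUTABLE_EXT):
            score += WEIGHTS["executable_attachment"]
            reasons.append(f"executable_attachment:{fname}")
    action = "hold" if score >= HOLD_THRESHOLD else "pass"
    return {"id": ticket["id"], "score": score, "reasons": reasons, "action": action}


def triage_all(tickets) -> list:
    return [triage_ticket(t) for t in tickets]


# Constructed sample tickets (not real submissions) illustrating the pretexts.
SAMPLE_TICKETS = [
    {"id": 1001, "subject": "URGENT: admin locked out",
     "body": "Our VPN admin is locked out. Please reset my password using the SSO portal "
             "at https://vpn-zendesk.com/sso and run the attached fix.",
     "attachments": ["account_fix.pdf.exe"]},
    {"id": 1002, "subject": "Export button error",
     "body": "The CSV export returns a 500. Docs at https://support.zendesk.com/hc/en-us "
             "say it should work. Screenshot attached.",
     "attachments": ["screenshot.png"]},
    {"id": 1003, "subject": "Access question",
     "body": "Can you confirm your login portal is https://acme-zendesk.com/login? "
             "I need to verify my credentials before tomorrow.",
     "attachments": []},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_TICKETS):
        print(result["id"], result["action"], result["score"], ", ".join(result["reasons"]))
```

Ticket 1001 collects every signal (lookalike link, password-reset and urgency pretexts, an SSO lure, and a double-extension executable) and is held; 1003 is held on the lookalike link plus two pretext phrases even with no attachment; 1002, a genuine bug report that links to support.zendesk.com, scores zero and flows to the agent queue. In practice the hold action should also strip or detonate the attachment and send the ticket to a reviewer who does not click links, since the whole point of the campaign is to reach the person who triages it.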
Note: ReliaQuest is communicating with and has shared its investigation findings with Zendesk.

