Zero Chill: Lapsus$ Hunters Set Sights on Zendesk Customers

The Rising Threat of Scattered Lapsus$ Hunters: Targeting Zendesk Users

Understanding the Threat Landscape

Cybersecurity is an ever-evolving domain, and the notorious group known as Scattered Lapsus$ Hunters is at the forefront of recent hacking concerns. While opinions about these hackers vary—some deeming them a significant threat and others viewing them as overindulged tech enthusiasts—their readiness for another hacking spree is unmistakable. Reports indicate that they may be gearing up to target customers of the Zendesk customer support platform, raising alarms across the cybersecurity community.

Evidence of a New Campaign

ReliaQuest, a prominent cybersecurity firm, has gathered compelling evidence to support this theory. Their research unveiled a host of malicious domains associated with Zendesk, which have been strategically designed to deceive unsuspecting users. The discovery of these fake domains coincided with increasingly suspicious conversations on various messaging platforms frequented by the group. In November, one member hinted at plans to execute 3-4 campaigns, suggesting an organized effort that could extend into 2026.

Subscribers of these messaging channels are advised to remain vigilant. A recent message warned, “All the incident response folks should be prepared to monitor their logs during the upcoming holidays till January 2026, as #ShinyHuntazz is coming to collect your customer databases.”

Analyzing the Malicious Domains

The research by ReliaQuest pinpointed over 40 fraudulent domains that not only mimic the Zendesk branding but also host phishing content under the guise of legitimacy. These domains were all registered through a single entity, NiceNic, and feature contact information pointing to the US or UK, enhancing their deceptive nature. Moreover, they’re all hosted on Cloudflare-masked nameservers, which adds another layer of obscurity designed to mislead investigators.

The research team emphasized that these fraudulent elements bear striking similarities to previous Scattered Lapsus$ Hunters campaigns, particularly one targeting Salesforce back in August 2025. The attributes of the Zendesk-related domains, such as their format and registration specifics, echo the patterns identified in the earlier attack.
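The attributes described above (Zendesk-lookalike names, NiceNic registration, Cloudflare nameservers, US/UK contact details) can be turned into a triage score for newly observed domains. The following is an added example, not code from ReliaQuest or the original article. The record fields, the trusted suffix list, the digit-swap table and the sample records are all assumptions constructed for illustration.

```python
import re

TRUSTED = ("zendesk.com",)  # assumption: only registrable domain treated as legitimate
BRAND = "zendesk"
LOOKALIKE = str.maketrans("0135", "oles")  # constructed digit-for-letter swaps

def is_trusted(domain):
    d = domain.lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in TRUSTED)

def mimics_brand(domain):
    # Undo digit swaps and drop separators so "z3n-desk" still matches the brand.
    flat = re.sub(r"[-_.]", "", domain.lower().translate(LOOKALIKE))
    return BRAND in flat

def score(rec):
    """Return (score, reasons) for one WHOIS/DNS enrichment record."""
    if is_trusted(rec["domain"]) or not mimics_brand(rec["domain"]):
        return 0, []
    reasons = ["brand lookalike outside zendesk.com"]
    if "nicenic" in rec.get("registrar", "").lower():
        reasons.append("registrar NiceNic")
    if any(ns.lower().rstrip(".").endswith(".ns.cloudflare.com")
           for ns in rec.get("nameservers", [])):
        reasons.append("Cloudflare nameservers")
    if rec.get("registrant_country", "").upper() in {"US", "GB", "UK"}:
        reasons.append("US/UK registrant contact")
    return len(reasons), reasons

def triage(records):
    """Return flagged (domain, score, reasons) tuples, highest score first."""
    hits = [(r["domain"], *score(r)) for r in records]
    return sorted((h for h in hits if h[1] > 0), key=lambda h: -h[1])

# Constructed sample records (not real indicators; .example names are reserved).
SAMPLE = [
    {"domain": "acme.zendesk.com", "registrar": "Example Registrar",
     "nameservers": ["ns1.hosting.example"], "registrant_country": "US"},
    {"domain": "acme-zendesk-login.example", "registrar": "NICENIC INTERNATIONAL",
     "nameservers": ["ada.ns.cloudflare.com"], "registrant_country": "US"},
    {"domain": "z3ndesk-help.example", "registrar": "Example Registrar",
     "nameservers": ["ns1.hosting.example"], "registrant_country": "DE"},
    {"domain": "support.example.org", "registrar": "NICENIC INTERNATIONAL",
     "nameservers": ["bob.ns.cloudflare.com"], "registrant_country": "GB"},
]

if __name__ == "__main__":
    for domain, pts, why in triage(SAMPLE):
        print(pts, domain, "; ".join(why))
```

Substring matching on the brand name will also catch unrelated names that happen to contain it, so the score is a prioritisation aid for an analyst rather than a blocklist.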

Ongoing Cyber Attacks on Zendesk

ReliaQuest’s investigation has uncovered even more alarming details. Reports suggest that malicious tickets crafted to deploy remote access Trojans are already being submitted through legitimate Zendesk portals. This indicates a well-orchestrated “stealthy, highly targeted” hacking initiative that may well have already begun to unfold.

The group’s reach may extend further than suspected. Discord’s support system, which relies on Zendesk, suffered a breach that affected an alarming number of users. In September, Discord informed around 70,000 customers that their personal data had been compromised as a result of this breach.

The Scale of the Breach

Even more concerning, estimates from malware researcher vx-underground suggest the actual number of users affected could be far greater, potentially exceeding 2 million. According to their analysis, the hackers reportedly acquired a large stash of age verification-related photos, including driver’s licenses and passports, totaling approximately 1.5TB of data. This level of compromise raises significant concerns regarding privacy and data security.

In a striking revelation, vx-underground claimed, “Discord is being extorted by the people who compromised their Zendesk instance,” adding urgency to the situation. The sheer volume of malicious activity indicates that the Scattered Lapsus$ Hunters are not merely content with chaos; they are actively seeking to exploit and monetize their breaches.

The Loose Structure of Scattered Lapsus$ Hunters

One of the unique characteristics of the Scattered Lapsus$ Hunters is their unstructured composition. This collective is believed to be a merger of several loosely affiliated hacking groups, including ShinyHunters, Lapsus$, and Scattered Spider. This disorganization complicates efforts to attribute specific actions or attacks to them definitively, making them a more unpredictable threat.

Future Implications for Cybersecurity

Looking ahead, experts at ReliaQuest anticipate that the Scattered Lapsus$ Hunters, or similar groups, will likely continue targeting platforms like Zendesk and other customer support systems. These channels often remain under the radar compared to more scrutinized entry points, such as email traffic, making them especially appealing targets for cybercriminals.

As organizations grow increasingly reliant on customer service platforms, understanding and addressing these threats becomes more vital than ever. It’s essential to maintain vigilance and implement robust security measures to safeguard against the rising tide of cyber-incidents—especially during peak times when attacks are most likely to occur.
