Scattered Lapsus$ Actors Register Over 40 Zendesk-Impersonating Domains

ReliaQuest researchers have uncovered a new campaign believed to be linked to the threat group “Scattered Lapsus$ Hunters,” involving more than 40 typosquatted domains that impersonate legitimate Zendesk environments.

The fake domains, registered over the past six months, include znedesk[.]com and vpn-zendesk[.]com, which closely resemble authentic Zendesk URLs.

Many of these sites host phishing pages and counterfeit single sign-on (SSO) portals designed to steal login credentials from unsuspecting users.

Several domains also blend corporate names with Zendesk branding to appear more authentic, tricking victims into entering sensitive information.

ReliaQuest noted consistent technical traits across the domains, including registration through NiceNic, US and UK contact information, and Cloudflare-masked nameservers.

These details closely match those from an earlier campaign that targeted Salesforce in August 2025, strengthening the attribution to Scattered Lapsus$ Hunters.

Expanding Supply-Chain Attack Strategy

The findings suggest a broader campaign by Scattered Lapsus$ Hunters to exploit customer support and SaaS platforms.

Recent activity mirrors previous attacks on the Salesforce, Salesloft, Drift, and Gainsight platforms, which are widely used across enterprises to manage customer data and service operations.

According to ReliaQuest, the malicious actors are likely submitting fraudulent tickets to legitimate Zendesk-based help desks.

These fake support requests contain links or attachments leading to remote access trojans (RATs) and other malware, potentially compromising IT or customer service staff. Once inside, the attackers can move laterally within the network to steal data or escalate privileges.

The group’s Telegram messages from November 2025 hinted at multiple ongoing campaigns, referencing “3–4 operations” planned through early 2026. This suggests the Zendesk activity could be one of several parallel efforts targeting SaaS supply chains.

Defensive Recommendations

ReliaQuest emphasized the need to treat customer support platforms, such as Zendesk, as critical infrastructure.

The firm recommends enforcing multifactor authentication with hardware tokens, IP allowlisting, and session timeouts for all administrative accounts.

Organizations should also monitor DNS records for new domain registrations mimicking Zendesk or internal naming conventions.

Using digital risk protection (DRP) tools, such as ReliaQuest’s GreyMatter platform, can provide early alerts on typosquatted domains, enabling faster blocking actions.

Detection rules and automated response playbooks, such as terminating sessions, deactivating compromised accounts, and scanning affected hosts, can further reduce attacker dwell time after phishing or credential compromise.

The Scattered Lapsus$ Hunters campaign underscores that customer support platforms are now a high-value target.

Security teams must closely monitor these systems and prepare for increasingly sophisticated social engineering and multi-vector threats as 2026 approaches.

Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates

The post Scattered Lapsus$ Actors Register Over 40 Zendesk-Impersonating Domains appeared first on Cyber Security News.