Zendesk users targeted as Scattered Lapsus$ Hunters spin up fake support sites


Scattered Lapsus$ Hunters may be circling Zendesk users for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest.

Researchers say they found more than 40 typosquatted and impersonation domains – names like "znedesk.com" or "vpn-zendesk.com" – designed to mirror Zendesk's portals over the past six months. Some host fake single sign-on (SSO) pages aimed at harvesting credentials, while others are used to submit fraudulent tickets to helpdesk staff.

All share common registration hallmarks – the same registrar (NiceNic), US or UK contact details, and Cloudflare-masked nameservers – a profile almost identical to that of a previous impersonation campaign targeting Salesforce. That similarity leads security watchers to suspect the same criminal crew is behind both schemes: the "retired" Scattered Lapsus$ Hunters crew.
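The two domain patterns named above (a transposed brand name such as "znedesk.com" and a brand-plus-keyword name such as "vpn-zendesk.com") can be screened for in DNS or proxy logs. The sketch below is an added example, not ReliaQuest's or Zendesk's code; it covers only the name-based signal, not the registrar or nameserver hallmarks, and the function names, the one-edit threshold and every sample domain except the two quoted in the article are assumptions.

```python
import re

BRAND = "zendesk"
LEGIT = "zendesk.com"  # assumption: only this domain and its subdomains are genuine

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain):
    """Return 'legitimate', 'impersonation', 'typosquat' or None for a hostname."""
    host = domain.lower().rstrip(".")
    if host == LEGIT or host.endswith("." + LEGIT):
        return "legitimate"
    labels = host.split(".")
    # Brand string inside any label of a non-Zendesk domain: keyword or subdomain lure.
    if any(BRAND in label for label in labels):
        return "impersonation"
    # Near-miss of the brand in any hyphen/underscore-separated token.
    for token in (t for label in labels for t in re.split(r"[-_]", label) if t):
        if abs(len(token) - len(BRAND)) <= 1 and osa_distance(token, BRAND) == 1:
            return "typosquat"
    return None

# First two names are quoted in the article; the rest are constructed samples.
SAMPLE_QUERIES = [
    "znedesk.com", "vpn-zendesk.com", "acme.zendesk.com",
    "zendesk.com.login.example", "example.org",
]

def triage(domains):
    """Map each suspicious hostname to its verdict, dropping clean and legitimate ones."""
    verdicts = {d: classify(d) for d in domains}
    return {d: v for d, v in verdicts.items() if v not in (None, "legitimate")}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_QUERIES).items():
        print(f"{verdict:14} {name}")
```

A one-edit threshold keeps false positives low but misses longer misspellings and homoglyph substitutions, so hits are best treated as leads to correlate with registration data.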

"These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025," ReliaQuest's threat ...


Copyright of this story solely belongs to theregister.co.uk.