There's more to the Salesforce attacks than meets the eye
- Hackers targeting Zendesk users with typosquatted domains to steal credentials
- ReliaQuest found 40+ spoofed domains, linked to Salesforce campaign similarities
- Attackers submit fake Zendesk tickets to spread malware and steal support staff access
The notorious Scattered Lapsus$ Hunters gang, which famously targeted Salesforce users, is now targeting Zendesk users as well to try and steal login credentials and gain access to their sensitive information, experts have warned.
Security researchers from ReliaQuest claim that over the last six months, more than 40 typosquatted domains spoofing Zendesk were registered. In some instances, the domains contained brand names (for example businessname-zendesk[dot]com), and in other cases, they were relatively generic (vpn-zendesk[dot]com, for example).
All of the domains ReliaQuest found were registered through NiceNic, with either UK or US registrant information (likely stolen in earlier breaches) and Cloudflare-masked nameservers.
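The naming pattern described above can be turned into a check over hostnames pulled from DNS or proxy logs. The sketch below is an added example, not code from ReliaQuest or this article; the allowlist, the one-character near-miss rule (which goes beyond the two patterns quoted) and every sample hostname except the two quoted above are assumptions constructed for illustration.

```python
import re

BRAND = "zendesk"
LEGIT_SUFFIXES = ("zendesk.com",)  # assumption: extend with the vendor domains your tenant uses

def refang(host):
    """Lower-case a hostname and undo [dot] / [.] defanging used in reports."""
    return re.sub(r"\[(?:dot|\.)\]", ".", host.strip().lower()).rstrip(".")

def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if len(a) == len(b):
                i += 1          # substitution: advance both strings
        else:
            i += 1
        j += 1
    return edits + (len(b) - j) <= 1

def classify(host):
    """Label a hostname: legitimate, lookalike, near-miss or unrelated."""
    host = refang(host)
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return "legitimate"
    tokens = [t for t in re.split(r"[.\-_]", host) if t]
    if BRAND in tokens:
        return "lookalike"   # brand as its own token outside zendesk.com
    if any(within_one_edit(t, BRAND) for t in tokens):
        return "near-miss"   # one-character misspelling of the brand
    return "unrelated"

# First two hostnames are the patterns quoted in the article; the rest are constructed.
SAMPLE_HOSTS = [
    "businessname-zendesk[dot]com", "vpn-zendesk[dot]com", "acme.zendesk.com",
    "support.zendesk.com.sso-portal.example", "zendesc-helpdesk.example", "intranet.example",
]

def triage(hosts):
    """Return {hostname: label} for hosts that imitate the brand."""
    return {h: c for h in hosts if (c := classify(h)) in ("lookalike", "near-miss")}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_HOSTS).items():
        print(f"{label:10} {host}")
```

Matching on tokens rather than on a suffix string also catches hostnames that place `zendesk.com` in the middle of a longer name under a different registered domain.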
Also attacking Discord?
The researchers found the campaign while investigating the 2024 Salesforce incident, noting, “The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals.”
If this information is true, it would mean the Scattered Lapsus$ Hunters (SLH) group kept busy over the summer.
The researchers also said they saw the hackers trying to infect businesses with malware by submitting their own tickets to Zendesk portals.
“These fake submissions are crafted to target support and help-desk personnel, infecting them with remote access trojans (RATs) and other types of malware,” the report said.
“Targeting help-desk teams with these kinds of tactics often involves well-crafted pretexts, like urgent system administration requests or fake password reset inquiries. The goal is to trick support staff into handing over credentials or compromising their endpoints.”
Some publications are linking this campaign to the recent Discord incident. In October, the popular communications platform said its Zendesk account was breached, and sensitive data such as billing information, ID numbers, and email addresses were stolen. However, SLH denied any involvement. According to SOCRadar, the group said in its Telegram channel that it had nothing to do with this attack:
“We never took credit for the Discord Zendesk compromise. We actually did pop their Okta at the same time … vxunderground believed we were behind the Zendesk compromise. We never corrected him because it was hilarious and we know the truth would come out.”
Via Infosecurity Magazine
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.