
Scattered Lapsus$ Hunters Take Aim At Zendesk Users

By Team-CWD, November 27, 2025


The Scattered Lapsus$ Hunters group may be targeting Zendesk users in a new campaign, after a fresh batch of phishing domains and malicious helpdesk tickets was discovered, according to ReliaQuest.

The threat intelligence firm said it found over 40 typosquatted Zendesk domains and URLs featuring different organizations’ names or brands (e.g., organization-zendesk.com) that were created over the past six months.

Some domains, like znedesk[.]com and vpn-zendesk[.]com, host phishing pages, such as fake Zendesk single sign-on (SSO) portals, designed to harvest credentials.

All domains observed by ReliaQuest were registered through NiceNic and have US and UK registrant information and Cloudflare-masked nameservers.

“These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025,” ReliaQuest explained.

“The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals.”


The firm also claimed to have evidence that the threat group is submitting fraudulent tickets to Zendesk portals operated by clients of the SaaS customer service platform.

“These fake submissions are crafted to target support and help-desk personnel, infecting them with remote access trojans (RATs) and other types of malware,” it said.

“Targeting help-desk teams with these kinds of tactics often involves well-crafted pretexts, like urgent system administration requests or fake password reset inquiries. The goal is to trick support staff into handing over credentials or compromising their endpoints.”

Discord the First to Fall?

The campaign may already have its first victim, after Discord revealed a breach via a third-party customer service provider last month. Threat actors compromised its Zendesk-based support system, stealing user data including names, email addresses, billing information, IP addresses and government-issued ID information, ReliaQuest said.

The attacks on Zendesk customers follow those targeting Salesforce, Salesloft Drift and Gainsight, described as “high-value SaaS platforms with widespread organizational adoption and access to downstream customer data” by ReliaQuest.

However, the Zendesk campaign could also be the work of a copycat group, the company admitted.

The security vendor urged organizations to:

  • Require multi-factor authentication (MFA) with hardware security keys, as well as IP allowlisting and session timeout policies for all Zendesk administrative and support accounts
  • Conduct domain monitoring and DNS filtering to detect and block typosquatted Zendesk domains before they can be used in phishing campaigns
  • Secure Zendesk chat by limiting which employees can receive direct messages through it, and deploying content filtering to spot phishing links and credential-request patterns
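
The domain-monitoring recommendation can be prototyped over DNS query logs. The sketch below is an added example, not code from ReliaQuest or the original article: it flags the two patterns the report describes, the brand embedded in another name (vpn-zendesk, organization-zendesk) and near-miss spellings (znedesk). The log format, the single-domain allowlist and the distance threshold of 1 are assumptions.

```python
import re

BRAND = "zendesk"
LEGIT = "zendesk.com"   # assumption: only this domain and its subdomains are genuine

def osa_distance(a, b):
    """Edit distance that also counts an adjacent swap ('ne' for 'en') as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain):
    """Return 'legitimate', 'brand-embedded', 'typosquat' or 'unrelated'."""
    name = domain.lower().replace("[.]", ".").rstrip(".")   # refang and normalise
    if name == LEGIT or name.endswith("." + LEGIT):
        return "legitimate"
    for label in name.split(".")[:-1]:          # every label except the TLD
        if BRAND in label:                      # vpn-zendesk, organization-zendesk
            return "brand-embedded"
        if any(osa_distance(tok, BRAND) <= 1 for tok in re.split(r"[-_]", label)):
            return "typosquat"                  # znedesk
    return "unrelated"

# Constructed DNS query log (timestamp, client, qtype, qname); not real telemetry.
SAMPLE_LOG = """\
2025-11-27T10:00:01Z 10.0.0.5 A acme.zendesk.com
2025-11-27T10:00:07Z 10.0.0.9 A znedesk[.]com
2025-11-27T10:01:12Z 10.0.0.9 A vpn-zendesk[.]com
2025-11-27T10:02:30Z 10.0.0.7 A helpdesk.example.org
"""

def scan(log_text):
    """Return (client, qname, verdict) for every query worth an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                            # skip malformed lines
        verdict = classify(fields[3])
        if verdict in ("brand-embedded", "typosquat"):
            hits.append((fields[1], fields[3], verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Hits are leads for triage or candidates for a DNS blocklist; a production version would also cover homoglyphs and use a public-suffix list to find the registrable label.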
