Zendesk Users Face Sophisticated Scattered Lapsus$ Hunters Attack


According to TheRegister.com, ReliaQuest researchers have identified over 40 typosquatted and impersonation domains targeting Zendesk users over the past six months. These fake domains like “znedesk.com” and “vpn-zendesk.com” host credential-harvesting pages and submit malicious tickets to legitimate helpdesk systems. The campaign shares identical registration patterns with August 2025’s Salesforce attack, strongly suggesting the same Scattered Lapsus$ Hunters group is responsible. This group previously claimed responsibility for the September 2025 Discord breach and November 2025 Gainsight compromise. The attackers are now warning on Telegram about multiple active campaigns through January 2026, specifically threatening to collect customer databases.


The Helpdesk Hijack Strategy

Here’s what makes this particularly clever – and dangerous. Instead of trying to breach corporate firewalls directly, these attackers are exploiting the trust relationships built into support systems. When you submit a ticket to a company’s helpdesk, that ticket gets processed by real employees who inherently trust the system they’re working in. So if attackers can slip malicious content into that workflow, they’re essentially getting invited through the front door.

And that’s exactly what’s happening. ReliaQuest found these attackers are submitting “toxic tickets” that could drop remote-access trojans directly onto agents’ machines. Once they compromise one support agent’s computer, they can pivot across the entire corporate network. Basically, they’re turning customer support into their initial attack vector.
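One defensive check a helpdesk team can run against the lookalike domains and toxic tickets described above: screen the sender address and every link in an inbound ticket for Zendesk typosquats (edit-distance near the brand) and brand-embedded hostnames. This is an added example, not code from the article, ReliaQuest or Zendesk; the legitimate apex list, the crude two-label apex extraction and the sample ticket are assumptions.

```python
import re
from urllib.parse import urlparse

BRAND = "zendesk"
LEGIT_APEX = {"zendesk.com"}  # assumption: the only apex this org expects to see

def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance; 'znedesk' vs 'zendesk' is one transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_host(host: str) -> str:
    """Return 'legit', 'typosquat', 'brand-embedded' or 'unrelated' for one hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unrelated"
    apex = ".".join(labels[-2:])  # crude apex: last two labels, no public-suffix list
    if apex in LEGIT_APEX:
        return "legit"
    if osa_distance(labels[-2], BRAND) <= 2:  # znedesk.com, zendeks.com, zendesk.co
        return "typosquat"
    if BRAND in host.lower():  # vpn-zendesk.com, zendesk.com.evil.example
        return "brand-embedded"
    return "unrelated"

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def screen_ticket(sender: str, body: str) -> list[tuple[str, str]]:
    """List every (host, verdict) from the sender address and body links that is not legit."""
    hosts = [sender.rsplit("@", 1)[-1]]
    hosts += [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    verdicts = [(h, classify_host(h)) for h in hosts if h]
    return [v for v in verdicts if v[1] != "legit"]

# Constructed sample ticket (not a real message); the two domains are the ones the article quotes.
SAMPLE_TICKET = ("support@znedesk.com",
                 "Your agent session expired, re-authenticate at https://vpn-zendesk.com/login "
                 "or see https://help.zendesk.com/docs for details.")
# screen_ticket(*SAMPLE_TICKET) -> [('znedesk.com', 'typosquat'), ('vpn-zendesk.com', 'brand-embedded')]
```

Run the flagged hosts through your ticket-intake filter or SIEM rather than relying on agents to spot the swapped letters by eye.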

The Cybercrime Supergroup

Scattered Lapsus$ Hunters represents something new in the cybercrime world – a merger of specialized talent. You’ve got social engineering experts from Scattered Spider, data theft veterans from ShinyHunters, and extortion specialists from Lapsus$. It’s like they formed a supergroup specifically tuned to exploit modern enterprise IT environments.

And their timing is perfect. With more than 100,000 companies using Zendesk for support workflows, compromising this single platform gives them potential access to thousands of organizations. Think about it – every company using Zendesk becomes a potential target through this one attack vector. That’s why industrial companies relying on complex support systems should be particularly vigilant about these types of social engineering attacks targeting their operational technology infrastructure.

A Structural Shift in Cyber Attacks

This represents a fundamental change in how sophisticated attackers operate. They’re not hunting for zero-days or trying to break through hardened network perimeters anymore. Instead, they’re weaponizing identity and trust in the SaaS tools that companies rely on every day.

Look at the pattern: Salesforce in August, Discord in September, Gainsight in November, and now Zendesk. These aren’t random targets – they’re core business platforms that thousands of companies trust implicitly. When your customer relationship management, support ticketing, and success platforms become attack vectors, where does that leave traditional security models?

The scary part? This is probably just the beginning. The group’s Telegram warning about “3-4 campaigns” running simultaneously suggests they’ve built a scalable approach to this type of attack. And with their bragging about coming to “collect your customer databases,” every company using these platforms needs to be reviewing their helpdesk security right now.
