ReliaQuest has uncovered what appears to be a coordinated campaign by the threat group Scattered Lapsus$ Hunters (SLSH) to target organizations using the customer service platform Zendesk.
The findings, published in a new ReliaQuest blog, point to a sustained effort to weaponize help-desk workflows as a path into corporate systems.
Researchers identified a cluster of newly created infrastructure over the past six months, including typosquatted domains and impersonation URLs crafted to mimic legitimate Zendesk environments.
Many of these pages host phishing portals (some posing as SSO login screens) designed to steal user credentials before the genuine Zendesk authentication process even begins.
ReliaQuest also reports signs that attackers have been submitting fraudulent support tickets directly into real Zendesk portals. These tickets are engineered to infect customer service and IT support staff with remote-access trojans and other malware, turning frontline support teams into high-value entry points.
The activity is an escalation from SLSH’s earlier Zendesk-related attack on Discord in September this year, which resulted in the theft of user names, emails, billing data, IP addresses, and even government-issued IDs. At the time, the Discord breach appeared to be an isolated case.
ReliaQuest’s latest investigation suggests it was an early signal of a broader campaign.
In recent Telegram posts, an account linked to the group boasted that multiple operations are already underway and urged incident-response teams to “watch their logs” through the holiday period.
Analysts assess that the Zendesk-themed infrastructure is likely part of one of these campaigns, alongside the recent Gainsight breach.
Attribution is strengthened by the mix of crude and sophisticated domain spoofing, ranging from obvious lookalikes such as zondesk[.]com and znedesk[.]com to more advanced subdomain impersonation like live-chat.zendesk-support823[.]com and ap-beaconzendesk[.]com. This aligns with SLSH’s shift toward subdomain-based evasion techniques.
ReliaQuest expects SLSH (and actors copying their playbook) to continue exploiting customer-support platforms, which often lack the hardened controls applied to corporate email.
With attackers blending external phishing pages and internal ticket injection, the firm warns that help-desk systems now require the same level of monitoring and protection as any core business application.
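The two spoofing styles named above, near-miss spellings of the brand and the brand embedded in an unrelated domain, can be screened for in DNS or proxy logs. The following Python sketch is an added example, not code from ReliaQuest or the article; the allow-list containing only zendesk.com, the function names, and the sample hosts other than the four quoted domains are assumptions.

```python
import re

BRAND = "zendesk"
ALLOWED = ("zendesk.com",)  # assumption: extend with your tenant's custom support domains

def osa_distance(a, b):
    """Edit distance counting an adjacent swap (zen -> zne) as a single edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(host):
    """Return 'legitimate', 'brand-embedded', 'typosquat' or 'unrelated'."""
    host = host.replace("[.]", ".").strip().strip(".").lower()  # accept defanged input
    # Match on a label boundary so notzendesk.com is not mistaken for a subdomain.
    if any(host == d or host.endswith("." + d) for d in ALLOWED):
        return "legitimate"
    if BRAND in host:
        return "brand-embedded"
    # Compare each dot- or hyphen-separated token with the brand name.
    if any(osa_distance(tok, BRAND) == 1 for tok in re.split(r"[.-]", host)):
        return "typosquat"
    return "unrelated"

def flag_hosts(hosts):
    """Map each lookalike host to its verdict, dropping legitimate and unrelated ones."""
    verdicts = {h: classify(h) for h in hosts}
    return {h: v for h, v in verdicts.items() if v in ("brand-embedded", "typosquat")}

# Constructed input; the four [.]-defanged lookalikes are the domains quoted in the article.
SAMPLE_HOSTS = [
    "acme.zendesk.com", "example.org", "zendesk.com.login.example",
    "zondesk[.]com", "znedesk[.]com",
    "live-chat.zendesk-support823[.]com", "ap-beaconzendesk[.]com",
]

if __name__ == "__main__":
    for host, verdict in flag_hosts(SAMPLE_HOSTS).items():
        print(f"{verdict:15} {host}")
```

A hit is a lead for review rather than a verdict, since legitimate third-party domains can also contain the brand name.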
For full technical details, IoCs, and mitigations, read the complete ReliaQuest report.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.