
Zero chill: Scattered Lapsus$ Hunters' next target could be Zendesk customers

Security researchers believe Qantas & Salesforce hackers could be in the middle of a campaign targeting users of the popular help desk platform.

Whether you think they’re one of the most dire cyber threats around today, or just a bunch of spoiled brats, the collective known as Scattered Lapsus$ Hunters may be tooling up for another widespread hacking campaign, this time targeting users of the Zendesk customer support platform.

Security researchers at ReliaQuest have put together a trail of clues supporting this hypothesis, from the creation of a whole stream of malicious Zendesk-related domains to chatter on the hacking group’s chaotic web of Telegram and other messaging channels.

"Wait for 2026, we are running 3-4 campaigns atm [at the moment]," one message, from early November, said.

"all the IR (incident response) people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases," said another, later message.

ReliaQuest observed more than 40 domains that mimic Zendesk branding and host either phishing pages or pages containing references to “multiple different organisations’ names or brands within the URL,” making the pages seem even more trustworthy. The malicious domains were also all registered through the same registry, NiceNic, all have US or UK-based contact information, and all are hosted on Cloudflare-masked nameservers.

“These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025,” ReliaQuest’s Threat Research Team said in a November 26 blog post.

“The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals.”

According to ReliaQuest, fraudulent tickets designed to deploy remote access trojans are already being submitted to legitimate Zendesk portals, providing further evidence of a “stealthy, highly targeted” hacking campaign.

In fact, the campaign may have already begun, with Scattered Lapsus$ Hunters thought to be behind the breach of Discord’s Zendesk-based support system in September. The community messaging platform notified some 70,000 of its customers that their data had been compromised in the incident.

“This incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams,” Discord said in an 8 October update to its breach disclosure.

“Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government ID photos exposed, which our vendor used to review age-related appeals.”

However, malware researcher vx-underground suggested the number of impacted Discord users could be more than two million.

“Discord is being extorted by the people who compromised their Zendesk instance,” vx-underground said in a post to X.

“They’ve got 1.5TB of age verification-related photos. 2,185,151 photos.

“tl;dr 2.1m Discord users’ driver’s license and/or passport might be leaked. Unknown number of e-mails.”

All that aside, the loose structure of the group – thought to be an amalgamation of three similarly loose hacking groups: ShinyHunters, Lapsus$, and Scattered Spider – makes attribution difficult.

“Looking ahead, ReliaQuest expects Scattered Lapsus$ Hunters – or imitators – to keep abusing Zendesk and similar customer support platforms,” ReliaQuest said.

“These platforms often fly under the radar compared to more heavily monitored channels like inbound email traffic, making them an attractive target.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
