A sophisticated cyber threat group known as Scattered Lapsus$ has launched a widespread campaign targeting Zendesk, a widely used customer support platform. The group has registered over 40 deceptive domains designed to mimic legitimate Zendesk environments, employing typosquatting and Cloudflare-masked nameservers to bypass security measures and capture user credentials. This latest offensive marks a significant shift in the group’s tactics, demonstrating an increased focus on exploiting supply-chain vulnerabilities.
According to security analysts at ReliaQuest, the campaign leverages these fraudulent Single Sign-On (SSO) portals to harvest high-privilege credentials. The infrastructure used in this operation shares similarities with previous attacks on Salesforce in August 2025, suggesting a coordinated and evolving strategy. Once access is gained, attackers can move laterally within a compromised corporate network, potentially leading to the theft of sensitive customer data, including billing information and government IDs, reminiscent of the Discord breach in September 2025.
Weaponizing Zendesk Support Tickets for Cyber Espionage
A particularly concerning aspect of the Scattered Lapsus$ campaign is its innovative approach to bypassing traditional perimeter defenses by directly weaponizing legitimate support tickets within Zendesk. Instead of relying solely on external phishing emails, the threat actors submit fraudulent tickets into an organization’s support portal. These fabricated requests are designed to appear urgent, often masquerading as system administration issues or password reset demands, thereby compelling support agents to act quickly without adequate verification.
Embedded within these malicious support tickets are links to the typosquatted domains or direct links to malware payloads. When a help-desk employee interacts with these compromised tickets, they may inadvertently download Remote Access Trojans (RATs). This grants the attackers persistent remote control over the compromised systems, enabling them to execute commands and monitor user activity undetected. The group has reportedly boasted about these operations, warning incident response teams to monitor their logs closely for impending data exfiltration efforts, particularly targeting customer databases ahead of the 2026 holiday season.
The use of Zendesk, a platform relied upon by numerous global enterprises for customer interaction and support, makes this attack vector particularly potent. By compromising this critical communication channel, Scattered Lapsus$ gains a trusted pathway into the internal networks of its targets. This advanced technique highlights the evolving sophistication of cybercriminal tactics, moving beyond simple phishing to exploit the very tools businesses use to operate and support their customers.
The group’s ability to maintain operational secrecy through techniques like using Cloudflare-masked nameservers is crucial to the longevity and success of their campaigns. This allows them to continue their malicious activities long enough to achieve their objectives before detection and mitigation efforts can be fully implemented. The observed patterns in domain registration and attack methodologies suggest a highly organized entity consistently refining its approach to maximize impact and minimize risk of exposure.
Moving forward, organizations using Zendesk and similar customer support platforms must prioritize enhanced security measures. This includes robust training for support staff on identifying and handling suspicious tickets, implementing multi-factor authentication for all accounts accessing the platform, and strengthening endpoint security to detect and neutralize RATs. The threat actors’ stated intention to target customer databases in anticipation of the 2026 holiday season underscores the urgency for businesses to proactively review and bolster their defenses against these evolving supply-chain attacks.
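One concrete control that complements agent training is to scan inbound ticket bodies for links whose domain merely resembles zendesk.com. The following is an added illustration, not code from the article or from ReliaQuest or Zendesk: the ticket text, the lookalike domains, the 0.8 similarity threshold and the naive two-label registered-domain logic are all constructed assumptions for this example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

BRAND = "zendesk"                 # brand the lookalike domains imitate
LEGIT_DOMAINS = {"zendesk.com"}   # legitimate registered domain (assumed list)
SIMILARITY_THRESHOLD = 0.8        # heuristic cutoff chosen for this example

URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.IGNORECASE)

def classify_url(url):
    """Classify a URL as legit, typosquat, brand-subdomain or unrelated."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Naive eTLD+1: the last two labels (does not handle co.uk-style suffixes)
    registered = ".".join(labels[-2:])
    if registered in LEGIT_DOMAINS:
        return "legit"
    # Typosquat: a hyphen-separated token of the second-level label equals,
    # contains, or nearly matches the brand (e.g. zemdesk-sso.com)
    for token in labels[-2].split("-"):
        if BRAND in token or SequenceMatcher(None, token, BRAND).ratio() >= SIMILARITY_THRESHOLD:
            return "typosquat"
    # Brand appears only as a subdomain of an unrelated registered domain
    if BRAND in labels[:-2]:
        return "brand-subdomain"
    return "unrelated"

def flag_ticket(body):
    """Return (url, verdict) pairs for every non-legitimate link in a ticket body."""
    return [(url, classify_url(url)) for url in URL_RE.findall(body)
            if classify_url(url) != "legit"]

# Constructed sample ticket mimicking the urgent password-reset lure described above
SAMPLE_TICKET = (
    "URGENT: admin password reset required. Sign in at "
    "https://zemdesk-sso.com/login to restore access. "
    "Our portal is https://support.acme.zendesk.com/agent for reference. "
    "Verify at https://zendesk.sso-verify.example/login"
)

if __name__ == "__main__":
    for url, verdict in flag_ticket(SAMPLE_TICKET):
        print(f"{verdict:16} {url}")
```

Flagged tickets can be routed to a verification queue rather than handled directly by the agent who received them.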