Scattered Lapsus$ Hunters Zendesk targeting campaign
Campaign
Summary
The Scattered Lapsus$ Hunters campaign is targeting Zendesk users with typosquatted domains and malicious helpdesk tickets, raising the risk of credential theft and endpoint compromise. More than 40 domains were created over the past six months, many hosting deceptive Zendesk SSO pages. The activity also includes fraudulent ticket submissions aimed at support and help-desk staff. Those lures are designed to steal credentials or push malware onto employee systems.
Related Happenings
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Zendesk relay spam wave abusing fake support tickets
Campaign
First: 22.01.2026 01:46
Last: 22.01.2026 01:46
Sources 1
About this happening:
A **global spam wave** is abusing **Zendesk support systems** to flood recipients with automated confirmation emails, bypassing spam filters and creating widespread confusion. The...
Okitipi Samuel-RaccoonO365-Moses Felix alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 19.12.2025 21:05
Last: 19.12.2025 21:05
Sources 1
About this happening:
The **RaccoonO365** phishing platform functioned as a **phishing-kit service** sold to other criminals, expanding **Microsoft 365 credential theft** and account-compromise capacit...
Parked and typosquatting domains now redirect most visitors to scams and malware
Target Trend
First: 16.12.2025 16:14
Last: 16.12.2025 16:14
Sources 1
About this happening:
Large-scale experiments found **parked domains** and **typosquatting domains** now commonly send visitors to **scams**, **scareware**, or **malware**, turning routine mistyped nav...
Timeline
27.11.2025 11:30 2 articles · 6mo ago
Scattered Lapsus$ Hunters targets Zendesk users
Initial Disclosure
ReliaQuest says Scattered Lapsus$ Hunters is targeting Zendesk users with more than 40 typosquatted Zendesk domains created over the past six months, including znedesk[.]com and vpn-zendesk[.]com, deceptive Zendesk single sign-on (SSO) pages intended for credential theft, and fraudulent helpdesk tickets designed to trick support staff into exposing credentials or running RATs; the firm also says Discord may already have been affected through a Zendesk-based support system that exposed user data.
Sources:
- Scattered Lapsus$ Hunters Take Aim At Zendesk Users — www.infosecurity-magazine.com — 27.11.2025 11:30