Urgent Alert: Hackers Launch Campaign Targeting Zendesk Users

UPDATE: Hackers affiliated with the Scattered Lapsus$ Hunters are launching a **threat campaign** targeting Zendesk environments, alarming cybersecurity experts. New research from Reliaquest reveals that approximately **40 typoquatting and impersonating domains** have been registered over the past six months to mimic Zendesk’s services.

This urgent situation comes as users of Zendesk, a leading cloud-based customer service platform, are at heightened risk of credential theft. The fraudulent domains host phishing pages designed to capture login information through fake single sign-on portals. According to Reliaquest, the campaign is already underway, with a focus on extracting credentials from users, particularly **system administrators** and **helpdesk personnel**, who hold significant access privileges.

“**The primary objective at this stage appears to be harvesting credentials** from users within organizations that rely on Zendesk,” a spokesperson for Reliaquest stated. The researchers uncovered critical details about the domains, including Cloudflare-masked nameservers and registrant information based in the US and UK, pointing to a sophisticated operation.

The threat escalates as evidence suggests that hackers are submitting fraudulent tickets to legitimate Zendesk portals. These tickets are strategically aimed at helpdesk and support staff, with the intent to infect systems with remote access trojans and other malware.

Officials from Zendesk have confirmed they are actively monitoring potential phishing sites and fraudulent domains. “Our security team continuously monitors and quickly responds to emerging threats,” a Zendesk representative assured, emphasizing their commitment to protecting customer security.

The alarming tactics mirror similar details from an August 2025 campaign linked to Scattered Lapsus$ Hunters that targeted Salesforce environments. Just last month, Zendesk and HubSpot halted connections with Gainsight after its customers were implicated in a related threat campaign.

This Zendesk breach comes on the heels of another significant incident involving Discord, where hackers targeted a third-party vendor that handles customer service. That breach exposed personal information of approximately **70,000 users**, including sensitive government ID photos. Discord reported that the attackers intended to extract ransom from the affected individuals.

As this situation develops, organizations using Zendesk are urged to implement immediate security measures. Users should be vigilant for suspicious activity and consider changing passwords to enhance their protection against potential phishing attempts.

Stay tuned for further updates as authorities continue to investigate this unfolding threat.