Hackers affiliated with the Scattered Lapsus$ Hunters might be preparing a threat campaign against Zendesk environments, according to Reliaquest researchers.
About 40 typosquatting and impersonation domains mimicking Zendesk environments have been registered over the past six months, according to a blog published Wednesday by Reliaquest. Zendesk is a company that provides cloud-based customer service and sales software.
Some of the domains host phishing pages that contain fake single sign-on portals, which can be used to trick users and steal credentials, according to the blog.
Reliaquest researchers believe the campaign is already beginning to target Zendesk environments.
“The primary objective at this stage appears to be harvesting credentials from users within organizations that rely on Zendesk, such as system administrators or helpdesk personnel—likely due to their elevated permissions,” a Reliaquest spokesperson told Cybersecurity Dive via email.
The domains' registration records show several notable details, including Cloudflare-masked nameservers, U.S.- and U.K.-based registrant contact information and registration through NiceNik, according to Reliaquest.
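A defender watching new domain registrations wants a quick lexical screen for the kind of lookalike domains described above. The following is an added example written for this page, not Reliaquest's or Zendesk's tooling and not a reproduction of the 40 domains the researchers found; the brand name, the homoglyph table, the distance threshold and the sample domain list are all assumptions constructed for illustration. It flags the common impersonation patterns (brand on another TLD, homoglyph or hyphen variants, brand plus a keyword such as "sso", brand placed in a subdomain of an unrelated domain, and near-miss typos) while leaving the real domain and its tenant subdomains alone.

```python
"""Lexical screen for domains that impersonate a brand (example: Zendesk).

Added example for this article; not code from Reliaquest or Zendesk.
Homoglyph table, threshold and sample domains are assumptions.
"""
from typing import List, Optional, Tuple

# ASCII substitutions attackers use to imitate letters, folded back to the
# letter they stand for. Assumption: a small table is enough for a first pass.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Lower-case a DNS label, drop hyphens and fold homoglyph sequences."""
    s = label.lower().replace("-", "")
    for glyph, letter in HOMOGLYPHS.items():
        s = s.replace(glyph, letter)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = "zendesk") -> Optional[str]:
    """Return a reason string if `domain` looks like an impersonation of `brand`,
    or None if it is the brand's own domain or unrelated. Checks run from the
    strongest signal to the weakest. Assumption: the brand's real domain is
    <brand>.com and public suffixes are a single label (no PSL lookup)."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label, tld, subdomains = parts[-2], parts[-1], parts[:-2]
    if label == brand and tld == "com":
        return None  # zendesk.com itself or a tenant like acme.zendesk.com
    norm = normalize(label)
    if label == brand:
        return "brand-on-other-tld"       # zendesk.net, zendesk.help
    if norm == brand:
        return "homoglyph-or-hyphen"      # zend3sk.com, zen-desk.com
    if brand in norm:
        return "brand-combosquat"         # zendesk-sso.com, login-zendesk.com
    if any(brand in normalize(s) for s in subdomains):
        return "brand-in-subdomain"       # zendesk.com.support-portal.net
    if edit_distance(norm, brand) <= 2:   # threshold is an assumption
        return "typosquat"                # zemdesk.com, zendsek.com
    return None


def scan(domains: List[str], brand: str = "zendesk") -> List[Tuple[str, str]]:
    """Run classify() over a feed of domains and keep only the hits."""
    hits = []
    for d in domains:
        reason = classify(d, brand)
        if reason:
            hits.append((d, reason))
    return hits


# Constructed sample feed (not the domains from the Reliaquest research).
SAMPLE_FEED = [
    "zendesk.com", "acme.zendesk.com", "zendesk.net", "zend3sk.com",
    "zen-desk.com", "zendesk-sso.com", "zendesk.com.support-portal.net",
    "zemdesk.com", "example.com",
]

if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_FEED):
        print(f"{domain:40s} {reason}")
```

The lexical score is only a triage signal: a hit should then be enriched with the registration details the researchers describe (nameservers, registrar, registrant country) and a look at whether the site hosts a login form before anyone blocks or reports it.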
Researchers also say they have evidence the hackers are submitting fraudulent tickets to legitimate Zendesk portals operated by organizations that use the platform for customer service. The tickets are aimed at help-desk and support personnel and are designed to infect them with remote access Trojans and other types of malware, according to Reliaquest.
A spokesperson for Reliaquest said the researchers shared their findings with Zendesk.
“Our security team continuously monitors potential phishing sites, fraudulent domains or misuse of our trademarks for malicious activities,” a spokesperson for Zendesk told Cybersecurity Dive, via email. “We quickly respond to emerging threats, alert affected parties and implement protective measures when it is appropriate to ensure the security of our customers.”
Those registration details are similar to ones discovered in connection with an August campaign linked to Scattered Lapsus$ Hunters that targeted Salesforce environments, according to Reliaquest.
Zendesk and Hubspot late last month paused their connections with Gainsight after that company's customers were targeted in a threat campaign linked to Salesforce. Researchers at Google Threat Intelligence Group said last month they were investigating more than 200 cases in which Salesforce customers' data may have been compromised through their Gainsight connection.
Reliaquest said the Zendesk campaign comes two months after an attack linked to Discord. In that incident, hackers targeted a third-party vendor that Discord uses for customer service.
About 70,000 users may have had their government-ID photos exposed in that incident, according to a blog post from Discord. The stolen data concerned users who had contacted Discord's customer service or safety teams.
According to Discord, the attackers sought to extort a ransom from the company.
Editor’s note: Adds additional comment from Reliaquest.