{ "type": "Domain", "indicator": "znedesk.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/znedesk.com", "alexa": "http://www.alexa.com/siteinfo/znedesk.com", "indicator": "znedesk.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4154937901, "indicator": "znedesk.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69285c7359cfa7557887ab88", "name": "Scattered Lapsus$ Hunters Take Aim At Zendesk Users", "description": "A new campaign potentially linked to the Scattered Lapsus$ Hunters group is targeting Zendesk users. Over 40 typosquatted Zendesk domains have been discovered, featuring organizations' names or brands. These domains host phishing pages designed to harvest credentials. The campaign also involves submitting fraudulent tickets to Zendesk portals, aiming to infect support staff with remote access trojans. This follows similar attacks on other SaaS platforms like Salesforce. Discord may already be a victim, having suffered a breach via its Zendesk-based support system. Organizations are advised to implement strong authentication measures, conduct domain monitoring, and secure Zendesk chat to mitigate risks.", "modified": "2025-11-27T18:22:48.758000", "created": "2025-11-27T14:13:07.438000", "tags": [ "customer service", "saas platforms", "zendesk", "credential harvesting", "typosquatting", "phishing", "remote access trojans" ], "references": [ "https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk" ], "public": 1, "adversary": "Scattered Lapsus$ Hunters", "targeted_countries": [], "malware_families": [ { "id": "Remote Access Trojans", "display_name": "Remote Access Trojans", "target": null } ], "attack_ids": [ { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 386693, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "142 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693290eafb2e7b85bae29a02", "name": "The Next Target of Scattered LAPSUS$ Hunters Zendesk", "description": "Recent investigations by ReliaQuest have identified a series of suspicious domains related to Zendesk, including over 40 typosquatted variations and impersonating URLs such as http://znedesk.com and http://vpn-zendesk.com. This domain registration pattern is associated with a ransomware group known as Scattered LAPSUS$ Hunters (SLSH), who have previously targeted various sectors, including SaaS platforms like Salesforce, along with retail, insurance, and aviation industries.\n\nThe attacks executed by SLSH utilize a combination of social engineering techniques and phishing campaigns, which often involve the use of typosquatted domains. To enhance their effectiveness, these threat actors employ tools like Evilginx to circumvent multifactor authentication (MFA), thereby gaining unauthorized access to sensitive accounts and systems.", "modified": "2025-12-05T08:00:17.875000", "created": "2025-12-05T07:59:38.484000", "tags": [ "slsh", "zendesk", "saas", "hacker com", "salesloft drift", "gainsight", "it support", "monitor", "hunters", "force attack", "evilginx", "rover", "pandora", "restrict", "nordic" ], "references": [ "https://www.truesec.com/hub/blog/the-next-target-of-scattered-lapsus-hunters-zendesk" ], "public": 1, "adversary": "Nordic", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Retail", "Aviation", "Social Engineering" ], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "178 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69287bea01d964abe55715fd", "name": "Lapsus$ Hunters Impersonate Zendesk Environments", "description": "", "modified": "2025-11-27T16:27:22.149000", "created": "2025-11-27T16:27:22.149000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "185 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book1.csv", "https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk", "https://www.truesec.com/hub/blog/the-next-target-of-scattered-lapsus-hunters-zendesk" ], "related": { "alienvault": { "adversary": [ "Scattered Lapsus$ Hunters" ], "malware_families": [ "Remote access trojans" ], "industries": [ "Technology" ] }, "other": { "adversary": [ "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "Nordic" ], "malware_families": [], "industries": [ "Social engineering", "Aviation", "Retail" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69285c7359cfa7557887ab88", "name": "Scattered Lapsus$ Hunters Take Aim At Zendesk Users", "description": "A new campaign potentially linked to the Scattered Lapsus$ Hunters group is targeting Zendesk users. Over 40 typosquatted Zendesk domains have been discovered, featuring organizations' names or brands. These domains host phishing pages designed to harvest credentials. The campaign also involves submitting fraudulent tickets to Zendesk portals, aiming to infect support staff with remote access trojans. This follows similar attacks on other SaaS platforms like Salesforce. Discord may already be a victim, having suffered a breach via its Zendesk-based support system. Organizations are advised to implement strong authentication measures, conduct domain monitoring, and secure Zendesk chat to mitigate risks.", "modified": "2025-11-27T18:22:48.758000", "created": "2025-11-27T14:13:07.438000", "tags": [ "customer service", "saas platforms", "zendesk", "credential harvesting", "typosquatting", "phishing", "remote access trojans" ], "references": [ "https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk" ], "public": 1, "adversary": "Scattered Lapsus$ Hunters", "targeted_countries": [], "malware_families": [ { "id": "Remote Access Trojans", "display_name": "Remote Access Trojans", "target": null } ], "attack_ids": [ { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 386693, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "142 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693290eafb2e7b85bae29a02", "name": "The Next Target of Scattered LAPSUS$ Hunters Zendesk", "description": "Recent investigations by ReliaQuest have identified a series of suspicious domains related to Zendesk, including over 40 typosquatted variations and impersonating URLs such as http://znedesk.com and http://vpn-zendesk.com. This domain registration pattern is associated with a ransomware group known as Scattered LAPSUS$ Hunters (SLSH), who have previously targeted various sectors, including SaaS platforms like Salesforce, along with retail, insurance, and aviation industries.\n\nThe attacks executed by SLSH utilize a combination of social engineering techniques and phishing campaigns, which often involve the use of typosquatted domains. To enhance their effectiveness, these threat actors employ tools like Evilginx to circumvent multifactor authentication (MFA), thereby gaining unauthorized access to sensitive accounts and systems.", "modified": "2025-12-05T08:00:17.875000", "created": "2025-12-05T07:59:38.484000", "tags": [ "slsh", "zendesk", "saas", "hacker com", "salesloft drift", "gainsight", "it support", "monitor", "hunters", "force attack", "evilginx", "rover", "pandora", "restrict", "nordic" ], "references": [ "https://www.truesec.com/hub/blog/the-next-target-of-scattered-lapsus-hunters-zendesk" ], "public": 1, "adversary": "Nordic", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Retail", "Aviation", "Social Engineering" ], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "178 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69287bea01d964abe55715fd", "name": "Lapsus$ Hunters Impersonate Zendesk Environments", "description": "", "modified": "2025-11-27T16:27:22.149000", "created": "2025-11-27T16:27:22.149000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "185 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "znedesk.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "znedesk.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780326703.5679426 }