A cybercrime network known as Scattered LAPSUS$ Hunters, or SLH, is offering financial rewards ranging from $500 to $1,000 per call to recruit women for voice phishing operations targeting corporate IT help desks.
The development was detailed in a threat intelligence brief published by Dataminr. According to the firm, recruits are provided with prepared scripts and paid upfront for participating in impersonation calls designed to trick help desk staff into granting account access. Analysts assess that specifically seeking female callers may be an intentional tactic to improve credibility and increase the likelihood of successful password or multi-factor authentication resets.
SLH is described as a high-profile cybercrime alliance associated with actors tied to LAPSUS$, Scattered Spider, and ShinyHunters. The group has previously demonstrated the ability to bypass multi-factor authentication using methods such as MFA prompt flooding and SIM swapping.
A core component of its intrusion strategy involves directly contacting help desks or call centers while posing as legitimate employees. Attackers attempt to persuade support staff to reset credentials or deploy remote monitoring and management software that enables persistent remote access. Once inside a network, Scattered Spider operators have been observed moving laterally into virtualized infrastructure, elevating privileges, and extracting sensitive enterprise information. In some incidents, the intrusion progressed to ransomware deployment.
To blend into legitimate traffic and evade detection, the actors routinely leverage trusted infrastructure and residential proxy services, including Luminati and OxyLabs. They have also used tunneling tools such as Ngrok, Teleport, and Pinggy, along with file-sharing platforms like file.io, gofile.io, mega.nz, and transfer.sh to transfer stolen data.
Earlier this month, Palo Alto Networks Unit 42, which tracks Scattered Spider under the alias Muddled Libra, described the actor as highly adept at manipulating human psychology. In one September 2025 investigation, attackers reportedly obtained privileged credentials through a help desk call, created a virtual machine, conducted Active Directory enumeration, and attempted to extract Microsoft Outlook mailbox data along with information downloaded from a Snowflake database.
Unit 42 also documented the group’s extensive targeting of Microsoft Azure environments through the Graph API to gain access to cloud resources. Tools such as ADRecon have been deployed to map directory structures and identify valuable assets.
Dataminr characterized the recruitment campaign as a calculated evolution in tactics, suggesting that the use of female voices may help bypass preconceived attacker profiles that help desk staff are trained to recognize.
Update: Shift Toward Branded Subdomain Impersonation and Mobile-Focused Phishing
In a follow-up assessment dated February 26, 2026, ReliaQuest reported observing ShinyHunters potentially transitioning to branded subdomain impersonation paired with live adversary-in-the-middle phishing and phone-guided social engineering. Observed domains followed formats resembling “organization.sso-verify.com.”
Researchers indicated that the group may be reusing previously exposed software-as-a-service records to craft convincing scenarios and identify the most effective internal targets. This method can enable rapid identity compromise and SaaS access through a single valid single sign-on session or help desk reset, without deploying custom malware.
ReliaQuest assessed that moving away from newly registered lookalike domains could help evade traditional domain-age detection controls. Simultaneo
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: