
A notorious cybercrime group known as Scattered LAPSUS$ Hunters (SLH) has been observed offering financial incentives to recruit women to carry out social engineering attacks.
Dataminr said in a new threat brief that the group is considering hiring them for voice phishing campaigns targeting IT help desks. The group is said to offer upfront payments of between $500 and $1,000 per call, in addition to providing the pre-written scripts needed to carry out the attack.
“SLH is diversifying its social engineering workforce by specifically recruiting women to carry out its malicious attacks, likely increasing its success rate in impersonating help desks,” the threat intelligence firm said.
SLH, a high-profile cybercriminal supergroup composed of LAPSUS$, Scattered Spider, and ShinyHunters, has a history of engaging in sophisticated social engineering attacks that bypass multi-factor authentication (MFA) through techniques such as MFA prompt bombing and SIM swapping.
The group’s tactics include targeting help desks and call centers to infiltrate businesses by posing as employees and convincing staff to reset passwords or install remote monitoring and management (RMM) tools that allow remote access. After gaining initial access, Scattered Spider has been observed moving laterally into virtualized environments, escalating privileges, and leaking sensitive corporate data.
Some of these attacks also lead to the deployment of ransomware. Another characteristic of these attacks is the use of legitimate services and residential proxy networks (such as Luminati and OxyLabs) to evade detection. Scattered Spider attackers have used a variety of tunneling tools such as Ngrok, Teleport, and Pinggy, as well as free file sharing services such as file.io, gofile.io, mega.nz, and transfer.sh.
Palo Alto Networks Unit 42, which tracks Scattered Spider under the name Muddled Libra, said in a report released earlier this month that the attacker is “very adept at exploiting human psychology” by impersonating employees and attempting to reset passwords and multi-factor authentication (MFA).
In at least one incident investigated by the cybersecurity firm in September 2025, Scattered Spider allegedly called an IT help desk to obtain privileged credentials, then created a virtual machine (VM) that it used to perform reconnaissance (such as enumerating Active Directory) and attempt to steal Outlook mailbox files and data downloaded from the target’s Snowflake database.
“This threat actor leverages legitimate tools and existing infrastructure to blend in, while focusing on identity compromise and social engineering,” Unit 42 said. “They operate quietly and maintain persistence.”
The cybersecurity firm also noted that Scattered Spider has an “extensive history” of targeting Microsoft Azure environments using the Graph API to facilitate access to Azure cloud resources. The group also uses cloud enumeration tools such as ADRecon for Active Directory reconnaissance.
With social engineering emerging as a key entry point for cybercrime groups, organizations are encouraged to remain vigilant and train their IT help desk and support personnel to be wary of pre-written scripts and sophisticated voice spoofing. They are also encouraged to implement strict identity verification, move away from SMS-based authentication to strengthen MFA policies, and monitor audit logs for new user creation and elevation of administrative privileges associated with help desk interactions.
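One way to implement the audit-log monitoring recommended above, as an added example that is not from Dataminr or Unit 42: it flags help desk resets that are followed within a time window by account creation or role assignment involving the reset account. The event schema, account names, sample events and the four-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; the schema is hypothetical, not any product's format.
EVENTS = [
    {"ts": "2025-09-03T14:02:11", "action": "password_reset",
     "actor": "helpdesk-agent7", "target": "j.doe"},
    {"ts": "2025-09-03T14:05:40", "action": "mfa_method_registered",
     "actor": "j.doe", "target": "j.doe"},
    {"ts": "2025-09-03T14:31:02", "action": "user_created",
     "actor": "j.doe", "target": "svc-backup2"},
    {"ts": "2025-09-03T14:33:57", "action": "role_assigned",
     "actor": "j.doe", "target": "svc-backup2", "role": "Global Administrator"},
    {"ts": "2025-09-03T15:10:00", "action": "password_reset",
     "actor": "helpdesk-agent2", "target": "a.lee"},
    {"ts": "2025-09-04T09:00:00", "action": "user_created",
     "actor": "hr-provisioner", "target": "n.kim"},
]

HELPDESK_ACTIONS = {"password_reset", "mfa_reset"}
ALERT_ACTIONS = {"user_created", "role_assigned"}       # creation / elevation
CONTEXT_ACTIONS = ALERT_ACTIONS | {"mfa_method_registered"}

def correlate(events, window=timedelta(hours=4)):
    """Return one finding per help desk reset followed, within `window`,
    by user creation or role assignment done by or to the reset account."""
    parsed = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events),
                    key=lambda pair: pair[0])
    findings = []
    for i, (t0, reset) in enumerate(parsed):
        if reset["action"] not in HELPDESK_ACTIONS:
            continue
        account = reset["target"]
        follow = [e for t, e in parsed[i + 1:]
                  if t - t0 <= window
                  and e["action"] in CONTEXT_ACTIONS
                  and account in (e["actor"], e["target"])]
        # A new MFA method alone is expected after a reset; keep it as context
        # but alert only when creation or elevation also appears.
        if any(e["action"] in ALERT_ACTIONS for e in follow):
            findings.append({"account": account, "reset_by": reset["actor"],
                             "reset_at": reset["ts"],
                             "follow_up": [(e["ts"], e["action"], e["target"])
                                           for e in follow]})
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

The window is a tuning choice: too short misses slow follow-up activity, too long pairs unrelated routine administration with an earlier reset.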
“This recruitment drive represents a calculated evolution in SLH’s tactics,” Dataminr said. “By specifically soliciting female voices, the group is likely aiming to circumvent the ‘traditional’ profiles of attackers that IT help desk staff may be trained to identify, thereby increasing the effectiveness of their impersonation efforts.”
