SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks

The notorious cybercrime collective known as Scattered LAPSUS$ Hunters (SLH) has been observed offering financial incentives to recruit women to pull off social engineering attacks.

The idea is to hire them for voice phishing campaigns targeting IT help desks, Dataminr said in a new threat brief. The group is said to be offering anywhere between $500 and $1,000 upfront per call, in addition to providing them with the necessary pre-written scripts to carry out the attack.

“SLH is diversifying its social engineering pool by specifically recruiting women to conduct vishing attacks, likely to increase the success rate of help desk impersonation,” the threat intelligence firm said.

A high-profile cybercrime supergroup comprising LAPSUS$, Scattered Spider, and ShinyHunters, SLH has a record of engaging in advanced social engineering attacks to sidestep multi-factor authentication (MFA) through techniques like MFA prompt bombing and SIM swapping. 

The group’s modus operandi also involves targeting help desks and call centers to breach companies by posing as employees and convincing them to reset a password or install a remote monitoring and management (RMM) tool that grants them remote access. Once initial access is obtained, Scattered Spider has been observed moving laterally to virtualized environments, escalating privileges, and exfiltrating sensitive corporate data.

Some of these attacks have further led to the deployment of ransomware. Another hallmark of these attacks is the use of legitimate services and residential proxy networks (e.g., Luminati and OxyLabs) to blend in and evade detection. Scattered Spider actors have used various tunneling tools like Ngrok, Teleport, and Pinggy, as well as free file-sharing services such as file.io, gofile.io, mega.nz, and transfer.sh.

In a report published earlier this month, Palo Alto Networks Unit 42, which is tracking Scattered Spider under the moniker Muddled Libra, described the threat actor as “highly proficient at exploiting human psychology” by impersonating employees to attempt password and multi-factor authentication (MFA) resets.

In at least one case investigated by the cybersecurity company in September 2025, Scattered Spider is said to have created and utilized a virtual machine (VM) after obtaining privileged credentials by calling the IT help desk and then used it to conduct reconnaissance (e.g., Active Directory enumeration) and attempt to exfiltrate Outlook mailbox files and data downloaded from the target’s Snowflake database.

“While focusing on identity compromise and social engineering, this threat actor leverages legitimate tools and existing infrastructure to blend in,” Unit 42 said. “They operate quietly and maintain persistence.”

The cybersecurity company also noted that Scattered Spider has an “extensive history” of targeting Microsoft Azure environments using the Graph API to facilitate access to Azure cloud resources. Also put to use by the group are cloud enumeration tools such as ADRecon for Active Directory reconnaissance.

With social engineering emerging as the primary entry point for the cybercrime group, organizations are advised to be on alert and train IT help desk and support personnel to watch out for pre-written scripts and polished voice impersonation, enforce strict identity verification, harden MFA policies by shifting away from SMS-based authentication, and audit logs for new user creation or administrative privilege escalation following help desk interactions.

“This recruitment drive represents a calculated evolution in SLH’s tactics,” Dataminr said. “By specifically seeking female voices, the group likely aims to bypass the ‘traditional’ profiles of attackers that IT help desk staff may be trained to identify, thereby increasing the effectiveness of their impersonation efforts.”

Update

In a follow-up analysis published on February 26, 2026, ReliaQuest said it observed the ShinyHunters extortion group likely shifting to branded subdomain impersonation combined with live, phone-guided, adversary-in-the-middle (AiTM) phishing, and mobile-first lures after the operator calls the end user using a help desk or support pretext. This includes registering domains that follow the format: “.sso-verify[.]com.”

The group is also said to be possibly reusing already exposed software-as-a-service (SaaS) records to build convincing pretexts and identify the “next best” person to conduct socially engineering attacks and create a repeatable access loop. This leads to a rapid identity-to-SaaS compromise, allowing a single valid SSO session or help-desk reset to enable broad access to sensitive data without dropping custom malware.

“It’s highly likely that this is a deliberate move away from using newly registered lookalike domains to an approach that can slip past traditional ‘new domain’ controls,” ReliaQuest said. “Two parallel developments further shorten the group’s time-to-impact: lures designed with mobile users in mind (reducing visibility in enterprise network monitoring and web filtering) and paid criminal outsourcing (to scale the group’s email-, SMS-, and phone-based outreach).”

While the impersonation patterns resemble tactics previously associated with Scattered Spider, the activity has been linked to ShinyHunters based on the hands-on-keyboard use of the subdomains during organization-facing vishing, end-to-end intrusion sequences consistent, and lure themes.

“ShinyHunters is scaling vishing-driven intrusions by outsourcing scripted, call-center–style tasks, and even harassment services to paid contractors,” it added. “The goal is likely to accelerate high-volume, low-cost pressure campaigns and coerce users into fast compliance by optimizing caller personas (including recruiting female callers). ShinyHunters calls this model the ‘SLH Operations Centre,’ a vishing operation built for volume and speed.”

When asked if the domain impersonation activity could be the work of the broader e-crime group, ReliaQuest told The Hacker News that, “Within our visibility, we do not have independently verifiable evidence that this subdomain impersonation activity should be attributed to a broader collective rather than ShinyHunters, though overlap remains possible.”

“We assessed ShinyHunters with high confidence primarily based on victimology, as the targeting corresponds with organizations ShinyHunters has named on its leak site,” the company added.

ReliaQuest said it has also seen Telegram messages stating that the groups only “unite” for certain social engineering operations, suggesting that while collaboration can indeed occur in some cases, there is no concrete evidence or insight into how the collective defines those collaborative efforts and whether this activity comes under that category.

(The story was updated after publication to include additional insights from ReliaQuest.)