Current Cyber Threats

SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks

Summary:
A recent intelligence brief from Dataminr has identified a tactical evolution in the operations of the cybercrime "supergroup" known as Scattered Lapsus$ Hunters (SLH). On February 22, 2026, researchers detected recruitment activity on public Telegram boards where the group, an alliance between Lapsus$, Scattered Spider, and ShinyHunters, was actively seeking female individuals to conduct voice phishing (vishing) attacks. To incentivize participation, SLH is offering upfront payments ranging from $500 to $1,000 per call and providing pre-written social engineering scripts. This campaign specifically targets IT help desks, with the goal of tricking support staff into resetting passwords, bypassing multi-factor authentication (MFA), or installing remote monitoring tools. By diversifying their "caller pool" to include female voices, the group likely aims to circumvent traditional behavioral profiles and biases that help desk personnel may have been trained to associate with cyber threat actors.


Security Officer Comments:
This development is a significant indicator of the "human-centric" shift in modern adversary tactics. SLH has historically been one of the most effective groups at breaching large-scale enterprises by exploiting the most vulnerable link: the help desk. Their transition to recruiting women is a calculated move to increase the success rate of impersonation. In many corporate cultures, there is an unconscious bias where female voices may be perceived as less threatening or more "authentic" during a high-pressure support call. For our member organizations, this means that traditional training, which often focuses on technical indicators, is no longer sufficient. This group is not just "hacking" systems; they are "hacking" the social dynamics of your IT support structure. Given SLH's history of targeting major service providers and infrastructure, a successful vishing call could lead to full tenant compromise, SIM swapping of executive accounts, or the deployment of ransomware across your environment.


Suggested Corrections:
  • Implement Out-of-Band (OOB) Verification: Require help desk staff to verify the caller's identity through a secondary, trusted channel—such as a push notification to a registered device or a manual check via internal messaging platforms (Slack/Teams)—before performing sensitive actions.
  • Mandatory Video Verification: For high-risk requests like MFA resets or password changes for privileged accounts, implement a policy requiring a brief video call to visually confirm the employee's identity.
  • Transition to FIDO2/Hardware Keys: Move away from SMS and "push-to-approve" MFA, which are highly susceptible to vishing and fatigue attacks. Hardware security keys (e.g., YubiKeys) provide the strongest defense against these credential-harvesting tactics.
  • Update Social Engineering Training: Revise security awareness modules to include diverse caller profiles. Emphasize that help desk staff must follow technical verification protocols regardless of the caller’s gender, tone, or perceived level of urgency.
  • Restrict Remote Support Tools: Audit and limit the use of remote monitoring and management (RMM) tools. Ensure that only pre-approved, enterprise-grade tools can be initiated, and alert security teams whenever an RMM tool is downloaded or executed by a non-admin user.
  • Establish a "Safe Word" or Token System: For organizations with high-security needs, implement a rotating daily token or "safe word" that employees must provide to the help desk to prove they are who they say they are during a phone-based request.
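
One way to build the rotating daily token from the last recommendation, as an added example that is not part of the original advisory. The employee IDs, enrolled secrets, 6-digit token length and 15-minute rollover grace period are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample data: per-employee secrets enrolled in person or over an
# already-trusted channel. In production these belong in a secrets store.
ENROLLED = {
    "jdoe": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "asmith": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
GRACE = timedelta(minutes=15)  # assumption: honour yesterday's token just after 00:00 UTC


def daily_token(secret: bytes, employee_id: str, day) -> str:
    """6-digit token bound to one employee and one UTC calendar day."""
    msg = f"{employee_id}|{day.isoformat()}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_caller(employee_id: str, spoken: str, now: datetime) -> bool:
    """Help-desk check; unknown IDs and wrong tokens fail the same way."""
    now = now.astimezone(timezone.utc)
    # Unknown IDs get a dummy secret so the work done does not reveal enrolment.
    secret = ENROLLED.get(employee_id, b"\x00" * 16)
    days = [now.date()]
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if now - midnight < GRACE:
        days.append(now.date() - timedelta(days=1))
    spoken = spoken.strip().replace(" ", "").encode()
    ok = False
    for day in days:
        expected = daily_token(secret, employee_id, day).encode()
        # Constant-time comparison: no hint about how many digits matched.
        ok |= hmac.compare_digest(expected, spoken)
    return ok and employee_id in ENROLLED
```

A token read out over the phone can be relayed by a coached employee, so this check supplements the out-of-band verification above rather than replacing it.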

Link(s):
https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html