
The cybercrime collective known as Scattered LAPSUS$ Hunters (SLH) has been identified recruiting women to carry out highly targeted voice phishing (vishing) attacks against corporate IT help desks, according to a new threat intelligence report from Dataminr.
The group is reportedly offering $500 to $1,000 per call upfront, along with pre-written social engineering scripts, to increase the success rate of impersonation-based attacks aimed at breaching enterprise networks.
Female Voices Used to Boost Vishing Success Rates
Dataminr states that SLH is deliberately diversifying its social engineering workforce by recruiting women, a move likely intended to exploit trust biases and evade detection by help desk personnel.
“SLH is expanding its social engineering pool by specifically recruiting women to conduct vishing attacks, likely to increase the effectiveness of IT help desk impersonation,” Dataminr noted.
This recruitment effort signals a tactical shift designed to bypass traditional attacker profiles that support teams are trained to recognize.
A Cybercrime Supergroup with Advanced Social Engineering Skills
SLH is a high-profile cybercrime alliance linked to LAPSUS$, Scattered Spider, and ShinyHunters. The group is well known for using advanced social engineering techniques to defeat security controls, including:
- MFA prompt bombing
- SIM swapping
- Help desk impersonation
- Credential harvesting
Their primary attack path involves posing as employees and persuading help desk staff to reset passwords or install remote monitoring and management (RMM) tools, which gives the attackers persistent remote access.
From Initial Access to Data Exfiltration and Ransomware
Once inside a target environment, Scattered Spider operators have been observed:
- Moving laterally across virtualized environments
- Escalating privileges
- Exfiltrating sensitive enterprise data
In several cases, these intrusions have escalated into ransomware deployments.
To avoid detection, the group frequently relies on legitimate tools and infrastructure, including residential proxy services such as Luminati and OxyLabs, as well as tunneling utilities like Ngrok, Teleport, and Pinggy. They also leverage popular file-sharing platforms such as mega.nz, file.io, gofile.io, and transfer.sh to move stolen data.
Unit 42: “Highly Proficient at Exploiting Human Psychology”
Earlier this month, Palo Alto Networks’ Unit 42 (which tracks Scattered Spider as Muddled Libra) described the group as exceptionally skilled at manipulating human behavior to facilitate password and MFA resets.
In one incident investigated in September 2025, attackers reportedly:
- Gained privileged credentials via an IT help desk call
- Created a virtual machine (VM)
- Conducted Active Directory reconnaissance
- Attempted to exfiltrate Outlook mailbox data and information from a Snowflake database
“While focusing on identity compromise and social engineering, this threat actor leverages legitimate tools and existing infrastructure to blend in,” Unit 42 said. “They operate quietly and maintain persistence.”
Cloud Environments a Key Target
Scattered Spider also has a documented history of targeting Microsoft Azure environments, using the Microsoft Graph API to enumerate and access cloud resources. Tools like ADRecon are commonly employed for directory and identity reconnaissance.
Defensive Recommendations for Organizations
With social engineering now the primary initial access vector, security teams are urged to:
- Train IT help desk staff to recognize scripted and polished vishing attempts
- Enforce strict identity verification procedures
- Move away from SMS-based MFA in favor of phishing-resistant MFA
- Audit logs for unusual account creation or privilege escalation after help desk interactions
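One way to run the log audit in the last recommendation, as an added example that is not from Dataminr, Unit 42 or the original article: it flags account creation or privileged role assignment involving an account that the help desk reset within the previous 24 hours. The event schema, event type names, account names and log lines are constructed assumptions, not a real product's log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed normalized schema:
# (time, event type, acting account, affected account).
EVENTS = [
    ("2025-09-03T09:12:00", "helpdesk_password_reset", "hd.agent7", "j.doe"),
    ("2025-09-03T09:20:00", "helpdesk_mfa_reset", "hd.agent7", "j.doe"),
    ("2025-09-03T09:41:00", "account_created", "j.doe", "svc-backup2"),
    ("2025-09-03T10:05:00", "privileged_role_assigned", "j.doe", "svc-backup2"),
    ("2025-09-03T11:00:00", "helpdesk_password_reset", "hd.agent2", "a.lee"),
    ("2025-09-04T08:00:00", "account_created", "it.admin", "new.hire"),
    ("2025-09-05T15:30:00", "account_created", "a.lee", "contractor-41"),
]

RESET_TYPES = {"helpdesk_password_reset", "helpdesk_mfa_reset"}
FOLLOW_UP_TYPES = {"account_created", "privileged_role_assigned"}


def correlate(events, window=timedelta(hours=24)):
    """Flag account creation or privilege grants that involve an account
    reset by the help desk no more than `window` earlier."""
    rows = sorted((datetime.fromisoformat(ts), kind, actor, target)
                  for ts, kind, actor, target in events)
    resets = {}    # account -> [(reset time, help desk agent), ...]
    findings = []
    for when, kind, actor, target in rows:
        if kind in RESET_TYPES:
            resets.setdefault(target, []).append((when, actor))
            continue
        if kind not in FOLLOW_UP_TYPES:
            continue
        # Check both sides: the reset account acting, or being granted rights.
        for account in dict.fromkeys((actor, target)):
            recent = [r for r in resets.get(account, [])
                      if when - r[0] <= window]
            if recent:
                findings.append({
                    "account": account,
                    "action": kind,
                    "object": target,
                    "minutes_after_reset": int((when - recent[0][0]).total_seconds() // 60),
                    "helpdesk_agents": sorted({r[1] for r in recent}),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Each finding names the help desk agents who handled the preceding resets, so the call record or ticket can be reviewed alongside the follow-up action.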
Dataminr concluded that this recruitment campaign reflects a calculated evolution in SLH’s tactics.
“By specifically seeking female voices, SLH likely aims to bypass preconceived attacker profiles, increasing the success rate of their impersonation-based attacks.”