The cybercrime collective calling itself Scattered LAPSUS$ Hunters (SLH) is now paying significant cash — between $500 and $1,000 per call upfront — to recruit women to conduct voice phishing (vishing) attacks against corporate IT support teams. This recruitment tactic was spotted in posts on Telegram channels and highlighted in a threat intelligence brief from Dataminr.
What SLH Is Doing
- SLH is specifically looking for female callers and supplying them with pre-written scripts to impersonate employees and trick help desk staff.
- The goal of these vishing calls is to manipulate IT support into performing actions such as resetting passwords or bypassing authentication controls, giving the attackers a foothold inside targeted networks.
- By recruiting women, SLH is likely trying to make the calls sound more credible and evade help desk training that might expect male attackers.
Who SLH Is
SLH isn’t a single gang but a super-collective of major cybercrime groups, including:
- LAPSUS$
- Scattered Spider
- ShinyHunters
These groups have a history of sophisticated social engineering attacks and high-profile breaches.
How Their Attacks Work
Once a voice phishing call gets a password reset or MFA change approved by an IT help desk:
- Initial Access & MFA Bypass:
  - They use the compromised credentials to enter networks.
  - SLH uses advanced techniques like MFA prompt bombing (repeated multifactor prompts until an employee approves one) and SIM swapping to defeat MFA protections.
- Stealthy Movement & Tools:
  - Attackers blend in using residential proxy networks (like Luminati and OxyLabs) so their connections look like normal user traffic.
  - They employ tunneling tools such as Ngrok, Teleport, and Pinggy, along with free file-sharing services (file.io, gofile.io, mega.nz, transfer.sh) to move around and exfiltrate data without triggering alerts.
- Reconnaissance & Escalation:
  - In documented breaches, attackers have built virtual machines inside victim environments after initial access to run reconnaissance tools (e.g., Active Directory enumeration).
  - Tools like ADRecon and Microsoft Graph API calls against Azure environments have been used to map systems and escalate privileges.
- Data Theft & Post-Exploitation:
  - SLH has been observed extracting data, including Outlook mailbox files and files from cloud platforms like Snowflake.
  - Some breaches have later evolved into ransomware deployments once the attackers had broad access.
Broader Modus Operandi
- In recent analysis, cybersecurity firm ReliaQuest noted that parts of the collective — especially ShinyHunters — might be shifting to branded subdomain impersonation combined with adversary-in-the-middle (AiTM) phishing tied to live phone pretexts.
- This includes registering domains like “<organization>.sso-verify[.]com” to get users to submit credentials in real time.
- There’s evidence they may be reusing exposed SaaS credentials to build convincing pretexts and automate access, allowing them to compromise identities quickly without deploying malware.
- ReliaQuest also reported that ShinyHunters refers to this expanded operation as the “SLH Operations Centre”, outsourcing scripted vishing and even harassment tasks to scale attacks efficiently.
What Organizations Should Do
Because human deception is now a key entry point:
- Train help desk and support staff to recognize polished scripts and convincing voice impersonation.
- Enforce strict identity verification, such as out-of-band checks or secondary confirmations, before doing password or MFA resets.
- Harden MFA by moving away from SMS-based methods toward stronger, phishing-resistant options like hardware security keys.
- Audit logs after help desk interactions for unexpected account creations or privilege escalations.
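The last recommendation can be turned into a simple correlation check: flag any account whose help-desk password or MFA reset is followed, within a short window, by a new MFA method, a new user, or a role or group change. The script below is an added example written for this article, not code from SLH research or from any vendor; the pipe-separated event format and the sample log are constructed, and the action names are assumptions, so map them to the schema of your own identity provider.

```python
"""Correlate help-desk resets with later sensitive changes on the same account.
Added example (constructed schema), not code from the article or any product."""
from datetime import datetime, timedelta

# Actions a help-desk agent performs for a caller (the vishing entry point).
HELPDESK_RESETS = {"password_reset", "mfa_method_reset"}
# Changes that should not normally follow such a reset without a change ticket.
SENSITIVE_CHANGES = {"mfa_method_added", "role_assigned", "user_created",
                     "group_membership_added"}

def parse_event(line):
    """Parse 'ISO-timestamp|actor|action|target' (constructed format) into a dict."""
    ts, actor, action, target = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target}

def find_suspicious_followups(lines, window_hours=24):
    """Return (account, reset_action, follow-up action, minutes_between) for every
    sensitive change done by or to an account within window_hours of its reset."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    window = timedelta(hours=window_hours)
    resets = {}  # account -> (timestamp, action) of its most recent help-desk reset
    hits = []
    for e in events:
        if e["action"] in HELPDESK_RESETS:
            resets[e["target"]] = (e["ts"], e["action"])
            continue
        if e["action"] not in SENSITIVE_CHANGES:
            continue
        # The reset account may be the one acting (actor) or the one changed (target).
        for account in dict.fromkeys((e["actor"], e["target"])):
            if account in resets:
                reset_ts, reset_action = resets[account]
                if timedelta(0) <= e["ts"] - reset_ts <= window:
                    mins = int((e["ts"] - reset_ts).total_seconds() // 60)
                    hits.append((account, reset_action, e["action"], mins))
    return hits

# Constructed sample log: a vished reset followed by MFA enrolment and a new admin,
# plus a benign reset whose follow-up falls outside the window.
SAMPLE_LOG = """
2024-05-01T09:02:00|helpdesk.agent|password_reset|j.doe
2024-05-01T09:15:00|j.doe|mfa_method_added|j.doe
2024-05-01T10:40:00|j.doe|user_created|svc-backup2
2024-05-01T11:00:00|j.doe|role_assigned|svc-backup2
2024-05-02T08:00:00|helpdesk.agent|password_reset|a.smith
2024-05-04T08:30:00|a.smith|group_membership_added|a.smith
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious_followups(SAMPLE_LOG):
        print("REVIEW: account %s reset via %s, then %s after %d min" % hit)
```

In practice the reset events come from the help-desk ticketing or identity-provider audit trail and the sensitive changes from directory or cloud IAM logs; the window should match how long a legitimate user normally takes to re-enrol after a reset.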
