SLH Pays Women $500–$1,000 Per Call for IT Vishing Attacks

By alex2404

The going rate to compromise a Fortune 500 company’s entire network is now a thousand dollars and a phone script.

That’s the economic reality exposed in a new threat brief documenting how the cybercrime collective known as Scattered LAPSUS$ Hunters (SLH) is actively recruiting women to conduct voice phishing attacks against corporate IT help desks — paying between $500 and $1,000 upfront per call, complete with pre-written scripts designed to manipulate support staff into resetting passwords or installing remote access tools.

The strategy is deliberate and coldly calculated. Threat intelligence firm Dataminr assessed that SLH is “diversifying its social engineering pool by specifically recruiting women to conduct vishing attacks, likely to increase the success rate of help desk impersonation.” The logic is simple and troubling: IT help desk staff are typically trained to flag certain behavioral profiles. Female voices fall outside that narrow mental model. By recruiting around that bias, SLH effectively turns an organization’s own training assumptions into a vulnerability.

SLH is no ordinary criminal outfit. The supergroup comprises LAPSUS$, Scattered Spider, and ShinyHunters — each with documented histories of breaching major organizations through psychological manipulation rather than technical exploits. Their toolkit bypasses multi-factor authentication through MFA prompt bombing and SIM swapping. They impersonate employees convincingly enough to get help desks to hand over access or install remote monitoring and management tools. Once inside, they move laterally into virtualized environments, escalate privileges, vacuum up sensitive corporate data, and in some cases deploy ransomware.

They also know how to disappear inside a network. The group routinely uses legitimate services — file-sharing platforms like mega.nz, gofile.io, and transfer.sh — alongside residential proxy networks including Luminati and OxyLabs to blend in with normal traffic. Tunneling tools like Ngrok and Pinggy further obscure their movements. Palo Alto Networks Unit 42, tracking this actor under the name Muddled Libra, confirmed in a September 2025 investigation that Scattered Spider called an IT help desk, obtained privileged credentials, then spun up a virtual machine to conduct Active Directory enumeration and attempt to exfiltrate Outlook mailbox files and Snowflake database records. “They operate quietly and maintain persistence,” Unit 42 noted.

The group’s affinity for Microsoft Azure environments adds another layer of exposure. Using the Graph API, SLH actors systematically enumerate cloud resources, with tools like ADRecon accelerating their reconnaissance inside Active Directory. The combination of legitimate-looking access methods and methodical cloud exploitation makes detection exceptionally difficult once a foothold is established.

The evolution doesn’t stop at voice recruitment. In a February 2026 analysis, ReliaQuest documented what appears to be the ShinyHunters faction shifting toward branded subdomain impersonation, registering domains in the pattern of `.sso-verify[.]com` to combine adversary-in-the-middle phishing with live phone-guided attacks targeting mobile users. The group is also reportedly mining already-exposed SaaS records to build convincing backstories, identify the targets within an organization most susceptible to social engineering, and manufacture a repeatable access loop.

What makes SLH genuinely dangerous isn’t any single technique — it’s the system. The group iterates. It recruits. It conducts market research on its victims using their own leaked data. Dataminr described the female recruitment drive as “a calculated evolution in SLH’s tactics,” one specifically engineered to defeat training programs that assume a narrower threat profile.

Organizations should enforce strict identity verification protocols independent of voice recognition, harden MFA policies by retiring SMS-based authentication, and treat every post-help-desk-interaction log as a potential compromise indicator — because in SLH’s playbook, the phone call isn’t the attack. It’s the door.
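One way to act on the last recommendation, shown as an added example that is not from the reporting or from any vendor named above: correlate each help desk reset with what the same account does next. The event schema, field names, the 24-hour window, and the tunnel hostnames `ngrok.io` and `pinggy.io` are assumptions; the sample events are constructed.

```python
from datetime import datetime, timedelta

# Services named in the article; the two tunnel hostnames are assumed suffixes.
WATCHED_DOMAINS = ("mega.nz", "gofile.io", "transfer.sh", "ngrok.io", "pinggy.io")
FOLLOW_UP_TYPES = {"mfa_enroll", "rmm_install", "vm_create"}
WINDOW = timedelta(hours=24)  # assumed review window after a help desk call

# Constructed sample events (hypothetical schema, not a real product's log format).
EVENTS = [
    {"ts": "2026-02-03T09:12:00", "user": "j.doe", "type": "helpdesk_reset", "detail": "password+mfa reset by phone"},
    {"ts": "2026-02-03T09:20:00", "user": "j.doe", "type": "mfa_enroll", "detail": "new authenticator device"},
    {"ts": "2026-02-03T09:41:00", "user": "j.doe", "type": "rmm_install", "detail": "remote management agent"},
    {"ts": "2026-02-03T11:05:00", "user": "j.doe", "type": "dns_query", "detail": "files.gofile.io"},
    {"ts": "2026-02-03T11:30:00", "user": "a.lee", "type": "dns_query", "detail": "transfer.sh"},
    {"ts": "2026-02-05T10:00:00", "user": "j.doe", "type": "dns_query", "detail": "mega.nz"},
    {"ts": "2026-02-03T12:00:00", "user": "j.doe", "type": "dns_query", "detail": "notmega.nz"},
]

def watched(host):
    """True if host equals, or is a subdomain of, a watched domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def suspicious(event):
    """Follow-up activity worth reviewing when it comes right after a reset."""
    if event["type"] in FOLLOW_UP_TYPES:
        return True
    return event["type"] == "dns_query" and watched(event["detail"])

def correlate(events, window=WINDOW):
    """Return (reset, follow_up) pairs for the same user within the window."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    last_reset = {}  # user -> most recent help desk reset event
    hits = []
    for ev in ordered:
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "helpdesk_reset":
            last_reset[ev["user"]] = ev
            continue
        reset = last_reset.get(ev["user"])
        if reset and suspicious(ev) and when - datetime.fromisoformat(reset["ts"]) <= window:
            hits.append((reset, ev))
    return hits

if __name__ == "__main__":
    for reset, ev in correlate(EVENTS):
        print(f'{ev["ts"]} {ev["user"]}: {ev["type"]} ({ev["detail"]}) after reset at {reset["ts"]}')
```

Matching on the exact domain or a dot-prefixed suffix keeps look-alike hosts such as `notmega.nz` from triggering, and activity by accounts with no recent reset is left to other detections.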

Source: Original reporting
