Security researchers uncovered a large phishing operation linked to Scattered Lapsus Hunters, a threat group that registered more than 40 fake domains. These lookalike sites imitate major tech companies and aim to harvest credentials from employees and consumers. The discovery highlights the growing sophistication behind phishing campaigns that exploit brand trust and corporate identity.
How the Campaign Works
Researchers from Unit 42 examined the infrastructure tied to Scattered Lapsus Hunters. They identified dozens of domains that mimic login environments used by leading global platforms. The group relies on precise visual cloning to mislead targets and collect sensitive account data.
Targets include some of the most widely used digital services:
- Microsoft
- Amazon
- Adobe
- Zoom
Each cloned page attempts to look authentic enough that users enter login credentials without hesitation.
Registration Strategy Behind the 40 Domains
Scattered Lapsus Hunters use a broad mix of top-level domains so that their registrations do not form an easily detectable pattern. Many of the malicious sites rely on extensions such as .shop, .online, .support, and .info. These choices help the attackers create URLs that appear credible during a quick glance by an unsuspecting victim.
The group also uses:
- Typosquatting
- Brand impersonation
- Slight domain alterations
- Login-themed wording such as “support”, “reset”, or “verify”
This structure gives the attackers a flexible system that can adapt during ongoing phishing activity.
Why Scattered Lapsus Hunters Pose a Growing Risk
The campaign signals an increasingly organized effort to gather corporate credentials. Attackers aim to compromise accounts used within enterprise environments. They focus on login platforms that provide access to cloud systems, collaboration tools, and administrative dashboards.
Stolen credentials can enable:
- Internal system access
- Lateral movement inside corporate networks
- Data theft
- Business email compromise
- Identity fraud
Researchers believe the group may also sell harvested credentials to other criminal actors.
Research Findings from Unit 42
Unit 42 reports that many cloned pages replicate real corporate layouts with alarming accuracy. Logos, design elements, and interface structures mirror authentic portals. The group also registers domains in quick bursts, suggesting an automated setup pipeline.
Investigators found no evidence of direct breaches linked to these domains yet. However, the campaign appears active and expanding.
How Organizations Can Respond
Security teams can reduce exposure through several measures:
- Monitor domain registrations for brand abuse
- Require MFA for all corporate logins
- Train employees to inspect URLs during authentication
- Block access to known malicious domains
- Use automated alerts for suspicious login attempts
These steps help limit the impact of large phishing operations that rely on brand impersonation.
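As an added example (not code from Unit 42 or from the article), the following scorer turns the registration patterns described above into the "monitor domain registrations for brand abuse" check recommended here: it rates each newly seen domain against constructed watchlists built from the brands, TLDs and login-themed words the article names. The brand list, TLD set, keyword set and the sample domains are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed watchlists (not from the report): the brands, TLDs and
# login-themed words the article names. Sample domains are made up.
PROTECTED_BRANDS = ["microsoft", "amazon", "adobe", "zoom"]
RISKY_TLDS = {"shop", "online", "support", "info"}
LOGIN_WORDS = {"support", "reset", "verify", "login", "signin", "account"}
LEGIT_DOMAINS = {"microsoft.com", "amazon.com", "adobe.com", "zoom.us"}

def score_domain(domain):
    """Return (score, reasons) for a newly registered domain.
    +3 brand verbatim, +2 a label nearly matches a brand (typosquat),
    +1 TLD from the risky set, +1 login-themed wording in the name."""
    domain = domain.lower().strip(".")
    if domain in LEGIT_DOMAINS:
        return 0, []
    labels = domain.split(".")
    tld, name = labels[-1], ".".join(labels[:-1])
    tokens = [t for t in re.split(r"[-.]", name) if t]
    score, reasons = 0, []
    for brand in PROTECTED_BRANDS:
        if brand in name:
            score += 3
            reasons.append(f"contains brand '{brand}'")
            continue
        # Typosquat check: a hyphen- or dot-separated label that nearly
        # matches the brand, e.g. a digit swapped in for a letter.
        for tok in tokens:
            ratio = SequenceMatcher(None, tok, brand).ratio()
            if ratio >= 0.8:
                score += 2
                reasons.append(f"'{tok}' resembles '{brand}' ({ratio:.2f})")
                break
    if tld in RISKY_TLDS:
        score += 1
        reasons.append(f"risky TLD .{tld}")
    hits = sorted(w for w in LOGIN_WORDS if w in name)
    if hits:
        score += 1
        reasons.append("login-themed wording: " + ", ".join(hits))
    return score, reasons

def flag_domains(domains, threshold=3):
    """Domains at or above the alert threshold, in input order."""
    return [d for d in domains if score_domain(d)[0] >= threshold]

if __name__ == "__main__":
    for d in ["microsoft-support.shop", "example.com", "micros0ft-login.online"]:
        print(d, score_domain(d))
```

Feed it the daily output of a newly-registered-domain source and route anything at or above the threshold to a human review queue; the reasons list is what makes each alert explainable.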
Final Thoughts
Scattered Lapsus Hunters demonstrate how quickly phishing groups expand their infrastructure. Their move to register more than 40 lookalike domains shows a clear intent to steal credentials from users who trust major tech brands. Organizations that strengthen authentication processes and monitor domain misuse place themselves in a stronger position against similar campaigns.