Scattered LAPSUS$ Hunters (SLH), a well-known cybercrime collective, has been seen providing financial incentives to recruit women to carry out social engineering attacks. According to a new threat brief from Dataminr, the plan is to employ them for voice phishing campaigns aimed at IT help desks. In addition to giving them the pre-written scripts they need to execute the attack, the group is reportedly offering $500 to $1,000 up front for each call.

According to the threat intelligence firm, "SLH is diversifying its social engineering pool by specifically recruiting women to conduct vishing attacks, likely to increase the success rate of help desk impersonation."

SLH, a well-known cybercrime supergroup that includes ShinyHunters, Scattered Spider, and LAPSUS$, has a history of using sophisticated social engineering tactics to get around multi-factor authentication (MFA), such as SIM swapping and MFA prompt bombing. To breach businesses, the group also targets call centers and help desks: its members pretend to be employees and persuade support staff to install a remote monitoring and management (RMM) tool or reset a password.

After gaining initial access, Scattered Spider has been seen to move laterally into virtualized environments, escalate privileges, and steal confidential company information. Some of these attacks have also led to the use of ransomware.

The use of residential proxy networks and legitimate services (like Luminati and OxyLabs) to blend in and avoid detection is another characteristic of these attacks. Actors from Scattered Spider have used free file-sharing websites like file.io, gofile.io, mega.nz, and transfer, as well as a variety of tunneling tools like Ngrok, Teleport, and Pinggy.Sh. Palo Alto Networks Unit 42, which is monitoring Scattered Spider under the alias Muddled Libra, described the threat actor as "highly proficient at exploiting human psychology" in a report released earlier this month.

The threat actor attempts password and multi-factor authentication (MFA) resets by posing as employees.

In at least one incident that the cybersecurity firm looked into in September 2025, Scattered Spider obtained privileged credentials by contacting the IT help desk, then used a virtual machine (VM) to perform reconnaissance (such as Active Directory enumeration) and tried to exfiltrate Outlook mailbox files and data downloaded from the target's Snowflake database.

This threat actor uses legitimate tools and existing infrastructure to blend in while concentrating on identity compromise and social engineering, according to Unit 42. "They remain persistent and work in silence." The cybersecurity firm added that Scattered Spider has a "long history" of using the Graph API to target Microsoft Azure environments and enable access to Azure cloud resources.

The group also uses cloud enumeration tools, like ADRecon for Active Directory reconnaissance.

As social engineering is becoming the main entry point for the cybercrime group, organizations are advised to be vigilant: train IT help desk and support staff to be on the lookout for pre-written scripts and polished voice impersonation, enforce stringent identity verification, harden MFA policies by moving away from SMS-based authentication, and audit logs for new user creation or administrative privilege escalation after help desk interactions.

Dataminr stated, "This recruitment drive represents a calculated evolution in SLH's tactics."

"The group probably hopes to increase the efficacy of their impersonation efforts by avoiding the 'traditional' profiles of attackers that IT help desk staff may be trained to identify by specifically seeking female voices."
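The log audit recommended above (new user creation or administrative privilege escalation after a help desk interaction) can be expressed as a time-window correlation. The following is an added example, not code from Dataminr or Unit 42; the ticket and audit-event field names, the event type strings, the 24-hour window, and all sample records are constructed assumptions to be mapped onto your own ticketing and identity logs.

```python
from datetime import datetime, timedelta

# Event types named in the advice: new user creation and privilege escalation.
# The strings themselves are assumptions, not a real product's schema.
SENSITIVE = {"user_created", "admin_role_assigned"}

# Constructed sample data (not from any real incident).
HELPDESK_TICKETS = [
    {"id": "T-1", "account": "jdoe", "action": "mfa_reset", "time": "2025-01-15T14:05:00"},
    {"id": "T-2", "account": "asmith", "action": "password_reset", "time": "2025-01-15T09:00:00"},
]
AUDIT_EVENTS = [
    {"actor": "jdoe", "type": "user_created", "target": "svc-backup2", "time": "2025-01-15T14:40:00"},
    {"actor": "jdoe", "type": "admin_role_assigned", "target": "svc-backup2", "time": "2025-01-15T14:52:00"},
    {"actor": "asmith", "type": "mailbox_login", "target": "asmith", "time": "2025-01-15T09:10:00"},
    {"actor": "asmith", "type": "user_created", "target": "intern7", "time": "2025-01-17T11:00:00"},
    {"actor": "bwong", "type": "admin_role_assigned", "target": "bwong", "time": "2025-01-15T14:30:00"},
]

def flag_post_helpdesk_changes(tickets, events, window=timedelta(hours=24)):
    """Return (ticket id, event) pairs where an account that was just reset by
    the help desk performs a sensitive change within `window` after the ticket."""
    resets = {}
    for t in tickets:
        resets.setdefault(t["account"], []).append(
            (datetime.fromisoformat(t["time"]), t["id"]))
    findings = []
    # ISO 8601 strings in one format sort chronologically.
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["type"] not in SENSITIVE:
            continue
        when = datetime.fromisoformat(e["time"])
        for reset_time, ticket_id in resets.get(e["actor"], []):
            # Only changes made after the reset, and inside the window, count.
            if timedelta(0) <= when - reset_time <= window:
                findings.append((ticket_id, e))
    return findings

if __name__ == "__main__":
    for ticket_id, e in flag_post_helpdesk_changes(HELPDESK_TICKETS, AUDIT_EVENTS):
        print(f"{e['time']} {e['actor']} {e['type']} -> {e['target']} (after ticket {ticket_id})")
```

Each finding is a lead for review rather than proof of compromise; widening the window trades fewer misses for more legitimate administrative activity in the results.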