Cybercrime Group SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks
The cybercrime collective known as Scattered LAPSUS$ Hunters (SLH) has been observed offering financial incentives to recruit women for social engineering attacks targeting IT help desks. According to a recent threat brief by Dataminr, SLH is offering between $500 and $1,000 upfront per call, providing recruits with pre-written scripts to carry out voice phishing (vishing) campaigns.
SLH is a high-profile cybercrime supergroup comprising LAPSUS$, Scattered Spider, and ShinyHunters. The group has a history of engaging in advanced social engineering attacks to bypass multi-factor authentication (MFA) through techniques like MFA prompt bombing and SIM swapping.
The group’s modus operandi involves targeting help desks and call centers by posing as employees and convincing them to reset passwords or install remote monitoring and management (RMM) tools that grant remote access. Once initial access is obtained, Scattered Spider has been observed moving laterally to virtualized environments, escalating privileges, and exfiltrating sensitive corporate data.
Some of these attacks have led to the deployment of ransomware. Another hallmark of these attacks is the use of legitimate services and residential proxy networks (e.g., Luminati and OxyLabs) to blend in and evade detection. Scattered Spider actors have used various tunneling tools like Ngrok, Teleport, and Pinggy, as well as free file-sharing services such as file.io, gofile.io, mega.nz, and transfer.sh.
In a report published earlier this month, Palo Alto Networks Unit 42, which is tracking Scattered Spider under the moniker Muddled Libra, described the threat actor as highly proficient at exploiting human psychology by impersonating employees to attempt password and multi-factor authentication (MFA) resets.
In at least one case investigated by the cybersecurity company in September 2025, Scattered Spider is said to have created and utilized a virtual machine (VM) after obtaining privileged credentials by calling the IT help desk and then used it to conduct reconnaissance (e.g., Active Directory enumeration) and attempt to exfiltrate Outlook mailbox files and data downloaded from the target’s Snowflake database.
While focusing on identity compromise and social engineering, this threat actor leverages legitimate tools and existing infrastructure to blend in, Unit 42 said. They operate quietly and maintain persistence.
The cybersecurity company also noted that Scattered Spider has an extensive history of targeting Microsoft Azure environments using the Graph API to facilitate access to Azure cloud resources. Also put to use by the group are cloud enumeration tools such as ADRecon for Active Directory reconnaissance.
With social engineering emerging as the primary entry point for the cybercrime group, organizations are advised to be on alert and train IT help desk and support personnel to watch out for pre-written scripts and polished voice impersonation, enforce strict identity verification, harden MFA policies by shifting away from SMS-based authentication, and audit logs for new user creation or administrative privilege escalation following help desk interactions.
This recruitment drive represents a calculated evolution in SLH’s tactics, Dataminr said. By specifically seeking female voices, the group likely aims to bypass the ‘traditional’ profiles of attackers that IT help desk staff may be trained to identify, thereby increasing the effectiveness of their impersonation efforts.
