Executive Summary
In February 2026, the cybercrime collective Scattered LAPSUS$ Hunters (SLH) initiated a campaign to recruit women for voice phishing (vishing) attacks targeting IT help desks. Offering financial incentives of $500 to $1,000 per call and providing pre-written scripts, SLH aims to enhance the effectiveness of their social engineering tactics by leveraging female voices to impersonate employees. This strategy is designed to manipulate help desk personnel into resetting passwords or installing remote monitoring tools, thereby granting unauthorized access to corporate networks. (dataminr.com)
This development underscores a significant evolution in cybercriminal methodologies, highlighting the increasing sophistication of social engineering attacks. Organizations must recognize the heightened risk posed by such targeted vishing campaigns and implement robust security measures to mitigate potential breaches.
Why This Matters Now
The recruitment of women for vishing attacks by SLH represents a calculated shift in cybercriminal tactics, aiming to exploit perceived trust associated with female voices to bypass security protocols. This trend necessitates immediate attention to bolster defenses against advanced social engineering threats.
Attack Path Analysis
The Scattered LAPSUS$ Hunters (SLH) initiated their attack by recruiting women to perform vishing calls targeting IT help desks, successfully obtaining valid credentials. Utilizing these credentials, they escalated privileges within the network, gaining administrative access. They then moved laterally across the organization's virtualized environments, conducting reconnaissance and accessing sensitive data. Establishing command and control, they used legitimate services and residential proxy networks to evade detection. Subsequently, they exfiltrated sensitive corporate data, including Outlook mailbox files and Snowflake database contents. Finally, they deployed ransomware, disrupting business operations and demanding ransom payments.
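The attack path above hinges on a help-desk-initiated credential reset being followed quickly by the attacker cementing access (for example by installing a remote monitoring tool). The following added example, which is not part of the original brief, shows one way a defender could correlate those steps over identity and endpoint telemetry; the event schema, the RMM product names, the two-hour window and the assumption that an MFA device enrollment is a useful follow-up indicator are all assumptions made for the example, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed RMM product names to watch for (an organisation would use its own list).
RMM_TOOLS = {"anydesk", "screenconnect", "teamviewer", "atera"}
WINDOW = timedelta(hours=2)  # assumed correlation window after the reset

# Constructed sample events (not real telemetry): one benign reset for "jdoe"
# and one reset for "asmith" followed by a new MFA device and an RMM install.
EVENTS = [
    {"ts": "2026-02-10T09:02:00", "type": "helpdesk_password_reset", "user": "jdoe", "actor": "helpdesk1"},
    {"ts": "2026-02-10T09:40:00", "type": "login", "user": "jdoe", "detail": "vpn"},
    {"ts": "2026-02-10T13:15:00", "type": "helpdesk_password_reset", "user": "asmith", "actor": "helpdesk2"},
    {"ts": "2026-02-10T13:22:00", "type": "mfa_device_enrolled", "user": "asmith", "detail": "new phone"},
    {"ts": "2026-02-10T13:41:00", "type": "software_install", "user": "asmith", "detail": "AnyDesk"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW):
    """Return one alert per help-desk password reset that is followed, within
    `window`, by a new MFA device enrollment or an RMM tool install for the
    same user. Events outside the window or for other users are ignored."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for r in (e for e in evs if e["type"] == "helpdesk_password_reset"):
            t0 = parse(r["ts"])
            indicators = []
            for e in evs:
                t = parse(e["ts"])
                if not (t0 < t <= t0 + window):
                    continue
                if e["type"] == "mfa_device_enrolled":
                    indicators.append("mfa_enrolled")
                elif e["type"] == "software_install" and e.get("detail", "").lower() in RMM_TOOLS:
                    indicators.append("rmm_install:" + e["detail"])
            if indicators:
                alerts.append({"user": user, "reset_by": r["actor"],
                               "reset_at": r["ts"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In practice the reset event would come from the identity provider or help-desk ticketing system and the install event from EDR, so the two sources need a shared user key before this correlation can run.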
Kill Chain Progression
Initial Compromise
Description
SLH recruited women to perform vishing calls targeting IT help desks, successfully obtaining valid credentials.
MITRE ATT&CK® Techniques
- Phishing
- Phishing for Information
- Valid Accounts
  - Domain Accounts
  - Local Accounts
  - Cloud Accounts
  - Default Accounts
  - Application Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Awareness Training
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Article 13
CISA ZTMM 2.0 – Identity Verification and Authentication
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this campaign, including operational, regulatory, and cloud security risks.
Information Technology/IT
Primary target of SLH vishing campaigns targeting IT help desks with female social engineers, requiring enhanced identity verification and MFA hardening protocols.
Financial Services
High-value target vulnerable to social engineering attacks bypassing MFA through help desk manipulation, risking privileged credential compromise and data exfiltration.
Health Care / Life Sciences
Critical HIPAA compliance exposure through social engineering attacks targeting help desks, making encrypted traffic monitoring and egress security essential defenses.
Telecommunications
Infrastructure sector at risk from SIM swapping and social engineering tactics, requiring zero trust segmentation and enhanced east-west traffic security measures.
Sources
- SLH Offers $500–$1,000 Per Call to Recruit Women for IT Help Desk Vishing Attacks: https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html
- Scattered Lapsus$ Hunters Recruiting Women for Operations: https://www.dataminr.com/resources/intel-brief/slh-recruiting-women-for-vishing/
- Scattered LAPSUS$ Hunters: 2025's Most Dangerous Cybercrime Supergroup: https://www.picussecurity.com/resource/blog/scattered-lapsus-hunters-2025s-most-dangerous-cybercrime-supergroup
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's lateral movement and data exfiltration, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the attacker's ability to exploit compromised credentials by enforcing strict access controls.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely have constrained the attacker's ability to escalate privileges by limiting access to sensitive systems.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security may have reduced the attacker's ability to move laterally by monitoring and controlling internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely have constrained the attacker's command and control channels by providing comprehensive monitoring.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement may have limited the attacker's ability to exfiltrate data by controlling outbound traffic.
While the CNSF may not have prevented the initial ransomware deployment, it could have reduced the blast radius by containing the spread.
Impact at a Glance
Affected Business Functions
- IT Help Desk Operations
- User Account Management
- Access Control Systems
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data, including employee credentials and customer information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- Enhance East-West Traffic Security to monitor and control internal traffic, detecting unauthorized movements.
- Deploy Egress Security & Policy Enforcement to restrict unauthorized data exfiltration and command and control communications.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities promptly.
- Conduct regular security awareness training for employees to recognize and report social engineering attempts.