Overview
- On February 22, Dataminr spotted Telegram ads offering $500–$1,000 upfront per call, with applicants funneled through a support account and handed prewritten scripts.
- Posts indicate the campaign targets corporate IT help desks, where callers impersonate employees to secure password resets or to persuade staff to install remote monitoring tools.
- The recruitment reflects the coalition’s social‑engineering focus, drawing on tactics honed by Lapsus$, Scattered Spider, and ShinyHunters within the English‑speaking cybercrime scene known as The Com.
- Researchers note repeated use of MFA-bypass techniques and of techniques for blending into legitimate traffic, including SIM swapping, fake SSO pages, MFA prompt bombing, residential proxies, tunneling tools, and free file‑sharing services.
- Security guidance urges immediate help‑desk briefings, strict out‑of‑band identity checks such as video verification, adoption of phishing‑resistant authentication like FIDO2 or passkeys, and prompt auditing after help‑desk actions.
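One way to act on the "prompt auditing after help-desk actions" advice, as an added example that is not part of the original article: the check correlates help-desk credential actions (password and MFA resets) with the sign-ins that follow them and flags the takeover pattern the campaign relies on, namely both factors reset on one ticket, a post-reset sign-in from an IP never seen for that user, or a post-reset sign-in that used non-phishing-resistant MFA. All event records, IPs, ticket ids and the field layout are constructed for the example.

```python
from datetime import datetime, timedelta

PHISHING_RESISTANT = {"fido2", "passkey"}
CREDENTIAL_ACTIONS = {"password_reset", "mfa_reset"}

# Constructed sample data: help-desk ticket actions, later sign-ins, and
# the IPs each user has historically signed in from (none of this is real).
HELPDESK_EVENTS = [
    {"ts": "2024-02-22T14:02:00", "user": "jdoe", "action": "password_reset", "ticket": "HD-1042"},
    {"ts": "2024-02-22T14:05:00", "user": "jdoe", "action": "mfa_reset", "ticket": "HD-1042"},
    {"ts": "2024-02-22T09:10:00", "user": "asmith", "action": "password_reset", "ticket": "HD-1031"},
]
SIGNIN_EVENTS = [
    {"ts": "2024-02-22T14:21:00", "user": "jdoe", "ip": "203.0.113.77", "mfa": "sms"},
    {"ts": "2024-02-22T09:40:00", "user": "asmith", "ip": "198.51.100.5", "mfa": "fido2"},
]
KNOWN_IPS = {"jdoe": {"198.51.100.20"}, "asmith": {"198.51.100.5"}}


def audit_helpdesk_actions(helpdesk, signins, known_ips, window_hours=24):
    """Return {(user, ticket): [reasons]} for tickets that need review."""
    by_ticket = {}
    for ev in helpdesk:
        if ev["action"] in CREDENTIAL_ACTIONS:
            by_ticket.setdefault((ev["user"], ev["ticket"]), []).append(ev)

    findings = {}
    for (user, ticket), actions in by_ticket.items():
        reasons = []
        # Both factors reset on a single ticket is the full takeover chain.
        if {a["action"] for a in actions} == CREDENTIAL_ACTIONS:
            reasons.append("password and MFA both reset on one ticket")
        start = min(datetime.fromisoformat(a["ts"]) for a in actions)
        end = start + timedelta(hours=window_hours)
        # Examine every sign-in by that user inside the post-reset window.
        for s in signins:
            if s["user"] != user or not (start <= datetime.fromisoformat(s["ts"]) <= end):
                continue
            if s["ip"] not in known_ips.get(user, set()):
                reasons.append(f"post-reset sign-in from unseen IP {s['ip']}")
            if s["mfa"] not in PHISHING_RESISTANT:
                reasons.append(f"post-reset sign-in used weak MFA method ({s['mfa']})")
        if reasons:
            findings[(user, ticket)] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in audit_helpdesk_actions(HELPDESK_EVENTS, SIGNIN_EVENTS, KNOWN_IPS).items():
        print(key, "->", "; ".join(reasons))
```

In production the known-IP set would come from the identity provider's sign-in history and the window from the organisation's reset policy; the ticket keyed output is what a reviewer calls back to the employee about over an out-of-band channel.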