👤 CRYSTALPROXY
🗓️ 25 Feb 2026  

Cybercrime’s New Voice: SLH Pays Top Dollar to Recruit Women for High-Stakes IT Help Desk Scams

A notorious hacking syndicate is offering hefty payouts to women for voice phishing attacks, aiming to outsmart corporate defenses with a feminine touch.

It’s a chilling twist in the evolution of cybercrime: the Scattered LAPSUS$ Hunters (SLH), a supergroup infamous for sophisticated social engineering, are now seeking women to become the new faces - and voices - of their latest wave of attacks. With cash offers of up to $1,000 per call and pre-written scripts in hand, these cybercriminals are betting that a woman's voice is the key to unlocking corporate secrets that even the most hardened defenses can’t withstand.

The strategy is as simple as it is devious: by recruiting women - who may sound less suspicious to IT support staff trained to spot the “usual suspects” - SLH aims to supercharge the success of their vishing campaigns. These attacks hinge on impersonation, with threat actors calling help desks and posing as employees in distress, requesting password resets or installation of remote monitoring tools. The endgame? Gaining privileged access to corporate networks, often without tripping alarms.

According to cybersecurity analysts at Dataminr and Palo Alto Networks’ Unit 42, this calculated move marks a significant shift in cybercriminal tactics. SLH is known for exploiting human weakness, bypassing multi-factor authentication (MFA) through prompt bombing and SIM swapping, and targeting cloud environments like Microsoft Azure using advanced reconnaissance tools. Their attacks don’t stop at initial access: once inside, they escalate privileges, move laterally across virtualized environments, and siphon off sensitive data - sometimes unleashing ransomware as a final blow.

What makes SLH especially dangerous is their use of legitimate infrastructure. By deploying popular tunneling tools (Ngrok, Teleport, Pinggy) and file-sharing services (file.io, mega.nz), they camouflage their operations within everyday network traffic. Residential proxy networks like Luminati and OxyLabs further obscure their real origins, making detection a significant challenge for defenders.

Experts warn that traditional defenses are no longer enough. With attackers now wielding sophisticated social engineering scripts and leveraging psychological profiling, organizations must focus on robust identity verification, hardening MFA policies beyond SMS, and training support staff to spot red flags - regardless of the caller’s gender or apparent legitimacy. Vigilance, logging, and a healthy dose of skepticism at the help desk may be the only lines of defense left.
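A defensive check that combines the two points above (help-desk resets and traffic to the named tunneling and file-sharing services), as an added example that is not from the article or the analysts it cites: it flags a user's traffic to those services within an assumed 24-hour window after a help-desk reset. The log tuple layout, the window, and every domain suffix other than file.io and mega.nz are assumptions.

```python
from datetime import datetime, timedelta

# file.io and mega.nz are quoted from the article; the other suffixes are
# assumptions about the domains each named tunneling tool serves traffic from.
WATCHED = {
    "ngrok.io": "Ngrok", "ngrok.app": "Ngrok", "ngrok-free.app": "Ngrok",
    "teleport.sh": "Teleport", "pinggy.io": "Pinggy", "pinggy.link": "Pinggy",
    "file.io": "file.io", "mega.nz": "mega.nz",
}
WINDOW = timedelta(hours=24)  # assumed correlation window after a reset

def match_service(host):
    """Return the service whose suffix host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    hits = (WATCHED.get(".".join(labels[i:])) for i in range(len(labels) - 1))
    return next((svc for svc in hits if svc), None)

def correlate(helpdesk_events, proxy_events):
    """Flag watched-service traffic by a user within WINDOW after a help-desk reset."""
    resets = {}
    for ts, user, action in helpdesk_events:
        if action in ("password_reset", "mfa_reset"):
            resets.setdefault(user, []).append((datetime.fromisoformat(ts), action))
    alerts = []
    for ts, user, host in proxy_events:
        svc = match_service(host)
        if not svc:
            continue
        seen = datetime.fromisoformat(ts)
        for reset_ts, action in resets.get(user, []):
            if timedelta(0) <= seen - reset_ts <= WINDOW:
                alerts.append((user, action, svc, host, seen - reset_ts))
                break
    return alerts

# Constructed sample records (timestamp, user, action/host); not real log data.
HELPDESK = [("2026-02-20T09:05:00", "jdoe", "password_reset")]
PROXY = [
    ("2026-02-20T08:00:00", "jdoe", "a1b2.ngrok.io"),          # before the reset
    ("2026-02-20T09:40:00", "jdoe", "tunnel-7.ngrok-free.app"),
    ("2026-02-20T11:15:00", "jdoe", "mega.nz"),
    ("2026-02-20T11:20:00", "jdoe", "notfile.io"),             # lookalike, no match
    ("2026-02-21T15:00:00", "asmith", "file.io"),              # no reset on record
]

if __name__ == "__main__":
    for alert in correlate(HELPDESK, PROXY):
        print(*alert)
```

Matching on whole DNS labels keeps a lookalike such as notfile.io from triggering the file.io rule, and traffic seen before the reset or from users with no reset on record is left out of the alerts.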

As the cybercrime landscape evolves, so do the methods - and the faces - of those behind it. SLH’s recruitment drive is a stark reminder: in the war for corporate data, the human element is both the greatest vulnerability and the last hope for defense.

WIKICROOK

  • Vishing: Vishing is a phone scam where attackers impersonate trusted entities to steal sensitive information or money through deceptive calls.
  • Multi: Multi refers to using a combination of different technologies or systems - like LEO and GEO satellites - to improve reliability, coverage, and security.
  • Privilege Escalation: Privilege escalation occurs when an attacker gains higher-level access, moving from a regular user account to administrator privileges on a system or network.
  • Residential Proxy Network: A residential proxy network routes traffic through real users’ devices to mask activity origins, often without users’ knowledge, raising privacy concerns.
  • SIM Swapping: SIM Swapping is a scam where criminals trick phone companies into transferring your number to their device, letting them access your calls and texts.

CRYSTALPROXY
Secure Routing Analyst