[Figure: High-level chain of events in the attack. Image: Unit 42]
A new investigation by Unit 42 has pulled back the curtain on the operations of Muddled Libra, the cybercrime group also known as Scattered Spider or UNC3944. In a report detailing a September 2025 incident, researchers discovered a “rogue” virtual machine (VM) that served as the group’s operational base inside a victim’s network, revealing a playbook that relies less on zero-day exploits and more on exploiting human trust and basic architecture.
The attack began not with a complex technical hack, but with social engineering. Muddled Libra is notorious for targeting help desks and call centers to gain initial access. Once inside the target’s VMware vSphere environment, they didn’t deploy custom malware immediately. Instead, they simply created their own computer.
“Muddled Libra created the VM after the group successfully gained unauthorized access to the target’s VMware vSphere environment,” the report explains.
This single rogue VM became their forward operating base. From this beachhead, they could download tools, establish persistence, and launch attacks deeper into the network, all while appearing as just another machine in the data center.
The analysis of the VM’s contents offers a rare glimpse into the group’s toolkit. Rather than exotic cyberweapons, Muddled Libra used standard administrative utilities to conduct their operations.
- Reconnaissance: They used built-in commands to map the network.
- Persistence: They established a Command and Control (C2) channel to maintain access even if passwords were changed.
- Data Theft: They were observed “copying files from the rogue VM to the target’s domain controller (DC)” and interacting with the target’s Snowflake cloud infrastructure.
The simplicity is the point. “Intrusion operations Muddled Libra conducts have affected the business operations of many organizations across the globe. This is not because they use advanced malware or novel exploits, but because they exploit the weakest link: humans,” Unit 42 researchers noted.
“While Muddled Libra’s tactics may appear simple, their effectiveness reminds us that cybersecurity resilience begins not with complexity, but with vigilance, visibility and disciplined access management,” the report concludes.
To fight back, Unit 42 recommends a defense-in-depth strategy focused on “protecting identity, maintaining least-privileged access, and detecting living-off-the-land behaviors”.
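One way to operationalize the "visibility" and "detect living-off-the-land behaviors" advice against the rogue-VM pattern described above is to alert on VMs appearing in the vSphere inventory under accounts that do not normally provision them. The following detector is an added example, not code from Unit 42 or from the report; the pipe-delimited record layout, the sample events, the approved-creator allowlist and the change window are all constructed assumptions. Only the event type names (VmCreatedEvent, VmRegisteredEvent, VmClonedEvent, VmDeployedEvent, VmPoweredOnEvent, UserLoginSessionEvent) mirror vSphere's own event types.

```python
"""Flag suspicious VM appearances in vCenter-style event records.

Added example (not from the Unit 42 report). The record format
time|eventType|user|vmName|host, the sample events, the allowlist and the
change window are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone

# vSphere event types under which a VM newly appears in the inventory.
VM_APPEARANCE_EVENTS = {
    "VmCreatedEvent", "VmRegisteredEvent", "VmClonedEvent", "VmDeployedEvent",
}

# Assumed allowlist: the automation service account and named infra admins
# that are expected to provision VMs in this (hypothetical) environment.
APPROVED_VM_CREATORS = {"CORP\\svc-vra-deploy", "CORP\\infra-admin-lee"}

# Assumed change window (UTC) in which provisioning normally happens.
CHANGE_WINDOW = (time(8, 0), time(18, 0))


@dataclass(frozen=True)
class VcEvent:
    when: datetime
    event_type: str
    user: str
    vm_name: str
    host: str


@dataclass(frozen=True)
class Finding:
    vm_name: str
    user: str
    reasons: tuple


def parse_event(line: str) -> VcEvent:
    """Parse one constructed record: time|eventType|user|vmName|host."""
    ts, etype, user, vm, host = (f.strip() for f in line.split("|", 4))
    # fromisoformat() does not accept a trailing 'Z' on older Pythons.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return VcEvent(when, etype, user, vm, host)


def check_vm_appearance(ev: VcEvent) -> list:
    """Return the reasons a VM-appearance event looks anomalous (empty if none)."""
    reasons = []
    if ev.user not in APPROVED_VM_CREATORS:
        reasons.append("creator not in provisioning allowlist")
    local = ev.when.astimezone(timezone.utc).time()
    if not (CHANGE_WINDOW[0] <= local <= CHANGE_WINDOW[1]):
        reasons.append("outside change window")
    return reasons


def find_rogue_vms(lines) -> list:
    """Run the allowlist and change-window checks over every VM-appearance event."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.event_type not in VM_APPEARANCE_EVENTS:
            continue  # power-on, login etc. are context, not the trigger here
        reasons = check_vm_appearance(ev)
        if reasons:
            findings.append(Finding(ev.vm_name, ev.user, tuple(reasons)))
    return findings


# Constructed sample: one legitimate automated deploy, one VM created at 02:13
# UTC by a help-desk account (the hypothetical anomaly), one admin registration.
SAMPLE_EVENTS = """\
2025-09-12T10:05:41Z|VmCreatedEvent|CORP\\svc-vra-deploy|APP-WEB-21|esx-03.corp.example
2025-09-12T10:06:02Z|VmPoweredOnEvent|CORP\\svc-vra-deploy|APP-WEB-21|esx-03.corp.example
2025-09-14T02:13:07Z|VmCreatedEvent|CORP\\helpdesk-jsmith|WIN-SVC-TMP01|esx-07.corp.example
2025-09-14T02:14:30Z|VmPoweredOnEvent|CORP\\helpdesk-jsmith|WIN-SVC-TMP01|esx-07.corp.example
2025-09-14T02:40:11Z|UserLoginSessionEvent|CORP\\helpdesk-jsmith|-|vcsa.corp.example
2025-09-15T14:22:09Z|VmRegisteredEvent|CORP\\infra-admin-lee|DB-REPL-04|esx-02.corp.example
""".splitlines()


def run_sample() -> list:
    """Convenience wrapper used by the demo and by tests."""
    return find_rogue_vms(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"ALERT vm={f.vm_name} creator={f.user} reasons={'; '.join(f.reasons)}")
```

The detector deliberately triggers on the VM appearing, not on malware signatures, because the report's point is that the rogue VM ran ordinary administrative tooling. In practice the allowlist would be generated from the provisioning system's service accounts, and the same event stream would be joined with later host-level telemetry (for instance file copies toward domain controllers) to prioritize the alert.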