Decoding Muddled Libra: Insights into their operational strategies in cybersecurity

Feb 11, 2026 | Threat Intelligence Research

New Insights into Muddled Libra’s Intrusion Tactics

In September 2025, during an incident response investigation, Unit 42 identified a rogue virtual machine (VM) used by the cybercrime group Muddled Libra (also known as Scattered Spider, UNC3944). The group abused a target’s VMware vSphere environment to carry out a sophisticated attack, revealing both its attack methods and its operational behaviors.

Muddled Libra employs a variety of social engineering techniques, such as vishing and smishing, to infiltrate organizations, often targeting call centers and third-party service providers. Its methods largely avoid malware, relying instead on legitimate credentials and tools turned against the target. Once inside, the group created a VM for persistent access, which it used for reconnaissance, downloading tools, and exploiting the compromised environment to interact with sensitive infrastructure, including Snowflake databases.

The attackers established persistence through an SSH tunnel and began lateral movement within the network, collecting sensitive information from the domain controller and using various tools to enumerate Active Directory details. Throughout the attack they attempted to exfiltrate data but were hampered by the security controls in place.

Why this matters: The Muddled Libra incident highlights the continuous risk organizations face from socially engineered attacks that exploit human vulnerabilities rather than technology weaknesses. It underscores the need for strengthened identity security and rigorous access controls, as human behavior remains the weakest link in cybersecurity.

To mitigate risks, organizations should implement threat intelligence to anticipate attack vectors, employ Security Information and Event Management (SIEM) systems to monitor unusual activity, and enforce strong access controls, particularly concerning administrative tools and cloud services.

Indicators of Compromise:

  • IPs:
    • 162.125.3.18 (associated with Dropbox)
    • 104.16.100.29 (associated with Dropbox)
  • Domains:
    • upload.ee
    • uploadnow.io
    • limewire.com
    • s3browser.com
  • File Names and Hashes:
    • psexec.exe – SHA256: 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
    • chisel.exe – SHA256: 996e68f2fe1c8bb091f34e9bf39fd34d95c3e21508def1f54098a1874bfb825e
    • s3browser-12-6-1.exe – SHA256: 6784e652f304bf8e43b42c29ad8dd146dd384fa9536b9c6640dfbc370c3e78de
    • ADExplorer64.exe – SHA256: e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb
    • goon.zip – SHA256: 088f2aced9ed60c2ce853b065f57691403459e1e0d167891d6849e1b58228173
    • OfficeSetup.exe – SHA256: 6e2c39d0c00a6a8eef33f9670f941a88c957d3c1e9496392beedc98af14269a2
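The SIEM monitoring recommended above and the indicators listed here can be joined in a simple sweep. The following Python script is an added example, not code from Q-Feeds or Unit 42: it parses constructed endpoint and network log lines (a space-separated key=value format assumed for illustration) and reports matches against the indicators in this summary. It matches SHA256 values case-insensitively, treats subdomains of the listed domains as matches, and marks hits on the two Dropbox-associated IPs as low confidence because they are shared infrastructure. The hostnames, timestamps and log events are constructed.

```python
"""Sweep endpoint and network telemetry for the Muddled Libra indicators above.

Added example; not code from Q-Feeds or Unit 42. The key=value log format,
hostnames, timestamps and events in SAMPLE_LOGS are constructed for
illustration. The indicator values are those listed in the summary.
"""
import re
from typing import Dict, Iterable, List

# SHA256 indicators (lowercase) mapped to the file names reported with them.
IOC_HASHES = {
    "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b": "psexec.exe",
    "996e68f2fe1c8bb091f34e9bf39fd34d95c3e21508def1f54098a1874bfb825e": "chisel.exe",
    "6784e652f304bf8e43b42c29ad8dd146dd384fa9536b9c6640dfbc370c3e78de": "s3browser-12-6-1.exe",
    "e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb": "ADExplorer64.exe",
    "088f2aced9ed60c2ce853b065f57691403459e1e0d167891d6849e1b58228173": "goon.zip",
    "6e2c39d0c00a6a8eef33f9670f941a88c957d3c1e9496392beedc98af14269a2": "OfficeSetup.exe",
}
IOC_DOMAINS = {"upload.ee", "uploadnow.io", "limewire.com", "s3browser.com"}
# Both IPs are associated with Dropbox, i.e. shared infrastructure, so a hit
# alone is weak evidence and is reported as low confidence.
IOC_IPS = {"162.125.3.18", "104.16.100.29"}

# key=value pairs; values may be double-quoted to allow spaces and backslashes.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def domain_matches(name: str) -> bool:
    """True if name equals a listed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def check_event(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per indicator matched by a single parsed event."""
    hits: List[Dict[str, str]] = []
    base = {"ts": ev.get("ts", ""), "host": ev.get("host", "")}

    sha = ev.get("sha256", "").lower()  # hashes may be logged in upper case
    if sha in IOC_HASHES:
        hits.append({**base, "type": "hash", "indicator": sha,
                     "note": "known as " + IOC_HASHES[sha], "confidence": "high"})

    for field in ("query", "dst_host"):  # DNS query or proxy destination
        value = ev.get(field)
        if value and domain_matches(value):
            hits.append({**base, "type": "domain", "indicator": value,
                         "note": "file-sharing service from IoC list", "confidence": "medium"})

    ip = ev.get("dst_ip")
    if ip in IOC_IPS:
        hits.append({**base, "type": "ip", "indicator": ip,
                     "note": "Dropbox infrastructure; shared, confirm with context",
                     "confidence": "low"})
    return hits


def scan_logs(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan log lines in order; blank lines and '#' comments are skipped."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings.extend(check_event(parse_event(line)))
    return findings


# Constructed sample telemetry (hosts, times and the notepad hash are made up).
SAMPLE_LOGS = [
    r'ts=2025-09-03T10:12:44Z host=WS-041 event=process_create image="C:\Tools\chisel.exe" sha256=996e68f2fe1c8bb091f34e9bf39fd34d95c3e21508def1f54098a1874bfb825e',
    r'ts=2025-09-03T10:13:02Z host=WS-041 event=process_create image="C:\Windows\notepad.exe" sha256=0000000000000000000000000000000000000000000000000000000000000000',
    r'ts=2025-09-03T10:15:31Z host=WS-041 event=dns query=files.upload.ee',
    r'ts=2025-09-03T10:15:40Z host=WS-041 event=netconn dst_ip=162.125.3.18 dst_port=443',
    r'ts=2025-09-03T10:16:05Z host=WS-041 event=dns query=example.com',
    r'ts=2025-09-03T10:20:19Z host=DC-01 event=process_create image="C:\Temp\ADExplorer64.exe" sha256=E451287843B3927C6046EAABD3E22B929BC1F445EEC23A73B1398B115D02E4FB',
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']} [{f['confidence']}] {f['type']}={f['indicator']} ({f['note']})")
```

Run stand-alone it reports four findings from the six sample events: the chisel.exe and ADExplorer64.exe hashes (the latter logged in upper case), the subdomain files.upload.ee, and the Dropbox IP. The confidence field reflects the nature of each indicator rather than the match itself: a file hash identifies a specific tool, a domain identifies a service that has legitimate uses, and a shared IP on its own justifies a look at surrounding activity (for example the ADExplorer run on the domain controller shortly after) rather than an alert by itself.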

