Muddled Libra, also tracked as Scattered Spider and UNC3944, is a financially motivated threat group known for sophisticated social engineering and disciplined hands-on-keyboard operations. In a September 2025 incident documented by Unit 42, the group demonstrated a hallmark of its playbook: after obtaining access to a VMware vSphere environment, it created a rogue virtual machine named "New Virtual Machine" to serve as its operational base. By working entirely within the victim's own hypervisor infrastructure, the actors avoided deploying traditional malware and made their presence significantly harder to detect.
From the rogue VM, the actors moved with precision. Within minutes of VM creation, they downloaded the Chisel tunneling tool from an attacker-controlled AWS S3 bucket and established an encrypted C2 channel over TCP 443 that persisted for 15 hours. Approximately 15 minutes in, they powered down two virtualized domain controllers via the vSphere portal, then mounted their virtual disk (VMDK) files directly on the rogue VM to extract the NTDS.dit database and SYSTEM registry hive, obtaining all domain credential hashes offline without touching a live DC. ADRecon was executed to fully enumerate the Active Directory environment, including forest trusts, site topology, SPNs, and password policy. Lateral movement used RDP and PsExec with compromised domain credentials. The actors also accessed the organization's Snowflake database, targeted Exchange mailboxes, and ultimately used the S3 Browser tool to upload PST files to an attacker-controlled S3 bucket.
Detection is primarily behavioral. The group's deliberate avoidance of novel malware means the strongest signals come from legitimate tools used in unusual contexts: ADRecon PowerShell execution, PsExec service installation events, and high-volume outbound RDP connections are all catchable through EDR telemetry. The vSphere-based DC power-down and disk mounting are rarely monitored but represent high-confidence signals when observed in hypervisor or ESXi logs. Snowflake session anomalies, particularly sessions appearing from an unexpected operating system, provide an early indicator of database access from attacker-controlled infrastructure. High-volume email access in Office 365 and large outbound data transfers in firewall logs round out the detection surface across the full attack chain.
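The hypervisor-side chain described above (a domain controller VM powered off, then its VMDK attached to a freshly created VM) expressed as a detection rule over vCenter task events. This is an added example, not code from the report or from Unit 42; the event field names, the constructed `EVENTS` sample, the `DC_VMS` inventory and the user names are assumptions, not vCenter's exact schema or data from the incident.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the report): a new VM appears, two DC
# VMs are powered off shortly after, and their disks are attached to the new VM.
# Field names are a simplified assumption modelled on vCenter event types.
EVENTS = [
    {"ts": "2025-09-10T09:00:00", "type": "VmCreatedEvent", "vm": "New Virtual Machine", "user": "svc_backup"},
    {"ts": "2025-09-10T09:14:00", "type": "VmPoweredOffEvent", "vm": "DC01", "user": "svc_backup"},
    {"ts": "2025-09-10T09:15:00", "type": "VmPoweredOffEvent", "vm": "DC02", "user": "svc_backup"},
    {"ts": "2025-09-10T09:17:00", "type": "VmReconfiguredEvent", "vm": "New Virtual Machine", "user": "svc_backup",
     "disks_added": ["[datastore1] DC01/DC01.vmdk", "[datastore1] DC02/DC02.vmdk"]},
    # Benign: a DC getting an additional disk of its own is not the theft pattern.
    {"ts": "2025-09-10T10:00:00", "type": "VmReconfiguredEvent", "vm": "DC01", "user": "vsphere.local\\admin",
     "disks_added": ["[datastore1] DC01/DC01_1.vmdk"]},
]

DC_VMS = {"DC01", "DC02"}  # assumed inventory of virtualised domain controllers


def owner_vm_from_vmdk(path):
    """'[datastore1] DC01/DC01.vmdk' -> 'DC01' (the VM folder that owns the disk)."""
    rel = path.split("] ", 1)[-1]   # drop the '[datastore] ' prefix if present
    return rel.split("/", 1)[0]


def detect_offline_dc_disk_mount(events, dc_vms, window=timedelta(hours=1)):
    """Alert when a recently powered-off DC's VMDK is attached to a different VM.

    Each alert carries rogue_vm=True when the receiving VM was itself created
    inside `window`, which is the sequence described in the report.
    """
    created, powered_off, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "VmCreatedEvent":
            created[ev["vm"]] = ts
        elif ev["type"] == "VmPoweredOffEvent" and ev["vm"] in dc_vms:
            powered_off[ev["vm"]] = ts
        elif ev["type"] == "VmReconfiguredEvent":
            for path in ev.get("disks_added", []):
                owner = owner_vm_from_vmdk(path)
                off_at = powered_off.get(owner)
                # Fire only for a DC that is down and whose disk goes to another VM.
                if owner in dc_vms and owner != ev["vm"] and off_at and ts - off_at <= window:
                    alerts.append({
                        "ts": ev["ts"], "user": ev["user"], "target_vm": ev["vm"],
                        "dc": owner, "vmdk": path,
                        "rogue_vm": ev["vm"] in created and ts - created[ev["vm"]] <= window,
                    })
    return alerts
```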
IOCs (9)
SHA256 file hashes (6)
- 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
- 996e68f2fe1c8bb091f34e9bf39fd34d95c3e21508def1f54098a1874bfb825e
- 6784e652f304bf8e43b42c29ad8dd146dd384fa9536b9c6640dfbc370c3e78de
- e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb
- 088f2aced9ed60c2ce853b065f57691403459e1e0d167891d6849e1b58228173
- 6e2c39d0c00a6a8eef33f9670f941a88c957d3c1e9496392beedc98af14269a2
IP addresses (2)
- 162.125.3.18
- 104.16.100.29
Domain (1)
- sean-referrals-commissions-electricity.trycloudflare.com
Detections
- Active Directory Enumeration via Unauthorized Tools
- Active Directory Recon Utilities Detected
- PSExec Execution
- Multiple RDP Connections from Single Device
- ESXi VM Force Kill Command Execution
- Snowflake Sessions Opened from Multiple Operating Systems
- Flag suspicious PowerShell execution — encoded commands, download cradles, or AMSI bypass
- Alert on domain account usage from unexpected hosts or concurrent sessions in different geolocations
- Alert on uploads to cloud storage services from servers or workstations that typically do not perform such transfers