Executive Summary
During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) that we assess with high confidence was used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944). The contents of this rogue VM and the activity observed during the attack provide valuable insight into the operational playbook of this threat actor. This article provides a detailed analysis of our observations to shed further light on the threat actor’s tactics, techniques and procedures (TTPs).
Technical Analysis:
Muddled Libra created the VM after the group successfully gained unauthorized access to the target’s VMware vSphere environment. Activities during the attack include:
- Performing reconnaissance
- Downloading tools
- Establishing persistence via a command and control (C2) channel
- Using stolen certificates
- Copying files from the rogue VM to the target’s domain controller (DC)
- Interacting with the target’s Snowflake infrastructure
The following image depicts the full chain of events we uncovered as part of our investigation:
Retail and Hospitality Perspective:
Muddled Libra wreaked havoc on retail organizations in the first half of 2025 via their partnership with the operators of DragonForce ransomware, with the UK’s Cyber Monitoring Centre estimating that attacks targeting several UK retailers may have resulted in a total financial impact of £270–440 million ($362–591 million). This is likely due to factors such as lost revenue and profits resulting from operational disruption, in addition to recovery costs.
In the second half of 2025 through early 2026, the threat actors seemingly joined forces with other cybercriminals to form the Scattered LAPSUS$ Hunters alliance and focused on conducting data theft and extortion operations targeting SaaS platforms without the use of ransomware. Retail and hospitality organizations were impacted by this activity, and it represented a notable shift in the threat actors’ willingness to evolve their monetization tactic, which primarily hinged on victims paying to avoid data leakage and the potential loss of consumer trust.
The usage of rogue VMs by cybercriminals to accomplish objectives across different phases of the kill chain is a growing trend, especially for threat groups known to target retail and hospitality organizations, such as Atlas Lion.
While it appears the threat actors may be taking a hiatus from their intrusion operations based on Unit 42’s analysis of recent Telegram messages, RH-ISAC members should maintain heightened awareness of this threat activity throughout 2026 and work with peer institutions to “say something when you see something.”
Indicators of Compromise:
https://unit42.paloaltonetworks.com/muddled-libra-ops-playbook/