A Unit 42 investigation has pulled back the curtain on Muddled Libra, the cybercrime group also known as Scattered Spider or UNC3944, detailing a September 2025 incident. The report describes a rogue virtual machine inside a victim’s network that the group set up after gaining unauthorized access to a VMware vSphere environment and then used as its forward operating base.
Rather than deploying exotic malware, the operation relied on social engineering to reach the target and on deceptive use of a legitimate-looking VM, which allowed the attackers to download tools, establish persistence, and move deeper into the network.
The analysis shows the rogue VM was used to map the network with built-in commands, maintain access through a C2 channel, and facilitate data theft by copying files from the rogue VM to the target’s domain controller and interacting with Snowflake cloud infrastructure. The article emphasises that the group’s success stems from exploiting humans rather than novel exploits, and recommends a defence-in-depth approach focused on identity protection, least-privileged access, and detecting living-off-the-land behaviours.
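The last recommendation, detecting living-off-the-land behaviour, is the one a SOC can act on most directly. The following is an added illustration, not code from the Unit 42 report, of how a simple detection could work: it scans process-execution log lines, flags a host that runs several distinct built-in discovery commands within a short window (the kind of network mapping the rogue VM is described as doing), and separately flags any host name that is absent from the asset inventory. The log format, the host names, the command list and the inventory are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in discovery commands that rarely appear together on a normal host.
# This list is an assumption for the example; tune it to the environment.
RECON_COMMANDS = {
    "whoami", "ipconfig", "net", "nltest", "nslookup",
    "arp", "netstat", "systeminfo", "quser", "dsquery",
}

# Constructed log format: ISO timestamp, host, user, full command line.
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Constructed sample: one admin workstation with normal activity and one
# host that is not in the inventory and runs five discovery commands in
# under four minutes.
SAMPLE_LOG = """\
2025-09-12T09:01:10 host=WS-ADMIN07 user=corp\\jdoe cmd=ipconfig /all
2025-09-12T09:02:05 host=SRV-BKP-TMP user=corp\\svc_backup cmd=whoami /all
2025-09-12T09:02:40 host=SRV-BKP-TMP user=corp\\svc_backup cmd=ipconfig /all
2025-09-12T09:03:15 host=SRV-BKP-TMP user=corp\\svc_backup cmd=net view /domain
2025-09-12T09:04:02 host=SRV-BKP-TMP user=corp\\svc_backup cmd=nltest /dclist:corp
2025-09-12T09:05:30 host=SRV-BKP-TMP user=corp\\svc_backup cmd=nslookup dc01.corp.local
2025-09-12T11:45:00 host=WS-ADMIN07 user=corp\\jdoe cmd=net use Z: \\\\fs01\\share
""".splitlines()

# Constructed asset inventory (hypothetical CMDB export).
KNOWN_HOSTS = {"WS-ADMIN07", "DC01", "FS01"}


def parse_line(line):
    """Parse one log line into a dict, normalising the executable name."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    exe = cmd.split()[0].lower() if cmd else ""
    exe = exe.rsplit("\\", 1)[-1]          # drop any directory prefix
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "user": m.group("user"),
        "exe": exe,
        "cmd": cmd,
    }


def find_recon_bursts(lines, window=timedelta(minutes=10), threshold=4):
    """Return {host: set_of_commands} for hosts that ran at least `threshold`
    distinct discovery commands within any `window`-long sliding interval."""
    events = [e for e in (parse_line(l) for l in lines)
              if e and e["exe"] in RECON_COMMANDS]
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    hits = {}
    for host, evs in by_host.items():
        best = set()
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["exe"])
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            hits[host] = best
    return hits


def unknown_hosts(lines, inventory):
    """Return host names seen in the log that are not in the asset inventory."""
    return {e["host"] for e in (parse_line(l) for l in lines)
            if e and e["host"] not in inventory}


if __name__ == "__main__":
    print("Discovery bursts:", find_recon_bursts(SAMPLE_LOG))
    print("Hosts not in inventory:", unknown_hosts(SAMPLE_LOG, KNOWN_HOSTS))
```

Both checks are deliberately cheap: neither needs a signature for any malware, which matters precisely because the intrusion described above used none. In practice the command list, window and threshold are tuned against a baseline of normal administrative activity, and the inventory check is what turns a newly created, unexpected VM into an alert rather than background noise.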