Executive Summary

• During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) that we believe with high confidence was used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944).
• The contents of this rogue VM and activity from the attack provide valuable insight into the operational playbook of this threat actor.
• Muddled Libra created the VM after the group successfully gained unauthorized access to the target’s VMware vSphere environment.
• Activities during the attack include:
  - Performing reconnaissance
  - Downloading tools
  - Establishing persistence via a command and control (C2) channel
  - Using stolen certificates
  - Copying files from the rogue VM to the target’s domain controller (DC)
  - Interacting with the target’s Snowflake infrastructure
  Based on the characteristics of the attack, we assess with high confidence that Muddled Libra conducted it.
• This article provides a detailed analysis of our observations to shed further light on the threat actor’s tactics, techniques and procedures (TTPs).
• Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Article Summaries:
- In September 2025, Palo Alto Networks’ Unit 42 uncovered a rogue virtual machine (VM) created by the cyber‑crime group Muddled Libra (UNC3944). The VM, planted in a victim’s VMware vSphere environment, enabled the attackers to conduct reconnaissance, download tools, establish a command‑and‑control channel, and use stolen certificates for persistence. They also copied files to the target’s domain controller and interacted with the organization’s Snowflake infrastructure. The investigation revealed that Muddled Libra relies on social‑engineering tactics, minimal malware, and the victim’s own assets to evade detection. Unit 42 recommends Palo Alto products for protection and offers incident‑response support.