{
	"id": "dbb39f99-1888-48e1-a740-c7b75cdf4e4a",
	"created_at": "2026-04-06T00:08:41.186155Z",
	"updated_at": "2026-04-10T03:30:51.89931Z",
	"deleted_at": null,
	"sha1_hash": "5f7bc9357dbe5012447ace13319afd851ca82e99",
	"title": "Muddled Libra: Why Are We So Obsessed With You?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38833,
	"plain_text": "Muddled Libra: Why Are We So Obsessed With You?\r\nBy Richard Emerson\r\nPublished: 2025-08-06 · Archived: 2026-04-05 19:12:43 UTC\r\nWhy Do We Talk So Much About Muddled Libra?\r\nMany articles and presentations have covered the tactics, techniques and procedures of the group that Unit 42\r\ntracks as Muddled Libra. Known for social engineering tactics, the group recently attacked organizations in\r\nindustries including government, retail, insurance and aviation. There's an undeniable impact for the group’s\r\nvictims, but I’ve also been pondering why this group seems to receive more media attention than other groups that\r\nalso partner with Ransomware-as-a-Service (RaaS) programs.\r\nThere are other affiliates that heavily target English-speaking countries and that are just as fast and impactful.\r\nTrend 3 of our recent 2025 Unit 42 Global Incident Response Report, for example, describes fast attacks\r\nin incident response cases related to a variety of threat groups.\r\nHere are some thoughts on why Muddled Libra has been a particular focus for the media:\r\nDistinct Playbook, Industry Targeting\r\nEven though Muddled Libra often uses publicly available tools and known techniques, their playbook is fairly\r\nconsistent and their vishing is somewhat unique. This may make it easier to identify this group across\r\ncases than other hacking teams. Muddled Libra has also attacked companies in waves by industry, which puts\r\ncompanies in those industries on high alert. It’s one thing to know that your organization may be attacked at any\r\ntime; it’s another to know a specific threat actor is successfully targeting your peers and you may be getting\r\nattacked right now and not even know it. In other intrusions involving a RaaS affiliate, many of these groups\r\nuse such similar techniques that it is difficult to differentiate them, and their targeting is more opportunistic\r\nacross industries, so there is not as coherent a story to tell.\r\nSuccessful Tactics\r\nLooking only at our 2025 cases involving this threat actor, 50% of cases led to DragonForce\r\nransomware deployment and data exfiltration, showing that Muddled Libra’s attacks are frequently successful.\r\nGranted, we don't know how many calls to Help Desks go nowhere for this group, so it may be harder to measure\r\nthem against their \"peers.\" But the urgency of requests from organizations expresses palpable fear of Muddled\r\nLibra, as if executives were really worried they simply could not stop this threat actor.\r\nThe Power of Language\r\nThe real differentiating factor for me with this group is the English fluency they are able to employ.\r\nIt’s not really possible to screen malicious calls and protect your help desk from ever receiving them. This may\r\nallow Muddled Libra to more surgically pick and choose which targets to go after within a victim environment.\r\nhttps://unit42.paloaltonetworks.com/why-the-focus-on-muddled-libra/\r\nPage 1 of 2\n\nSeeing the success of this language fluency and these social engineering tactics makes me wonder what will\r\nhappen as AI capabilities continue to mature. Could we see every RaaS affiliate gain the capability to act like\r\nMuddled Libra?\r\nStudying the Group Is Key to Defending Against It\r\nAs described in our Muddled Libra Threat Assessment, we’ve seen organizations disrupt Muddled Libra through\r\nproperly implementing Conditional Access Policies. There are many other recommendations that can make a\r\ndifference in stopping or slowing this threat actor. For example, gathering information that can point to suspicious\r\nactivities and intelligently making connections with it (with capabilities such as those of Cortex XSIAM) can help\r\nidentify incidents that need a response.\r\nFocused study of Muddled Libra and sharing information around it helps us all stay aware of the sorts of defenses\r\nthat could make a difference against this threat actor and many others. Knowing what’s worked for organizations\r\nthat have successfully stopped the group can show all organizations that there is hope for defense, even against\r\npersistent and successful threat actors.\r\nSource: https://unit42.paloaltonetworks.com/why-the-focus-on-muddled-libra/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/why-the-focus-on-muddled-libra/"
	],
	"report_names": [
		"why-the-focus-on-muddled-libra"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775791851,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f7bc9357dbe5012447ace13319afd851ca82e99.pdf",
		"text": "https://archive.orkl.eu/5f7bc9357dbe5012447ace13319afd851ca82e99.txt",
		"img": "https://archive.orkl.eu/5f7bc9357dbe5012447ace13319afd851ca82e99.jpg"
	}
}