{
	"id": "472446a1-e86e-42c3-92e8-37e24818c33e",
	"created_at": "2026-04-06T00:22:17.532952Z",
	"updated_at": "2026-04-10T03:35:53.30247Z",
	"deleted_at": null,
	"sha1_hash": "bd953ccafe556cf1f287d4d65d58e793e147d269",
	"title": "Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 821150,
	"plain_text": "Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful\r\nBy Unit 42\r\nPublished: 2025-07-25 · Archived: 2026-04-05 18:03:16 UTC\r\nExecutive Summary\r\nUnit 42 has tracked and responded to several waves of intrusion operations conducted by the cybercrime group we track as Muddled Libra (aka Scattered Spider, UNC3944) across different sectors in recent months. This article contains observations on Muddled Libra thus far in 2025 based on our incident response insights. We share defensive recommendations that we have seen organizations use successfully against the threat. We also include what’s likely next for this prolific adversary.\r\nMuddled Libra’s recent activity follows a series of international law enforcement operations aimed at disrupting the threat group in mid-to-late 2024, including federal charges levied against five suspected members in November 2024. Since that time, Muddled Libra has returned with enhanced capabilities, evolving its tradecraft to be further-reaching, faster and more impactful.\r\nPalo Alto Networks customers are better protected from the threats described in this article through a modern security architecture built around Cortex XSIAM in concert with Cortex XDR. The Advanced URL Filtering and DNS Security Cloud-Delivered Security Services can help protect against command and control (C2) infrastructure, while App-ID can limit anonymization services allowed to connect to the network.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nMuddled Libra Threat Overview\r\nAs documented in prior Unit 42 publications on Muddled Libra, this group is highly adept at using various social engineering tactics (e.g., smishing, vishing) to gain initial access to targeted organizations. These activities can include targeting call centers operated by victims, as well as those outsourced to third-party firms (e.g., BPOs, MSPs), expanding the group's range of potential targets.\r\nAttackers from Muddled Libra have become experts at exploiting human psychology via impersonating employees to attempt password and multi-factor authentication (MFA) resets. Figure 1 below further illustrates the composition of Muddled Libra in terms of their demographics, tradecraft, victim targeting and actions on objectives.\r\nhttps://unit42.paloaltonetworks.com/muddled-libra/#post-128741-_rfqbe8ejs15o\r\nPage 1 of 8\r\nFigure 1. Muddled Libra threat profile.\r\nWhile their tradecraft has evolved over time, Muddled Libra continues to minimize the use of malware throughout the attack chain. Whenever possible, they prefer to use a victim’s own assets against them.\r\nVictimology Timeline: Further-Reaching\r\nIn 2025, we have observed Muddled Libra intrusion activity in the government, retail, insurance and aviation sectors as shown below in Figure 2. This group has demonstrated a pattern of targeting multiple organizations within the same sector in a relatively short period of time. However, attackers do not strictly follow this pattern and have simultaneously targeted organizations operating in different sectors.\r\nFigure 2. Timeline of Muddled Libra sector targeting in 2025.\r\nMuddled Libra’s Game Plan: Faster\r\nIn 2025 cases thus far, the shift away from smishing and phishing to more direct human interaction, as well as adoption of the ransomware-as-a-service (RaaS) playbook, has drastically shortened the time this actor is in an environment. The average time from initial access to containment was 1 day, 8 hours and 43 minutes.\r\nSince at least April 2025, the group has partnered with the DragonForce RaaS program, operated by the group we track as Slippery Scorpius, to extort victims. In one case, we observed attackers exfiltrating over 100 GB of data during a two-day period, with encryption via DragonForce ransomware deployment.\r\nFigure 3 below illustrates how the group was able to pivot from initial access via social engineering a helpdesk employee, to escalating privileges, to domain administrator rights in about 40 minutes, as previously noted in our 2025 Global Incident Response Report.\r\nFigure 3. Speed of Muddled Libra intrusion from initial access to domain admin.\r\nEvolution of Muddled Libra: More Impactful\r\nFigure 4 illustrates changes we have observed in Muddled Libra’s tradecraft that help make the group more impactful.\r\nFigure 4. Muddled Libra tradecraft evolution.\r\nSome of our notable observations are detailed in the sections below.\r\nInitial access\r\n(T1566.004)\r\nShift to voice-based phishing (aka vishing) as a primary social engineering technique to manipulate IT help desk personnel into resetting credentials and MFA for staff that attackers are attempting to impersonate; over 70% of the numbers used by this group in 2025 leveraged Google Voice as a Voice Over Internet Protocol (VoIP) service.\r\nAs an example, Muddled Libra typically calls into an organization’s help desk pretending to be a user that has lost access to their MFA device. By preying on help desk associates' natural tendency to want to be helpful, the threat actors manipulate them into bypassing organizational authentication controls and resetting both an end user’s credentials and MFA method. Another example involves calling a victim directly while claiming to be from the organization’s help desk. In this case, the threat actors manipulate the victim into launching or downloading remote management software and then proceed with the attack from the victim’s desktop.\r\nPersistence and Lateral Movement\r\nUsing various remote monitoring and management (RMM) tools that enable re-entry if the threat actors are discovered. Frequent targeting of existing systems management tools and even endpoint detection and response (EDR) platforms, in addition to hypervisors and cloud management tools.\r\nCredential Access\r\n(T1003.003, T1555.005)\r\nDumping credentials from password vaults and from NTDS.dit to achieve compromise of the full enterprise password store and of Active Directory, respectively.\r\nCollection\r\n(T1114.002, T1213.002)\r\nAccessing victim Microsoft 365 and SharePoint instances as a means of conducting internal reconnaissance.\r\nExfiltration\r\n(T1567.002)\r\nTransferring stolen data to cloud storage services, including, in some cases, sending it directly from victims’ environments.\r\nA Tale of Two Victims: Conditional Access Policies\r\nOrganizations using Microsoft Entra ID for cloud-based identity and access management (IAM) can significantly disrupt Muddled Libra intrusions by properly implementing Conditional Access Policies (CAPs).\r\nAs part of Muddled Libra threat activity, we’ve seen a significant difference in organizations’ ability to slow down attackers post-intrusion and enable more effective containment actions when CAPs are in place, limiting overall impact. In scenarios where victims had not implemented CAPs or they were configured improperly, Muddled Libra could accelerate its operational tempo to deploy ransomware (most recently DragonForce) to extort payment.\r\nSome specific examples of CAPs that were successful in slowing down Muddled Libra include:\r\nA CAP that prevents unmanaged devices from accessing sensitive resources\r\nA CAP that enforces employees being on-premises to set up MFA\r\nA CAP that blocks authenticators based on geographic locations (e.g., countries)\r\nA CAP that requires MFA to access virtual desktop infrastructure (VDI) and/or virtual private networks (VPN)\r\nLooking Ahead\r\nBased on recent and historical observations of Muddled Libra, we assess with high confidence that this group will continue to play to its strengths in terms of social engineering activities. The group will also continue misusing overly permissive identities within targeted organizations to accomplish its mission objectives.\r\nAdditionally, the group is likely to persist in its cloud-first mindset. This means that its prior success in exploiting access within cloud platforms will embolden this trend going forward, especially because many organizations lack proper visibility and necessary controls to monitor and protect these environments.\r\nFurthermore, given Muddled Libra’s success in partnering with various RaaS programs, it is unlikely to deviate from this path. These RaaS programs include:\r\nAkira (Howling Scorpius)\r\nALPHV (Ambitious Scorpius)\r\nDragonForce (Slippery Scorpius)\r\nPlay (Fiddling Scorpius)\r\nQilin (Spikey Scorpius)\r\nRansomHub (Spoiled Scorpius)\r\nMembers of this group will likely continue to extort victims and monetize their intrusion operations, as this provides a streamlined process to conduct and profit from such attacks.\r\nFinally, we expect that public and private sector information-sharing concerning Muddled Libra will continue to provide organizations with early indications of intrusion activity. This will help disrupt the group's operations. International law enforcement operations, such as the recent arrests of four individuals connected to the cyberattacks against three UK-based retailers, will hopefully act as a form of deterrence. It should also remind similar cybercrime syndicates that there are consequences for their actions. At its core, cybersecurity is a team sport and we must work collectively to gain a proactive operational advantage against this ever-evolving adversary.\r\nRecommendations\r\nWe have a list of prevention, detection and containment measures that organizations should strongly consider implementing to address the evolving threat presented by Muddled Libra. Figure 5 below provides a macro view of these recommendations, with more descriptive measures listed thereafter.\r\nFigure 5. Effective controls to defend against Muddled Libra.\r\nPrevention:\r\nProvide tailored, intelligence-driven user awareness training, especially for IT support desk personnel to be able to identify potential social engineering (vishing) attempts\r\nImplement rigorous procedures for resetting account credentials and MFA, including some form of verification such as video identification or supervisor validation\r\nImplement MFA (non-SMS) and conditional access policies, especially on any remote access portals\r\nStrictly enforce the principle of least privilege\r\nBlock network traffic by App-ID to file-sharing sites and those providing access to unapproved RMM tools\r\nDetection:\r\nIdentify changes to enterprise IAM infrastructure, such as newly enrolled and connected devices\r\nDevelop robust logging and monitoring capabilities in cloud environments\r\nDevelop logging of and be able to identify suspicious call center activities\r\nContainment:\r\nSegment and restrict access to virtual resources, including VMs, ESXi hosts and vCenter servers\r\nImplement out-of-band communication channels in case an adversary is able to compromise traditional mediums (e.g., Slack, Teams)\r\nImplement a comprehensive incident response plan and strongly consider having an active retainer in place for third-party incident response support\r\nConclusion\r\nThe new era of Muddled Libra has arrived, and activity from this group continues to proliferate.\r\nPalo Alto Networks customers are better protected from the threats described in this article through a modern security architecture built around Cortex XSIAM in concert with Cortex XDR. The Advanced URL Filtering and DNS Security Cloud-Delivered Security Services can help protect against command and control (C2) infrastructure, while App-ID can limit anonymization services allowed to connect to the network.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nAdditional References\r\nThreat Briefing: A Deep Dive Into Muddled Libra - Unit 42, Palo Alto Networks\r\nThreat Group Assessment: Muddled Libra - Unit 42, Palo Alto Networks\r\n2025 Global Incident Response Report - Unit 42, Palo Alto Networks\r\nMuddled Libra Discussion With Unit 42 Senior Consultant Stephanie Regan - Threat Vector Podcast, Unit 42 on CyberWire Daily\r\nExposing Muddled Libra's Meticulous Tactics With Unit 42 Senior Researcher Kristopher Russo - Threat Vector Podcast, Unit 42 on CyberWire Daily\r\nMuddled Libra's Evolution to the Cloud - Unit 42, Palo Alto Networks\r\nScattered Spider - Cybersecurity Advisory, Critical Infrastructure Security and Resilience (CISA)\r\nSource: https://unit42.paloaltonetworks.com/muddled-libra/#post-128741-_rfqbe8ejs15o",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/muddled-libra/#post-128741-_rfqbe8ejs15o"
	],
	"report_names": [
		"#post-128741-_rfqbe8ejs15o"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9afb532d-6183-46ed-a638-595c9e49056b",
			"created_at": "2024-06-19T02:03:08.032166Z",
			"updated_at": "2026-04-10T02:00:03.700322Z",
			"deleted_at": null,
			"main_name": "GOLD ENCORE",
			"aliases": [
				"Balloonfly ",
				"Fiddling Scorpius "
			],
			"source_name": "Secureworks:GOLD ENCORE",
			"tools": [
				"ADFind",
				"Bloodhound",
				"Cobalt Strike",
				"GMER",
				"Grixba",
				"Mimikatz",
				"Nekto",
				"Play",
				"Plink",
				"PowerTool",
				"Process Hacker",
				"PsExec",
				"SystemBC",
				"WinRAR",
				"WinSCP",
				"Winpeas"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd953ccafe556cf1f287d4d65d58e793e147d269.pdf",
		"text": "https://archive.orkl.eu/bd953ccafe556cf1f287d4d65d58e793e147d269.txt",
		"img": "https://archive.orkl.eu/bd953ccafe556cf1f287d4d65d58e793e147d269.jpg"
	}
}