{
	"id": "e9b3ae66-db3f-41b6-9313-5e2f0238a98f",
	"created_at": "2026-04-06T00:15:19.336826Z",
	"updated_at": "2026-04-10T03:31:49.912468Z",
	"deleted_at": null,
	"sha1_hash": "f9b3cde51cf6ee6b4323673207e4e6c414cb95f7",
	"title": "Muddled Libra’s Strike Teams: Amalgamated Evil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173144,
	"plain_text": "Muddled Libra’s Strike Teams: Amalgamated Evil\r\nBy Kristopher Russo\r\nPublished: 2025-08-12 · Archived: 2026-04-05 17:24:55 UTC\r\nMany From One\r\nIt’s disingenuous to consider Muddled Libra like a traditional monolithic attack group, one with defined structure\r\nand clear lines of leadership. Muddled Libra, Scattered Spider, Octo Tempest or any of the many other names the\r\ngroup is labeled with is not an organized entity but a loose collaboration of like-minded cybercriminals, or\r\npersonas, with common interests tethered by social chat applications.\r\nInterrelated Strike Teams\r\nMuddled Libra personas converge into strike teams, each with their own unique skillsets, tradecraft and objectives\r\nin tow. Since late 2022, Unit 42 has tracked at least seven distinct teams. Though in reality distinction means very\r\nlittle as personas enter, exit and flow from team to team. Instead, what defines a team is the combination of what\r\nthey're after and the unique ways in which they go after it.\r\nWhile the fluidity of this model complicates tracking, it also creates unique opportunities for threat researchers.\r\nUnlike the homogeneous, mostly faceless operations of traditional cybercrime groups, members of these small\r\nteams inherently leave their fingerprints on each attack; distinct fingerprints that become signature tradecraft.\r\nOver time successful tradecraft is shared, learned and incorporated by other personas into their own fingerprints.\r\nBy studying incident response engagements, threat intelligence researchers can walk this development back and\r\nbegin profiling personas and their interdependent relationships. This allows the creation of predictive models,\r\nultimately leading to effective controls and mitigations against future attacks.\r\nTheory in Practice\r\nIn the teams we track related to this attack cluster, we find patterns not only in tradecraft but also objective. 
That is\r\nnot to say these teams’ tradecraft and objectives remain static, but that they tend to evolve in a predictable way\r\nthat indicates relatively consistent and known personas.\r\nMost early teams were hyper-focused on cryptocurrency theft and have never wavered, while others started out\r\nwith cryptocurrency in mind but shifted to less complex and more volume-friendly objectives. The supply chain\r\nfor the cryptocurrency industry is far-reaching and includes business process outsourcing, mass marketing,\r\ntelecommunications, authentication providers and many other verticals. Many organizations in these industries\r\nhave essentially been collateral damage along the way as strike teams identified and hunted cryptocurrency\r\n“whales” – large, valuable targets.\r\nhttps://unit42.paloaltonetworks.com/muddled-libras-strike-teams/\r\nPage 1 of 3\n\nWith each success, teams have learned, matured and multiplied. New personas enter the fray and others are\r\narrested or fade away. Attack teams have expanded far from cryptocurrency and into a staggering breadth of\r\nindustries.\r\nThere are strike teams focused on stealing unique intellectual property for bragging rights that have\r\ntargeted media and software development firms.\r\nExtortion-oriented teams use common ransomware-as-a-service affiliate playbooks with widespread asset\r\ndestruction and encryption. These teams typically target organizations in high-availability verticals like\r\nretail and entertainment.\r\nSome teams simply aim to harvest credentials directly from consumers that can be quickly flipped on the\r\ndark web; low-complexity attacks like these frequently target individuals.\r\nA few teams are engaging in mass information harvesting. Valuable personal data is stolen that can later be\r\nstitched together to invasively profile high-value targets. 
Attackers focus on organizations that have unique\r\nand highly private data like those in the financial, retail and transportation industries.\r\nFigure 1. Seven teams associated with Muddled Libra and the differences in their targeting.\r\nThe fluid nature of Muddled Libra attack teams makes it a fool’s errand to predict what industry will be targeted\r\nnext. Instead, defenders should focus on what they have that the group is likely to be after and who might be\r\nimpacted.\r\nFor example, consider data theft or direct extortion and work backward from there. If your organization has troves\r\nof personal data, take a deep look at how to classify and protect it appropriately based on its value. Restrictive\r\naccess control, data retention policies, data loss prevention and segmentation all go a long way toward ensuring\r\nyour data is not used as a weapon against you.\r\nExtortionists typically threaten to leak stolen data, disrupt critical business operations, or both. Effective business\r\ncontinuity and disaster recovery planning can help shield key business assets from destruction or ransomware.\r\nIf your organization is consumer facing, consider how you can better authenticate your customers and protect\r\nthem from having their credentials compromised and used against them.\r\nStrike teams will continue to form, developing new techniques and branching into new industries. Don’t lose sight\r\nof the forest (a broader goal of a robust security program based on risk and defense-in-depth strategies) for the\r\nsake of analyzing the trees (the specific tactics, techniques and procedures or targets currently popular with\r\nindividual Muddled Libra strike teams).\r\nIf your organization could benefit from assistance evaluating your readiness, consider reaching out for a Cyber\r\nRisk Assessment or other proactive services from Unit 42.\r\nUpdated on Aug. 28, 2025, at 2:34 p.m. 
PT to add missing data to Figure 1.\r\nSource: https://unit42.paloaltonetworks.com/muddled-libras-strike-teams/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/muddled-libras-strike-teams/"
	],
	"report_names": [
		"muddled-libras-strike-teams"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest",
				"Roasted 0ktapus",
				"Scatter Swine",
				"Scattered Spider",
				"UNC3944"
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434519,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9b3cde51cf6ee6b4323673207e4e6c414cb95f7.pdf",
		"text": "https://archive.orkl.eu/f9b3cde51cf6ee6b4323673207e4e6c414cb95f7.txt",
		"img": "https://archive.orkl.eu/f9b3cde51cf6ee6b4323673207e4e6c414cb95f7.jpg"
	}
}