2025-05-29

Attack Chain Evolution Reveals Muddled Libra’s Continuous Refinement of its Capabilities

Level: Tactical | Source: Unit 42

Unit 42 has updated its threat actor profile for Muddled Libra, a rapidly evolving cybercrime group active since 2023 and still operating in 2025. Building on tradecraft developed during earlier campaigns tied to the broader Scattered Spider collective, Muddled Libra has continued to carry out high-impact operations across multiple industries. Originally noted for targeting BPO providers and cryptocurrency platforms, the group has since expanded into the hospitality, retail, and financial sectors as its highest-impact verticals. However, Unit 42 warns that "favored industries and organizations can shift on a whim." The group specializes in coordinated intrusions using social engineering and insider knowledge, and has even been observed leveraging AI-generated voice models to impersonate victims. Unit 42 notes, "Attackers in this group specialize in specific skill sets and work together to hone those skills to eventually sell or use in cyberattacks." Their adaptability, revising tradecraft and toolkits according to what proves effective, continues to signal the severity of this threat.

Muddled Libra’s attack tactics have evolved from smishing and credential phishing to more aggressive and effective help desk impersonation campaigns. According to Unit 42, the group meticulously profiles its targets, collecting employee names, job roles, and contact details through open-source intelligence or previous breaches. This detailed reconnaissance enables attackers to convince IT help desks to reset passwords and MFA for targeted accounts. Once inside, their dwell time is short, and their objective is clear: "maximum disruption" and data extortion. Their campaigns now favor the "encrypt and extort" model, shifting from earlier emphasis on silent data theft and long-term persistence. The pace of execution has increased as well, with Unit 42 emphasizing "minimal time from initial access to action on objective."

A high-level attack chain observed by Unit 42 shows that initial access is typically gained through social engineering of help desk staff. The pivot to this technique, away from earlier SIM-swapping tactics, is likely a response to organizations phasing out SMS-based MFA. Following initial access, attackers deploy multiple remote monitoring and management (RMM) tools to maintain persistence. Defense evasion techniques include tampering with endpoint detection, using residential proxy services, and manipulating Active Directory accounts. Credential access is achieved via MFA bombing, Mimikatz, and memory capture and analysis tools such as MAGNET RAM Capture and Volatility. Discovery involves mapping environments with ADRecon, network scanners, and enterprise systems management tools to identify key assets.

Execution and lateral movement are enabled using utilities such as PsExec, Impacket, and RDP. Muddled Libra has deployed ransomware strains including BlackCat/ALPHV and has more recently aligned with DragonForce, reflecting its ongoing affiliation with ransomware-as-a-service operations. The group searches repositories like Jira, Confluence, and internal messaging platforms to collect sensitive data, which is exfiltrated via SSH tunnels, file transfer agents, or public file-sharing platforms. Collection efforts are methodical, targeting credentials, intellectual property, and operational data for use in extortion. Unit 42 reports that stolen data is typically archived using tools like WinRAR or PeaZip before being uploaded to attacker-controlled infrastructure.

Muddled Libra’s toolkit reflects broad familiarity with both offensive security frameworks and enterprise IT environments. In addition to RMM tools like AnyDesk, Zoho Assist, and TeamViewer, Unit 42 has observed the group using VMware administration tools and forensic utilities such as MAGNET RAM Capture and Volatility. Of particular concern, Unit 42 warns that the group "demonstrated a strong understanding of the modern incident response (IR) framework. This knowledge allows them to continue progressing toward their goals even as incident responders attempt to expel them from an environment. Once established, this threat group is difficult to eradicate. Unit 42 has observed them joining IR war rooms and creating rules within email security platforms to intercept and redirect incident response-related communication." Effective defense against Muddled Libra requires strong credential hygiene, controls on anonymization service usage, and robust user awareness, particularly for frontline support teams. While their tools are not novel, the group’s ability to integrate and adapt them with speed and precision continues to pose a major risk to enterprise environments.
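As an added illustration (not code from the Unit 42 report or from Anvilogic), the two correlations a defender would most want to run against the chain described above: a help-desk MFA reset followed within a day by an RMM tool starting under the same account, and a new inbox rule that redirects mail about incident response. The event schema, the keyword lists and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, not from the report): one account gets a
# help-desk MFA reset, then starts AnyDesk and creates a rule redirecting IR-related mail.
EVENTS = [
    {"ts": "2025-05-20T09:02:00", "type": "helpdesk_mfa_reset", "user": "jdoe",
     "detail": "reset by ticket 4417"},
    {"ts": "2025-05-20T09:40:00", "type": "process_start", "user": "jdoe",
     "detail": "AnyDesk.exe"},
    {"ts": "2025-05-20T10:05:00", "type": "mailbox_rule_created", "user": "jdoe",
     "detail": "subject contains 'incident' -> redirect to jdoe.backup@example.net"},
    {"ts": "2025-05-21T14:00:00", "type": "helpdesk_mfa_reset", "user": "asmith",
     "detail": "reset by ticket 4420"},
    {"ts": "2025-05-23T08:00:00", "type": "process_start", "user": "asmith",
     "detail": "teamviewer.exe"},  # outside the 24h window, so not correlated
    {"ts": "2025-05-21T11:00:00", "type": "mailbox_rule_created", "user": "bob",
     "detail": "subject contains 'invoice' -> move to Archive"},  # benign rule
]

# Assumed keyword lists; extend them with the RMM products and IR vocabulary used locally.
RMM_KEYWORDS = ("anydesk", "teamviewer", "zoho")
IR_KEYWORDS = ("incident", "breach", "war room", "forensic", "compromise")


def _parse(ts):
    return datetime.fromisoformat(ts)


def reset_followed_by_rmm(events, window=timedelta(hours=24)):
    """Return (user, reset_ts, process) for each help-desk MFA reset followed by an RMM start."""
    resets = {}
    for e in events:
        if e["type"] == "helpdesk_mfa_reset":
            resets.setdefault(e["user"], []).append(_parse(e["ts"]))
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "process_start":
            continue
        if not any(k in e["detail"].lower() for k in RMM_KEYWORDS):
            continue
        started = _parse(e["ts"])
        for reset_ts in resets.get(e["user"], []):
            if timedelta(0) <= started - reset_ts <= window:
                hits.append((e["user"], reset_ts.isoformat(), e["detail"]))
    return hits


def ir_intercept_rules(events):
    """Flag inbox rules that forward or redirect mail whose condition names IR activity."""
    hits = []
    for e in events:
        if e["type"] != "mailbox_rule_created":
            continue
        d = e["detail"].lower()
        if any(k in d for k in IR_KEYWORDS) and ("redirect" in d or "forward" in d):
            hits.append((e["user"], e["detail"]))
    return hits
```

Both alerts fire for the same account here, which is the pattern worth escalating: a legitimate help-desk reset rarely comes with a new remote-access tool and a mail-redirect rule in the following hour.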
