In a September 2025 incident response engagement, investigators uncovered a rogue virtual machine (VM) inside a compromised VMware vSphere environment and attributed the activity with high confidence to Muddled Libra, also tracked as Scattered Spider and UNC3944.
The case highlights how a single, quietly deployed VM can become a powerful staging hub — bridging on-premises identity infrastructure and cloud services while operating largely unnoticed.
According to researchers, the attackers accessed vSphere roughly two hours after their initial compromise and created a new VM named “New Virtual Machine.” Rather than using it for noisy disruption, they treated it as a low-profile operations node.
From that rogue VM, the intruders:
- Conducted internal network reconnaissance
- Downloaded tooling to support follow-on activity
- Pulled stolen certificates
- Forged authentication tickets to expand privileges
The VM effectively served as a pivot point, enabling the threat actors to move laterally and escalate control without immediately triggering alarms.
Muddled Libra is widely known for its aggressive use of social engineering, including:
- Smishing (SMS phishing)
- Vishing (voice phishing)
- Impersonating employees to pressure help desks into resetting passwords or multi-factor authentication (MFA)
This identity-centric intrusion pattern once again underscores the group’s focus on exploiting human processes to gain initial access — then rapidly transitioning into infrastructure-level compromise.
About The Author
