A reinvigorated Muddled Libra, also known as Scattered Spider and UNC3944, has reemerged with evolved tactics, broader reach, and accelerated operations across key sectors worldwide in 2025. Following a string of arrests in late 2024, Unit 42 reports show the threat group is now more destructive and efficient than ever, targeting government, retail, insurance, and aviation entities.
Muddled Libra resumed operations post-November 2024 after federal indictments of five members. Since early 2025, the group has upgraded its social engineering tactics and leaned into ransomware-as-a-service (RaaS) alliances. Partnering with DragonForce, a RaaS program operated by Slippery Scorpius, they’ve encrypted victims’ systems and extorted payments.
Tactical Shifts in Social Engineering
The group has largely moved from phishing to vishing (T1566.004). Over 70% of contact attempts in 2025 leveraged Google Voice as their VoIP method. Help desks are a frequent target, with attackers impersonating users to manipulate support staff into resetting credentials and MFA setups.
They also use pretexts like system issues or lost devices to persuade victims to download remote management software. Once inside, the attackers move quickly, exploiting existing IT tools and even endpoint security platforms.
Speed: From Access to Domain Admin in 40 Minutes
According to Unit 42’s 2025 Global Incident Response Report, attackers gained full domain admin rights within 40 minutes after initial helpdesk social engineering in one case. Average containment time was 1 day, 8 hours, 43 minutes.
Sector Targeting Timeline (Jan-July 2025)
- Jan-Mar: Government
- Apr-Jul: Retail, Insurance, Aviation
Attackers don’t strictly sequence these campaigns and have demonstrated parallel sectoral targeting, increasing unpredictability.
Credential and Lateral Movement Techniques
- Credential Dumping: NTDS.dit dumps to gain full AD credentials (T1003.003, T1555.005)
- Reconnaissance: Microsoft 365 and SharePoint usage (T1114.002, T1213.002)
- Persistence: Remote monitoring tools and cloud management platforms
- Exfiltration: Cloud-based transfer (T1567.002)
MFA Bypass and Conditional Access Failures
Muddled Libra’s effectiveness is tied to misconfigured or absent Conditional Access Policies (CAPs). When implemented correctly (e.g., geo-blocking, on-prem requirements), CAPs drastically slow intrusions.
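To make the CAP point concrete, the following is an added example (not Unit 42's or Microsoft's code) that audits a set of Conditional Access policies for the gaps described above. The policy objects follow the Microsoft Graph conditionalAccessPolicy shape; the named-location id is a placeholder, "on-prem requirements" is interpreted here as requiring a compliant (managed) device alongside MFA, and the weak/hardened tenants are constructed for illustration.

```python
"""Audit Conditional Access policies for the gaps Muddled Libra exploits:
a geo-block left in report-only mode and MFA without any device requirement.
Added example; policy dicts use the Microsoft Graph conditionalAccessPolicy shape."""

ALLOWED_COUNTRIES_LOCATION_ID = "<named-location-id>"  # placeholder: a countryNamedLocation you created

# Weak tenant (constructed): the geo-block exists but only in report-only mode,
# and the MFA policy has no device control, so a vished MFA reset is enough.
WEAK_TENANT = [
    {
        "displayName": "Block sign-ins outside allowed countries",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [ALLOWED_COUNTRIES_LOCATION_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Hardened tenant (constructed): geo-block enforced, and every sign-in needs
# MFA AND a compliant device, so stolen credentials plus a re-enrolled MFA
# method from an unmanaged laptop are still blocked.
HARDENED_TENANT = [
    dict(WEAK_TENANT[0], state="enabled"),
    {
        "displayName": "Require MFA and compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
]


def _enforced_for_all(policy):
    """True when the policy is enabled (not report-only) and scoped to all users and apps."""
    conds = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and "All" in conds.get("users", {}).get("includeUsers", [])
            and "All" in conds.get("applications", {}).get("includeApplications", []))


def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def _requires_device(policy):
    """compliantDevice only counts as required if it is the sole control or ANDed with the rest."""
    controls = _controls(policy)
    operator = policy.get("grantControls", {}).get("operator")
    return "compliantDevice" in controls and (len(controls) == 1 or operator == "AND")


def audit(policies):
    """Return a list of gap descriptions; an empty list means all checked controls are enforced."""
    gaps = []
    if not any(_enforced_for_all(p) and "block" in _controls(p)
               and p["conditions"].get("locations", {}).get("excludeLocations")
               for p in policies):
        gaps.append("no enforced geo-block (location-based block missing or report-only)")
    if not any(_enforced_for_all(p) and "mfa" in _controls(p) for p in policies):
        gaps.append("no enforced MFA requirement for all users")
    if not any(_enforced_for_all(p) and _requires_device(p) for p in policies):
        gaps.append("no policy requiring a compliant/managed device")
    return gaps


if __name__ == "__main__":
    for name, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(name, audit(tenant) or "no gaps")
```

In a real tenant the policy list would come from the Graph endpoint for conditional access policies; the audit logic is the same. Note that the report-only state counts as a gap on purpose: a policy that merely reports does nothing to slow an intrusion that is already past the help desk.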
Expert Commentary
“Muddled Libra’s preference for living-off-the-land techniques and minimal malware use makes them uniquely difficult to detect,” said Jen Miller-Osborn, Deputy Director of Threat Intelligence at Unit 42.
“Organizations that rely solely on endpoint detection without rigorous identity access control are now high-risk targets,” noted Ryan Olson, VP of Threat Intelligence at Palo Alto Networks.
Actionable Takeaways for Defenders
- Implement robust CAPs using Microsoft Entra ID: geo-blocking, device management, and on-prem MFA setups.
- Harden helpdesk operations with strict identity verification protocols and vishing-awareness training.
- Deploy DNS and URL filtering to detect and disrupt command-and-control (C2) infrastructure.
- Monitor usage of remote admin tools (e.g., AnyDesk, TeamViewer) and restrict unless explicitly needed.
- Log and audit identity management events, especially password resets and MFA changes.
- Secure Microsoft 365 and SharePoint instances with anomaly-based monitoring.
- Run red-team simulations focused on social engineering and identity compromise.
- Segment cloud access and virtual infrastructure to contain intrusions.
- Adopt a zero-trust architecture that limits lateral movement.
- Engage in public-private threat intel sharing to spot early indicators of compromise (IOCs).
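The logging and auditing item above is the one most directly tied to the help-desk pattern, so here is an added example (not from Unit 42 or the page) of the correlation a detection engineer would run over identity events: a help-desk password reset followed within a short window by a new MFA method on the same account, escalated when a sign-in from a country outside the user's baseline follows. The event format and sample log below are constructed and only loosely modelled on Entra ID audit and sign-in logs; the field names are assumptions.

```python
"""Correlate identity-management events to flag the reset-then-MFA-change pattern.
Added example; the event schema and sample data are constructed, not a real log format."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # a reset and an MFA change this close together warrants review


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str       # "password_reset" | "mfa_method_added" | "signin"
    actor: str        # account that performed the action
    target: str       # account affected by the action
    country: str = ""  # sign-in origin; only set for "signin" events


# Constructed sample log: alice is a benign reset (MFA change hours later);
# bob matches the intrusion pattern (MFA re-enrolled minutes after the reset,
# then a sign-in from an unfamiliar country).
SAMPLE = [
    Event(datetime(2025, 6, 3, 9, 0), "password_reset", "helpdesk@corp.example", "alice@corp.example"),
    Event(datetime(2025, 6, 3, 14, 30), "mfa_method_added", "alice@corp.example", "alice@corp.example"),
    Event(datetime(2025, 6, 3, 10, 5), "password_reset", "helpdesk@corp.example", "bob@corp.example"),
    Event(datetime(2025, 6, 3, 10, 19), "mfa_method_added", "bob@corp.example", "bob@corp.example"),
    Event(datetime(2025, 6, 3, 10, 40), "signin", "bob@corp.example", "bob@corp.example", country="XX"),
]

# Constructed baseline: countries each user normally signs in from.
BASELINE_COUNTRY = {"alice@corp.example": {"US"}, "bob@corp.example": {"US"}}


def correlate(events, window=WINDOW, baseline=BASELINE_COUNTRY):
    """Return one alert per password reset that is followed, within `window`, by an
    MFA method registration on the same account. Severity is raised to "high" when a
    sign-in from outside the user's baseline countries also falls inside the window."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for reset in (e for e in events if e.action == "password_reset"):
        later = [e for e in events
                 if e.target == reset.target and reset.ts < e.ts <= reset.ts + window]
        mfa = [e for e in later if e.action == "mfa_method_added"]
        if not mfa:
            continue  # reset without a quick MFA change: normal help-desk traffic
        foreign = [e for e in later if e.action == "signin"
                   and e.country not in baseline.get(e.target, set())]
        alerts.append({
            "user": reset.target,
            "reset_by": reset.actor,
            "minutes_to_mfa_change": int((mfa[0].ts - reset.ts).total_seconds() // 60),
            "new_country_signin": bool(foreign),
            "severity": "high" if foreign else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Tuning note: the two-hour window is a starting point, not a measured value; the 40-minute access-to-domain-admin figure cited above argues for alerting on the medium-severity case as well, since waiting for the foreign sign-in may already be too late.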
Conclusion
Muddled Libra has returned with sharper tactics and broader ambitions in 2025. Their evolution underscores the growing sophistication of socially engineered attacks. As this group continues to exploit identity gaps and bypass traditional defenses, organizations must pivot from reactive defenses to proactive, policy-driven security models. A coordinated defense across sectors, powered by threat intelligence and robust access control, remains the most effective deterrent.
Sources
- Muddled Libra Threat Assessment (Unit 42, 3 June 2025)
- 2025 Global Incident Response Report (Palo Alto Networks)
For more cybersecurity news, alerts, and best practices, visit CyberCory. To strengthen your security, training, or pentesting capabilities, explore services from SaintyNet.