A Peek Into Muddled Libra’s Operational Playbook
ID: 209bdc27-ffbc-5bb6-a4d0-b2e3ca7c3a96
STIX ID: report--209bdc27-ffbc-5bb6-a4d0-b2e3ca7c3a96
Feed Name: Palo Alto Networks Unit 42
Date Published: 2026-02-10
Date Updated: 2026-04-28
Author: Justin De Luna, Noah Rincon and Cuong Dinh
Unit 42 investigated a September 2025 intrusion by Muddled Libra (Scattered Spider/UNC3944) where the adversary created a rogue VM in the victim's vSphere environment as a beachhead to harvest certificates, create SSH tunnels (Chisel), mount powered-down DC VMDKs to extract NTDS.dit and SYSTEM registry hives, run ADRecon/ADExplorer to map Active Directory, interact with Snowflake data, and attempt exfiltration via S3 and file-sharing services; the report contains detailed TTPs, forensic artifacts and IoCs to aid detection and response.
