Explore the tools Unit 42 found on a Muddled Libra rogue host. Learn how they target domain controllers and use search engines to aid their attacks.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 analyzed a rogue VM created by Muddled Libra (Scattered Spider) during a September 2025 incident. The cybercrime group gained unauthorized VMware vSphere access, created a VM to avoid endpoint detection, and used it as a beachhead for reconnaissance and data theft. Attackers downloaded stolen certificates, established SSH tunnels via Chisel, powered down domain controllers to extract NTDS.dit files, enumerated Active Directory with ADRecon, and attempted data exfiltration through multiple file-sharing sites. They leveraged legitimate tools (PsExec, ADExplorer, S3 Browser) and searched web engines to troubleshoot blocked exfiltration paths. The analysis reveals their operational playbook: minimal malware use, living-off-the-land techniques, social engineering for initial access, and exploitation of legitimate infrastructure for persistence and lateral movement.

A Peek Into Muddled Libra’s Operational Playbook