Rogue VM Linked to Muddled Libra in VMware vSphere Attack, Revealing Key TTPs

In a September 2025 incident response case, investigators found a rogue virtual machine inside a VMware vSphere environment and tied it with high confidence to Muddled Libra, also tracked as Scattered Spider and UNC3944.

The VM acted as a quiet staging host, giving the intruders a place to recon the network, pull down tools, and move toward data theft; it also showed how a single VM, operating in plain sight, can become a bridge between identity systems and cloud services during an intrusion.

The group is known for social engineering such as smishing and vishing, and for impersonating employees to push help desks into password or multi-factor resets.

Muddled Libra threat profile (Source - Palo Alto Networks)

It also tends to avoid heavy malware, leaning on legitimate admin utilities and the victim’s own infrastructure to blend in.

Palo Alto researchers identified attackers accessed vSphere about two hours after initial access and created a new VM…
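A defender-side check for the behaviour described above, written as an added example rather than code from the article or from Palo Alto Networks: it scans vCenter event records for VM creation shortly after a user's first vSphere login, by an account outside the approved set, or for a VM name the CMDB does not know. The event type names are real vSphere event types; the sample events, the approved-creator set and the CMDB list are constructed here.

```python
from datetime import datetime, timedelta

# Constructed sample of vCenter events (not real incident data), shaped like
# the records a vSphere event collector returns: type, time, user, vm name.
SAMPLE_EVENTS = [
    {"type": "UserLoginSessionEvent", "time": "2025-09-10T14:02:00", "user": "CORP\\j.doe", "vm": None},
    {"type": "VmCreatedEvent", "time": "2025-09-10T15:55:00", "user": "CORP\\j.doe", "vm": "win10-tmp"},
    {"type": "UserLoginSessionEvent", "time": "2025-09-09T08:00:00", "user": "CORP\\vmops", "vm": None},
    {"type": "VmDeployedEvent", "time": "2025-09-10T09:30:00", "user": "CORP\\vmops", "vm": "app-web-07"},
]

# Hypothetical organisational ground truth: accounts allowed to create VMs
# and the VM names the CMDB knows about.
APPROVED_CREATORS = {"CORP\\vmops"}
CMDB_VMS = {"app-web-07", "app-db-01"}

# vSphere event types that bring a new VM into the inventory.
CREATION_EVENTS = {"VmCreatedEvent", "VmRegisteredEvent", "VmDeployedEvent", "VmClonedEvent"}


def find_rogue_vms(events, approved_creators, known_vms, window=timedelta(hours=4)):
    """Return (vm, user, reasons) for VM creation events that look suspicious."""
    # Earliest vSphere login seen per account, so "new login then new VM" stands out.
    first_login = {}
    for e in events:
        if e["type"] == "UserLoginSessionEvent":
            t = datetime.fromisoformat(e["time"])
            first_login[e["user"]] = min(t, first_login.get(e["user"], t))

    findings = []
    for e in sorted(events, key=lambda x: x["time"]):  # ISO timestamps sort as text
        if e["type"] not in CREATION_EVENTS:
            continue
        reasons = []
        if e["user"] not in approved_creators:
            reasons.append("creator not in approved set")
        if e["vm"] not in known_vms:
            reasons.append("VM absent from CMDB")
        login = first_login.get(e["user"])
        created = datetime.fromisoformat(e["time"])
        # Only flag a creation that follows the login; ignore creations before it.
        if login is not None and timedelta(0) <= created - login <= window:
            reasons.append(f"created {created - login} after first vSphere login")
        if reasons:
            findings.append((e["vm"], e["user"], reasons))
    return findings


if __name__ == "__main__":
    for vm, user, reasons in find_rogue_vms(SAMPLE_EVENTS, APPROVED_CREATORS, CMDB_VMS):
        print(f"{vm} by {user}: {'; '.join(reasons)}")
```

Any one reason is enough to raise a finding; the time-window reason alone mirrors the two-hour gap the article reports, while the other two catch a VM that a legitimate-looking account created but that no change record explains.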