Cybercrime group Muddled Libra (also known as Scattered Spider or UNC3944) targeted VMware vSphere environments, using a rogue virtual machine (VM) as a critical tool in their attack.
This incident, uncovered during a September 2025 investigation, sheds light on the group’s tactics, techniques, and procedures (TTPs), offering a rare glimpse into their operational methods.
Exploiting VMware vSphere
The attack began when Muddled Libra gained unauthorized access to a targeted VMware vSphere environment.
Upon accessing the system, the attackers quickly set up a new VM to evade endpoint security tools. This VM served as a beachhead for further malicious activities, including reconnaissance, lateral movement, and the downloading of attack tools.
The attackers leveraged stolen certificates and established a command-and-control (C2) channel using the Chisel tunneling tool, allowing them to maintain persistence in the environment.
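A defender-side detection sketch for the rogue-VM beachhead described above, added here and not part of the original report: it correlates a VM creation event from an account outside a provisioning allowlist with an outbound connection from that new VM to an external host shortly afterwards (the tunnel-style C2 pattern). The allowlist names, the internal address range, the simplified event and flow field names, and all records are constructed assumptions, not real vCenter or flow-collector output.

```python
import ipaddress
from datetime import datetime, timedelta

APPROVED_PROVISIONERS = {"svc-terraform", "svc-vra"}   # assumed allowlist of provisioning identities
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed corporate address range
CORRELATION_WINDOW = timedelta(hours=2)                  # how soon after creation we look for egress

# Constructed vSphere event records in a simplified schema (field names are assumed).
VSPHERE_EVENTS = [
    {"time": "2025-09-14T02:11:05", "type": "VmCreatedEvent",
     "user": "admin-jdoe", "vm": "win-tmp-01", "ip": "10.20.5.77"},
    {"time": "2025-09-14T09:00:00", "type": "VmCreatedEvent",
     "user": "svc-terraform", "vm": "web-034", "ip": "10.20.7.34"},
    {"time": "2025-09-14T09:05:00", "type": "VmPoweredOnEvent",
     "user": "svc-terraform", "vm": "web-034", "ip": "10.20.7.34"},
]

# Constructed network flow records (simplified): source, destination, destination port.
FLOWS = [
    {"time": "2025-09-14T02:19:40", "src": "10.20.5.77", "dst": "203.0.113.25", "dport": 443},
    {"time": "2025-09-14T09:30:00", "src": "10.20.7.34", "dst": "10.20.1.10", "dport": 443},
    {"time": "2025-09-15T02:19:40", "src": "10.20.5.77", "dst": "203.0.113.25", "dport": 443},  # outside window
]

def _ts(s):
    return datetime.fromisoformat(s)

def is_internal(ip):
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rogue_vm_alerts(events, flows):
    """Return one alert per VM that was created by a non-approved account and
    reached an external host within CORRELATION_WINDOW of its creation."""
    alerts = []
    for ev in events:
        if ev["type"] != "VmCreatedEvent" or ev["user"] in APPROVED_PROVISIONERS:
            continue
        created = _ts(ev["time"])
        external = [
            f for f in flows
            if f["src"] == ev["ip"] and not is_internal(f["dst"])
            and created <= _ts(f["time"]) <= created + CORRELATION_WINDOW
        ]
        if external:
            alerts.append({"vm": ev["vm"], "creator": ev["user"],
                           "external_peers": sorted({f["dst"] for f in external})})
    return alerts

if __name__ == "__main__":
    for a in find_rogue_vm_alerts(VSPHERE_EVENTS, FLOWS):
        print(f"ALERT: VM {a['vm']} created by {a['creator']} reached {a['external_peers']}")
```

In the constructed data only win-tmp-01 trips both conditions; web-034 was created by an approved account and only talked to an internal host, and the later flow from win-tmp-01 falls outside the correlation window.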