Threat Group Assessment: Muddled Libra (Updated May 16, 2025)
Summary:
Unit 42 has observed a resurgence in Muddled Libra activity following a period of dormancy in late 2024. Recent investigations link multiple high-profile intrusions to this group, as well as to its broader collective, Scattered Spider. These newer attacks build upon earlier tactics but incorporate refined tradecraft, underscoring the group’s ongoing evolution. Muddled Libra is part of a loosely organized threat actor ecosystem known by several names, including Octo Tempest and 0ktapus. Originating from online communities on Discord and Telegram, the group has grown into a network of individuals with distinct specialties, often collaborating across various channels ranging from criminal forums to gaming communities.
Over time, Muddled Libra has shifted its focus from SIM-swapping and credential harvesting to more advanced methods such as helpdesk social engineering, data exfiltration, and ransomware-based extortion. Their recent campaigns have involved direct impersonation of helpdesk staff and employees to bypass MFA protections, often using AI-generated voice clones trained on publicly available social media content. Unit 42 has observed that new subgroups, possibly splinters of Muddled Libra, are expanding operations into industries such as retail and hospitality. These emerging threat clusters mix traditional techniques with novel ones and adjust targeting strategies based on opportunity.
Security Officer Comments:
Initial access tactics have notably moved away from smishing and now rely heavily on social engineering directed at IT support teams. Once inside a network, the group deploys legitimate remote access tools to maintain persistence and access CRM platforms to extract sensitive data. They also use virtual environment tools to maximize operational impact. In terms of ransomware activity, Muddled Libra has recently partnered with DragonForce, marking a pivot to extortion-focused operations. This shift continues a trend that began in 2023, when the group briefly affiliated with the ALPHV/BlackCat ransomware program before its disruption by U.S. authorities. Despite this, Muddled Libra has maintained momentum by emphasizing high-impact data theft and extortion campaigns.
Suggested Corrections:
- Implement MFA and single sign-on (SSO) wherever possible – preferably Fast Identity Online (FIDO). In the cases we investigated, Muddled Libra was most successful when they convinced employees to help them bypass MFA. When they could not quickly establish a foothold, they appeared to move on to other targets.
- Defenders should consider implementing security alerting and account lockout on repeated MFA failures.
- Implement comprehensive user awareness training. Muddled Libra is heavily focused on social engineering help desk and other employees via phone and SMS. Employee training on identifying suspicious non-email-based outreach is critical.
- In case of a breach, assume this threat actor knows the modern IR playbook. Consider setting up out-of-band response mechanisms.
- Ensure credential hygiene is up to date. Only grant access when and for as long as necessary.
- Monitoring and managing access to critical defenses and controls is essential to defending against skilled attackers. Rights should be restricted to only what is necessary for each job function.
- Defenders should limit the anonymization services allowed to connect to the network.
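The alerting-and-lockout item above, worked through as an added detection example that is not part of the Unit 42 report or this digest: it counts MFA denials per user in a sliding window, escalates to a lockout verdict at a higher threshold, and separately flags a success that immediately follows a burst of denials. The log format, thresholds and sample log lines are constructed assumptions.

```python
# Added example, not from the Unit 42 report: flag bursts of MFA denials per user in a
# sliding window, per the "alert and lock out on repeated MFA failures" recommendation.
# Log format, thresholds and sample log lines below are all constructed for this demo.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_(?P<result>deny|allow) src=\S+$")
# A success right after a burst of denials outranks a lockout: a fatigued user may
# have approved a push the attacker triggered, so that case is reviewed first.
RANK = {"alert": 1, "lockout": 2, "suspect_success": 3}

def parse(line):
    """Return (timestamp, user, result), or None if the line does not match."""
    m = LOG_RE.match(line)
    return (datetime.fromisoformat(m["ts"]), m["user"], m["result"]) if m else None

def evaluate(lines, alert_after=3, lockout_after=5, window=timedelta(minutes=10)):
    """Map each user to the most severe verdict reached. Lines are assumed to be in
    chronological order per user; users with no finding are omitted from the result."""
    denials = defaultdict(deque)  # user -> timestamps of denials still inside the window
    verdicts = {}
    def escalate(user, verdict):  # keep only the highest-ranked verdict per user
        if RANK[verdict] > RANK.get(verdicts.get(user), 0):
            verdicts[user] = verdict
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, result = rec
        recent = denials[user]
        while recent and ts - recent[0] > window:  # expire denials older than the window
            recent.popleft()
        if result == "deny":
            recent.append(ts)
            if len(recent) >= lockout_after:
                escalate(user, "lockout")
            elif len(recent) >= alert_after:
                escalate(user, "alert")
        elif len(recent) >= alert_after:  # an allow following a burst of denials
            escalate(user, "suspect_success")
    return verdicts

SAMPLE_LOGS = [  # constructed: alice approves after 3 denials, bob 5 denials in 40 s,
    "2025-05-10T09:00:00 user=alice event=mfa_deny src=198.51.100.7",  # carol 2 denials 30 min apart
    "2025-05-10T09:00:40 user=alice event=mfa_deny src=198.51.100.7",
    "2025-05-10T09:01:15 user=alice event=mfa_deny src=198.51.100.7",
    "2025-05-10T09:01:50 user=alice event=mfa_allow src=198.51.100.7",
    "2025-05-10T08:00:00 user=carol event=mfa_deny src=192.0.2.9",
    "2025-05-10T08:30:00 user=carol event=mfa_deny src=192.0.2.9",
] + [f"2025-05-10T09:05:{s:02d} user=bob event=mfa_deny src=203.0.113.4" for s in range(0, 50, 10)]
```

Running `evaluate(SAMPLE_LOGS)` yields a lockout for bob and a suspect-success review for alice, while carol's two widely spaced denials fall outside the window and produce nothing.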
Link(s):
https://unit42.paloaltonetworks.com/muddled-libra/