Introduction: A Sophisticated Intrusion into Virtualized Environments
A September 2025 investigation into a deeply embedded VMware intrusion revealed a startling evolution in cyberattack methodology, where a threat actor weaponized the very infrastructure designed to support business operations. The incident, attributed with high confidence to the notorious group Muddled Libra, centered on the creation of a rogue virtual machine that served as a clandestine command center. This attack signifies a critical shift, demonstrating how adversaries can turn the core components of a modern data center against their owners.
The clever use of a rogue VM as an internal staging ground and pivot point highlights a new level of sophistication targeting virtualized environments. By blending their activities with legitimate administrative tasks, the attackers operated with stealth and efficiency, challenging conventional security monitoring and incident response playbooks. This event serves as a stark reminder that the security of the virtualization layer is no longer a niche concern but a foundational pillar of enterprise defense.
Profiling the Attacker: Muddled Libra
Muddled Libra, also tracked by the cybersecurity community as Scattered Spider and UNC3944, has carved out a reputation for targeting large, high-value organizations with a unique blend of social engineering and technical acumen. The group’s operational history is marked by a consistent preference for gaining initial access through human manipulation rather than purely technical exploits.
Their initial foothold is often secured through deceptive tactics like smishing and vishing, where they impersonate employees to trick IT help desks into granting them credentials or remote access. This human-centric approach allows them to bypass many automated security controls, landing them directly inside a network’s perimeter with legitimate, albeit stolen, credentials. Once inside, their technical expertise comes to the forefront, as demonstrated in the recent VMware intrusion.
Anatomy of the Attack Chain
The attack unfolded with remarkable speed and precision, showcasing a well-rehearsed plan of action that left little room for detection. From initial access to deep network penetration, each step was calculated to leverage the victim’s own infrastructure, turning trusted systems into instruments of the intrusion.
The Rogue VM Foothold
Within two hours of gaining initial access, Muddled Libra operators created a new virtual machine and left it with the name “New Virtual Machine”, the placeholder the vSphere client assigns when the creator never renames it. In an inventory where every other guest follows a naming convention, that default name is itself a signal worth alerting on. The rogue VM was the cornerstone of the operation: a staging host fully under attacker control, yet running on the victim’s own hypervisor, and positioned as a bridge between the compromised on-premises environment and the victim’s cloud services. Because it was built by the intruders rather than by the victim’s provisioning process, it would have carried none of the EDR agents, logging configuration or hardening applied to the organization’s other systems, which is what made it such an effective place to work from.
Establishing Persistence and Command
With the foothold in place, the attackers set up a command channel intended to outlast a reboot or a first round of cleanup. They deployed Chisel, an open-source tunnelling tool that carries TCP and UDP traffic inside an HTTP WebSocket connection and encrypts it with SSH, and pointed the client at a server listening on TCP port 443. On a flow log this looks like a long-lived HTTPS session from an internal host, which is exactly the traffic most network monitoring ignores. The camouflage is only as good as the monitoring is shallow: port 443 is not the same as TLS, a proxy that terminates TLS sees the WebSocket upgrade and the SSH handshake that follows it, and even without inspection a freshly created VM holding a persistent outbound session to an address no other host talks to should stand out. Chisel is a legitimate tool present on many administrators’ and testers’ systems, so file-based antivirus will not flag it; the detection has to come from who ran it, from where, and to where.
Escalation and Credential Theft
To take full control, Muddled Libra went after the heart of the victim’s identity infrastructure, the domain controllers, but not through their operating system. They powered off the virtualized domain controllers, a noisy and disruptive step they accepted because a VMDK is locked while its VM is running and cannot be attached elsewhere. They then attached the domain controllers’ virtual disks (VMDKs) to the rogue VM, mounted the file systems, and copied NTDS.dit, the Active Directory database, together with the SYSTEM registry hive, which holds the boot key needed to decrypt the password hashes stored in it. Tools such as Impacket’s secretsdump.py parse the pair offline and yield the NT hash of every account in the domain, including the krbtgt hash that allows Kerberos tickets to be forged for any user. The security consequence deserves to be stated plainly: at no point did the attackers run code on a domain controller, so endpoint detection on the DCs saw nothing. The only telemetry of the theft lives in the vSphere layer: a power-off event, a reconfiguration that added an existing disk to another VM, and the account that issued both.
Lateral Movement and Data Exfiltration
Armed with the harvested credentials, the group mapped the Active Directory environment with ADRecon, an open-source PowerShell enumeration tool whose reports on users, groups, trusts and delegation look, like the rest of the intrusion, like audit work. Their objective then became clear: they pivoted from the on-premises network to the victim’s Snowflake cloud data environment and attempted to exfiltrate sensitive data, employee mailboxes among it, moving the stolen material out through third-party file-sharing sites so that the uploads blended with ordinary web traffic.
Muddled Libra’s “Living off the Land” Strategy
A defining characteristic of this attack was Muddled Libra’s disciplined “living-off-the-land” approach. Rather than deploying custom malware that antivirus or endpoint detection and response (EDR) tooling might flag, the group relied on the victim’s own administrative interfaces and on widely used open-source utilities: the vSphere client to build, power off and reconfigure VMs, Chisel for the tunnel, ADRecon for directory enumeration. Strictly, the last two were brought into the environment rather than found there, but neither is malware, both are in routine use by administrators and penetration testers, and neither reliably carries a detection signature.
This strategy works because it shrinks the attacker’s footprint to a set of actions an administrator performs every week. Creating a VM, attaching a disk, running an AD report and opening an outbound HTTPS session are not suspicious individually; what marks them as an intrusion is the sequence, the account performing them, and the fact that the source is a VM nobody provisioned. Detection therefore has to work on context and chronology rather than on file hashes, which is why the group could operate for extended periods without tripping conventional controls.
Defense and Detection in the Modern Data Center
Countering a group that enters through the help desk and then operates as an administrator requires more than perimeter security. The first priority is identity: accounts with rights on virtualization management platforms such as vSphere should be dedicated, separately credentialed and protected by phishing-resistant MFA, and the help-desk workflow that Muddled Libra abuses for initial access should not be able to reset passwords or re-enrol MFA for them. Within vSphere, least privilege means that creating VMs, adding an existing disk to a VM and powering off critical guests are rights held by a small number of named roles rather than by every member of an operations group, so that a stolen help-desk or general IT credential cannot reach the hypervisor at all. Domain controllers deserve particular care: restrict who can reconfigure or power them off, and consider VM encryption for them, which adds a separate cryptographic privilege to what an attacker needs before an attached VMDK is readable.
Continuous monitoring of the virtualization layer is where this intrusion could have been caught early. The signals are behavioural rather than atomic indicators of compromise: no file hash or IP address identifies a rogue VM, but vCenter records every VM creation, power-state change and reconfiguration together with the account that issued it, and those events support direct alerting. The patterns specific to this attack are: creation of a new VM by an account that does not normally provision (or a VM carrying the default name “New Virtual Machine”); a power-off of a domain controller or other critical guest outside a change window; a reconfiguration that attaches an existing VMDK from one VM’s folder to a different VM; and a newly provisioned system opening persistent outbound sessions on port 443 to a destination the rest of the estate does not use. Each is ordinary on its own; together, inside a two-hour window, they are the intrusion.
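The correlation described in this section, and the rogue-VM, power-off and VMDK-attach steps of the attack chain above, can be expressed as a small detector. The following Python is an added example written for this article, not code from the investigation, from Unit 42 or from VMware. The event type names VmCreatedEvent, VmPoweredOffEvent, VmReconfiguredEvent and UserLoginSessionEvent are real vSphere event types, but the JSON layout, the field names, the account allowlist, the domain-controller list and every sample record are assumptions constructed for the demonstration; a real deployment would read the same event types from a vCenter or SIEM export.

```python
"""Flag the vSphere behaviours described above over constructed vCenter
events and connection logs.  Added example: the JSON layout, field names
and all records are made-up assumptions, not a vCenter or SIEM schema."""
import json
import re
from datetime import datetime, timedelta

# Assumed allowlist: the only accounts expected to create VMs.
VM_CREATORS = {"VSPHERE.LOCAL\\automation", "CORP\\vmadmin"}
# Assumed inventory tag: VMs that host domain controllers.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
# The name the vSphere client assigns when the creator never renames the VM.
DEFAULT_VM_NAME = "New Virtual Machine"

# Constructed vCenter events, one JSON object per line, as a SIEM might export them.
EVENTS = r"""
{"time":"2025-09-02T09:58:11Z","event":"UserLoginSessionEvent","user":"CORP\\helpdesk1","vm":null}
{"time":"2025-09-02T10:14:20Z","event":"VmCreatedEvent","user":"CORP\\helpdesk1","vm":"New Virtual Machine"}
{"time":"2025-09-02T10:40:03Z","event":"VmPoweredOffEvent","user":"CORP\\helpdesk1","vm":"DC01"}
{"time":"2025-09-02T10:41:57Z","event":"VmReconfiguredEvent","user":"CORP\\helpdesk1","vm":"New Virtual Machine","disk":"[datastore1] DC01/DC01.vmdk"}
{"time":"2025-09-02T11:02:00Z","event":"VmCreatedEvent","user":"CORP\\vmadmin","vm":"web-07"}
{"time":"2025-09-02T11:05:00Z","event":"VmReconfiguredEvent","user":"CORP\\vmadmin","vm":"web-07","disk":"[datastore1] web-07/web-07_1.vmdk"}
"""

# Constructed connection records keyed by source VM (as a flow collector might emit).
FLOWS = r"""
{"time":"2025-09-02T10:25:00Z","vm":"New Virtual Machine","dst_ip":"203.0.113.7","dst_port":443,"duration_s":5400}
{"time":"2025-09-02T10:30:00Z","vm":"fileserver","dst_ip":"203.0.113.9","dst_port":443,"duration_s":3}
"""


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def vmdk_owner(disk_path):
    """Return the VM folder a datastore path belongs to:
    '[datastore1] DC01/DC01.vmdk' -> 'DC01'; None if the path has no such prefix."""
    match = re.match(r"\[[^\]]+\]\s*([^/]+)/", disk_path)
    return match.group(1) if match else None


def detect(events, flows, new_vm_window=timedelta(hours=24)):
    """Return (rule, actor, subject) triples for the patterns in the text."""
    alerts = []
    created = {}  # VM name -> creation time, for the 'newly provisioned' check
    for e in events:
        kind, user, vm = e["event"], e["user"], e.get("vm")
        if kind == "VmCreatedEvent":
            created[vm] = ts(e["time"])
            if user not in VM_CREATORS:
                alerts.append(("vm_created_by_unexpected_account", user, vm))
            if vm == DEFAULT_VM_NAME:
                alerts.append(("vm_left_with_default_name", user, vm))
        elif kind == "VmPoweredOffEvent" and vm in DOMAIN_CONTROLLERS:
            alerts.append(("domain_controller_powered_off", user, vm))
        elif kind == "VmReconfiguredEvent" and e.get("disk"):
            owner = vmdk_owner(e["disk"])
            if owner and owner != vm:  # disk taken from another VM's folder
                rule = ("dc_vmdk_attached_to_other_vm" if owner in DOMAIN_CONTROLLERS
                        else "foreign_vmdk_attached")
                alerts.append((rule, user, f"{vm} <- {e['disk']}"))
    for f in flows:
        vm = f["vm"]
        if f["dst_port"] == 443 and vm in created:
            age = ts(f["time"]) - created[vm]
            if timedelta(0) <= age <= new_vm_window:  # outbound 443 from a fresh VM
                alerts.append(("new_vm_outbound_443", f["dst_ip"], vm))
    return alerts


if __name__ == "__main__":
    for rule, actor, subject in detect(parse_jsonl(EVENTS), parse_jsonl(FLOWS)):
        print(f"{rule:35} actor={actor:18} {subject}")
```

Run against the constructed records, the detector raises five alerts, all tied to the help-desk account and the default-named VM, and nothing for the legitimately provisioned web-07 or the established fileserver. The rules deliberately key on vCenter events and on who issued them rather than on anything inside the guest, because, as the attack chain shows, the guest operating system of the domain controller never observed the theft.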
Reflection and Broader Impacts
This incident offered a sobering look at the evolving threat landscape, where the lines between administrator and attacker are deliberately blurred. The attack’s success rested on the exploitation of trust and the subversion of standard administrative tools, forcing a re-evaluation of how security is managed in complex, hybrid environments.
Reflection
The strength of Muddled Libra’s approach lay in its stealth and efficiency. By weaponizing the victim’s own virtualization platform, they bypassed many security layers designed to detect external threats. This posed a significant challenge for security teams, who are tasked with the difficult job of differentiating between malicious actions and legitimate administrative activity within a high volume of daily operations.
Broader Impact
Tactics like these are catalyzing a necessary paradigm shift in enterprise security. The focus is moving away from a purely perimeter-based defense model toward a more identity-centric approach. Securing the virtualization layer itself, implementing robust insider threat detection programs, and scrutinizing administrative actions have become non-negotiable priorities for organizations that rely on virtualized infrastructure.
Conclusion: A Call for Heightened Vigilance
The sophisticated VMware attack orchestrated by Muddled Libra served as a powerful illustration of how cybercriminals innovate by turning an organization’s own infrastructure into a weapon. The use of a rogue virtual machine as a central attack platform was a particularly dangerous evolution, demonstrating a deep understanding of modern data center architecture. This event underscored the urgent need for organizations to re-evaluate their security posture for virtual and hybrid cloud environments. Enhanced monitoring, stringent access controls, and a security culture that questions even seemingly normal administrative activities are no longer optional but essential for detecting the subtle footprints of a “living-off-the-land” intrusion before it leads to a catastrophic breach.
