A Peek Into Muddled Libra’s Operational Playbook

    Date: 02/11/2026

    Severity: High

    Summary

    Unit 42's A Peek Into Muddled Libra's Operational Playbook examines a September 2025 intrusion in which the cybercrime group Muddled Libra (aka Scattered Spider / UNC3944) compromised a VMware vSphere environment and deployed a rogue VM inside it. The investigation reconstructs a structured attack chain: reconnaissance, tool staging, C2-based persistence, abuse of stolen certificates, lateral movement to the domain controller, and interaction with Snowflake infrastructure. It offers detailed insight into the group's operational methodology and TTPs.

    Indicators of Compromise (IOC) List

    Note: several of the listed domains (upload.ee, uploadnow.io, limewire.com, we.tl, fast.com, filetransfer.io) are widely used public file-sharing or speed-test services, and both IP addresses sit in address space belonging to large shared providers. A hit on one of these alone is a triage lead to correlate with the file hashes and with the vSphere, domain controller and Snowflake activity described in the summary, not a standalone confirmation of compromise.

    URLs/Domains

    upload.ee

    uploadnow.io

    limewire.com

    we.tl

    s3browser.com

    sean-referrals-commissions-electricity.trycloudflare.com

    fast.com

    filetransfer.io

    filebin.iox

    IP Addresses

    162.125.3.18

    104.16.100.29

    SHA-256 Hashes

    078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

    996e68f2fe1c8bb091f34e9bf39fd34d95c3e21508def1f54098a1874bfb825e

    6784e652f304bf8e43b42c29ad8dd146dd384fa9536b9c6640dfbc370c3e78de

    e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb

    088f2aced9ed60c2ce853b065f57691403459e1e0d167891d6849e1b58228173

    6e2c39d0c00a6a8eef33f9670f941a88c957d3c1e9496392beedc98af14269a2

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "sean-referrals-commissions-electricity.trycloudflare.com" or siteurl like "sean-referrals-commissions-electricity.trycloudflare.com" or url like "sean-referrals-commissions-electricity.trycloudflare.com" or domainname like "limewire.com" or siteurl like "limewire.com" or url like "limewire.com" or domainname like "s3browser.com" or siteurl like "s3browser.com" or url like "s3browser.com" or domainname like "upload.ee" or siteurl like "upload.ee" or url like "upload.ee" or domainname like "uploadnow.io" or siteurl like "uploadnow.io" or url like "uploadnow.io" or domainname like "we.tl" or siteurl like "we.tl" or url like "we.tl" or domainname like "fast.com" or siteurl like "fast.com" or url like "fast.com" or domainname like "filetransfer.io" or siteurl like "filetransfer.io" or url like "filetransfer.io" or domainname like "filebin.iox" or siteurl like "filebin.iox" or url like "filebin.iox"

    Detection Query 2 :

    dstipaddress IN ("162.125.3.18","104.16.100.29") or srcipaddress IN ("162.125.3.18","104.16.100.29")

    Detection Query 3 :

    sha256hash IN ("078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b","996e68f2fe1c8bb091f34e9bf39fd34d95c3e21508def1f54098a1874bfb825e","6784e652f304bf8e43b42c29ad8dd146dd384fa9536b9c6640dfbc370c3e78de","e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb","088f2aced9ed60c2ce853b065f57691403459e1e0d167891d6849e1b58228173","6e2c39d0c00a6a8eef33f9670f941a88c957d3c1e9496392beedc98af14269a2")
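    The three queries above use `like` with the bare indicator value; depending on how the platform evaluates `like`, that is either an exact comparison (which never matches a full URL such as https://we.tl/t-...) or a substring comparison (which also fires on unrelated hosts, for example breakfast.com for fast.com). The following script is an added example, not code from Gurucul or Unit 42, that applies the same indicators to log events with host-suffix matching on a label boundary, exact IP and hash comparison, and a confidence tag that flags the shared-service indicators named in the note above. The event records and their field names (id, domain, url, src_ip, dst_ip, sha256) are constructed for this example and are an assumption, not a real TDIR event schema.

```python
"""Matcher for the Muddled Libra IOCs listed on this page.

Added example, not code from Gurucul or Unit 42. The log records and their
field names (id, domain, url, src_ip, dst_ip, sha256) are constructed here
and are an assumption, not a real TDIR event schema.
"""
from urllib.parse import urlsplit

# Indicators copied from the IOC list above. "filebin.iox" is kept exactly
# as the page publishes it.
IOC_DOMAINS = sorted({
    "upload.ee", "uploadnow.io", "limewire.com", "we.tl", "s3browser.com",
    "sean-referrals-commissions-electricity.trycloudflare.com",
    "fast.com", "filetransfer.io", "filebin.iox",
})
IOC_IPS = {"162.125.3.18", "104.16.100.29"}
IOC_SHA256 = {
    "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b",
    "996e68f2fe1c8bb091f34e9bf39fd34d95c3e21508def1f54098a1874bfb825e",
    "6784e652f304bf8e43b42c29ad8dd146dd384fa9536b9c6640dfbc370c3e78de",
    "e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb",
    "088f2aced9ed60c2ce853b065f57691403459e1e0d167891d6849e1b58228173",
    "6e2c39d0c00a6a8eef33f9670f941a88c957d3c1e9496392beedc98af14269a2",
}
# Public file-sharing / speed-test services that ordinary users also visit.
# A hit on one of these alone is a triage lead, not a confirmed compromise.
SHARED_SERVICES = {"upload.ee", "uploadnow.io", "limewire.com", "we.tl",
                   "fast.com", "filetransfer.io"}


def host_matches(host, ioc_domain):
    """True if host is ioc_domain or a subdomain of it.

    Suffix match on a label boundary: "cdn.upload.ee" hits "upload.ee",
    but "notupload.ee" and "breakfast.com" (for "fast.com") do not.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def host_from_url(url):
    """Hostname of a URL; tolerates bare hosts with no scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def match_record(rec):
    """Return [(indicator_type, indicator, confidence), ...] for one event."""
    hits = []
    hosts = set()
    if rec.get("domain"):
        hosts.add(rec["domain"].lower())
    if rec.get("url"):
        hosts.add(host_from_url(rec["url"]))
    for host in sorted(hosts):
        for ioc in IOC_DOMAINS:
            if host_matches(host, ioc):
                conf = "low" if ioc in SHARED_SERVICES else "high"
                hits.append(("domain", ioc, conf))
    for field in ("src_ip", "dst_ip"):
        if rec.get(field) in IOC_IPS:
            # Both IPs sit in large shared-provider ranges: low confidence.
            hits.append(("ip", rec[field], "low"))
    digest = (rec.get("sha256") or "").lower()
    if digest in IOC_SHA256:
        hits.append(("sha256", digest, "high"))
    return hits


def scan(records):
    """Return {record id: hits} for every record with at least one hit."""
    out = {}
    for rec in records:
        hits = match_record(rec)
        if hits:
            out[rec["id"]] = hits
    return out


# Constructed sample events (not real telemetry).
SAMPLE_RECORDS = [
    {"id": 1, "url": "https://we.tl/t-AbC123", "dst_ip": "10.0.0.5"},
    {"id": 2, "domain": "breakfast.com"},
    {"id": 3, "domain": "sean-referrals-commissions-electricity.trycloudflare.com"},
    {"id": 4, "sha256": "078163D5C16F64CAA5A14784323FD51451B8C831C73396B967B4E35E6879937B"},
    {"id": 5, "dst_ip": "104.16.100.29", "url": "https://example.org/"},
    {"id": 6, "domain": "notupload.ee"},
]

if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_RECORDS).items():
        print(rid, hits)
```

    Running it flags records 1, 3, 4 and 5 and leaves the breakfast.com and notupload.ee events untouched; the trycloudflare tunnel hostname and the hashes come back as high confidence, the we.tl visit and the Cloudflare-range IP as low. When porting this back into the TDIR queries, check the platform's `like` semantics and add wildcards or a hostname extraction for the url and siteurl fields if `like` is an exact comparison.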

    Reference:    

    https://unit42.paloaltonetworks.com/muddled-libra-ops-playbook/


    Tags: Threat Actor, Scattered Spider, Muddled Libra
