Investigators in a September 2025 incident response case discovered a malicious virtual machine within a VMware vSphere environment and conclusively linked it to Muddled Libra, the group also known as UNC3944 and Scattered Spider. The case shows how a single virtual machine (VM) can sit in plain sight and serve as a bridge between identity systems and cloud services during an intrusion.

The VM functioned as a silent staging host, giving the intruders a place from which to perform reconnaissance of the network, retrieve tools, and proceed with data theft. The group is well known for social engineering techniques such as vishing and smishing, and for posing as staff members to pressure help desks into multi-factor or password resets.

[Figure: Threat profile for Muddled Libra (Source: Palo Alto Networks)]

The group also tends to avoid malware altogether, blending into the victim's infrastructure and relying on legitimate admin tools. Palo Alto researchers found that, about two hours after the attackers first gained access to vSphere, they created a new virtual machine left with the default name "New Virtual Machine."

[Figure: The attack's high-level sequence of events (Source: Palo Alto Networks)]

After logging in, they quickly extended their control by using stolen certificates to forge tickets.

The hackers used that foothold to shut down virtualized domain controllers, mount their VMDKs, and move SYSTEM and NTDS.dit to the virtual machine.

[Figure: VMware logs of the DC shutdown operations (Source: Palo Alto Networks)]

They then used ADRecon for directory discovery and examined service principal names. They also gained access to the victim's Snowflake environment and attempted to move mailbox data, including a PST, off-network using file-sharing websites and S3 Browser.

Persistence via a Chisel tunnel

Within minutes of creating the rogue virtual machine, the attackers established persistence with an SSH tunnel over Chisel, which was delivered in a ZIP file named goon.zip from an attacker-controlled AWS S3 bucket.

To make the tunnel look like ordinary HTTPS, it ran over TCP 443; network logs showed traffic to an attacker-controlled address that lasted for about 15 hours.

Defenders can lower the risk by enforcing least privilege for vSphere and admin accounts, tightening identity controls, and watching for suspicious VM creation, DC power-off events, and unexpected VMDK mounts. Ongoing monitoring for unusual outbound 443 traffic from recently created systems, unusual use of common admin tools, and unusual access to cloud data platforms can catch this living-off-the-land strategy early, before it develops into widespread lateral movement and theft.
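The detection signals listed above (a VM created with the default name, a domain controller powered off, a VMDK belonging to one VM attached to another, and a long-lived outbound 443 session from a freshly created VM) can be correlated from vCenter events and flow records. The following is an added example written for this article, not code from Palo Alto Networks or from the tooling described; the pipe-delimited event and flow layouts, the domain-controller inventory, and the thresholds are assumptions, and the sample records are constructed to mirror the sequence reported in the case. The event class names VmCreatedEvent, VmPoweredOffEvent and VmReconfiguredEvent are real vSphere event types; everything else about the record format is hypothetical.

```python
"""Correlate constructed vSphere events and flow records for the
Muddled Libra staging-VM pattern: default-named VM creation, DC power-off,
foreign VMDK attachment, and long-lived outbound 443 from a new VM."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Asset inventory of virtualized domain controllers (constructed).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed vCenter-style export: time|event type|user|vm|detail.
# The layout is an assumption; the event type names are real vSphere classes.
VCENTER_EVENTS = """\
2025-09-12T02:03:11Z|VmCreatedEvent|corp\\svc-backup|New Virtual Machine|Created virtual machine New Virtual Machine on esx01
2025-09-12T02:05:40Z|VmPoweredOffEvent|corp\\svc-backup|DC01|DC01 on esx01 is powered off
2025-09-12T02:06:02Z|VmReconfiguredEvent|corp\\svc-backup|New Virtual Machine|Added disk [datastore1] DC01/DC01.vmdk
2025-09-12T03:15:00Z|VmPoweredOffEvent|corp\\vadmin|FILE02|FILE02 on esx02 is powered off
2025-09-12T03:20:00Z|VmReconfiguredEvent|corp\\vadmin|FILE02|Added disk [datastore2] FILE02/FILE02_1.vmdk
"""

# Constructed flow records: start|end|source vm|dst ip|dst port|bytes out.
FLOWS = """\
2025-09-12T02:10:00Z|2025-09-12T17:12:00Z|New Virtual Machine|203.0.113.10|443|48213110
2025-09-12T02:11:00Z|2025-09-12T02:11:05Z|New Virtual Machine|203.0.113.10|443|10240
2025-09-12T09:00:00Z|2025-09-12T09:00:30Z|FILE02|198.51.100.7|443|2048
"""

# Pulls the owning VM folder out of "Added disk [datastore] <owner>/<file>.vmdk".
DISK_RE = re.compile(r"Added disk \[[^\]]+\] ([^/]+)/")


@dataclass
class Alert:
    time: datetime
    rule: str
    vm: str
    detail: str


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_vsphere_abuse(events_text: str, domain_controllers: set):
    """Return (alerts, created) where created maps VM name -> creation time."""
    alerts, created = [], {}
    for line in events_text.strip().splitlines():
        ts, etype, user, vm, detail = line.split("|", 4)
        t = parse_time(ts)
        if etype == "VmCreatedEvent":
            created[vm] = t
            # A VM left with the wizard's default name is unusual in a managed estate.
            if vm.startswith("New Virtual Machine"):
                alerts.append(Alert(t, "default_vm_name", vm, f"{user} created VM with default name"))
        elif etype == "VmPoweredOffEvent" and vm in domain_controllers:
            alerts.append(Alert(t, "dc_power_off", vm, f"{user} powered off domain controller"))
        elif etype == "VmReconfiguredEvent":
            m = DISK_RE.search(detail)
            # A disk whose datastore folder belongs to a different VM was attached.
            if m and m.group(1) != vm:
                owner = m.group(1)
                rule = "foreign_dc_vmdk_mount" if owner in domain_controllers else "foreign_vmdk_mount"
                alerts.append(Alert(t, rule, vm, f"{user} attached disk owned by {owner}"))
    return alerts, created


def detect_long_lived_443(flows_text: str, created: dict,
                          recent=timedelta(hours=24), min_duration=timedelta(hours=4)):
    """Flag outbound 443 sessions from recently created VMs that stay up for hours."""
    alerts = []
    for line in flows_text.strip().splitlines():
        start, end, vm, dst, port, nbytes = line.split("|")
        s, e = parse_time(start), parse_time(end)
        if port != "443" or vm not in created:
            continue
        if s - created[vm] <= recent and e - s >= min_duration:
            alerts.append(Alert(s, "long_lived_443_from_new_vm", vm,
                                f"{dst}:{port} open for {e - s}, {nbytes} bytes out"))
    return alerts


def run(events_text: str = VCENTER_EVENTS, flows_text: str = FLOWS):
    vsphere_alerts, created = detect_vsphere_abuse(events_text, DOMAIN_CONTROLLERS)
    return vsphere_alerts + detect_long_lived_443(flows_text, created)


if __name__ == "__main__":
    for a in run():
        print(f"{a.time.isoformat()} {a.rule:28} {a.vm:20} {a.detail}")
```

The thresholds (a VM counts as "recent" for 24 hours; a 443 session is suspicious past 4 hours) are starting points to tune against the environment's own baseline, and the VMDK rule keys on the datastore folder name, so it assumes VMs keep their disks in their own folders.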