Full Report
Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses. The post Threat Group Assessment: Muddled Libra (Updated May 16, 2025) appeared first on Unit 42.
Analysis Summary
# Threat Actor: Muddled Libra
## Attribution & Identity
The threat group is explicitly named **Muddled Libra**. Researchers believe members speak English as a first language, potentially aiding their social engineering.
## Activity Summary
Muddled Libra is a dynamic threat group active since at least mid-2022 and through the beginning of 2024, with continued evolution noted in the May 2025 analysis. Its initial attacks focused on large business process outsourcing (BPO) firms serving high-value cryptocurrency holders. After that initial phase, the group appears to have moved to a ransomware affiliate model in which extortion is the primary objective. Its operators possess intimate knowledge of enterprise IT environments.
## Tactics, Techniques & Procedures
- Social engineering targeting both end users and IT helpdesks (primary modus operandi).
- Exploiting inside access at business process outsourcers (BPOs).
- Traditional phishing.
- Account compromise by social engineering the IT helpdesk into changing a user's password and resetting their MFA, completed within minutes.
- Using NSOCKS and TrueSocks proxy services for anonymization.
- Creating email rules to forward communications from security vendors for monitoring investigations.
- Deploying a custom virtual machine into the target environment.
- Using the open-source rootkit `bedevil` ([bdvl](https://github.com/Error996/bdvl)) specifically targeting VMware vCenter servers.
- Gaining administrative permissions.
- Heavy use of anonymizing proxy services.
- Using AI to spoof victims' voices, potentially trained on social media videos.
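Two of the behaviours above leave a clear footprint in identity and mailbox audit logs: a helpdesk-driven password reset followed almost immediately by an MFA reset on the same account, and a newly created inbox rule that forwards mail from security vendors out of the organization. The following detection logic is an added example written for this page; it is not code from Unit 42 or from the report. The event schema, the constructed sample events, the vendor watchlist and the 15-minute window are all assumptions chosen for illustration.

```python
"""Detection logic over constructed identity and mailbox audit events for two
Muddled Libra patterns: password reset followed by MFA reset within minutes,
and inbox rules forwarding security-vendor mail outside the organization."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str    # principal performing the action (helpdesk operator or user)
    target: str   # account the action applies to
    action: str   # normalized action name (assumed schema for this example)
    detail: str = ""


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed audit events for this example, not real telemetry.
SAMPLE_EVENTS = [
    Event(_t("2025-05-16T09:00:00"), "helpdesk.op1", "alice@corp.example", "PasswordReset"),
    Event(_t("2025-05-16T09:04:00"), "helpdesk.op1", "alice@corp.example", "MfaMethodReset"),
    Event(_t("2025-05-16T09:30:00"), "alice@corp.example", "alice@corp.example", "InboxRuleCreated",
          "from=*@securityvendor.example;forward=external-user@mail.example"),
    Event(_t("2025-05-16T11:00:00"), "helpdesk.op2", "bob@corp.example", "PasswordReset"),
    Event(_t("2025-05-17T08:00:00"), "helpdesk.op2", "bob@corp.example", "MfaMethodReset"),
    Event(_t("2025-05-16T12:00:00"), "carol@corp.example", "carol@corp.example", "InboxRuleCreated",
          "from=*@corp.example;forward=carol.archive@corp.example"),
]

SECURITY_VENDOR_DOMAINS = {"securityvendor.example"}  # assumed watchlist of vendor sender domains
INTERNAL_DOMAINS = {"corp.example"}                   # assumed organisation mail domains


def password_then_mfa_reset(events, window=timedelta(minutes=15)):
    """Flag accounts where an MFA reset follows a password reset within `window`.

    Returns a list of (target account, actor of the MFA reset, minutes between events).
    Bob's resets are a day apart and are therefore not reported.
    """
    hits = []
    by_target = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_target.setdefault(e.target, []).append(e)
    for target, evs in by_target.items():
        last_pw = None
        for e in evs:
            if e.action == "PasswordReset":
                last_pw = e
            elif e.action == "MfaMethodReset" and last_pw is not None:
                gap = e.ts - last_pw.ts
                if gap <= window:
                    hits.append((target, e.actor, gap.total_seconds() / 60))
                last_pw = None  # each password reset is paired at most once
    return hits


def _parse_rule(detail: str):
    """Parse the assumed 'from=...;forward=...' rule description."""
    kv = dict(part.split("=", 1) for part in detail.split(";") if "=" in part)
    return kv.get("from", ""), kv.get("forward", "")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def suspicious_forwarding_rules(events, vendor_domains, internal_domains):
    """Flag new inbox rules whose sender filter matches a security-vendor domain
    or whose forwarding target lies outside the organisation's domains.

    Returns a list of (target account, forward address, reasons).
    """
    hits = []
    for e in events:
        if e.action != "InboxRuleCreated":
            continue
        sender_filter, forward_to = _parse_rule(e.detail)
        reasons = []
        if sender_filter and _domain(sender_filter) in vendor_domains:
            reasons.append("matches security-vendor sender")
        if forward_to and _domain(forward_to) not in internal_domains:
            reasons.append("forwards outside organisation")
        if reasons:
            hits.append((e.target, forward_to, reasons))
    return hits


if __name__ == "__main__":
    for hit in password_then_mfa_reset(SAMPLE_EVENTS):
        print("password+MFA reset:", hit)
    for hit in suspicious_forwarding_rules(SAMPLE_EVENTS, SECURITY_VENDOR_DOMAINS, INTERNAL_DOMAINS):
        print("suspicious inbox rule:", hit)
```

Run against the sample events, only Alice's account is reported by both checks: her password and MFA were reset four minutes apart by the same helpdesk operator, and her new rule both matches the vendor domain and forwards externally. Carol's internal archive rule and Bob's day-apart resets are left alone, which is the tuning question a real deployment has to answer with its own helpdesk baseline.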
## Targeting
- Sectors: Software automation, outsourcing, telecommunications, technology, business process outsourcing (BPO), hospitality, and financial industries.
- Geography: Targets observed primarily in the U.S.
- Victims: High-value cryptocurrency holders (initial targets via BPOs).
## Tools & Infrastructure
- Malware families used: Open-source rootkit **bedevil** (`bdvl`).
- Infrastructure (C2, domains, IPs): NSOCKS and TrueSocks proxy services used for anonymization.
## Implications
Muddled Libra poses a significant risk due to its combination of advanced social engineering skills, adaptability, and technical proficiency, capable of bypassing well-developed legacy cyber defenses. Their evolution into a ransomware affiliation model increases the potential for severe financial impact (extortion).
## Mitigations
- Layering tight, interlocking security controls.
- Diligent awareness training, particularly targeting IT helpdesks regarding social engineering.
- Vigilant monitoring.
- Protecting against C2 infrastructure use through:
  - Advanced URL Filtering
  - DNS Security
  - Cloud-Delivered Security Services
- Limiting connections to anonymization services using App-ID.