The notorious cybercrime group Muddled Libra, also known as Scattered Spider, returned in 2025 with enhanced capabilities, systematically targeting corporate call centers as its primary entry point into organizations across multiple sectors.
According to new research from Palo Alto Networks’ Unit 42, the group has evolved its tactics to become faster, more far-reaching, and significantly more impactful following international law enforcement operations in late 2024.
Sophisticated Voice-Based Social Engineering Campaign
Muddled Libra has shifted away from traditional phishing toward voice-based attacks, with Google Voice serving as the calling platform in over 70% of its 2025 operations.

The attackers impersonate employees calling IT help desks, exploiting the natural tendency of support staff to be helpful by manipulating them into resetting both user credentials and multi-factor authentication (MFA) devices.
“The threat actors manipulate help desk associates into bypassing organizational authentication controls,” the Unit 42 report details.
In some cases, attackers directly contact victims, claiming to be from the organization’s help desk, and convince them to download remote management software that provides immediate system access.
The group’s operational efficiency has dramatically improved, with the average time from initial access to containment now reduced to just 1 day, 8 hours, and 43 minutes.
Unit 42 documented one particularly striking case where attackers escalated from initial help desk compromise to domain administrator privileges in approximately 40 minutes.
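The help-desk flow described above leaves a recognisable trail in identity logs: an admin-initiated password or MFA reset on an account, followed minutes later by a successful sign-in from an address and device that account has never used. The following is an added example (not code from Unit 42 or from the article) that correlates those two signals. Field names follow the Microsoft Graph directoryAudit and signIn schemas as I know them; the audit activity names in RESET_ACTIVITIES are an assumption to verify against your own tenant's exports, and every record below is constructed for illustration.

```python
"""Help-desk-assisted account takeover: correlate an admin-initiated password or
MFA reset with a follow-on sign-in from an IP and device the account never used.
Added example, not code from Unit 42 or the article. Field names follow the
Microsoft Graph directoryAudit and signIn schemas; all records are constructed."""
from datetime import datetime, timedelta

# activityDisplayName values that, when the initiator is not the target user, mean
# a help-desk (or compromised admin) account reset credentials or MFA.
# Assumption: names as used in Entra ID directory audit logs; verify in your tenant.
RESET_ACTIVITIES = {
    "Reset user password",
    "Admin registered security info",
    "Admin deleted security info",
    "Admin updated security info",
}

def _ts(value):
    """Parse Graph's ISO-8601 timestamps (trailing 'Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _actor(event):
    user = (event.get("initiatedBy") or {}).get("user") or {}
    return (user.get("userPrincipalName") or "").lower()

def _target(event):
    for resource in event.get("targetResources") or []:
        if resource.get("userPrincipalName"):
            return resource["userPrincipalName"].lower()
    return ""

def find_helpdesk_takeovers(audit_events, signins, window_minutes=120):
    """One alert per successful sign-in that follows an admin-initiated reset of
    the same account within window_minutes and comes from an IP address and a
    device that the account had not used before the reset began."""
    resets = {}  # target UPN -> [(time, actor, activity), ...]
    for event in audit_events:
        if event.get("activityDisplayName") not in RESET_ACTIVITIES:
            continue
        actor, target = _actor(event), _target(event)
        if not target or actor == target:
            continue  # self-service changes belong to a different detection
        resets.setdefault(target, []).append(
            (_ts(event["activityDateTime"]), actor, event["activityDisplayName"])
        )

    alerts = []
    window = timedelta(minutes=window_minutes)
    for target, events in resets.items():
        events.sort()
        first, last = events[0][0], events[-1][0]
        ok = [s for s in signins
              if (s.get("userPrincipalName") or "").lower() == target
              and (s.get("status") or {}).get("errorCode", 1) == 0]  # successes only
        before = [s for s in ok if _ts(s["createdDateTime"]) < first]  # baseline
        known_ips = {s.get("ipAddress") for s in before}
        known_devices = {(s.get("deviceDetail") or {}).get("deviceId")
                         for s in before} - {None, ""}
        for s in ok:
            when = _ts(s["createdDateTime"])
            if not first <= when <= last + window:
                continue
            device = (s.get("deviceDetail") or {}).get("deviceId") or ""
            if s.get("ipAddress") in known_ips or device in known_devices:
                continue  # seen before the reset: probably the real user
            alerts.append({
                "target": target,
                "actors": sorted({a for _, a, _ in events}),
                "activities": sorted({n for _, _, n in events}),
                "reset_started": first.isoformat(),
                "signin_time": when.isoformat(),
                "ip": s.get("ipAddress"),
                "device_id": device,
            })
    return alerts

def _audit(ts, name, actor, target):
    return {"activityDateTime": ts, "activityDisplayName": name,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target}]}

def _signin(ts, upn, ip, device_id="", error=0):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "deviceDetail": {"deviceId": device_id}, "status": {"errorCode": error}}

# Constructed sample records, not real log data.
AUDIT_EVENTS = [
    _audit("2025-06-03T09:15:00Z", "User registered security info",   # self-service, ignored
           "a.smith@corp.example", "a.smith@corp.example"),
    _audit("2025-06-03T13:02:10Z", "Reset user password",             # help desk resets
           "helpdesk1@corp.example", "j.doe@corp.example"),           # j.doe's password...
    _audit("2025-06-03T13:04:41Z", "Admin registered security info",  # ...and enrols a
           "helpdesk1@corp.example", "j.doe@corp.example"),           # new MFA method
]
SIGNINS = [
    _signin("2025-06-02T08:30:00Z", "j.doe@corp.example", "198.51.100.7", "dev-7f3a"),  # baseline
    _signin("2025-06-03T13:11:05Z", "j.doe@corp.example", "203.0.113.45"),              # new IP, no device
    _signin("2025-06-03T13:12:00Z", "j.doe@corp.example", "203.0.113.99", error=50126), # failed, ignored
    _signin("2025-06-03T13:20:00Z", "j.doe@corp.example", "198.51.100.7", "dev-7f3a"),  # real user
]
```

Run on the sample data, `find_helpdesk_takeovers(AUDIT_EVENTS, SIGNINS)` produces a single alert for j.doe: the 13:11 sign-in from 203.0.113.45 with no registered device, eight minutes after helpdesk1 reset the password and enrolled a new MFA method. The later sign-in from the user's known IP and device is not flagged, and neither is a.smith's self-service change. The baseline is deliberately built only from sign-ins before the first reset event, so the attacker's own sign-in cannot "teach" the detection that its address is normal.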
Ransomware Partnership Accelerates Impact
Since April 2025, Muddled Libra has partnered with the DragonForce ransomware-as-a-service program, operated by the group known as Slippery Scorpius.
This collaboration has enabled rapid data exfiltration and encryption campaigns, with researchers observing over 100 GB of data stolen during a two-day period in one incident.
The group has expanded its targeting scope across government, retail, insurance, and aviation sectors throughout 2025, often hitting multiple organizations within the same industry in rapid succession.
The group continues to use very little malware, instead living off the land: it relies on victims' own systems and legitimate remote monitoring and management (RMM) tools to maintain persistence and evade detection.
Organizations can defend against these attacks by implementing conditional access policies, requiring identity verification such as video identification before credentials or MFA devices are reset, giving IT support staff training specific to this kind of social engineering, and establishing out-of-band channels so that a help-desk request can be confirmed with the employee through a path the caller does not control.
Unit 42 reports that the group's success rate drops significantly where Microsoft Entra ID conditional access policies are correctly implemented: when a policy requires a compliant, managed device, a password and MFA method reset for an attacker by the help desk still cannot be used to sign in from the attacker's own machine. The finding underscores how much modern defense rests on robust identity and access management controls.
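What "correctly implemented" means in practice is a handful of policy properties. The following added example (not code from Unit 42 or the article) puts a typical weak pilot policy beside a hardened one and lints each for the settings that decide whether freshly reset credentials work from an attacker's machine. Both dictionaries follow the Microsoft Graph conditionalAccessPolicy schema (the body you would POST to /identity/conditionalAccess/policies). The break-glass group ID and pilot group ID are placeholders, and the authentication-strength GUID is the built-in "Phishing-resistant MFA" strength as I recall it from Microsoft's documentation; verify both before deploying.

```python
"""Entra ID conditional access: a weak policy beside a hardened one, plus a lint
for the properties that matter in the help-desk reset scenario.
Added example, not code from Unit 42 or the article. Dictionaries follow the
Microsoft Graph conditionalAccessPolicy schema; IDs are placeholders/assumptions."""

BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000beef"      # placeholder group id
PILOT_GROUP = "00000000-0000-0000-0000-000000001234"            # placeholder group id
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in strength id (assumption: verify)

# Weak: report-only, one pilot group, one app, any MFA method, no device requirement.
WEAK_POLICY = {
    "displayName": "Require MFA (pilot)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": [PILOT_GROUP]},
        "applications": {"includeApplications": ["Office365"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Hardened: enforced for everyone except break-glass, every app and client type,
# phishing-resistant MFA AND a compliant (managed) device.
HARDENED_POLICY = {
    "displayName": "All users: phishing-resistant MFA AND compliant device",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {
        "operator": "AND",
        "builtInControls": ["compliantDevice"],
        "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
    },
}

DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def lint_policy(policy):
    """Return the reasons a policy would not stop a help-desk-assisted takeover."""
    findings = []
    conds = policy.get("conditions", {})
    users = conds.get("users", {})
    apps = conds.get("applications", {})
    grant = policy.get("grantControls", {})
    controls = set(grant.get("builtInControls", []))
    strength = grant.get("authenticationStrength")

    if policy.get("state") != "enabled":
        findings.append("state is not 'enabled': a report-only policy blocks nothing")
    if users.get("includeUsers") != ["All"]:
        findings.append("not scoped to all users: a reset account outside the scope is unprotected")
    if apps.get("includeApplications") != ["All"]:
        findings.append("not scoped to all cloud apps: the attacker picks an uncovered app")
    if conds.get("clientAppTypes") != ["all"]:
        findings.append("some client app types excluded: an uncovered client bypasses the policy")
    if not controls & DEVICE_CONTROLS:
        findings.append("no managed-device requirement: reset credentials work from any machine")
    if "mfa" in controls and strength is None:
        findings.append("'mfa' accepts any registered method, including one the help desk just enrolled")
    if len(controls) + (1 if strength else 0) > 1 and grant.get("operator") != "AND":
        findings.append("operator is OR: satisfying any single control is enough to sign in")
    if not (users.get("excludeUsers") or users.get("excludeGroups")):
        findings.append("no break-glass exclusion: a bad change can lock every admin out")
    return findings
```

`lint_policy(WEAK_POLICY)` returns seven findings; `lint_policy(HARDENED_POLICY)` returns none. The device requirement is the control that matters most for this actor: once the help desk has reset the password and enrolled the caller's authenticator, "mfa" alone is satisfied by the attacker's own method, whereas a compliant-device requirement fails on the attacker's unmanaged machine regardless of what they know or hold.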