The notorious cybercrime group Muddled Libra, also known as Scattered Spider, returned in 2025 with enhanced capabilities, systematically targeting corporate call centers as its primary entry point into organizations across multiple sectors.
According to new research from Palo Alto Networks’ Unit 42, the group has evolved its tactics to become faster, more far-reaching, and significantly more impactful following international law enforcement operations in late 2024.
Muddled Libra has shifted away from traditional phishing toward voice-based attacks, with over 70% of its 2025 operations using Google Voice as the primary communication platform.
The attackers impersonate employees calling IT help desks, exploiting the natural tendency of support staff to be helpful by manipulating them into resetting both user credentials and multi-factor authentication (MFA) devices.
“The threat actors manipulate help desk associates into bypassing organizational authentication controls,” the Unit 42 report details.
In some cases, attackers directly contact victims, claiming to be from the organization’s help desk, and convince them to download remote management software that provides immediate system access.
The group has also become faster: Unit 42 puts the average time from initial access to containment at just 1 day, 8 hours and 43 minutes, so defenders have well under two days to detect and stop an intrusion.
Unit 42 documented one particularly striking case where attackers escalated from initial help desk compromise to domain administrator privileges in approximately 40 minutes.
Since April 2025, Muddled Libra has partnered with the DragonForce ransomware-as-a-service program, operated by the group known as Slippery Scorpius.
This collaboration has enabled rapid data exfiltration and encryption campaigns, with researchers observing over 100 GB of data stolen during a two-day period in one incident.
The group has expanded its targeting scope across government, retail, insurance, and aviation sectors throughout 2025, often hitting multiple organizations within the same industry in rapid succession.
The group continues to use very little malware, instead living off the land with the victim’s own systems and legitimate remote monitoring and management (RMM) tools to maintain persistence and evade endpoint detection.
Organizations can defend against these attacks by enforcing conditional access policies, requiring video identity verification before any credential or MFA reset, training IT support staff on this specific help-desk pretext, and verifying reset requests over an out-of-band channel rather than the inbound call itself.
Unit 42 notes that the group’s success rate drops sharply when Microsoft Entra ID conditional access policies are correctly implemented, because a help-desk password reset alone no longer yields a usable session; identity and access management controls, rather than malware detection, are the decisive defense against this tradecraft.
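As an added example (not code from the article or from Unit 42), the two conditional access policies below are the kind the recommendation refers to, expressed with the Microsoft Graph PowerShell SDK. The policy names, the break-glass group ID, the trusted named locations and the report-only rollout state are assumptions for illustration.

```powershell
# Added example, not from the Unit 42 report. Creates two Microsoft Entra ID
# conditional access policies with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
# Assumptions: the break-glass group ID below is a placeholder, and corporate
# egress IPs are already defined as trusted named locations in the tenant.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder GUID for an emergency-access (break-glass) group that every
# policy excludes, so a misconfigured policy cannot lock out all admins.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # assumption

# Policy 1: the help-desk attack works because, once MFA is reset, the caller
# registers their own authenticator. Require a compliant or Entra hybrid joined
# device for the "register security information" user action, so enrolment
# from the attacker's own machine on an untrusted network is refused.
$registerSecurityInfo = @{
    displayName = "CA01 - Require managed device to register security info"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # on-site registration from trusted egress IPs is still allowed
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

# Policy 2: MFA for every user on every cloud app, so a password reset obtained
# from the help desk never turns into a session on its own.
$requireMfa = @{
    displayName = "CA02 - Require MFA for all users and all cloud apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

foreach ($policy in @($registerSecurityInfo, $requireMfa)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

The first policy is the one that actually breaks the help-desk chain described above: even if a support associate is talked into clearing a user’s MFA methods, the attacker cannot register a replacement authenticator from an unmanaged laptop. Two caveats a practitioner should check before flipping `state` to `enabled`: the trusted named locations must not include anything reachable from outside the corporate network (a guest Wi-Fi egress or a VPN that accepts the attacker’s stolen password would undo the control), and the break-glass exclusion must be a tightly monitored group, since accounts in it bypass both policies.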