A sophisticated cyberattack in September 2025 exploited a rogue virtual machine within a VMware vSphere environment, granting attackers entry and enabling significant data theft. Investigators linked this breach with high confidence to the threat group Muddled Libra, also known as Scattered Spider and UNC3944. This incident highlights a critical blind spot: a seemingly innocuous VM can serve as a staging ground for extensive network reconnaissance and data exfiltration, underscoring the advanced tactics, techniques, and procedures (TTPs) employed by these sophisticated actors.
The rogue virtual machine operated stealthily, providing the intruders with a crucial foothold to map the network, download malicious tools, and ultimately pursue data exfiltration. This case also illuminates how a single compromised VM can serve as an overlooked bridge between identity systems and cloud services during an intrusion, often operating in plain sight. The Muddled Libra group is particularly noted for its social engineering tactics, including smishing and vishing, along with impersonating employees to manipulate help desks into performing password or multi-factor authentication resets.
VMware Exploitation and Data Theft by Muddled Libra
According to research by Palo Alto Networks, attackers gained access to the vSphere environment approximately two hours after their initial compromise. They then proceeded to create a new virtual machine, ominously named “New Virtual Machine.” This newly established VM served as a critical staging point from which the adversaries could operate with a degree of anonymity.
Immediately following their login to the rogue VM, the attackers utilized stolen certificates to forge authentication tickets. This allowed them to systematically expand their control over the compromised vSphere infrastructure. This tactic demonstrates a deep understanding of the target environment and a willingness to exploit existing credentials for unauthorized access.
From this initial foothold, the intruders proceeded to power down virtualized domain controllers. They then mounted the virtual disk files (VMDKs) associated with these controllers, enabling them to copy sensitive Active Directory database files, specifically NTDS.dit and the SYSTEM registry hive, directly to their rogue VM. This action is pivotal for offline password cracking and gaining further administrative privileges.
The attackers then conducted extensive directory discovery using the ADRecon tool and meticulously reviewed Service Principal Names (SPNs). This reconnaissance phase is critical for identifying further targets and vulnerabilities within the network. Additionally, the group accessed the victim’s Snowflake environment, a cloud-based data warehousing platform, and later attempted to exfiltrate mailbox data, including a PST file, using file-sharing websites and the S3 Browser utility.
Chisel Tunnel for Persistence and Evasion
Within minutes of establishing the rogue VM, the attackers implemented a persistent access method by setting up an SSH tunnel using a tool called Chisel. This tool was delivered via a ZIP archive named goon.zip, which originated from an attacker-controlled Amazon Web Services (AWS) S3 bucket. The use of Chisel allowed the attackers to create a covert communication channel.
Network logs revealed sustained traffic to an attacker-controlled IP address over TCP port 443. This connection persisted for approximately 15 hours and, because it used port 443, blended in with legitimate HTTPS traffic. By tunneling their malicious activities over this common port, the attackers aimed to evade detection by security monitoring systems that might otherwise flag unusual network activity.
To mitigate such threats, organizations are advised to strengthen identity and access controls, rigorously enforce the principle of least privilege for all vSphere and administrative accounts, and implement vigilant monitoring for suspicious VM creation events. Additionally, alerts for the power-off of domain controllers, unexpected VMDK mounts, and unusual outbound traffic from newly provisioned systems are crucial. Continuous monitoring for the abuse of common administrative tools (living-off-the-land techniques) and anomalous access patterns to cloud data platforms can significantly improve the detection of these sophisticated attacks before they escalate to widespread lateral movement and substantial data theft.
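One way to turn those monitoring recommendations into a correlation rule, as an added example that is not from the Palo Alto Networks report or from any vendor product: it runs over constructed vCenter-style events and flags a domain controller power-off or a DC VMDK attach that occurs shortly after a new VM is created. The DC_NAMES set, the event field layout and the sample timestamps are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Assumed names of the virtualized domain controllers (hypothetical)
DC_NAMES = {"dc01", "dc02"}
# Correlate follow-on activity for a few hours after a VM is created
WINDOW = timedelta(hours=3)

# Constructed vCenter-style events; event type names follow vSphere's VmEvent
# classes, the field layout is this example's own simplification.
SAMPLE_EVENTS = [
    {"type": "VmCreatedEvent", "time": "2025-09-10T10:02:00",
     "vm": "New Virtual Machine", "user": "svc-backup"},
    {"type": "VmPoweredOffEvent", "time": "2025-09-10T10:40:00",
     "vm": "dc01", "user": "svc-backup"},
    {"type": "VmReconfiguredEvent", "time": "2025-09-10T10:42:00",
     "vm": "New Virtual Machine", "user": "svc-backup",
     "disk": "[datastore1] dc01/dc01.vmdk"},
    # Routine DC maintenance two days later: outside the window, not flagged
    {"type": "VmPoweredOffEvent", "time": "2025-09-12T02:00:00",
     "vm": "dc02", "user": "vsphere-admin"},
]

def disk_owner(disk_path):
    """Return the VM folder name from a '[datastore] folder/file.vmdk' path."""
    return disk_path.split("] ")[-1].split("/")[0].lower()

def detect_rogue_vm(events):
    """Return (rule, vm, detail) tuples for the VM-creation / DC-power-off /
    VMDK-mount chain, correlated inside WINDOW after each VM creation."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    alerts = []
    for e in events:
        if e["type"] != "VmCreatedEvent":
            continue
        t0, rogue = datetime.fromisoformat(e["time"]), e["vm"]
        alerts.append(("vm_created", rogue, f"created by {e['user']} at {t0}"))
        for f in events:
            dt = datetime.fromisoformat(f["time"]) - t0
            if not timedelta(0) <= dt <= WINDOW:
                continue
            if f["type"] == "VmPoweredOffEvent" and f["vm"].lower() in DC_NAMES:
                alerts.append(("dc_powered_off", f["vm"],
                               f"{dt} after '{rogue}' was created"))
            elif (f["type"] == "VmReconfiguredEvent" and f["vm"] == rogue
                  and disk_owner(f.get("disk", "")) in DC_NAMES):
                alerts.append(("dc_vmdk_attached", rogue,
                               f"attached {f['disk']} owned by a DC"))
    return alerts
```

In a SIEM the same chain would be fed from vCenter's event stream rather than an inline list, and the VM-creation alert on its own is low severity; the two follow-on rules are what raise it.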