Call Center Attacks for Initial Breach
According to Palo Alto Networks’ Unit 42, the cybercrime group tracked as Muddled Libra (also known as Scattered Spider or UNC3944) has shown remarkable resilience and adaptation in 2025, following international law enforcement disruptions in late 2024.
Despite federal charges against five suspected members in November 2024, the group has escalated its intrusion operations across sectors including government, retail, insurance, and aviation.
Unit 42’s incident response insights reveal that Muddled Libra has refined its tradecraft to achieve faster, more impactful breaches, often leveraging social engineering techniques such as vishing (voice phishing) against call centers, business process outsourcers (BPOs), and managed service providers (MSPs).
This shift reduces the group’s reliance on malware: instead, it abuses the victim’s own infrastructure and tooling for initial access, persistence, and exfiltration.
The group’s demographic profile includes young, tech-savvy actors adept at psychological manipulation, impersonating employees to reset passwords and multi-factor authentication (MFA) via help desk interactions.
In one intrusion documented in Unit 42’s 2025 Global Incident Response Report, attackers moved from initial vishing-enabled access to domain administrator privileges in under 40 minutes, and the group’s average time from initial access to impact has dropped to just over one day.

Accelerated Intrusions
Muddled Libra’s 2025 operations highlight a shift toward direct human engagement over traditional smishing or phishing, with over 70% of vishing attempts utilizing Google Voice VoIP services to impersonate users or IT personnel.
This tactic preys on help desk staff’s willingness to help, talking them into skipping identity verification so the caller can obtain credential resets and have remote management tools installed.
Once inside, the group employs remote monitoring and management (RMM) tools for persistence, targets endpoint detection and response (EDR) platforms, hypervisors, and cloud management systems for lateral movement, and dumps credentials from NTDS.dit files or password vaults to compromise Active Directory.
Collection involves reconnaissance via Microsoft 365 and SharePoint, while exfiltration routes data to cloud storage services, sometimes directly from victim environments.
A key escalation is the adoption of ransomware-as-a-service (RaaS) models, partnering with programs such as DragonForce (operated by Slippery Scorpius) since April 2025, enabling rapid data exfiltration (over 100 GB in two days in one case) followed by encryption and extortion.
Victimology shows clustered targeting within sectors, though cross-industry attacks occur simultaneously, amplifying the group’s reach and impact.
Unit 42 notes that improperly configured Conditional Access Policies (CAPs) in Microsoft Entra ID accelerate these intrusions, whereas effective CAPs (restricting unmanaged devices, enforcing MFA on-premises, geoblocking sign-ins, or mandating MFA for VPN/VDI access) significantly slow the attacker down and buy time for containment.
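The gaps described above (a VPN policy left in report-only mode, exclusions that carve the help desk out of MFA, no managed-device requirement) can be checked mechanically against a tenant’s exported policies. The script below is an added example, not code from Unit 42 or from the report; the policies in it are constructed sample data in the shape Microsoft Graph returns from `GET /identity/conditionalAccess/policies`, and the VPN application ID is a placeholder.

```python
"""Audit exported Entra ID Conditional Access policies for the weaknesses the
article describes. Added example: the policies below are constructed sample
data (Microsoft Graph conditionalAccessPolicy shape, trimmed to the fields the
audit uses), not a real tenant export."""
import copy

# Hypothetical application (client) ID of the VPN/VDI gateway registered in Entra.
VPN_APP_ID = "11111111-2222-3333-4444-555555555555"

SAMPLE_POLICIES = [
    {   # Weak: report-only, and the help desk group is excluded from MFA.
        "displayName": "MFA for VPN (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["it-helpdesk-group-id"]},
            "applications": {"includeApplications": [VPN_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Strong: every user on every app must come from a managed device.
        "displayName": "Require managed device for all apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR",
                          "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    },
]


def _enforced(policy):
    # Report-only ("enabledForReportingButNotEnforced") and disabled policies grant nothing.
    return policy.get("state") == "enabled"


def _covers_app(policy, app_id):
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    return "All" in apps or app_id in apps


def _covers_all_users(policy):
    users = policy.get("conditions", {}).get("users", {})
    return "All" in users.get("includeUsers", []) and not (
        users.get("excludeUsers") or users.get("excludeGroups"))


def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def mfa_enforced_for_app(policies, app_id):
    """True if some enabled policy requires MFA for every user reaching app_id."""
    return any(_enforced(p) and _covers_app(p, app_id) and _covers_all_users(p)
               and "mfa" in _controls(p) for p in policies)


def managed_device_enforced(policies):
    """True if some enabled all-user, all-app policy demands a managed device."""
    return any(_enforced(p) and _covers_app(p, "All") and _covers_all_users(p)
               and _controls(p) & {"compliantDevice", "domainJoinedDevice"}
               for p in policies)


def audit_policies(policies, vpn_app_id=VPN_APP_ID):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if p.get("state") != "enabled":
            findings.append(f"{name}: not enforced (state={p.get('state')})")
        users = p.get("conditions", {}).get("users", {})
        if users.get("excludeUsers") or users.get("excludeGroups"):
            findings.append(f"{name}: has user/group exclusions; review them")
    if not mfa_enforced_for_app(policies, vpn_app_id):
        findings.append("no enforced policy requires MFA for the VPN/VDI app")
    if not managed_device_enforced(policies):
        findings.append("no enforced policy requires a managed device")
    return findings


def harden(policy):
    """Return a copy of a policy with enforcement on and exclusions removed."""
    fixed = copy.deepcopy(policy)
    fixed["state"] = "enabled"
    for key in ("excludeUsers", "excludeGroups"):
        fixed.get("conditions", {}).get("users", {}).pop(key, None)
    return fixed


if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_POLICIES):
        print("FINDING:", finding)
    print("after hardening:", audit_policies([harden(p) for p in SAMPLE_POLICIES]))
```

The exclusion check is deliberately noisy: a break-glass account exclusion is legitimate, but an excluded help desk group is exactly the identity a vishing caller will end up holding, so every exclusion should be listed and justified rather than silently accepted.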
Defensive Measures
To counter Muddled Libra’s cloud-first mindset and social engineering skill, Unit 42 recommends intelligence-driven awareness training for IT support staff, rigorous MFA-reset procedures that require video or supervisor verification before any reset, and enforcement of least privilege, alongside App-ID-based blocking of unapproved RMM and file-sharing traffic.
Detection strategies include monitoring IAM changes, cloud logging for anomalies, and tracking suspicious call center activities.
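The IAM-change monitoring mentioned above maps directly onto the help desk sequence the article describes: an admin-initiated password or MFA reset, followed minutes later by new security info being registered and a privileged role being granted. The detector below is an added example written for this article, not a Unit 42 or Palo Alto Networks detection; the records are constructed sample events in a trimmed Entra directory-audit shape, and the activity names are used illustratively rather than as an exhaustive list.

```python
"""Flag help-desk resets that are followed, within a short window, by the
follow-on actions a vishing attacker performs with the reset account.
Added example; events and activity names are constructed sample data."""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Suspicious chain: help desk resets alice, new MFA registered, role added, all in 36 minutes.
    {"activityDateTime": "2025-06-01T09:02:00Z", "activityDisplayName": "Reset password (by admin)",
     "initiatedBy": "helpdesk1@example.com", "target": "alice@example.com"},
    {"activityDateTime": "2025-06-01T09:05:00Z", "activityDisplayName": "Admin deleted security info",
     "initiatedBy": "helpdesk1@example.com", "target": "alice@example.com"},
    {"activityDateTime": "2025-06-01T09:11:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": "alice@example.com", "target": "alice@example.com"},
    {"activityDateTime": "2025-06-01T09:38:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": "alice@example.com", "target": "alice@example.com"},
    # Benign: bob's reset is followed by nothing risky inside the window.
    {"activityDateTime": "2025-06-01T13:00:00Z", "activityDisplayName": "Reset password (by admin)",
     "initiatedBy": "helpdesk2@example.com", "target": "bob@example.com"},
    {"activityDateTime": "2025-06-02T08:00:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": "bob@example.com", "target": "bob@example.com"},
]

# Actions that open a chain (an admin touched the account's credentials or MFA).
RESET_ACTIONS = {"Reset password (by admin)", "Admin deleted security info"}
# Follow-on actions and how much each raises the chain's risk score.
FOLLOWUP_WEIGHTS = {
    "User registered security info": 1,   # attacker enrols their own authenticator
    "Register device": 2,                 # attacker joins a device they control
    "Add member to role": 3,              # attacker escalates the reset account
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_reset_abuse(events, window_minutes=60, threshold=3):
    """Return one alert per reset chain whose weighted follow-up score reaches
    the threshold inside the window. Each alert records the target, the
    help desk initiator, the chain start time, the score and the actions."""
    window = timedelta(minutes=window_minutes)
    by_target = {}
    for e in sorted(events, key=lambda e: parse_ts(e["activityDateTime"])):
        by_target.setdefault(e["target"], []).append(e)

    alerts = []
    for target, evs in by_target.items():
        chain = None
        for e in evs:
            ts = parse_ts(e["activityDateTime"])
            action = e["activityDisplayName"]
            if chain and ts - chain["start"] > window:
                # Window expired: score the chain, then let this event start a new one.
                if chain["score"] >= threshold:
                    alerts.append(chain)
                chain = None
            if chain is None:
                if action in RESET_ACTIONS:
                    chain = {"target": target, "helpdesk": e["initiatedBy"], "start": ts,
                             "score": 0, "actions": [action]}
                continue
            chain["actions"].append(action)
            chain["score"] += FOLLOWUP_WEIGHTS.get(action, 0)
        if chain and chain["score"] >= threshold:
            alerts.append(chain)
    return alerts


if __name__ == "__main__":
    for a in detect_reset_abuse(SAMPLE_EVENTS):
        print(f"ALERT {a['target']} reset by {a['helpdesk']} at {a['start']:%H:%M}: "
              f"score {a['score']} via {a['actions']}")
```

The weights are a starting point, not a verdict: a role assignment right after a reset is rarely legitimate, while a single authenticator registration is routine, which is why it scores low on its own and only becomes interesting in combination.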
For containment, organizations should segment virtual resources like ESXi hosts and implement out-of-band communication channels to thwart compromised tools.
Looking ahead, Unit 42 assesses with high confidence that Muddled Libra will continue to rely on vishing, abuse overly permissive identities, and collaborate with RaaS affiliates such as Akira, ALPHV, Play, Qilin, and RansomHub for streamlined monetization.
Enhanced information-sharing and law enforcement actions, such as recent UK arrests, may deter operations, but collective cybersecurity efforts remain essential.
Palo Alto Networks’ Cortex XSIAM, XDR, Advanced URL Filtering, and DNS Security provide robust defenses against associated C2 infrastructure. Organizations suspecting compromise should contact Unit 42’s Incident Response team immediately.