Malware News Ever seen an attacker perform an internet speed test? Muddled Libra did just that while trying to steal email files.

Khushal


During a September 2025 incident response investigation, Unit 42 discovered a rogue virtual machine (VM) which we believe with high confidence to be used by the cybercrime group Muddled Libra (aka Scattered Spider, UNC3944). The contents of this rogue VM and activity from the attack provide valuable insight into the operational playbook of this threat actor.
 
Muddled Libra is already bordering on the surreal and straight out of a manual… but a home user’s manual: before stealing emails, they stop to check the internet speed. I can already picture them complaining to the ISP because the loot won’t download in 4K. 📡📉🤣