The cyberthreat landscape witnessed a concerning evolution in 2025 as the notorious Muddled Libra threat group dramatically shifted their attack methodology, pivoting from traditional phishing campaigns to sophisticated voice-based social engineering targeting organizational call centers and help desks.

The attack methodology follows a predictable yet effective pattern: threat actors contact organizational help desks while impersonating legitimate employees who have purportedly lost access to their multi-factor authentication devices. In alternative scenarios, the actors reverse the social engineering dynamic by directly contacting victims while masquerading as internal IT support staff, convincing targets to install remote management software that provides immediate system access.

Rather than relying on their previously favored Oktapus phishing kit, Muddled Libra actors now engage in direct human manipulation through carefully orchestrated voice calls to organizational help desks. The threat actors have demonstrated remarkable adaptability, moving from long-term persistent campaigns to lightning-fast operations that achieve domain administrator privileges within approximately 40 minutes of initial access.

This voice-centric approach has enabled Muddled Libra to establish persistence through various remote monitoring and management tools while simultaneously targeting existing systems management platforms and endpoint detection and response solutions. The group's cloud-first mentality drives them to immediately pivot toward Microsoft 365 and SharePoint environments for internal reconnaissance, often culminating in massive data exfiltration operations exceeding 100 gigabytes within two-day periods before deploying DragonForce ransomware through their partnership with the Slippery Scorpius RaaS program.
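The chain described above (help-desk MFA device reset, remote-management tool install, privilege escalation within roughly 40 minutes, then bulk SharePoint downloads over about two days) is well suited to simple temporal correlation. The following is an added detection example written for this article, not code from the article or from any vendor; it assumes a hypothetical normalized audit-log line format (`timestamp user EVENT key=value ...`), an assumed watchlist of remote-management tool names, and time windows and a byte threshold chosen from the figures the article reports. All log lines are constructed.

```python
"""Correlate help-desk MFA resets with RMM installs, privilege grants and bulk downloads.
Added illustration; log format, event names and watchlists are assumptions."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO-8601 timestamp> <user> <EVENT> key=value ...".
# Two users: jdoe matches the full chain, asmith is a benign MFA reset.
SAMPLE_EVENTS = [
    "2025-07-20T09:02:11Z jdoe MFA_DEVICE_RESET source=helpdesk ticket=HD-1042",
    "2025-07-20T09:14:37Z jdoe PROCESS_INSTALL name=ScreenConnect host=WS-221",
    "2025-07-20T09:40:05Z jdoe GROUP_ADD group='Domain Admins' host=DC01",
    "2025-07-20T11:30:00Z jdoe SHAREPOINT_DOWNLOAD bytes=62000000000 site=finance",
    "2025-07-21T02:10:00Z jdoe SHAREPOINT_DOWNLOAD bytes=48000000000 site=hr",
    "2025-07-20T10:00:00Z asmith MFA_DEVICE_RESET source=helpdesk ticket=HD-1043",
    "2025-07-20T15:00:00Z asmith SHAREPOINT_DOWNLOAD bytes=50000000 site=hr",
]

# Assumed watchlists; tune to the tooling actually sanctioned in your environment.
RMM_TOOLS = {"screenconnect", "anydesk", "teamviewer", "atera", "splashtop"}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}


def parse_event(line):
    """Parse one constructed audit line into a dict (shlex handles quoted values)."""
    parts = shlex.split(line)
    fields = dict(p.split("=", 1) for p in parts[3:])
    return {
        "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
        "user": parts[1],
        "event": parts[2],
        **fields,
    }


def _within(later, earlier, window):
    return timedelta(0) <= later - earlier <= window


def analyze(lines, rmm_window=timedelta(minutes=60), priv_window=timedelta(minutes=60),
            exfil_window=timedelta(hours=48), exfil_bytes=100 * 10**9):
    """Return {user: [rule names]} for users whose activity matches the described chain.

    Windows of 60 minutes bracket the article's ~40-minute time-to-domain-admin;
    100 GB over 48 hours mirrors the reported exfiltration volume.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = defaultdict(set)
    for user, evs in by_user.items():
        resets = [e["ts"] for e in evs if e["event"] == "MFA_DEVICE_RESET"]

        for e in evs:
            # Rule 1: a watchlisted RMM tool appears shortly after a help-desk MFA reset.
            if (e["event"] == "PROCESS_INSTALL"
                    and e.get("name", "").lower() in RMM_TOOLS
                    and any(_within(e["ts"], r, rmm_window) for r in resets)):
                alerts[user].add("mfa_reset_then_rmm_install")
            # Rule 2: privileged group membership granted shortly after an MFA reset.
            if (e["event"] == "GROUP_ADD"
                    and e.get("group", "").lower() in PRIVILEGED_GROUPS
                    and any(_within(e["ts"], r, priv_window) for r in resets)):
                alerts[user].add("mfa_reset_then_privilege_escalation")

        # Rule 3: cumulative SharePoint download volume in any sliding window.
        downloads = [e for e in evs if e["event"] == "SHAREPOINT_DOWNLOAD"]
        for i, start in enumerate(downloads):
            total = sum(int(d["bytes"]) for d in downloads[i:]
                        if _within(d["ts"], start["ts"], exfil_window))
            if total >= exfil_bytes:
                alerts[user].add("bulk_sharepoint_download")
                break

    return {user: sorted(rules) for user, rules in alerts.items()}


if __name__ == "__main__":
    for user, rules in analyze(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(rules)}")
```

Each rule alone is noisy (help desks reset MFA devices every day, and large SharePoint syncs are routine), so the value is in the conjunction: a single user tripping the reset-then-RMM or reset-then-privilege rule is what warrants calling the employee back on a known-good number before the download rule ever fires.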
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Jul 2025 19:50:17 +0000