Threat Group Assessment: Muddled Libra


Palo Alto researchers have added an additional section to this article that describes the evolution of Muddled Libra activity since the beginning for 2024. This group is a dynamic one, and as members cycle in and out of the group, its knowledgebase and skill set naturally shift. Its toolbox has now expanded to include:

  • Social engineering of both end users and helpdesks
  • Traditional phishing
  • Inside access to business process outsourcers
  • Ransomware affiliations for extortion

Read more…
Source: Palo Alto Unit 42


Sign up for our Newsletter
The latest news and insights delivered right to your inbox.


Related:

  • Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware

    June 21, 2022

    The Ukrainian Computer Emergency Response Team (CERT) is warning that Russian hacking groups are exploiting the Follina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons. The APT28 hacking group is believed to be sending emails containing a malicious document name “Nuclear Terrorism A Very Real Threat.rtf.”. The threat ...

  • Magecart attacks are still around. And they are becoming more stealthy

    June 21, 2022

    Magecart attacks are decreasing in number but are becoming more stealthy, with researchers highlighting potential server-side blindspots in tracking them. It’s not too often you hear about Magecart attacks. In the past few years, cybersecurity incidents that hit the headlines tended to involve attacks on core utilities and critical services, state-sponsored campaigns, ransomware, massive data breaches, ...

  • Avos ransomware group expands with new attack arsenal

    June 21, 2022

    Avos is a ransomware group first identified in 2021 initially targeting Windows machines. More recently, a new ransomware variant of AvosLocker, named after the group, is also targeting Linux environments. Well-funded and financially motivated, Avos has been active since June 2021 and follows the ransomware-as-a-service (RaaS) model, an affiliate program to recruit potential partners. The announcement ...

  • Microsoft 365 credentials targeted in new fake voicemail campaign

    June 20, 2022

    A new phishing campaign has been targeting U.S. organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical sectors to steal Microsoft Office 365 and Outlook credentials. The operation is ongoing and the threat actor behind it uses fake voicemail notifications to lure victims into opening a malicious HTML attachment. According to researchers at cloud ...

  • Android-wiping BRATA malware is evolving into a persistent threat

    June 19, 2022

    The threat actor behind BRATA banking trojan has evolved their tactics and improved the malware with information-stealing capabilities. Italian mobile security company Cleafy has been tracking BRATA activity and noticed in the most recent campaigns changes that lead to longer persistence on the device. “The modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern,” ...

  • QNAP ‘thoroughly investigating’ new DeadBolt ransomware attacks

    June 17, 2022

    Network-attached storage (NAS) vendor QNAP once again warned customers on Friday to secure their devices against a new campaign of attacks pushing DeadBolt ransomware. The company is urging users to update their NAS devices to the latest firmware version and ensure they’re not exposed to remote access over the Internet. “QNAP recently detected a new DeadBolt ransomware ...