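<!doctype html>
<html lang="en-US">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="profile" href="https://gmpg.org/xfn/11">
  <link rel="preconnect" href="https://www.paloaltonetworks.com">
  <link rel="preconnect" href="https://cdn.cookielaw.org">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <!-- Start: Scripts Migrated From Unit42-v5 -->
  <script>
    // Globals consumed by the migrated Unit42-v5 scripts; kept as `var` so they remain
    // window properties for any later script that reads them.
    var main_site_url = 'https://www.paloaltonetworks.com';
    var maindomain_lang = 'https://www.paloaltonetworks.com';

    /**
     * Read a single query-string parameter from a URL.
     *
     * @param {string} name  Parameter name; matched literally (regex metacharacters are escaped).
     * @param {string} [url] URL to parse; defaults to the current page URL.
     * @returns {string|null} Decoded value; '' for a bare `?name` or `?name=`;
     *   null when the parameter is absent or its percent-encoding is malformed.
     */
    function getParameterByName(name, url) {
      if (url == null) {
        url = window.location.href;
      }
      // Escape every regex metacharacter, not only [ and ], so a name such as
      // "a.b" cannot accidentally match "axb".
      name = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)');
      var results = regex.exec(url);
      if (!results) return null;
      if (!results[2]) return '';
      try {
        return decodeURIComponent(results[2].replace(/\+/g, ' '));
      } catch (e) {
        // Malformed percent-encoding (e.g. "%E0") makes decodeURIComponent throw; an
        // uncaught error here would abort this whole head script, so treat the value
        // as absent instead.
        return null;
      }
    }

    // `container` is taken straight from the URL, so it is untrusted input: it is only
    // stashed for the redirected page and must be validated/escaped wherever it is read back.
    var container_q = getParameterByName('container');
    var d_lang = 'en';
    if (container_q != '' && container_q != null) {
      try {
        sessionStorage.setItem('container', container_q);
        // The destination is a fixed literal, so the parameter cannot steer the redirect.
        // replace() instead of assigning href keeps the "?container=" URL out of the
        // history stack; otherwise Back lands on it and triggers this redirect again.
        location.replace('https://unit42.paloaltonetworks.com/muddled-libra');
      } catch (e) {
        // sessionStorage can be unavailable (storage blocked, some private modes). As in
        // the original flow, no redirect happens in that case and the page renders in place.
      }
    }
  </script>
  <!-- Stylesheet preloads. The inline onload swap to rel="stylesheet" relies on inline
       event handlers, so a strict CSP would need a hash/nonce or a script-based swap. -->
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
  <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css"></noscript>
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
  <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css"></noscript>
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
  <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css"></noscript>
  <meta name="robots" content="index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1">
  <link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/muddled-libra/">
  <link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/muddled-libra/">
  <link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/muddled-libra/">
  <!-- This site is optimized with the Yoast SEO Premium plugin v23.7 (Yoast SEO v23.7) - https://yoast.com/wordpress/plugins/seo/ -->
  <title>Threat Group Assessment: Muddled Libra (Updated)</title>
  <meta name="description" content="Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses.">
  <link rel="canonical" href="https://unit42.paloaltonetworks.com/muddled-libra/">
  <meta property="og:locale" content="en_US">
  <meta property="og:type" content="article">
  <meta property="og:title" content="Threat Group Assessment: Muddled Libra (Updated)">
  <meta property="og:description" content="Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses.">
  <meta property="og:url" content="https://unit42.paloaltonetworks.com/muddled-libra/">
  <meta property="og:site_name" content="Unit 42">
  <meta property="article:published_time" content="2024-03-08T22:58:37+00:00">
  <meta property="article:modified_time" content="2024-06-07T19:09:25+00:00">
  <meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/01_Ransomware_Category_1920x900.jpg">
  <meta property="og:image:width" content="1920">
  <meta property="og:image:height" content="900">
  <meta property="og:image:type" content="image/jpeg">
  <meta name="author" content="Kristopher Russo, Austin Dever, Amer Elsad">
  <meta name="twitter:card" content="summary_large_image">
  <!-- / Yoast SEO Premium plugin. -->
  <link rel="alternate" type="application/rss+xml" title="Unit 42 » Feed" href="https://unit42.paloaltonetworks.com/feed/">
  <link rel="alternate" type="application/rss+xml" title="Unit 42 » Comments Feed" href="https://unit42.paloaltonetworks.com/comments/feed/">
  <link rel="alternate" type="application/rss+xml" title="Unit 42 » Threat Group Assessment: Muddled Libra (Updated) Comments Feed" href="https://unit42.paloaltonetworks.com/muddled-libra/feed/">
  <script>
    // Page-context data read by the site's analytics/tag-management scripts.
    var globalConfig = {};
    var webData = {};
    webData.channel = "unit42";
    webData.property = "unit42.paloaltonetworks.com";
    webData.language = "en_us";
    webData.pageType = "blogs";
    webData.pageName = "unit42:muddled-libra";
    webData.pageURL = "https://unit42.paloaltonetworks.com/muddled-libra";
    webData.article_title = "Threat Group Assessment: Muddled Libra (Updated)";
    webData.author = "Kristopher Russo,Austin Dever,Amer Elsad";
    webData.published_time = "2024-03-08T14:58:37-08:00";
    webData.description = "Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses.";
    webData.keywords = "High Profile Threats,Malware,Threat Actor Groups,0ktapus,ALPHV,app-ID,BlackCat ransomware,MITRE,Muddled Libra,phishing,Scatter Swine,Scattered Spider,social engineering";
    webData.resourceAssetID = "104eba50ade2720409eab9f72aff657a";
  </script>
  <script>
    // Build identifier. Reuse globalConfig if an earlier script already created it rather
    // than replacing it with a fresh object, which would discard any keys set in between.
    var globalConfig = globalConfig || {};
    globalConfig.buildName = "UniqueResourceAssetsID_DEC022022";
  </script>
  <meta property="og:likes" content="42">
  <meta property="og:readtime" content="13">
  <meta property="og:views" content="42,212">
  <meta property="og:date_created" content="March 8, 2024 at 2:58 PM">
  <meta property="og:post_length" content="3580">
  <meta property="og:category" content="High Profile Threats">
  <meta property="og:category" content="Malware">
  <meta property="og:category" content="Threat Actor Groups">
  <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/top-cyberthreats/">
  <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware/">
  <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/threat-actor-groups/">
  <meta property="og:author" content="Kristopher Russo">
  <meta property="og:author" content="Austin Dever">
  <meta property="og:author" content="Amer Elsad">
  <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/">
  <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/">
  <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/">
  <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg">
  <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg">
  <meta property="og:author_image_link"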
content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/> <meta name="post_tags" content="0ktapus,ALPHV,app-ID,BlackCat ransomware,MITRE,Muddled Libra,phishing,Scatter Swine,Scattered Spider,social engineering"/> <meta property="og:post_image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/Threat-brief-r3d3.png"/> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"Threat Group Assessment: Muddled Libra (Updated)","name":"Threat Group Assessment: Muddled Libra (Updated)","description":"Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses.","url":"https:\/\/unit42.paloaltonetworks.com\/muddled-libra\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/muddled-libra\/","datePublished":"March 8, 2024","articleBody":"Executive Summary\r\nMuddled Libra stands at the intersection of devious social engineering and nimble technology adaptation. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses.\r\n\r\nMuddled Libra\u2019s tactics can be fluid, adapting quickly to a target environment. They continue to use social engineering as their primary modus operandi, targeting a company's IT help support desk. For example, in under a few minutes, these threat actors successfully changed an account password and later reset the victim\u2019s MFA to gain access to their networks.\r\n\r\nMuddled Libra was first noted for targeting organizations in the software automation, outsourcing and telecommunications verticals. Since then, they\u2019ve expanded their targeting to include the technology, business process outsourcing, hospitality and more recently, financial industries. 
They show no signs of slowing.\r\n\r\nUnit 42 researchers and responders have investigated interrelated incidents from mid-2022 through the beginning of 2024, which we\u2019ve attributed to the threat group Muddled Libra. Initial attacks were highly structured and favored large business process outsourcing firms serving high-value cryptocurrency holders. We believe that when the threat actors exhausted those targets, they evolved into a ransomware affiliate model with extortion as their key objective.\r\n\r\nIn the cases we\u2019ve been involved with, we observed Muddled Libra performing the following activities:\r\n\r\n \tUsing NSOCKS and TrueSocks proxy services\r\n \tCreating email rules to forward emails from specific security vendors to the actors to monitor communications and those helping in the investigation\r\n \tDeploying a custom virtual machine into the environment\r\n \tUsing an open-source rootkit, bedevil (bdvl) to target VMware vCenter servers\r\n \tGaining administrative permissions\r\n \tHeavy use of anonymizing proxy services\r\n\r\nWe also believe that members of Muddled Libra speak English as a first language, which provides them greater ability to conduct their social engineering attacks with other English speakers. Muddled Libra has also been observed using AI to spoof victims\u2019 voices. Social media videos can be used by attackers to train AI models. The targets we\u2019ve observed seem to be primarily in the U.S.\r\n\r\nThwarting Muddled Libra requires interweaving tight security controls, diligent awareness training and vigilant monitoring.\r\n\r\nPalo Alto Networks customers are better protected from the threats described in this article through a modern security architecture built around Cortex XSIAM in concert with Cortex XDR. 
The Advanced URL Filtering and DNS Security Cloud-Delivered Security Services can help protect against command and control (C2) infrastructure, while App-ID can limit anonymization services allowed to connect to the network.\r\n\r\n\r\n\r\nRelated Unit 42 Topics\r\nMuddled Libra (related to Scattered Spider, Scatter Swine), 0ktapus, Social Engineering\r\n\r\n\r\n\r\nThreat Overview\r\nThe attack style defining Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit. This malware kit offered the following features:\r\n\r\n \tA prebuilt hosting framework\r\n \tEasy C2 connectivity\r\n \tBundled attack templates\r\n\r\nThese options allowed attackers to emulate mobile authentication pages cheaply and easily.\r\n\r\nWith over 200 realistic fake authentication portals and some targeted smishing, attackers quickly gathered credentials and multifactor authentication (MFA) codes for over one hundred organizations.\r\n\r\nThe speed and breadth of these attacks caught many defenders off-guard. While smishing is not a new tactic, the 0ktapus framework commoditized what would typically require complex infrastructure and advanced technical skills, in a way that granted even low-skilled attackers a high attack success rate.\r\n\r\nThe sheer number of targets being hit with this kit created a fair amount of confusion regarding attribution in the research community. Previous reporting by Group-IB, CrowdStrike and Okta has documented and mapped many of these attacks to the following intrusion groups: 0ktapus, Scattered Spider and Scatter Swine.\r\n\r\nWhile these have been frequently treated as several names for one group, what these names actually define are:\r\n\r\n \tAn attack style using a common toolkit\r\n \tA social forum-based collaboration network\r\n \tAn Agile-like team structure\r\n\r\nMuddled Libra is a distinct group of actors using this tradecraft. 
In a 2023 blog posted on ALPHV\u2019s leak site, the attackers corroborated this view, claiming that previous researcher attribution models have been non-specific.\r\n\r\nDuring Unit 42 Incident Response investigations, we identified several cases we attribute to Muddled Libra. Muddled Libra has been responsible for a campaign of complex supply chain attacks, ultimately leading to high-value cryptocurrency targets.\r\n\r\nThis group has only intensified their campaign. They are shifting tactics to adapt to improving cyber defenses, and they are targeting to broaden their attack scope.\r\n\r\n[caption id=\"attachment_133068\" align=\"aligncenter\" width=\"600\"] Figure 1. Muddled Libra evolved tactics.[\/caption]\r\n\r\nUnit 42 has observed an extensive toolkit used in these attacks. This arsenal ranges from hands-on social engineering and smishing attacks to proficiency with niche penetration testing, forensics tools and even legitimate systems management software. This breadth of tooling gives Muddled Libra an edge over even a robust and modern cyber defense plan.\r\n\r\nIn incidents the Unit 42 team has investigated, Muddled Libra has been methodical in pursuing its goals and highly flexible with attack strategies. When an attack tactic is blocked, they have either rapidly pivoted to another vector or modified the target environment to enable their favored path.\r\n\r\nMuddled Libra has also repeatedly demonstrated a strong understanding of the modern incident response (IR) framework. This knowledge allows them to continue progressing toward their goals even as incident responders attempt to expel them from an environment. Once established, this threat group is difficult to eradicate. 
Unit 42 has observed them joining IR war rooms and creating rules within email security platforms to intercept and redirect incident response-related communication.\r\n\r\nInitially, Muddled Libra preferred targeting a victim\u2019s downstream customers using stolen data and, if allowed, would return repeatedly to the well to refresh their stolen dataset. Using this stolen data, the threat actor could return to prior victims even after the initial incident response.\r\n\r\nFurthermore, Muddled Libra appeared to have clear goals for its breaches versus just capitalizing on opportunistic access. They rapidly sought and stole information on downstream client environments and then used it to pivot into those environments.\r\n\r\nIn a notable departure from earlier tactics, in 2023, intelligence indicated that Muddled Libra joined the ALPHV\/Blackcat ransomware-as-a-service affiliate program. They wasted no time implementing this new tool set with a radical departure from previous tradecraft in favor of new attacks focused on data theft, encryption and enormous extortion demands.\r\n\r\nThe U.S. Justice Department interrupted ALPHV\u2019s operations shortly after these attacks began. Since this action, new Muddled Libra attacks have shifted to data theft with a simple extortion objective. Muddled Libra has demonstrated a strong understanding of their victims\u2019 \u201cline of business\u201d processes, and they strike at the heart of business operations.\r\nAttack Chain\r\nWhile each incident is unique, Unit 42 researchers have identified enough commonalities in tradecraft to attribute multiple incidents to Muddled Libra. Figure 1 shows the attack chain.\r\n\r\n[caption id=\"attachment_132977\" align=\"aligncenter\" width=\"700\"] Figure 2. 
Muddled Libra attack chain.[\/caption]\r\n\r\nWe have mapped these to the MITRE ATT&CK\u00ae framework, summarized below.\r\nReconnaissance\r\nMuddled Libra has consistently demonstrated an intimate knowledge of targeted organizations, including employee lists, job roles and cellular phone numbers. In some instances, threat actors likely obtained this data during earlier breaches against upstream targets.\r\n\r\nThreat actors also frequently obtain information packs from illicit data brokers such as the now-defunct Genesis and Russian Markets. This data is typically harvested from corporate and personal infected devices using malware such as Raccoon Stealer and RedLine Stealer.\r\n\r\nWith the early advent of bring-your-own-device (BYOD) policies and the popularity of hybrid work solutions, corporate data and credentials are frequently used and cached on personal devices. Decentralizing the management and protection of IT assets creates a lucrative targeting opportunity for information-stealing malware.\r\nResource Development\r\nLookalike domains used in smishing attacks are a consistent hallmark for Muddled Libra. This tactic is effective since mobile devices frequently truncate links in SMS messages. Malicious domain names frequently use the format of the organization name with a hyphen, followed by a service (like SSO, helpdesk or HR).\r\n\r\nEarly clusters of attacks attributed to the 0ktapus campaign consistently used domains registered via Porkbun or Namecheap and hosted on Digital Ocean infrastructure. These domains are short-lived, used only during the initial access phase, and they are quickly taken down before defenders can investigate. Recently, we\u2019ve observed Muddled Libra adding Metaregistrar and Hosting Concepts to their preferred registrar list, and their hosting has moved behind a large content delivery network (CDN) service.\r\n\r\nIn many investigations, Unit 42 observed the use of the 0ktapus phishing kit for credential harvesting. 
Group-IB has done a great deep dive analysis of this versatile kit, which is widely available in the criminal underground. It requires little skill to stand up and configure, making it an ideal tool for highly targeted smishing attacks. Since its introduction, other threat groups have adopted this kit, and it continues to evolve.\r\nInitial Access\r\nIn all incidents where Unit 42 could determine an initial access vector, smishing and helpdesk social engineering were involved. In most early incidents, the threat actor sent a lure message directly to the targeted employees\u2019 cellphones, claiming they needed to update account information or reauthenticate to a corporate application. Messages contained a link to a spoofed corporate domain designed to emulate a familiar login page.\r\n\r\nLikely due to organizations\u2019 large-scale phase-out of SMS as a secondary authentication factor, Muddled Libra has begun to move away from smishing as an initial entry vector. New cases indicate that this group pervasively uses direct social engineering.\r\n\r\nHelpdesk and customer service agents are particularly high-value targets. Unit 42 has observed Muddled Libra using a combination of open-source intelligence and previously compromised sensitive data to get help desk agents to reset both passwords and MFA on the same call.\r\n\r\nThese attacks are convincing and persistent. They focus on wearing the agent\u2019s defenses down, running up the call length and ultimately bypassing security restrictions that could have prevented these attacks.\r\nPersistence\r\nMuddled Libra was particularly focused on maintaining access to targeted environments. While threat actors commonly use a free or demo version of a remote monitoring and management (RMM) tool during intrusions, Muddled Libra often installed half a dozen or more of these utilities. 
They did this to ensure they would maintain a backdoor into the environment even if one were discovered.\r\n\r\nUsing commercial RMM tools is particularly problematic as these tools are legitimate, business-critical applications that Muddled Libra abuses. None of these tools are inherently malicious and they are frequently used in the day-to-day administration of many enterprise networks. Defenders should weigh the risks of an outright block versus carefully monitoring their use.\r\n\r\nObserved tools included Zoho Assist, AnyDesk, Splashtop, TeamViewer, ITarian, FleetDeck, ASG Remote Desktop, RustDesk and ManageEngine RMM. Unit 42 recommends organizations block by signer any RMM tools that they have not sanctioned for use within the enterprise.\r\n\r\nMuddled Libra has also demonstrated familiarity with cloud platforms, both hosted and software as a service (SaaS). They will use these platforms to establish a foothold within the organization, as these resources are unlikely to be monitored like traditional assets and systems. Unit 42 has a separate article with much more detail on cloud targeting.\r\n\r\nNotably, recent attacks indicate that long-term persistence is no longer this group\u2019s primary objective. Instead, they\u2019ve moved to a more traditional \u201cencrypt and extort\u201d model. Targeting has broadened to include large organizations more likely to have the capability to pay large ransoms. 
Once this group learns and understands the infrastructure and software used in an industry, they tend to target other organizations in the same vertical.\r\nDefense Evasion\r\nDemonstrating proficiency with many security controls, Muddled Libra evaded common defenses.\r\n\r\nTheir tactics have included the following:\r\n\r\n \tDisabling antivirus and host-based firewalls\r\n \tAttempting to delete firewall profiles\r\n \tCreating defender exclusions\r\n \tDeactivating or uninstalling EDR and other monitoring products\r\n \tStanding up unmanaged cloud virtual machines\r\n \tElevating access in virtual desktop environments\r\n\r\nAttackers also re-enabled and used existing Active Directory accounts to avoid triggering common security information and event management (SIEM) monitoring rules. We also observed them operating within endpoint detection and response (EDR) administrative consoles to clear alerts. We cover this attack in detail in our article. \r\n\r\nMuddled Libra has been careful with operational security, consistently using commercial virtual private network (VPN) services to obscure their geographic location and attempt to blend in with legitimate traffic. The group preferred Mullvad VPNin early incidents Unit 42 researchers investigated, but we also observed multiple other vendors, such as ExpressVPN, NordVPN, Ultrasurf, Easy VPN and ZenMate.\r\n\r\nUnit 42 researchers have more recently observed the usage of rotating residential proxy services as well. As reported by Brian Krebs in 2021, residential proxy services typically hide their code inside browser extensions, allowing operators to lease out residential connections for legitimate and malicious use alike.\r\n\r\nDefenders should look for multiple users authenticating from new residential IPs over short periods.\r\nCredential Access\r\nOnce attackers captured the credentials they would use for initial access, the attacker took one of two paths. 
In one case, they continued with the authentication process from a machine they controlled and immediately requested a MFA code. In the other cases, they generated an endless string of MFA prompts until the user accepted one out of fatigue or frustration (aka MFA bombing).\r\n\r\nIn cases where MFA bombing was unsuccessful, the threat actor contacted the organization\u2019s help desk, claiming to be the victim. They would then state that their phone was inoperable or misplaced and would request to enroll a new, attacker-controlled MFA authentication device.\r\n\r\nMuddled Libra\u2019s social engineering success is notable. Across many cases, the group demonstrated unusually high comfort in engaging the help desk and other employees over the phone, convincing them to engage in unsafe actions.\r\n\r\nIf targeted accounts do not have the desired access, Muddled Libra will use the account for discovery and repeat the process until they have the access necessary for their attack.\r\n\r\nAfter establishing a foothold, Muddled Libra moves quickly to elevate access. Standard credential-stealing tools employed in this phase included Mimikatz, ProcDump, DCSync, Raccoon Stealer and LAPS Toolkit. When the group could not quickly locate elevated credentials, they turned to Impacket, MIT Kerberos Ticket Manager and NTLM Encoder\/Decoder.\r\n\r\nIn some incidents, Muddled Libra employed specialized tools to search memory contents for credentials directly using MAGNET RAM Capture and Volatility. As these are legitimate forensics tools that Muddled Libra is abusing, defenders should carefully consider the downsides to blocking them, including the possibility of security team activity generating false positive alerts.\r\n\r\nThis tactic raises an important flag for defenders. Even though user accounts might be protected through privileged access management, endpoints often have elevated credentials cached for system management or to run services. 
Care should be taken to ensure that privileged credentials only have the permissions necessary to perform their intended functions and are closely monitored for deviations from normal behavior.\r\nDiscovery\r\nMuddled Libra\u2019s discovery methods were consistent from case to case. In our investigations, the group used well-known, legitimate penetration testing tools to map the environment and identify targets of interest. Their toolkit included SharpHound, ADRecon, AD Explorer, Angry IP Scanner, Angry Port Scanner and CIMplant.\r\n\r\nMuddled Libra also proved proficient with commercial systems administration tools such as ManageEngine, LANDESK and PDQ Inventory for discovery and automation. They also used VMware PowerCLI and RVTools in virtual environments.\r\n\r\nDefenders should be vigilant in identifying unsanctioned network scanning and unusual rapid access to multiple systems or access that crosses logical business segments.\r\nExecution\r\nIn early incidents, Muddled Libra appeared primarily interested in data and credential theft, and we infrequently saw remote execution. However, more recent cases included a BlackCat ransomware component. When needed, the group accomplishes execution with Sysinternals PsExec or Impacket. We also observed Muddled Libra using the victim\u2019s system management tools to execute malicious code. They used captured credentials or authentication hashes for privilege elevation.\r\nLateral Movement\r\nMuddled Libra preferred using remote desktop protocol (RDP) connections from compromised computers for lateral movement inside the target environment. This approach helps to minimize discoverable external network artifacts in logs that could alert defenders and help investigators with attribution.\r\nCollection\r\nMuddled Libra is familiar with typical enterprise data management. 
They\u2019ve successfully located sensitive organizational data in a wide range of common data repositories, both structured and unstructured, including the following:\r\n\r\n \tConfluence\r\n \tCode Management Platforms\r\n \tElastic\r\n \tMicrosoft Office 365 suite (e.g., SharePoint, Outlook)\r\n \tInternal messaging platforms\r\n\r\nThey also targeted data in the victim\u2019s environment from typical service desk applications like Zendesk and Jira. Mined data included credentials for further compromise and they directly targeted sensitive and confidential information.\r\n\r\nUnit 42 researchers observed Muddled Libra using the open-source data mining tool Snaffler and native tools to search registries, local drives and network shares for keywords like *password*, and securestring. Threat actors then staged compromised data and archived it for exfiltration using WinRAR or PeaZip. They used stolen sensitive data as leverage in extortion demands.\r\n\r\nDefenders should regularly perform keyword searches in their environments to identify improperly stored data and credentials as part of a broader data management and classification strategy.\r\nExfiltration\r\nIn several cases, Muddled Libra attempted to establish reverse proxy shells or secure shell (SSH) tunnels for command and control exfiltration. We observed them using tunneling software such as RSocx. Muddled Libra also used common file transfer sites such as put[.]io, transfer[.]sh, wasabi[.]com, or gofile[.]io to both exfiltrate data and pull down attack tools. We also observed the use of Cyberduck as a file transfer agent.\r\n\r\nThreat actors often abuse, take advantage of or subvert legitimate products such as Cyberduck for malicious purposes. 
This does not necessarily imply a flaw or malicious quality to the legitimate product being abused.\r\nImpact\r\nThe early impact directly observed by Unit 42 was some combination of the theft of sensitive data and Muddled Libra leveraging trusted organizational infrastructure for follow-on attacks on downstream customers.\r\n\r\nLater attacks were much more destructive, and they included the following activities:\r\n\r\n \tDisruption of operations\r\n \tDamage to sensitive systems\r\n \tEncryption of critical data\r\n \tEnormous extortion demands\r\n\r\nConclusion and Mitigations\r\nMuddled Libra is a methodical adversary that substantially threatens enterprise organizations across many industries. They are proficient in a range of security disciplines, able to thrive in relatively secure environments and execute rapidly to complete devastating attack chains.\r\n\r\nMuddled Libra doesn\u2019t bring anything new to the table except for the uncanny knack of stringing together weaknesses to disastrous effect. Defenders must combine cutting-edge technology, comprehensive security hygiene and external threats and internal events monitoring. The high-stakes risk of operational disruption and loss of sensitive data is a strong incentive for modernizing information security programs.\r\n\r\nIn addition to the mitigation recommendations included in the Attack Chain subsections above, we recommend organizations:\r\n\r\n \tImplement MFA and single sign-on (SSO) wherever possible \u2013 preferably Fast Identity Online (FIDO). In the cases we investigated, Muddled Libra was most successful when they convinced employees to help them bypass MFA. When they could not quickly establish a foothold, they appeared to move on to other targets.\r\n \tDefenders should consider implementing security alerting and account lockout on repeated MFA failures.\r\n \tImplement comprehensive user awareness training. 
Muddled Libra is heavily focused on social engineering help desk and other employees via phone and SMS. Employee training on identifying suspicious non-email-based outreach is critical.\r\n \tIn case of a breach, assume this threat actor knows the modern IR playbook. Consider setting up out-of-band response mechanisms.\r\n \tEnsure credential hygiene is up to date. Only grant access when and for as long as necessary.\r\n \tMonitoring and managing access to critical defenses and controls is essential to defending against skilled attackers. Rights should be restricted to only what is necessary for each job function. Identity threat detection and response (ITDR) tools such as Cortex XDR and Cortex XSIAM should be used to monitor for abnormal behavior.\r\n \tDefenders should limit anonymization services allowed to connect to the network, ideally at the firewall by App-ID.\r\n\r\nTo defend against the threats described in this blog, Palo Alto Networks further recommends that organizations employ the following capabilities:\r\n\r\n \tNetwork security: delivered through a Next-Generation Firewall (NGFW) configured with machine learning enabled and best-in-class, cloud-delivered security services. This includes, for example, threat prevention, URL filtering, DNS security and a malware prevention engine capable of identifying and blocking malicious samples and infrastructure.\r\n \tEndpoint security: delivered through an XDR solution that can identify malicious code through advanced machine learning and behavioral analytics. 
This solution should be configured to act on and block threats in real-time as they are identified.\r\n \tSecurity automation: delivered through an XSOAR or XSIAM solution capable of providing SOC analysts with a comprehensive understanding of the threat derived by stitching together data from endpoints, network, cloud and identity systems.\r\n\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\n\r\n \tNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\n \tEMEA: +31.20.299.3130\r\n \tAPAC: +65.6983.8730\r\n \tJapan: +81.50.1790.0200\r\n\r\nIndicators of Compromise\r\nIPs observed during this activity:\r\n\r\n \t104.247.82[.]11\r\n \t105.101.56[.]49\r\n \t105.158.12[.]236\r\n \t134.209.48[.]68\r\n \t137.220.61[.]53\r\n \t138.68.27[.]0\r\n \t146.190.44[.]66\r\n \t149.28.125[.]96\r\n \t157.245.4[.]113\r\n \t159.223.208[.]47\r\n \t159.223.238[.]0\r\n \t162.19.135[.]215\r\n \t164.92.234[.]104\r\n \t165.22.201[.]77\r\n \t167.99.221[.]10\r\n \t172.96.11[.]245\r\n \t185.56.80[.]28\r\n \t188.166.92[.]55\r\n \t193.149.129[.]177\r\n \t207.148.0[.]54\r\n \t213.226.123[.]104\r\n \t35.175.153[.]217\r\n \t45.156.85[.]140\r\n \t45.32.221[.]250\r\n \t64.227.30[.]114\r\n \t79.137.196[.]160\r\n \t92.99.114[.]231\r\n\r\nAdditional Resources\r\n\r\n \tMuddled Libra Discussion With Unit 42 Senior Consultant Stephanie Regan \u2013 Threat Vector Podcast, Unit 42 on CyberWire Daily\r\n \tExposing Muddled Libra's Meticulous Tactics With Unit 42 Senior Researcher Kristopher Russo \u2013 Threat Vector Podcast, Unit 42 on CyberWire Daily\r\n \tMuddled Libra's Evolution to the Cloud \u2013 Unit 42, Palo Alto Networks\r\n \tRoasting 0ktapus: The phishing campaign going after Okta identity credentials \u2013\u00a0Group-IB\r\n \tNot a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies \u2013 CrowdStrike\r\n \tDetecting Scatter Swine: Insights into a Relentless 
Phishing Campaign \u2013 Okta\r\n \tI Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware \u2013 Mandiant\r\n \tIs Your Browser Extension a Botnet Backdoor? \u2013 Krebs on Security\r\n \tSuspicion stalks Genesis Market\u2019s competitors following FBI takedown \u2013 The Record, Recorded Future News\r\n\r\nUpdated March 19, 2024, at 6:52 a.m. PT to correct Figure 1.\u00a0","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/01_Ransomware_Category_1920x900-300x300.jpg","width":300,"height":300},"speakable":{"@type":"SpeakableSpecification","xPath":["\/html\/head\/title","\/html\/head\/meta[@name='description']\/@content"]},"author":[{"@type":"Person","name":"Kristopher Russo"},{"@type":"Person","name":"Austin Dever"},{"@type":"Person","name":"Amer Elsad"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' media='all' /> <style id='co-authors-plus-coauthors-style-inline-css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css'> .wp-block-co-authors-plus-avatar :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-avatar :where(img){vertical-align:middle}.wp-block-co-authors-plus-avatar:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-avatar.aligncenter{display:table;margin-inline:auto} </style> <style id='co-authors-plus-image-style-inline-css'> .wp-block-co-authors-plus-image{margin-bottom:0}.wp-block-co-authors-plus-image :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-image 
:where(img){vertical-align:middle}.wp-block-co-authors-plus-image:is(.alignfull,.alignwide) :where(img){width:100%}.wp-block-co-authors-plus-image:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-image.aligncenter{display:table;margin-inline:auto} </style> <style id='safe-svg-svg-icon-style-inline-css'> .safe-svg-cover{text-align:center}.safe-svg-cover .safe-svg-inside{display:inline-block;max-width:100%}.safe-svg-cover svg{height:100%;max-height:100%;max-width:100%;width:100%} </style> <style id='classic-theme-styles-inline-css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 
100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 
1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) 
!important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) 
!important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} 
:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='post-views-counter-frontend-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/css/frontend.min.css?ver=1.4.7' media='all' /> <link rel='stylesheet' id='wpml-legacy-post-translations-0-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-post-translations/style.min.css?ver=1' media='all' /> <link rel='stylesheet' id='unit42-v6-style-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/style.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-head-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/head-styles.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v5-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-plugin-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/plugin.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main-redesign.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='like-dislike-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/css/ldc-lite.css?ver=1.0.0' media='all' /> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script id="crayon_js-js-extra"> var CrayonSyntaxSettings = 
{"version":"_2.7.2_beta","is_admin":"0","ajaxurl":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""}; var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js?ver=_2.7.2_beta" id="crayon_js-js"></script> <script id="post-views-counter-frontend-js-before"> var pvcArgsFrontend = {"mode":"js","postID":128741,"requestURL":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","nonce":"316442e30f","dataStorage":"cookies","multisite":false,"path":"\/","domain":""}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/js/frontend.min.js?ver=1.4.7" id="post-views-counter-frontend-js"></script> <script id="wpml-xdomain-data-js-extra"> var wpml_xdomain_data = {"css_selector":"wpml-ls-item","ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","current_lang":"en","_nonce":"f0e37bbbe8"}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/res/js/xdomain-data.js?ver=4.6.13" id="wpml-xdomain-data-js" defer data-wp-strategy="defer"></script> <link rel="https://api.w.org/" href="https://unit42.paloaltonetworks.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://unit42.paloaltonetworks.com/wp-json/wp/v2/posts/128741" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://unit42.paloaltonetworks.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.6.2" /> <link rel='shortlink' href='https://unit42.paloaltonetworks.com/?p=128741' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" 
href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fmuddled-libra%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fmuddled-libra%2F&format=xml" /> <meta name="generator" content="WPML ver:4.6.13 stt:1,28;" /> <meta name="google-site-verification" content="zHZtYOWm9hm4SZgsH7wqiYcOwmsAsxDUDU4UD1QxB40" /><style>#wpdevart_lb_overlay{background-color:#000000;} #wpdevart_lb_overlay.wpdevart_opacity{opacity:0.8 !important;} #wpdevart_lb_main_desc{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ width:100%; padding-top:0px; padding-bottom:0px; } #wpdevart_info_counter_of_imgs{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_caption{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_title{ display: inline-block; padding-left:5px; padding-right:5px; font-size:15px; color:#000000; } @-webkit-keyframes rotate { to {-webkit-transform: rotate(360deg);} from {-webkit-transform: rotate(0deg);} } @keyframes rotate { to {transform: rotate(360deg);} from {transform: rotate(0deg);} } #wpdevart_lb_loading_img,#wpdevart_lb_loading_img_first{ -webkit-animation: rotate 2s linear infinite; animation: rotate 2s linear infinite; } </style> <link rel="icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" sizes="32x32" /> <link rel="icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" 
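sizes="192x192" /> <link rel="apple-touch-icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <meta name="msapplication-TileImage" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <script>var $ = jQuery;</script>
<script type="text/javascript">
// Hides <body> by injecting a <style> keyed by STYLE_ID, then removes that
// same node after `timeout` ms. Presumably a flicker guard for the async
// script loaded from assets.adobedtm.com just below; the page becomes
// visible after the timeout whether or not that script has run.
;(function(win, doc, hideCss, timeout) {
  var STYLE_ID = 'at-body-style';

  /** Returns the document <head> (undefined if the document has none). */
  function getParent() {
    return doc.getElementsByTagName('head')[0];
  }

  /** Appends a <style id=id> holding `def` to `parent`; no-op without a parent. */
  function addStyle(parent, id, def) {
    if (!parent) { return; }
    var styleEl = doc.createElement('style');
    styleEl.id = id;
    styleEl.innerHTML = def;
    parent.appendChild(styleEl);
  }

  /** Removes the element with id `id` from `parent`; no-op if either is missing. */
  function removeStyle(parent, id) {
    if (!parent) { return; }
    var styleEl = doc.getElementById(id);
    if (!styleEl) { return; }
    parent.removeChild(styleEl);
  }

  addStyle(getParent(), STYLE_ID, hideCss);
  setTimeout(function() { removeStyle(getParent(), STYLE_ID); }, timeout);
}(window, document, "body {visibility:hidden !important}", 3000));
</script>
<script src="https://assets.adobedtm.com/9273d4aedcd2/0d76ae0322d7/launch-425c423d843b.min.js" async></script>
<script type="text/javascript" src="https://www.paloaltonetworks.com/content/dam/pan/en_US/includes/attribution.js"></script>
<script type="text/javascript">
// IE11 only: load the polyfill bundle before the theme scripts run.
// document.write() is kept deliberately because it blocks until the script
// has loaded; a createElement('script') insert would be asynchronous and
// could race the scripts that follow. The URL is a fixed first-party
// constant, not user input, so the string concatenation is safe here.
var isIE11 = !!navigator.userAgent.match(/Trident.*rv\:11\./);
if(isIE11){
  var polyfill = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/scripts/polyfill.min.js';
  document.write('<script type="text/javascript" src="'+polyfill+'">\x3C/script>');
}
/**
 * String.prototype.replaceAll() polyfill
 * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/
 * @author Chris Ferdinandi
 * @license MIT
 */
if (!String.prototype.replaceAll) {
  String.prototype.replaceAll = function(str, newStr){
    // If a regex pattern
    if (Object.prototype.toString.call(str).toLowerCase() === '[object regexp]') {
      return this.replace(str, newStr);
    }
    // If a string
    return this.replace(new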
RegExp(str, 'g'), newStr); }; } /*! lozad.js - v1.16.0 - 2020-09-06 */ !function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):t.lozad=e()}(this,function(){"use strict"; /** * Detect IE browser * @const {boolean} * @private */var g="undefined"!=typeof document&&document.documentMode,f={rootMargin:"0px",threshold:0,load:function(t){if("picture"===t.nodeName.toLowerCase()){var e=t.querySelector("img"),r=!1;null===e&&(e=document.createElement("img"),r=!0),g&&t.getAttribute("data-iesrc")&&(e.src=t.getAttribute("data-iesrc")),t.getAttribute("data-alt")&&(e.alt=t.getAttribute("data-alt")),r&&t.append(e)}if("video"===t.nodeName.toLowerCase()&&!t.getAttribute("data-src")&&t.children){for(var a=t.children,o=void 0,i=0;i<=a.length-1;i++)(o=a[i].getAttribute("data-src"))&&(a[i].src=o);t.load()}t.getAttribute("data-poster")&&(t.poster=t.getAttribute("data-poster")),t.getAttribute("data-src")&&(t.src=t.getAttribute("data-src")),t.getAttribute("data-srcset")&&t.setAttribute("srcset",t.getAttribute("data-srcset"));var n=",";if(t.getAttribute("data-background-delimiter")&&(n=t.getAttribute("data-background-delimiter")),t.getAttribute("data-background-image"))t.style.backgroundImage="url('"+t.getAttribute("data-background-image").split(n).join("'),url('")+"')";else if(t.getAttribute("data-background-image-set")){var d=t.getAttribute("data-background-image-set").split(n),u=d[0].substr(0,d[0].indexOf(" "))||d[0];// Substring before ... 
1x u=-1===u.indexOf("url(")?"url("+u+")":u,1===d.length?t.style.backgroundImage=u:t.setAttribute("style",(t.getAttribute("style")||"")+"background-image: "+u+"; background-image: -webkit-image-set("+d+"); background-image: image-set("+d+")")}t.getAttribute("data-toggle-class")&&t.classList.toggle(t.getAttribute("data-toggle-class"))},loaded:function(){}};function A(t){t.setAttribute("data-loaded",!0)}var m=function(t){return"true"===t.getAttribute("data-loaded")},v=function(t){var e=1<arguments.length&&void 0!==arguments[1]?arguments[1]:document;return t instanceof Element?[t]:t instanceof NodeList?t:e.querySelectorAll(t)};return function(){var r,a,o=0<arguments.length&&void 0!==arguments[0]?arguments[0]:".lozad",t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:{},e=Object.assign({},f,t),i=e.root,n=e.rootMargin,d=e.threshold,u=e.load,g=e.loaded,s=void 0;"undefined"!=typeof window&&window.IntersectionObserver&&(s=new IntersectionObserver((r=u,a=g,function(t,e){t.forEach(function(t){(0<t.intersectionRatio||t.isIntersecting)&&(e.unobserve(t.target),m(t.target)||(r(t.target),A(t.target),a(t.target)))})}),{root:i,rootMargin:n,threshold:d}));for(var c,l=v(o,i),b=0;b<l.length;b++)(c=l[b]).getAttribute("data-placeholder-background")&&(c.style.background=c.getAttribute("data-placeholder-background"));return{observe:function(){for(var t=v(o,i),e=0;e<t.length;e++)m(t[e])||(s?s.observe(t[e]):(u(t[e]),A(t[e]),g(t[e])))},triggerLoad:function(t){m(t)||(u(t),A(t),g(t))},observer:s}}}); </script> <!-- <script src="https://www.google.com/recaptcha/api.js"></script> --> <!-- End: Scripts Migrated From Unit42-v5 --> </head> <body class="post-template-default single single-post postid-128741 single-format-standard no-sidebar"> <header class="haeder py-15 position-relative z-index-2" style="display: none;"> <div class="container px-sm-30 px-35"> <div class="row"> <div class="first-logo col-sm-auto col-6 mb-sm-0 mb-40 text-sm-center order-1"> <a 
href="https://www.paloaltonetworks.com/"> <img src="/wp-content/uploads/2021/07/PANW_Parent.png" width="140px" alt="Logo" /> </a> </div> <div class="col-sm-auto col-6 text-sm-center order-sm-2 order-4 second-logo-unit"> <a href="https://unit42.paloaltonetworks.com/"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/unit42-logo-white.svg" class="attachment-full size-full" alt="Unit42 Logo" width="150" height="35"/> </a> </div> <div class="col-auto d-sm-none ml-auto mb-40 order-2"> <button class="btn__search" data-toggle="collapse" data-target="#search" aria-label="search"><i class="ui ui-1"></i></button> </div> <div id="search" class="collapse d-sm-block col-sm-auto col-12 ml-auto order-3"> <div class="pt-sm-0 pt-20 pb-sm-0 pb-40 mt-sm-0 mt-n30"> <input type="search" placeholder="Search Unit 42" id="innerSearch" class="header__search" value="" required aria-label="Inner Search"> </div> </div> <div class="col-auto d-sm-none d-flex ml-auto align-items-center order-5"> <button class="btn__menu rounded" data-toggle="collapse" data-target="#navigation">Menu</button> </div> </div> </div> </header> <nav id="navigation" class="site-nav collapse d-sm-block pb-20 mt-sm-10" style="display: none!important;"> <div class="container px-sm-30"> <ul id="menu-primary-navigation" class="main-menu d-sm-flex font-weight-medium"><li id="menu-item-97290" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-97290"><a href="https://unit42.paloaltonetworks.com/tools/">Tools</a></li> <li id="menu-item-41" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-41"><a href="https://unit42.paloaltonetworks.com/atoms/">ATOMs</a></li> <li id="menu-item-119884" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-119884"><a target="_blank" rel="noopener" href="https://www.paloaltonetworks.com/unit42">Security Consulting</a></li> <li id="menu-item-81229" class="menu-item menu-item-type-post_type 
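menu-item-object-page menu-item-81229"><a href="https://unit42.paloaltonetworks.com/about-unit-42/">About Us</a></li> <li id="menu-item-121229" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-121229"><a href="https://start.paloaltonetworks.com/contact-unit42.html"><b style="color:#C84727">Under Attack?</b></a></li> </ul> </div> </nav> <div class="panClean pan-template-home" id="main-nav-menu-cont" style="display:none;"> <div class="cleanHeader mainNavigationComp baseComponent parbase"> <div class="productNav2021Component dark default" id="PAN_2021_NAV_ASYNC"> </div> </div> <div class="cleanTopHtml htmlComp baseComponent parbase"><div class="base-component-spacer spacer-none "></div> </div> </div> <!-- Start: Scripts Migrated From Unit42-v5 -->
<script type="text/javascript">
// Product-navigation bootstrap. Works out which "container" (Prisma / Cortex /
// Sase / Unit / Ngfw) this page was reached from, remembers it in
// sessionStorage, then fetches the matching header markup and injects it into
// #PAN_2021_NAV_ASYNC. The top-level names below are plain `var` globals on
// purpose: later theme scripts may read them (e.g. searchResultsPagePath).

/**
 * Returns the value of the cookie named `cname`, or "" when it is absent.
 *
 * Each `name=value` pair is isolated before it is decoded, so a
 * percent-encoded ';' inside one cookie's value cannot split that cookie,
 * and a malformed percent-sequence in an unrelated cookie cannot make
 * decodeURIComponent throw and abort this whole script. If the matched
 * value itself fails to decode, the raw value is returned.
 */
function getCookie(cname) {
  var name = cname + "=";
  var ca = document.cookie.split(';');
  for (var i = 0; i < ca.length; i++) {
    var c = ca[i];
    while (c.charAt(0) == ' ') {
      c = c.substring(1);
    }
    if (c.indexOf(name) == 0) {
      var raw = c.substring(name.length, c.length);
      try {
        return decodeURIComponent(raw);
      } catch (e) {
        return raw;
      }
    }
  }
  return "";
}

var referer = ""; // sessionStorage.container;
var pcontainer = sessionStorage.getItem("container");
var searchResultsPagePath = "";

// Container remembered from an earlier page in this tab (the ?container=
// handling in <head> stores it). Substring matching is kept as-is.
if (pcontainer && pcontainer.indexOf('Prisma') != -1) {
  referer = 'Prisma';
} else if (pcontainer && pcontainer.indexOf('Cortex') != -1) {
  referer = 'Cortex';
} else if (pcontainer && pcontainer.indexOf('Sase') != -1) {
  referer = 'Sase';
} else if (pcontainer && pcontainer.indexOf('Unit') != -1) {
  referer = 'Unit';
} else if (pcontainer && pcontainer.indexOf('Ngfw') != -1) {
  referer = 'Ngfw';
}

var fromRef = document.referrer;
var nContainer = getCookie("navContainer");
if (nContainer) { // If user is coming from main site, we need to reset the container
  if (fromRef && fromRef.indexOf("prismacloud.io") != -1) {
    referer = 'Prisma';
    sessionStorage.setItem("container", "Prisma");
  } else if (fromRef.indexOf("paloaltonetworks.com") != -1 || fromRef.indexOf("paloaltonetworks.jp") != -1) {
    // Independent ifs, not else-ifs: if the cookie names several
    // containers the last match (Ngfw) wins, as in the original.
    if (nContainer.indexOf('Prisma') != -1) { referer = 'Prisma'; sessionStorage.setItem("container", "Prisma"); }
    if (nContainer.indexOf('Cortex') != -1) { referer = 'Cortex'; sessionStorage.setItem("container", "Cortex"); }
    if (nContainer.indexOf('Sase') != -1) { referer = 'Sase'; sessionStorage.setItem("container", "Sase"); }
    if (nContainer.indexOf('Unit') != -1) { referer = 'Unit'; sessionStorage.setItem("container", "Unit"); }
    if (nContainer.indexOf('Ngfw') != -1) { referer = 'Ngfw'; sessionStorage.setItem("container", "Ngfw"); }
    // The hand-off cookie is single use: expire it once consumed.
    document.cookie = 'navContainer=; path=/; domain=.paloaltonetworks.com; expires=' + new Date(0).toUTCString();
  }
}

// Normalise to one of the five known containers, defaulting to Unit 42.
// This check is what keeps `referer` -- and so the URL fetched below -- on a
// fixed allowlist even though its inputs (URL parameter, sessionStorage,
// cookie) are all attacker-influenceable.
if (referer != "Prisma" && referer != "Cortex" && referer != "Sase" && referer != "Unit" && referer != "Ngfw") {
  referer = 'Unit';
  sessionStorage.setItem("container", "Unit");
}

/**
 * Selects the header renderer URL and search-results path for the current
 * `referer`, requests the header markup via httpGet() and un-hides
 * #main-nav-menu-cont. Only the five literal URLs below can be requested.
 */
function callMainSitePrismaNavHTML() {
  var referrer_domain = 'https://www.paloaltonetworks.com';
  sessionStorage.setItem("domain", referrer_domain);
  var menu_url;
  if (referer == 'Prisma') {
    menu_url = referrer_domain + '/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html';
    searchResultsPagePath = referrer_domain + "/search/prismasearch";
  }
  if (referer == 'Cortex') {
    menu_url = referrer_domain + '/_jcr_content/globals/cleanHeaderCortex.cortexRenderer.html';
    searchResultsPagePath = referrer_domain + "/search/cortexsearch";
  }
  if (referer == 'Sase') {
    menu_url = referrer_domain + '/_jcr_content/globals/cleanHeaderSase.saseRenderer.html';
    searchResultsPagePath = referrer_domain + "/search/sasesearch";
  }
  if (referer == 'Unit') {
    menu_url = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/unit-nav-renderer.php';
    searchResultsPagePath = referrer_domain + "/content/pan/en_US/search/unit42search";
  }
  if (referer == 'Ngfw') {
    menu_url = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/ngfw-cdss-nav-renderer.php';
    searchResultsPagePath = referrer_domain + "/search/ngfwcdsssearch";
  }
  // Unreachable while `referer` is normalised above, but never request the
  // literal path "undefined" if a container is added without a URL.
  if (menu_url) {
    httpGet(menu_url, 'menu_html');
  }
  document.getElementById('main-nav-menu-cont').removeAttribute("style");
}

/** Appends a <style> element containing the CSS text `styles` to <head>. */
function addStyle(styles) {
  /* Create style document */
  var css = document.createElement('style');
  css.type = 'text/css';
  if (css.styleSheet) css.styleSheet.cssText = styles; // legacy IE
  else css.appendChild(document.createTextNode(styles));
  /* Append style to the tag name */
  document.getElementsByTagName("head")[0].appendChild(css);
}

/**
 * Issues an asynchronous GET for `theUrl` and handles the 200 response by
 * `req_type`:
 *   'menu_html'       - strips the Coveo search script tag, rewrites
 *                       root-relative src= / href= / '/content URLs to
 *                       maindomain_lang, injects the result as innerHTML of
 *                       #PAN_2021_NAV_ASYNC, then rewrites the
 *                       data-background-image path of every .lozad-background
 *                       element to the main site origin.
 *   'head_inline_css' - appends the response body as a <style> via addStyle().
 *
 * The response is inserted as markup, so the request target must stay on the
 * fixed first-party list in callMainSitePrismaNavHTML(); never pass a
 * caller-controlled URL here. Non-200 responses are silently ignored.
 */
function httpGet(theUrl, req_type) {
  var xmlhttp; // function-local, not an implicit global: overlapping calls must not share one request object
  if (window.XMLHttpRequest) { // code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp = new XMLHttpRequest();
  } else { // code for IE6, IE5
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  }
  xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
      if (req_type == 'menu_html') {
        var nav_text = xmlhttp.responseText.replaceAll('https://static.cloud.coveo.com/searchui/v2.9159/js/CoveoJsSearch.Lazy.min.js', '');
        nav_text = nav_text.replaceAll('src="/', 'src="' + maindomain_lang + '/');
        nav_text = nav_text.replaceAll("'/content", "'" + maindomain_lang + "/content");
        document.getElementById("PAN_2021_NAV_ASYNC").innerHTML = nav_text.replaceAll('href="/', 'href="' + maindomain_lang + '/');
        var lozad_back = document.getElementsByClassName('lozad-background');
        Array.prototype.forEach.call(lozad_back, function(el) {
          // Take the path between the first pair of single quotes
          // (i.e. the inside of url('...')) and prefix it with main_site_url.
          var el_back_img_path = el.getAttribute('data-background-image');
          if (!el_back_img_path) { return; } // attribute absent: nothing to rewrite
          var first_pos = el_back_img_path.indexOf("'");
          var last_pos = el_back_img_path.indexOf("'", first_pos + 1);
          el_back_img_path = el_back_img_path.substring(first_pos + 1, last_pos);
          el.setAttribute("data-background-image", main_site_url + el_back_img_path);
        });
      }
      if (req_type == 'head_inline_css') {
        addStyle(xmlhttp.responseText);
      }
    }
  };
  xmlhttp.open("GET", theUrl, true);
  xmlhttp.send();
}

if (referer == 'Prisma' || referer == 'Cortex' || referer == 'Sase' || referer == 'Unit' || referer == 'Ngfw') {
  const article = document.querySelector('#PAN_2021_NAV_ASYNC');
  if (referer == 'Prisma') {
    article.dataset.type = 'prisma';
    $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned');
  } else if (referer == 'Cortex') {
    article.dataset.type = 'cortex';
  } else if (referer == 'Sase') {
    article.dataset.type = 'sase';
  } else if (referer == 'Unit') {
    article.dataset.type = 'unit';
  } else if (referer == 'Ngfw') {
    article.dataset.type = 'ngfw';
  }
  // set class to default
  if (referer == 'Unit' || referer == 'Ngfw') {
    $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned');
  }
  callMainSitePrismaNavHTML();
}
</script>
<!-- End: Scripts Migrated From Unit42-v5 --> <main class="main"> <section class="section section--article"> <div class="pa article-banner" style="background-image:url('https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/01_Ransomware_Category_1920x900.jpg')"> <div class="l-container"> <div class="l-breadcrumbs"> <ul> <li> <a href="https://unit42.paloaltonetworks.com" role="link" title="Threat Research" data-page-track="true" data-page-track-value="muddled-libra:hero:breadcrumb:Threat Research">Threat Research Center</a></li><li><a href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" title="Threat Actor Groups" data-page-track="true" data-page-track-value="muddled-libra:hero:breadcrumb:Threat Actor Groups">Threat Actor Groups</a></li><li class="is-current"><a href="https://unit42.paloaltonetworks.com/category/malware/" role="link" title="Malware" data-page-track="true" data-page-track-value="muddled-libra:hero:breadcrumb:Malware">Malware</a></li> </ul> </div> <div class="ab__title"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/malware/" role="link" data-page-track="true" data-page-track-value="muddled-libra:hero:Malware"><span class="ab-title__pre">Malware</span></a> <h1>Threat Group Assessment: Muddled Libra (Updated)</h1> <div class="ab__video"> <span class="duration"> <img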
src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-clock.svg" alt="Clock Icon"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 13</span> <span class="rt-label rt-postfix"></span></span> min read </span> </div> <div class="ab-lc__wrapper"> <span class="ab-title__pre">Related Products</span><div class="ab__link-cards"><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/advanced-dns-security/" style="--card-color: #ffcb06" role="link" title="Advanced DNS Security" data-page-track="true" data-page-track-value="muddled-libra:hero:Advanced DNS Security"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/strata_RGB_logo_Icon_Color.png" alt="Advanced DNS Security icon">Advanced DNS Security</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/advanced-url-filtering/" style="--card-color: #ffcb06" role="link" title="Advanced URL Filtering" data-page-track="true" data-page-track-value="muddled-libra:hero:Advanced URL Filtering"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/strata_RGB_logo_Icon_Color.png" alt="Advanced URL Filtering icon">Advanced URL Filtering</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/app-id/" style="--card-color: #ffcb06" role="link" title="App-ID" data-page-track="true" data-page-track-value="muddled-libra:hero:App-ID"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/strata_RGB_logo_Icon_Color.png" alt="App-ID icon">App-ID</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/cloud-delivered-security-services/" style="--card-color: #ffcb06" role="link" title="Cloud-Delivered Security Services" data-page-track="true" data-page-track-value="muddled-libra:hero:Cloud-Delivered Security Services"><img 
src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/strata_RGB_logo_Icon_Color.png" alt="Cloud-Delivered Security Services icon">Cloud-Delivered Security Services</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/cortex-xdr/" style="--card-color: #00cc66" role="link" title="Cortex XDR" data-page-track="true" data-page-track-value="muddled-libra:hero:Cortex XDR"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/cortex_RGB_logo_Icon_Color.png" alt="Cortex XDR icon">Cortex XDR</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/cortex-xsiam/" style="--card-color: #00cc66" role="link" title="Cortex XSIAM" data-page-track="true" data-page-track-value="muddled-libra:hero:Cortex XSIAM"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/cortex_RGB_logo_Icon_Color.png" alt="Cortex XSIAM icon">Cortex XSIAM</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/cortex-xsoar/" style="--card-color: #00cc66" role="link" title="Cortex XSOAR" data-page-track="true" data-page-track-value="muddled-libra:hero:Cortex XSOAR"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/cortex_RGB_logo_Icon_Color.png" alt="Cortex XSOAR icon">Cortex XSOAR</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/next-generation-firewall/" style="--card-color: #ffcb06" role="link" title="Next-Generation Firewall" data-page-track="true" data-page-track-value="muddled-libra:hero:Next-Generation Firewall"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/strata_RGB_logo_Icon_Color.png" alt="Next-Generation Firewall icon">Next-Generation Firewall</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/unit-42-incident-response/" style="--card-color: #c94727" role="link" title="Unit 42 Incident Response" 
data-page-track="true" data-page-track-value="muddled-libra:hero:Unit 42 Incident Response"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/unit42_RGB_logo_Icon_Color.png" alt="Unit 42 Incident Response icon">Unit 42 Incident Response</a></div> </div> </div> </div> <div class="ab__footer"> <div class="l-container"> <div class="ab__footer-wrapper"> <ul class="ab__features" role="list"> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-profile-grey.svg" alt="Profile Icon"> <div class="ab__text"><span>By:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:Kristopher Russo" href="https://unit42.paloaltonetworks.com/author/kristopher-russo/">Kristopher Russo</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:Austin Dever" href="https://unit42.paloaltonetworks.com/author/austin-dever/">Austin Dever</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:Amer Elsad" href="https://unit42.paloaltonetworks.com/author/amer-elsad/">Amer Elsad</a></li></ul></div></li> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-calendar-grey.svg" alt="Published Icon"> <div class="ab__text"><span>Published:</span>March 8, 2024</div></li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-category.svg" alt="Tags Icon"><div class="ab__text"><span>Categories:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:High Profile Threats" href="https://unit42.paloaltonetworks.com/category/top-cyberthreats/">High Profile Threats</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:Malware" href="https://unit42.paloaltonetworks.com/category/malware/">Malware</a></li><li><a data-page-track="true" 
data-page-track-value="muddled-libra:hero:Threat Actor Groups" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/">Threat Actor Groups</a></li></ul></div> </li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-tags-grey.svg" alt="Tags Icon"><div class="ab__text"><span>Tags:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:0ktapus" href="https://unit42.paloaltonetworks.com/tag/0ktapus/">0ktapus</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:ALPHV" href="https://unit42.paloaltonetworks.com/tag/alphv/">ALPHV</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:app-ID" href="https://unit42.paloaltonetworks.com/tag/app-id/">App-ID</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:BlackCat ransomware" href="https://unit42.paloaltonetworks.com/tag/blackcat-ransomware/">BlackCat ransomware</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:MITRE" href="https://unit42.paloaltonetworks.com/tag/mitre/">MITRE</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:Muddled Libra" href="https://unit42.paloaltonetworks.com/tag/muddled-libra/">Muddled Libra</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:phishing" href="https://unit42.paloaltonetworks.com/tag/phishing/">Phishing</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:Scatter Swine" href="https://unit42.paloaltonetworks.com/tag/scatter-swine/">Scatter Swine</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:Scattered Spider" href="https://unit42.paloaltonetworks.com/tag/scattered-spider/">Scattered Spider</a></li><li><a data-page-track="true" data-page-track-value="muddled-libra:hero:social engineering" 
href="https://unit42.paloaltonetworks.com/tag/social-engineering/">Social engineering</a></li></ul></div> </li> </ul> <div class="ab__options"> <ul role="list"> <li role="listitem"><a href="https://unit42.paloaltonetworks.com/muddled-libra/?pdf=download&lg=en&_wpnonce=4cc552574e" role="link" target="_blank" title="Click here to download" data-page-track="true" data-page-track-value="muddled-libra:hero:pdfdownload"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-download.svg" alt="Download Icon"></a></li> <li role="listitem"><a href="https://unit42.paloaltonetworks.com/muddled-libra/?pdf=print&lg=en&_wpnonce=4cc552574e" target="_blank" role="link" title="Click here to print" data-page-track="true" data-page-track-value="muddled-libra:hero:pdfprint"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-print.svg" alt="Print Icon"></a></li> </ul> <div class="ab__share" id="shareDropdown" role="button" aria-expanded="false"> <a href="#" role="link" title="Click here to share" data-page-track="true" data-page-track-value="muddled-libra:share" class="">Share<img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/down-arrow.svg" alt="Down arrow"></a><ul class="share-dropdown" role="menu"> <li role="menuitem"> <a href="#" class="copy-url" id="copyUrl" data-url="https://unit42.paloaltonetworks.com/muddled-libra/" role="link" title="Copy link" data-page-track="true" data-page-track-value="muddled-libra:share:link"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-share-link.svg" alt="Link Icon"></a> </li> <li role="menuitem"> <a href="mailto:?subject=Threat%20Group%20Assessment:%20Muddled%20Libra%20(Updated)&body=Check%20out%20this%20article%20https%3A%2F%2Funit42.paloaltonetworks.com%2Fmuddled-libra%2F" role="link" title="Share in email" data-page-track="true" 
data-page-track-value="muddled-libra:share:email"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-sms.svg" alt="Link Email"></a> </li> <li role="menuitem"> <a href="https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Funit42.paloaltonetworks.com%2Fmuddled-libra%2F" target="_blank" role="link" title="Share in Facebook" data-page-track="true" data-page-track-value="muddled-libra:share:facebook"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-fb-share.svg" alt="Facebook Icon"></a> </li> <li role="menuitem"> <a href="https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fmuddled-libra%2F&title=Threat%20Group%20Assessment:%20Muddled%20Libra%20(Updated)" target="_blank" role="link" title="Share in LinkedIn" data-page-track="true" data-page-track-value="muddled-libra:share:linkedin"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-linkedin-share.svg" alt="LinkedIn Icon"></a> </li> <li role="menuitem"> <a href="https://twitter.com/intent/tweet?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fmuddled-libra%2F&text=Threat%20Group%20Assessment:%20Muddled%20Libra%20(Updated)" target="_blank" role="link" title="Share in Twitter" data-page-track="true" data-page-track-value="muddled-libra:share:twitter"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-twitter-share.svg" alt="Twitter Icon"></a> </li> <li role="menuitem"> <a href="//www.reddit.com/submit?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fmuddled-libra%2F" target="_blank" role="link" title="Share in Reddit" data-page-track="true" data-page-track-value="muddled-libra:share:reddit"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-reddit-share.svg" alt="Reddit Icon"></a> </li> <li role="menuitem"> <a 
href="https://mastodon.social/share?text=Threat%20Group%20Assessment:%20Muddled%20Libra%20(Updated)%20https%3A%2F%2Funit42.paloaltonetworks.com%2Fmuddled-libra%2F" target="_blank" role="link" title="Share in Mastodon" data-page-track="true" data-page-track-value="muddled-libra:share:mastodon"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-mastodon-share.svg" alt="Mastodon Icon"></a> </li> </ul> </div> </div> </div> </div> </div> </div> </section> <section class="section blog-contents"> <div class="pa blog-editor"> <div class="l-container"> <div class="be__wrapper"> <div class="be__contents"> <div class="be__contents-wrapper"> <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a href="https://unit42.paloaltonetworks.jp/muddled-libra/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><h2><a id="post-132966-_4lt92rr5muov"></a>Executive Summary</h2> <p>Muddled Libra stands at the intersection of devious social engineering and nimble technology adaptation. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses.</p> <p>Muddled Libra’s tactics can be fluid, adapting quickly to a target environment. They continue to use social engineering as their primary modus operandi, targeting a company's IT help support desk. 
For example, within a few minutes, these threat actors successfully changed an account password and later reset the victim’s MFA to gain access to their networks.</p> <p>Muddled Libra was first noted for targeting organizations in the software automation, outsourcing and telecommunications verticals. Since then, they’ve expanded their targeting to include the technology, business process outsourcing, hospitality and more recently, financial industries. They show no signs of slowing.</p> <p>Unit 42 researchers and responders have investigated interrelated incidents from mid-2022 through the beginning of 2024, which we’ve attributed to the threat group Muddled Libra. Initial attacks were highly structured and favored large business process outsourcing firms serving high-value cryptocurrency holders. We believe that when the threat actors exhausted those targets, they evolved into a ransomware affiliate model with extortion as their key objective.</p> <p>In the cases we’ve been involved with, we observed Muddled Libra performing the following activities:</p> <ul> <li>Using NSOCKS and TrueSocks proxy services</li> <li>Creating email rules that forward messages from specific security vendors to the actors, allowing them to monitor communications with those helping in the investigation</li> <li>Deploying a custom virtual machine into the environment</li> <li>Using an open-source rootkit, bedevil (<a href="https://github.com/Error996/bdvl" target="_blank" rel="noopener">bdvl</a>), to target VMware vCenter servers</li> <li>Gaining administrative permissions</li> <li>Heavy use of anonymizing proxy services</li> </ul> <p>We also believe that members of Muddled Libra speak English as a first language, which provides them greater ability to conduct their social engineering attacks with other English speakers. Muddled Libra has also been observed using AI to spoof victims’ voices. Social media videos can be used by attackers to train AI models. 
The targets we’ve observed seem to be primarily in the U.S.</p> <p>Thwarting Muddled Libra requires interweaving tight security controls, diligent awareness training and vigilant monitoring.</p> <p>Palo Alto Networks customers are better protected from the threats described in this article through a modern security architecture built around <a href="https://docs-cortex.paloaltonetworks.com/p/XSIAM" target="_blank" rel="noopener">Cortex XSIAM</a> in concert with <a href="https://docs-cortex.paloaltonetworks.com/p/XDR" target="_blank" rel="noopener">Cortex XDR</a>. The <a href="https://docs.paloaltonetworks.com/advanced-url-filtering/administration" target="_blank" rel="noopener">Advanced URL Filtering</a> and <a href="https://docs.paloaltonetworks.com/dns-security" target="_blank" rel="noopener">DNS Security</a> <a href="https://docs.paloaltonetworks.com/cdss" target="_blank" rel="noopener">Cloud-Delivered Security Services</a> can help protect against command and control (C2) infrastructure, while <a href="https://www.paloaltonetworks.com/technologies/app-id" target="_blank" rel="noopener">App-ID</a> can limit anonymization services allowed to connect to the network.</p> <table style="width: 100%;"> <thead> <tr> <td style="width: 35%;"><b>Related Unit 42 Topics</b></td> <td style="width: 100%;"><a href="https://unit42.paloaltonetworks.com/tag/muddled-libra/" target="_blank" rel="noopener"><b>Muddled Libra</b></a> (related to <strong><a href="https://unit42.paloaltonetworks.com/tag/scattered-spider/" target="_blank" rel="noopener">Scattered Spider</a></strong>, <a href="https://unit42.paloaltonetworks.com/tag/scatter-swine/" target="_blank" rel="noopener"><strong>Scatter Swine</strong></a>), <a href="https://unit42.paloaltonetworks.com/tag/0ktapus" target="_blank" rel="noopener"><strong>0ktapus</strong></a>, <strong><a href="https://unit42.paloaltonetworks.com/tag/social-engineering/" target="_blank" rel="noopener">Social Engineering</a></strong></td> </tr> </thead> 
</table> <h2>Threat Overview</h2> <p>The attack style defining Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit. This malware kit offered the following features:</p> <ul> <li>A prebuilt hosting framework</li> <li>Easy C2 connectivity</li> <li>Bundled attack templates</li> </ul> <p>These options allowed attackers to emulate mobile authentication pages cheaply and easily.</p> <p>With over 200 realistic fake authentication portals and some targeted <a href="https://www.paloaltonetworks.com/cyberpedia/what-is-smishing" target="_blank" rel="noopener">smishing</a>, attackers quickly gathered credentials and multifactor authentication (MFA) codes for over one hundred organizations.</p> <p>The speed and breadth of these attacks caught many defenders off-guard. While smishing is not a new tactic, the 0ktapus framework commoditized what would typically require complex infrastructure and advanced technical skills, in a way that granted even low-skilled attackers a high attack success rate.</p> <p>The sheer number of targets being hit with this kit created a fair amount of confusion regarding attribution in the research community. 
Previous reporting by <a href="https://www.group-ib.com/blog/0ktapus/" target="_blank" rel="noopener">Group-IB</a>, <a href="https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" target="_blank" rel="noopener">CrowdStrike</a> and <a href="https://sec.okta.com/scatterswine" target="_blank" rel="noopener">Okta</a> has documented and mapped many of these attacks to the following intrusion groups: 0ktapus, Scattered Spider and Scatter Swine.</p> <p>While these have been frequently treated as several names for one group, what these names actually define are:</p> <ul> <li>An attack style using a common toolkit</li> <li>A social forum-based collaboration network</li> <li>An Agile-like team structure</li> </ul> <p>Muddled Libra is a distinct group of actors using this tradecraft. In a 2023 blog posted on ALPHV’s leak site, the attackers corroborated this view, claiming that previous researcher attribution models have been non-specific.</p> <p>During Unit 42 Incident Response investigations, we identified several cases we attribute to Muddled Libra. Muddled Libra has been responsible for a campaign of complex supply chain attacks, ultimately leading to high-value cryptocurrency targets.</p> <p>This group has only intensified their campaign. They are shifting tactics to adapt to improving cyber defenses, and they are broadening the scope of their targeting.</p> <figure id="attachment_133068" aria-describedby="caption-attachment-133068" style="width: 600px" class="wp-caption aligncenter"><img class="wp-image-133068 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/03/Muddled-Libra-_-New-Tactics_Revised.png" alt="Image 1 is a six-part diagram of Muddled Libra’s evolved tactics. The old tactics are in red boxes and the new tactics in green boxes. " width="600" height="817" /><figcaption id="caption-attachment-133068" class="wp-caption-text">Figure 1. 
Muddled Libra evolved tactics.</figcaption></figure> <p>Unit 42 has observed an extensive toolkit used in these attacks. This arsenal ranges from hands-on social engineering and smishing attacks to proficiency with niche penetration testing, forensics tools and even legitimate systems management software. This breadth of tooling gives Muddled Libra an edge over even a robust and modern cyber defense plan.</p> <p>In incidents the Unit 42 team has investigated, Muddled Libra has been methodical in pursuing its goals and highly flexible with attack strategies. When an attack tactic is blocked, they have either rapidly pivoted to another vector or modified the target environment to enable their favored path.</p> <p>Muddled Libra has also repeatedly demonstrated a strong understanding of the modern incident response (IR) framework. This knowledge allows them to continue progressing toward their goals even as incident responders attempt to expel them from an environment. Once established, this threat group is difficult to eradicate. Unit 42 has observed them joining IR war rooms and creating rules within email security platforms to intercept and redirect incident response-related communication.</p> <p>Initially, Muddled Libra preferred targeting a victim’s downstream customers using stolen data and, if allowed, would return repeatedly to the well to refresh their stolen dataset. Using this stolen data, the threat actor could return to prior victims even after the initial incident response.</p> <p>Furthermore, Muddled Libra appeared to have clear goals for its breaches versus just capitalizing on opportunistic access. They rapidly sought and stole information on downstream client environments and then used it to pivot into those environments.</p> <p>In a notable departure from earlier tactics, in 2023, intelligence indicated that Muddled Libra joined the ALPHV/Blackcat ransomware-as-a-service affiliate program. 
They wasted no time implementing this new tool set with a radical departure from previous tradecraft in favor of new attacks focused on data theft, encryption and enormous extortion demands.</p> <p>The U.S. Justice Department interrupted ALPHV’s operations shortly after these attacks began. Since this action, new Muddled Libra attacks have shifted to data theft with a simple extortion objective. Muddled Libra has demonstrated a strong understanding of their victims’ “line of business” processes, and they strike at the heart of business operations.</p> <h2><a id="post-132966-_sopyfvqtz8w6"></a>Attack Chain</h2> <p>While each incident is unique, Unit 42 researchers have identified enough commonalities in tradecraft to attribute multiple incidents to Muddled Libra. Figure 2 shows the attack chain.</p> <figure id="attachment_132977" aria-describedby="caption-attachment-132977" style="width: 700px" class="wp-caption aligncenter"><img class="wp-image-132977 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/03/word-image-89993-132966-2.png" alt="Image 2 is the attack chain for Muddled Libra following the MITRE ATT&amp;CK framework. Steps one to 11 go through reconnaissance, resource development, initial access, persistence, defense evasion, credential access, discovery, execution, lateral movement, collection, and finally exfiltration." width="700" height="953" /><figcaption id="caption-attachment-132977" class="wp-caption-text">Figure 2. Muddled Libra attack chain.</figcaption></figure> <p>We have mapped these to the MITRE ATT&amp;CK<sup>®</sup> framework, summarized below.</p> <h3><a id="post-132966-_yhe4dy94e51n"></a><strong>Reconnaissance</strong></h3> <p>Muddled Libra has consistently demonstrated an intimate knowledge of targeted organizations, including employee lists, job roles and cellular phone numbers. 
In some instances, threat actors likely obtained this data during earlier breaches against upstream targets.</p> <p>Threat actors also frequently obtain information packs from illicit data brokers such as the <a href="https://therecord.media/genesis-market-russian-market-2easy-shop-cybercrime-fraud" target="_blank" rel="noopener">now-defunct Genesis and Russian Markets</a>. This data is <a href="https://therecord.media/redline-stealer-identified-as-primary-source-of-stolen-credentials-on-two-dark-web-markets" target="_blank" rel="noopener">typically harvested from </a>corporate and personal infected devices using malware such as Raccoon Stealer and <a href="https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/" target="_blank" rel="noopener">RedLine Stealer</a>.</p> <p>With the early advent of bring-your-own-device (BYOD) policies and the popularity of hybrid work solutions, corporate data and credentials are frequently used and cached on personal devices. Decentralizing the management and protection of IT assets creates a lucrative targeting opportunity for information-stealing malware.</p> <h3><a id="post-132966-_j2lvnybvfj66"></a><strong>Resource Development</strong></h3> <p>Lookalike domains used in smishing attacks are a consistent hallmark for Muddled Libra. This tactic is effective since mobile devices frequently truncate links in SMS messages. Malicious domain names frequently use the format of the organization name with a hyphen, followed by a service (like SSO, helpdesk or HR).</p> <p>Early clusters of attacks attributed to the 0ktapus campaign consistently used domains registered via Porkbun or Namecheap and hosted on Digital Ocean infrastructure. These domains are short-lived, used only during the initial access phase, and they are quickly taken down before defenders can investigate. 
Recently, we’ve observed Muddled Libra adding Metaregistrar and Hosting Concepts to their preferred registrar list, and their hosting has moved behind a large content delivery network (CDN) service.</p> <p>In many investigations, Unit 42 observed the use of the 0ktapus phishing kit for credential harvesting. Group-IB has done a great deep dive analysis of this versatile kit, which is widely available in the criminal underground. It requires little skill to stand up and configure, making it an ideal tool for highly targeted smishing attacks. Since its introduction, other threat groups have adopted this kit, and it continues to evolve.</p> <h3><a id="post-132966-_j32ii9najhai"></a><strong>Initial Access</strong></h3> <p>In all incidents where Unit 42 could determine an initial access vector, smishing and helpdesk social engineering were involved. In most early incidents, the threat actor sent a lure message directly to the targeted employees’ cellphones, claiming they needed to update account information or reauthenticate to a corporate application. Messages contained a link to a spoofed corporate domain designed to emulate a familiar login page.</p> <p>Likely due to organizations’ large-scale phase-out of SMS as a secondary authentication factor, Muddled Libra has begun to move away from smishing as an initial entry vector. New cases indicate that this group pervasively uses direct social engineering.</p> <p>Helpdesk and customer service agents are particularly high-value targets. Unit 42 has observed Muddled Libra using a combination of open-source intelligence and previously compromised sensitive data to get help desk agents to reset both passwords and MFA on the same call.</p> <p>These attacks are convincing and persistent. 
They focus on wearing the agent’s defenses down, running up the call length and ultimately bypassing security restrictions that could have prevented these attacks.</p> <h3><a id="post-132966-_xhr12wwd52oo"></a><strong>Persistence</strong></h3> <p>Muddled Libra was particularly focused on maintaining access to targeted environments. While threat actors commonly use a free or demo version of a remote monitoring and management (RMM) tool during intrusions, Muddled Libra often installed half a dozen or more of these utilities. They did this to ensure they would maintain a backdoor into the environment even if one were discovered.</p> <p>Using commercial RMM tools is particularly problematic as these tools are legitimate, business-critical applications that Muddled Libra abuses. None of these tools are inherently malicious and they are frequently used in the day-to-day administration of many enterprise networks. Defenders should weigh the risks of an outright block versus carefully monitoring their use.</p> <p>Observed tools included Zoho Assist, AnyDesk, Splashtop, TeamViewer, ITarian, FleetDeck, ASG Remote Desktop, RustDesk and ManageEngine RMM. Unit 42 recommends organizations block by signer any RMM tools that they have not sanctioned for use within the enterprise.</p> <p>Muddled Libra has also demonstrated familiarity with cloud platforms, both hosted and software as a service (SaaS). They will use these platforms to establish a foothold within the organization, as these resources are unlikely to be monitored like traditional assets and systems. <span style="font-weight: 400;">Unit 42 has a </span><a href="https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/"><span style="font-weight: 400;">separate article</span></a><span style="font-weight: 400;"> with much more detail on cloud targeting.</span></p> <p>Notably, recent attacks indicate that long-term persistence is no longer this group’s primary objective. 
Instead, they’ve moved to a more traditional “encrypt and extort” model. Targeting has broadened to include large organizations more likely to have the capability to pay large ransoms. Once this group learns and understands the infrastructure and software used in an industry, they tend to target other organizations in the same vertical.</p> <h3><a id="post-132966-_2jq72v1uv2fj"></a><strong>Defense Evasion</strong></h3> <p>Demonstrating proficiency with many security controls, Muddled Libra evaded common defenses.</p> <p>Their tactics have included the following:</p> <ul> <li>Disabling antivirus and host-based firewalls</li> <li>Attempting to delete firewall profiles</li> <li>Creating defender exclusions</li> <li>Deactivating or uninstalling EDR and other monitoring products</li> <li>Standing up unmanaged cloud virtual machines</li> <li>Elevating access in virtual desktop environments</li> </ul> <p>Attackers also re-enabled and used existing Active Directory accounts to avoid triggering common security information and event management (SIEM) monitoring rules. We also observed them operating within endpoint detection and response (EDR) administrative consoles to clear alerts. <span style="font-weight: 400;">We cover this attack in detail in </span><a href="https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" target="_blank" rel="noopener"><span style="font-weight: 400;">our article</span></a><span style="font-weight: 400;">. </span></p> <p>Muddled Libra has been careful with operational security, consistently using commercial virtual private network (VPN) services to obscure their geographic location and attempt to blend in with legitimate traffic. The group preferred Mullvad VPN in early incidents Unit 42 researchers investigated, but we also observed multiple other vendors, such as ExpressVPN, NordVPN, Ultrasurf, Easy VPN and ZenMate.</p> <p>Unit 42 researchers have more recently observed the usage of rotating residential proxy services as well. 
As reported by <a href="https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/" target="_blank" rel="noopener">Brian Krebs in 2021</a>, residential proxy services typically hide their code inside browser extensions, allowing operators to lease out residential connections for legitimate and malicious use alike.</p> <p>Defenders should look for multiple users authenticating from new residential IPs over short periods.</p> <h3><a id="post-132966-_f0n3ehg2l6y7"></a><strong>Credential Access</strong></h3> <p>Once the attackers captured the credentials they would use for initial access, they took one of two paths. In one case, they continued with the authentication process from a machine they controlled and immediately requested an MFA code. In the other cases, they generated an endless string of MFA prompts until the user accepted one out of fatigue or frustration (also known as MFA bombing).</p> <p>In cases where MFA bombing was unsuccessful, the threat actor contacted the organization’s help desk, claiming to be the victim. They would then state that their phone was inoperable or misplaced and would request to enroll a new, attacker-controlled MFA authentication device.</p> <p>Muddled Libra’s social engineering success is notable. Across many cases, the group demonstrated unusually high comfort in engaging the help desk and other employees over the phone, convincing them to engage in unsafe actions.</p> <p>If targeted accounts do not have the desired access, Muddled Libra will use the account for discovery and repeat the process until they have the access necessary for their attack.</p> <p>After establishing a foothold, Muddled Libra moves quickly to elevate access. Standard credential-stealing tools employed in this phase included Mimikatz, ProcDump, DCSync, Raccoon Stealer and LAPS Toolkit. 
When the group could not quickly locate elevated credentials, they turned to Impacket, MIT Kerberos Ticket Manager and NTLM Encoder/Decoder.</p> <p>In some incidents, Muddled Libra employed specialized tools to search memory contents for credentials directly using MAGNET RAM Capture and Volatility. As these are legitimate forensics tools that Muddled Libra is abusing, defenders should carefully consider the downsides to blocking them, including the possibility of security team activity generating false positive alerts.</p> <p>This tactic raises an important flag for defenders. Even though user accounts might be protected through privileged access management, endpoints often have elevated credentials cached for system management or to run services. Care should be taken to ensure that privileged credentials only have the permissions necessary to perform their intended functions and are closely monitored for deviations from normal behavior.</p> <h3><a id="post-132966-_xh9mdsxczi3v"></a><strong>Discovery</strong></h3> <p>Muddled Libra’s discovery methods were consistent from case to case. In our investigations, the group used well-known, legitimate penetration testing tools to map the environment and identify targets of interest. Their toolkit included SharpHound, ADRecon, AD Explorer, Angry IP Scanner, Angry Port Scanner and CIMplant.</p> <p>Muddled Libra also proved proficient with commercial systems administration tools such as ManageEngine, LANDESK and PDQ Inventory for discovery and automation. They also used VMware PowerCLI and RVTools in virtual environments.</p> <p>Defenders should be vigilant in identifying unsanctioned network scanning and unusual rapid access to multiple systems or access that crosses logical business segments.</p> <h3><a id="post-132966-_hn1kcntjpo1f"></a><strong>Execution</strong></h3> <p>In early incidents, Muddled Libra appeared primarily interested in data and credential theft, and we infrequently saw remote execution. 
However, more recent cases included a BlackCat ransomware component. When needed, the group accomplishes execution with Sysinternals PsExec or Impacket. We also observed Muddled Libra using the victim’s system management tools to execute malicious code. They used captured credentials or authentication hashes for privilege elevation.</p> <h3><a id="post-132966-_r2joycx31lto"></a><strong>Lateral Movement</strong></h3> <p>Muddled Libra preferred using remote desktop protocol (RDP) connections from compromised computers for lateral movement inside the target environment. This approach helps to minimize discoverable external network artifacts in logs that could alert defenders and help investigators with attribution.</p> <h3><a id="post-132966-_wwcw26nw1lqf"></a><strong>Collection</strong></h3> <p>Muddled Libra is familiar with typical enterprise data management. They’ve successfully located sensitive organizational data in a wide range of common data repositories, both structured and unstructured, including the following:</p> <ul> <li>Confluence</li> <li>Code Management Platforms</li> <li>Elastic</li> <li>Microsoft Office 365 suite (e.g., SharePoint, Outlook)</li> <li>Internal messaging platforms</li> </ul> <p>They also targeted data in the victim’s environment from typical service desk applications like Zendesk and Jira. Mined data included credentials for further compromise and they directly targeted sensitive and confidential information.</p> <p>Unit 42 researchers observed Muddled Libra using the open-source data mining tool Snaffler and native tools to search registries, local drives and network shares for keywords like <span style="font-family: 'courier new', courier, monospace;">*password*</span>, and <span style="font-family: 'courier new', courier, monospace;">securestring</span>. Threat actors then staged compromised data and archived it for exfiltration using WinRAR or PeaZip. 
They used stolen sensitive data as leverage in extortion demands.</p> <p>Defenders should regularly perform keyword searches in their environments to identify improperly stored data and credentials as part of a broader data management and classification strategy.</p> <h3><a id="post-132966-_rfqbe8ejs15o"></a><strong>Exfiltration</strong></h3> <p>In several cases, Muddled Libra attempted to establish reverse proxy shells or secure shell (SSH) tunnels for command and control exfiltration. We observed them using tunneling software such as RSocx. Muddled Libra also used common file transfer sites such as <span style="font-family: 'courier new', courier, monospace;">put[.]io</span>, <span style="font-family: 'courier new', courier, monospace;">transfer[.]sh</span>, <span style="font-family: 'courier new', courier, monospace;">wasabi[.]com</span>, or <span style="font-family: 'courier new', courier, monospace;">gofile[.]io</span> to both exfiltrate data and pull down attack tools. We also observed the use of Cyberduck as a file transfer agent.</p> <p>Threat actors often abuse, take advantage of or subvert legitimate products such as Cyberduck for malicious purposes. 
This does not necessarily imply a flaw or malicious quality to the legitimate product being abused.</p> <h3><a id="post-132966-_4sa4te9sis3q"></a><strong>Impact</strong></h3> <p>The early impact directly observed by Unit 42 was some combination of the theft of sensitive data and Muddled Libra leveraging trusted organizational infrastructure for follow-on attacks on downstream customers.</p> <p>Later attacks were much more destructive, and they included the following activities:</p> <ul> <li>Disruption of operations</li> <li>Damage to sensitive systems</li> <li>Encryption of critical data</li> <li>Enormous extortion demands</li> </ul> <h2><a id="post-132966-_ubo14c5bp9se"></a>Conclusion and Mitigations</h2> <p>Muddled Libra is a methodical adversary that substantially threatens enterprise organizations across many industries. They are proficient in a range of security disciplines, able to thrive in relatively secure environments and execute rapidly to complete devastating attack chains.</p> <p>Muddled Libra doesn’t bring anything new to the table except for the uncanny knack of stringing together weaknesses to disastrous effect. Defenders must combine cutting-edge technology, comprehensive security hygiene and monitoring of both external threats and internal events. The high-stakes risk of operational disruption and loss of sensitive data is a strong incentive for modernizing information security programs.</p> <p>In addition to the mitigation recommendations included in the Attack Chain subsections above, we recommend organizations:</p> <ul> <li>Implement MFA and single sign-on (SSO) wherever possible – preferably Fast Identity Online (FIDO). In the cases we investigated, Muddled Libra was most successful when they convinced employees to help them bypass MFA. 
When they could not quickly establish a foothold, they appeared to move on to other targets.</li> <li>Defenders should consider implementing security alerting and account lockout on repeated MFA failures.</li> <li>Implement comprehensive user awareness training. Muddled Libra is heavily focused on social engineering help desk and other employees via phone and SMS. Employee training on identifying suspicious non-email-based outreach is critical.</li> <li>In case of a breach, assume this threat actor knows the modern IR playbook. Consider setting up out-of-band response mechanisms.</li> <li>Ensure credential hygiene is up to date. Only grant access when and for as long as necessary.</li> <li>Monitoring and managing access to critical defenses and controls is essential to defending against skilled attackers. Rights should be restricted to only what is necessary for each job function. Identity threat detection and response (ITDR) tools such as <a href="https://docs-cortex.paloaltonetworks.com/p/XDR" target="_blank" rel="noopener">Cortex XDR</a> and <a href="https://docs-cortex.paloaltonetworks.com/p/XSIAM" target="_blank" rel="noopener">Cortex XSIAM</a> should be used to monitor for abnormal behavior.</li> <li>Defenders should limit anonymization services allowed to connect to the network, ideally at the firewall by <a href="https://www.paloaltonetworks.com/technologies/app-id" target="_blank" rel="noopener">App-ID</a>.</li> </ul> <p>To defend against the threats described in this blog, Palo Alto Networks further recommends that organizations employ the following capabilities:</p> <ul> <li>Network security: delivered through a Next-Generation Firewall (NGFW) configured with machine learning enabled and best-in-class, cloud-delivered security services. 
This includes, for example, threat prevention, URL filtering, DNS security and a malware prevention engine capable of identifying and blocking malicious samples and infrastructure.</li> <li>Endpoint security: delivered through an XDR solution that can identify malicious code through advanced machine learning and behavioral analytics. This solution should be configured to act on and block threats in real-time as they are identified.</li> <li>Security automation: delivered through an XSOAR or XSIAM solution capable of providing SOC analysts with a comprehensive understanding of the threat derived by stitching together data from endpoints, network, cloud and identity systems.</li> </ul> <p>If you think you might have been compromised or have an urgent matter, get in touch with the <a href="https://start.paloaltonetworks.com/contact-unit42.html" target="_blank" rel="noopener">Unit 42 Incident Response team</a> or call:</p> <ul> <li>North America Toll-Free: 866.486.4842 (866.4.UNIT42)</li> <li>EMEA: +31.20.299.3130</li> <li>APAC: +65.6983.8730</li> <li>Japan: +81.50.1790.0200</li> </ul> <h2><a id="post-132966-_am2k8qo41uhi"></a>Indicators of Compromise</h2> <p>IPs observed during this activity:</p> <ul> <li><span style="font-family: 'courier new', courier, monospace;">104.247.82[.]11</span></li> <li><span style="font-family: 'courier new', courier, monospace;">105.101.56[.]49</span></li> <li><span style="font-family: 'courier new', courier, monospace;">105.158.12[.]236</span></li> <li><span style="font-family: 'courier new', courier, monospace;">134.209.48[.]68</span></li> <li><span style="font-family: 'courier new', courier, monospace;">137.220.61[.]53</span></li> <li><span style="font-family: 'courier new', courier, monospace;">138.68.27[.]0</span></li> <li><span style="font-family: 'courier new', courier, monospace;">146.190.44[.]66</span></li> <li><span style="font-family: 'courier new', courier, monospace;">149.28.125[.]96</span></li> <li><span style="font-family: 
'courier new', courier, monospace;">157.245.4[.]113</span></li> <li><span style="font-family: 'courier new', courier, monospace;">159.223.208[.]47</span></li> <li><span style="font-family: 'courier new', courier, monospace;">159.223.238[.]0</span></li> <li><span style="font-family: 'courier new', courier, monospace;">162.19.135[.]215</span></li> <li><span style="font-family: 'courier new', courier, monospace;">164.92.234[.]104</span></li> <li><span style="font-family: 'courier new', courier, monospace;">165.22.201[.]77</span></li> <li><span style="font-family: 'courier new', courier, monospace;">167.99.221[.]10</span></li> <li><span style="font-family: 'courier new', courier, monospace;">172.96.11[.]245</span></li> <li><span style="font-family: 'courier new', courier, monospace;">185.56.80[.]28</span></li> <li><span style="font-family: 'courier new', courier, monospace;">188.166.92[.]55</span></li> <li><span style="font-family: 'courier new', courier, monospace;">193.149.129[.]177</span></li> <li><span style="font-family: 'courier new', courier, monospace;">207.148.0[.]54</span></li> <li><span style="font-family: 'courier new', courier, monospace;">213.226.123[.]104</span></li> <li><span style="font-family: 'courier new', courier, monospace;">35.175.153[.]217</span></li> <li><span style="font-family: 'courier new', courier, monospace;">45.156.85[.]140</span></li> <li><span style="font-family: 'courier new', courier, monospace;">45.32.221[.]250</span></li> <li><span style="font-family: 'courier new', courier, monospace;">64.227.30[.]114</span></li> <li><span style="font-family: 'courier new', courier, monospace;">79.137.196[.]160</span></li> <li><span style="font-family: 'courier new', courier, monospace;">92.99.114[.]231</span></li> </ul> <h2><a id="post-132966-_dnvnrt25vj6k"></a>Additional Resources</h2> <ul> <li><a 
href="https://playlist.megaphone.fm/?e=CYBW2420634274&start=855&utm_content=261841717&utm_medium=social&utm_source=linkedinpanw_channel=lcp-10454826?utm_source=linkedin-unit42-global&utm_medium=social" target="_blank" rel="noopener">Muddled Libra Discussion With Unit 42 Senior Consultant Stephanie Regan</a> – Threat Vector Podcast, Unit 42 on CyberWire Daily</li> <li><a href="https://www.youtube.com/watch?v=Znq1fgMSFJs&list=PLaKGTLgARHpO1zjPmTlWuYsYEKR0SKUPa&index=30" target="_blank" rel="wpdevart_lightbox_video noopener" >Exposing Muddled Libra's Meticulous Tactics With Unit 42 Senior Researcher Kristopher Russo</a> – Threat Vector Podcast, Unit 42 on CyberWire Daily</li> <li><a href="https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" target="_blank" rel="noopener">Muddled Libra's Evolution to the Cloud</a> – Unit 42, Palo Alto Networks</li> <li><a href="https://www.group-ib.com/blog/0ktapus/" target="_blank" rel="noopener">Roasting 0ktapus: The phishing campaign going after Okta identity credentials</a> – Group-IB</li> <li><a href="https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" target="_blank" rel="noopener">Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies</a> – CrowdStrike</li> <li><a href="https://sec.okta.com/scatterswine" target="_blank" rel="noopener">Detecting Scatter Swine: Insights into a Relentless Phishing Campaign</a> – Okta</li> <li><a href="https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware" target="_blank" rel="noopener">I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware</a> – Mandiant</li> <li><a href="https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/" target="_blank" rel="noopener">Is Your Browser Extension a Botnet Backdoor?</a> – Krebs on Security</li> <li><a 
href="https://therecord.media/genesis-market-russian-market-2easy-shop-cybercrime-fraud" target="_blank" rel="noopener">Suspicion stalks Genesis Market’s competitors following FBI takedown</a> – The Record, Recorded Future News</li> </ul> <p class="p1"><i>Updated March 19, 2024, at 6:52 a.m. PT to correct Figure 1. </i></p> </div> <!--<span class="post__date">Updated 7 June, 2024 at 12:09 PM PDT</span>--> <button class="l-btn back-to-top" id="backToTop" data-page-track="true" data-page-track-value="muddled-libra:back to top">Back to top</button> <div class="be__tags-wrapper"> <h3>Tags</h3><ul role="list"><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/0ktapus/" role="link" title="0ktapus" data-page-track="true" data-page-track-value="muddled-libra:tags:0ktapus">0ktapus</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/alphv/" role="link" title="ALPHV" data-page-track="true" data-page-track-value="muddled-libra:tags:ALPHV">ALPHV</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/app-id/" role="link" title="app-ID" data-page-track="true" data-page-track-value="muddled-libra:tags:app-ID">App-ID</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/blackcat-ransomware/" role="link" title="BlackCat ransomware" data-page-track="true" data-page-track-value="muddled-libra:tags:BlackCat ransomware">BlackCat ransomware</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/mitre/" role="link" title="MITRE" data-page-track="true" data-page-track-value="muddled-libra:tags:MITRE">MITRE</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/muddled-libra/" role="link" title="Muddled Libra" data-page-track="true" data-page-track-value="muddled-libra:tags:Muddled Libra">Muddled Libra</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/phishing/" role="link" title="phishing" data-page-track="true" 
title="North Korea" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:North Korea">North Korea</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/social-engineering/" title="social engineering" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:social engineering">Social engineering</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/python/" title="Python" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:Python">Python</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/" title="Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" data-card-link="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" data-video-cta-tracking="muddled-libra:related-resources:Detecting Vulnerability Scanning Traffic 
From Underground Tools Using Machine Learning:card:video-modal:Read the article" data-video-title="Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning"> <div class="card-media has-video" data-video="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922.jpg"> <figure> <img width="718" height="440" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-718x440.jpg" class="lozad" alt="A pictorial representation of machine learning detecting vulnerability scanning. A Black man using a tablet with a background of illuminated city buildings at night." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-718x440.jpg 718w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-1143x700.jpg 1143w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-768x470.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922.jpg 1505w" sizes="(max-width: 718px) 100vw, 718px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-10-01T10:00:05+00:00">October 1, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" data-page-track="true" 
data-page-track-value="muddled-libra:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning"> <h4 class="post-title">Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/machine-learning/" title="Machine Learning" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:Machine Learning">Machine Learning</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" title="Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of keylogger malware like KLogEXE and FPSpy. Person working on a laptop with lines of code displayed on the screen, with a blurred effect indicating motion or activity, surrounded by a vivid blue and red lighting." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:Threat Actor Groups"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/threat-actor-groups.svg" alt=" category icon">Threat Actor Groups</span></a> <span class="post-pub-date"><time datetime="2024-09-26T10:00:51+00:00">September 26, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy"> <h4 class="post-title">Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/mitre/" title="MITRE" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:MITRE">MITRE</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/keylogger/" title="Keylogger" role="link" 
data-page-track="true" data-page-track-value="muddled-libra:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:Keylogger">Keylogger</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:North Korea">North Korea</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" title="Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of SnipBot. Digital abstract background featuring binary code and technology symbols with a blue glow in the shape of a skull." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-09-23T21:00:55+00:00">September 23, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Inside SnipBot: The Latest RomCom Malware Variant"> <h4 class="post-title">Inside SnipBot: The Latest RomCom Malware Variant</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/backdoor/" title="backdoor" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:backdoor">Backdoor</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/romcom/" title="RomCom" role="link" data-page-track="true" 
data-page-track-value="muddled-libra:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:RomCom">RomCom</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" title="Inside SnipBot: The Latest RomCom Malware Variant" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-786x368.jpg" class="lozad" alt="A pictorial representation of a red team tool like Splinter. A digital illustration showing a 3D brain model surrounded by rising data columns on a circuit board, representing advanced artificial intelligence technology." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-09-19T10:00:43+00:00">September 19, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool"> <h4 class="post-title">Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/red-teaming-tool/" title="red teaming tool" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool:red teaming 
tool">Red teaming tool</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/pentest-tool/" title="pentest tool" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool:pentest tool">Pentest tool</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/" title="Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-786x368.png" class="lozad" alt="Pictorial representation of APT groups from North Korea. The silhouette of two fish and the Pisces constellation inside an orange abstract planet, surrounded by two larger blue fish. Abstract, stylized cosmic setting with vibrant blue and purple shapes, representing space and distant planetary bodies." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-786x368.png 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-1493x700.png 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-768x360.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16-1536x720.png 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/word-image-449925-135181-16.png 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors:Threat Actor Groups"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/threat-actor-groups.svg" alt=" category icon">Threat Actor Groups</span></a> <span class="post-pub-date"><time datetime="2024-09-18T21:00:59+00:00">September 18, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors"> <h4 class="post-title">Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/python/" title="Python" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS 
Backdoors:Python">Python</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/cryptocurrency/" title="Cryptocurrency" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors:Cryptocurrency">Cryptocurrency</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors:North Korea">North Korea</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/" title="Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-786x368.png" class="lozad" alt="Illustrative image featuring two fish and the Pisces constellation superimposed on a stylized, abstract background with flowing purple waves and a starry night sky." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-786x368.png 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-1493x700.png 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-768x360.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1-1536x720.png 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/Pisces-NK-A-1920x900-1.png 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/top-cyberthreats/" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Threat Assessment: North Korean Threat Groups:High Profile Threats"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/top-threats.svg" alt=" category icon">High Profile Threats</span></a> <span class="post-pub-date"><time datetime="2024-09-09T22:00:58+00:00">September 9, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Threat Assessment: North Korean Threat Groups"> <h4 class="post-title">Threat Assessment: North Korean Threat Groups</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Threat Assessment: North Korean Threat Groups:North Korea">North Korea</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/remote-access-trojan/" title="Remote Access Trojan" role="link" data-page-track="true" 
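data-page-track-value="muddled-libra:related-resources:Threat Assessment: North Korean Threat Groups:Remote Access Trojan">Remote Access Trojan</a>
                </li>
                <li role="listitem">
                  <a href="https://unit42.paloaltonetworks.com/tag/finance/" title="Finance" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Threat Assessment: North Korean Threat Groups:Finance">Finance</a>
                </li>
              </ul>
            </div>
            <div class="card-content__link">
              <a class="hyperlink" href="https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/" title="Threat Assessment: North Korean Threat Groups" role="link" data-page-track="true" data-page-track-value="muddled-libra:related-resources:Threat Assessment: North Korean Threat Groups:read now">
                Read now
                <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow">
              </a>
            </div>
          </div>
        </div>
      </div>
    </div>
    <!-- Slider controls. Both buttons previously carried the identical alt text "Slider arrow",
         so assistive technology could not tell previous from next; the buttons are also given an
         explicit type so their role does not depend on context. The same left-arrow asset is used
         for both (presumably mirrored in CSS for "next"). -->
    <div class="l-container bs__controls">
      <div class="bs__progress"><span></span></div>
      <div class="bs__navigation">
        <ul>
          <li>
            <button type="button" id="prevButton">
              <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Previous">
            </button>
          </li>
          <li>
            <button type="button" id="nextButton">
              <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Next">
            </button>
          </li>
        </ul>
      </div>
    </div>
  </div>
  <!-- Image-enlarge overlay. The enlarged image's src is presumably filled in at runtime by a
       handler not visible here; the close control is a plain button with an accessible name. -->
  <div class="be-enlarge-modal" id="enlargedModal">
    <div class="be-enlarge-modal__wrapper">
      <figure>
        <button type="button" class="close__modal" id="closeModal">
          <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/close-modal.svg" alt="Close">
        </button>
        <img class="be__enlarged-image" id="enlargedImage" src="" alt="Enlarged Image">
        <figcaption> </figcaption>
      </figure>
    </div>
  </div>
</div>
</section>
</main>
<!-- Start: Footer subscription form -->
<div class="newsletter">
  <div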
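class="l-container">
  <div class="newsletter__wrapper">
    <div class="image__wrapper">
      <picture>
        <source class="lozad" media="(max-width:400px)" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/newsletter-Image-mobile.webp">
        <source class="lozad" media="(max-width:949px)" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/newsletter-Image-tab.webp">
        <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/Revitalized_newsletter-Image-desktop-copy-1.webp" alt="Newsletter">
      </picture>
    </div>
    <div class="content__wrapper">
      <span class="pre-title">
        <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/palo-alto-logo-small.svg" alt="UNIT 42 Small Logo">
        Get updates from Unit 42
      </span>
      <h2>Peace of mind comes from staying ahead of threats. Contact us today.</h2>
      <!-- Subscription form. It posts cross-origin (www.paloaltonetworks.com) via the script below;
           `novalidate` is kept on purpose so the script's own validation and reCAPTCHA gate run
           instead of the browser's native submit blocking. The hidden fields look like marketing
           form/program identifiers sent with every submission; nothing here is a secret. -->
      <form action="https://www.paloaltonetworks.com/apps/pan/public/formsubmithandler.submitform.json" method="post" novalidate class="subscribe-form" name="Unit42_Subscribe" id="unit42footerSubscription_form">
        <input type="hidden" name="emailFormMask" value="">
        <input type="hidden" value="1086" name="formid">
        <input type="hidden" value="531-OCS-018" name="munchkinId">
        <input type="hidden" value="2141" name="lpId">
        <input type="hidden" value="1203" name="programId">
        <input type="hidden" value="1086" name="formVid">
        <input type="hidden" name="mkto_optinunit42" value="true">
        <input type="hidden" name="mkto_opt-in" value="true">
        <div class="form-group">
          <label for="newsletter-email" id="newsletter-email-label">Your Email</label>
          <!-- type was "emal" (typo): the browser fell back to a plain text input, losing the email
               keyboard on mobile. The error paragraph is linked via aria-describedby and is a live
               region that exists before the script writes into it. -->
          <input type="email" autocomplete="email" placeholder="Your Email" name="Email" class="subscribe-field" id="newsletter-email" aria-labelledby="newsletter-email-label" aria-describedby="newsletter-email-error">
          <p class="error-mail mb-15 text-danger" id="newsletter-email-error" role="alert" style="color: #dc3545"></p>
          <p>Subscribe for email updates to all Unit 42 threat research.<br>By submitting this form, you agree to our <a title="Terms of Use" href="https://www.paloaltonetworks.com/legal-notices/terms-of-use" data-page-track="true" data-page-track-value="Get updates from Unit 42:Terms of Use">Terms of Use</a> and acknowledge our <a title="Privacy Statement" href="https://www.paloaltonetworks.com/legal-notices/privacy" data-page-track="true" data-page-track-value="Get updates from Unit 42:Privacy Statement">Privacy Statement.</a></p>
          <!-- reCAPTCHA widget. The site key is public by design; the api.js script is injected
               lazily by the script below on first interaction with the email field. -->
          <div class="g-recaptcha" data-expired-callback="captchaExpires" data-callback="captchaComplete" data-sitekey="6Lc5EhgTAAAAAJa-DzE7EeWABasWg4LKv-R3ao6o"></div>
          <p class="error-recaptcha d-none mt-15 text-danger" role="alert" style="color: #dc3545">Invalid captcha!</p>
          <!-- Explicit submit type; the two icons are decorative (the button already reads "Subscribe"),
               and the arrow previously carried two `class` attributes so `arrow` was never applied. -->
          <button type="submit" class="l-btn is-disabled" data-page-track="true" data-page-track-value="footer:Get updates from Unit 42:Subscribe" id="unit42footerSubscription_form_button">
            Subscribe
            <img class="lozad arrow" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt="">
            <img class="loader" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-loader.svg" alt="">
          </button>
          <div class="form-success-message" role="status" aria-live="polite"></div>
        </div>
      </form>
    </div>
  </div>
</div>
</div>
<script>
(function($) {
  // Migrated from the unit42-v5 + Modifications
  //
  // Footer subscription form: validates the address client-side, gates submission on a
  // completed reCAPTCHA response, and posts the form via XHR to the cross-origin handler
  // named in the form's action. The server remains the authority for validation and
  // CAPTCHA verification; everything here is UX only.
  var subscribeSuccess = false; // true while the reCAPTCHA response is valid; reset on expiry
  var captchaLoaded = false;    // api.js is injected once, on first interaction with the field
  var email = document.getElementById('newsletter-email');
  var subscription_form = document.getElementById('unit42footerSubscription_form');
  var subscription_form_button = document.getElementById('unit42footerSubscription_form_button');

  // Invoked by the reCAPTCHA widget (data-callback) once the challenge is solved.
  window.captchaComplete = function() {
    subscribeSuccess = true;
    // Was `$(mail)`: `mail` is not declared in this scope (it is a local of the submit
    // handler), so this threw a ReferenceError and the button was never re-enabled here.
    if ($(email).val() != '' && isEmail($(email).val())) {
      $(subscription_form_button).removeClass('is-disabled');
    }
    setTimeout(function() {
      $(email).focus();
      $('.g-recaptcha iframe').attr('tabindex', '-1');
    }, 100);
  };

  // Invoked by the reCAPTCHA widget (data-expired-callback) when the response token expires.
  window.captchaExpires = function() {
    subscribeSuccess = false;
    $(subscription_form_button).addClass('is-disabled');
  };

  // Syntax-only address check (common "practical" pattern); not a deliverability check.
  function isEmail(value) {
    var re = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
    return re.test(String(value).toLowerCase());
  }

  // error_type 1: empty field; 2: malformed address. Disables the submit button either way.
  // `d-none` is removed explicitly: the submit handler adds it after a valid attempt, and
  // nothing cleared it again, so later errors were written into a hidden element.
  function showError(error_type) {
    if (error_type == 1) {
      $('.error-mail').text("Please enter the email address.").removeClass('d-none').addClass('error-show');
      $(subscription_form_button).addClass('is-disabled');
    } else if (error_type == 2) {
      $('.error-mail').text("Please provide a valid e-mail address.").removeClass('d-none').addClass('error-show');
      $(subscription_form_button).addClass('is-disabled');
    }
    $(subscription_form_button).removeClass('is-loading');
  }

  // Clears the email error and re-enables the button (also drops any loading state).
  function clearError() {
    $('.error-mail').text("").removeClass('error-show');
    $(subscription_form_button).removeClass('is-loading is-disabled');
  }

  $(subscription_form).on('submit', function(e) {
    e.preventDefault();
    e.stopImmediatePropagation();
    updateEmailMask();
    var success = true;
    var form = $(this);
    var mail = form.find('input[name="Email"]');
    if (mail.val() === '') {
      mail.addClass('has-error');
      showError(1);
      success = false;
    } else if (!isEmail(mail.val())) {
      showError(2);
      success = false;
    } else {
      mail.removeClass('has-error');
      $('.error-mail').addClass('d-none');
    }
    if (!subscribeSuccess) {
      $('.error-recaptcha').removeClass('d-none');
    } else {
      $('.error-recaptcha').addClass('d-none');
    }
    if (success && subscribeSuccess) {
      $.ajax({
        type: 'POST',
        url: form.attr('action'),
        data: form.serialize(),
        beforeSend: function() {
          form.find('button').addClass('is-loading');
        },
        success: function(msg) {
          // NOTE(review): any 2xx is reported as "subscribed"; the response body is not
          // inspected. Confirm whether the handler can signal failure inside a 2xx payload.
          form.find('.form-success-message').html('<p class="success-message">You have been successfully subscribed</p>');
          form.find('button').removeClass('is-loading');
          $(email).val('');
          clearError();
        },
        error: function(jqXHR, textStatus, errorThrown) {
          $(subscription_form_button).addClass('is-disabled');
          form.find('button').removeClass('is-loading');
        }
      });
    }
    return false;
  });

  // Live validation while typing: empty or well-formed input clears the error, anything else
  // shows the "valid e-mail" message.
  $(email).on('input', function() {
    var value = $(this).val();
    if (isEmail(value) || value == "") {
      clearError();
    } else {
      showError(2);
    }
  });

  // Inject the reCAPTCHA api.js only once the visitor interacts with the email field.
  // This is a runtime third-party script load: the page's CSP must allow the reCAPTCHA
  // origins for script-src (api.js) and frame-src (the widget's iframe), and SRI is not
  // practical here because api.js is not content-stable.
  $(document).on('change paste keyup', '#newsletter-email', function() {
    if ($('.g-recaptcha').hasClass('d-none')) {
      $('.g-recaptcha').removeClass('d-none');
    }
    if (!captchaLoaded) {
      captchaLoaded = true;
      var script = document.createElement('script');
      script.src = 'https://www.google.com/recaptcha/api.js?hl=en_US';
      document.getElementsByTagName('head')[0].appendChild(script);
    }
  });

  // Copies a masked form of the address into the hidden emailFormMask field before submit.
  function updateEmailMask() {
    var value = $("#unit42footerSubscription_form input[name='Email']").val();
    if (value && value.trim() != '') {
      $("#unit42footerSubscription_form input[name='emailFormMask']").val(maskEmailAddress(value));
    }
  }

  // "john.doe@example.com" -> "j***.**e@e*****e.com": keeps the first and last character of
  // the local part and of the domain (minus its final suffix); parts of 4 characters or fewer
  // are fully starred. Only word characters are replaced, punctuation is kept. Inputs the
  // regex does not match are returned unchanged.
  function maskEmailAddress(emailAddress) {
    function mask(str) {
      var strLen = str.length;
      if (strLen > 4) {
        // Was substr(1, strLen - 1), which included the last character in the starred run and
        // then appended it again, making every masked part one character too long.
        return str.substr(0, 1) + str.substr(1, strLen - 2).replace(/\w/g, '*') + str.substr(-1, 1);
      }
      return str.replace(/\w/g, '*');
    }
    return emailAddress.replace(/([\w.]+)@([\w.]+)(\.[\w.]+)/g, function(m, p1, p2, p3) {
      return mask(p1) + '@' + mask(p2) + p3;
    });
  }
}(jQuery));
</script>
<!-- End: Footer subscription form -->
<footer class="footer">
  <div class="footer-menu">
    <div class="l-container">
      <div class="footer-menu__wrapper">
        <div class="footer-menu-nav__wrapper">
          <h3 class="footer-menu-nav__title">Products and services</h3>
          <div class="nav-column__wrapper">
            <div class="nav-column">
              <nav aria-label="Products and services">
                <ul class="footer-menu-nav__list">
                  <li class="footer-menu-nav__item nav-title">
                    <a href="https://www.paloaltonetworks.com/network-security" role="link" title="Network Security Platform" data-page-track="true"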
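class="volume__bar" id="volumeBar" type="range" min="0" max="1" step="0.1" value="0.7"> </div> </div> <button class="modal__minimize-btn" id="minimizeBtn"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-minimize.svg" alt="Minimize"> </button> </div> </div> </div> </div><!-- End: video modal -->
<script type="text/javascript">
// Post like/dislike counter (like-dislike-counter plugin front end).
var isProcessing = false; // at most one vote request in flight

/**
 * Sends a like/dislike vote for a post and replaces the count shown in `obj`.
 *
 * @param {Element|string} obj     vote control; its first <span> shows the count
 * @param {string|number}  post_id WordPress post id being voted on
 * @param {string}         ul_type vote type, sent as the `up_type` field
 */
function alter_ul_post_values(obj, post_id, ul_type) {
  if (isProcessing) return;
  isProcessing = true;
  var like_nonce = jQuery('#_wpnonce').val();
  var $count = jQuery(obj).find("span");
  $count.html("..");
  jQuery.ajax({
    type: "POST",
    url: "https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php",
    // Object form lets jQuery URL-encode each value; the original string
    // concatenation would corrupt the request on any '&' or '=' in an argument.
    data: { post_id: post_id, up_type: ul_type, ul_nonce: like_nonce },
    success: function (msg) {
      // NOTE(review): the reply is inserted as HTML. It is presumably the bare
      // updated count — confirm against ajax_counter.php and switch to .text()
      // if it never contains markup.
      $count.html(msg);
      jQuery(obj).find('svg').children('path').attr('stroke', '#0050FF');
      jQuery(obj).removeClass('idc_ul_cont_not_liked idc_ul_cont_not_liked_inner');
    },
    complete: function () {
      // Released on success *and* failure; the original only reset the flag in
      // `success`, so one failed request left the control permanently inert.
      isProcessing = false;
    }
  });
}
</script>
<link rel="stylesheet" id="wpdevart_lightbox_front_end_css-css" href="https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/style/wpdevart_lightbox_front.css?ver=6.6.2" media="all">
<script src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/js/script.js?ver=1.0.0" id="unit42-v6-navigation-js"></script>
<!-- Start: Scripts Migrated From Unit42-v5 -->
<script type="text/javascript">
// Lazy-load elements marked `.lozad` / `.lozad-background`.
// NOTE(review): `lozad` is a global; presumably bundled in script.js above — confirm.
const observer_lozad = lozad('.lozad, .lozad-background');
observer_lozad.observe();

window.PAN_Clean_Util = { isIE: false };
(function () {
  // INP Util Fix: lets long-running handlers yield to the event loop for `ms`.
  function yieldToMain(ms) {
    return new Promise(resolve => setTimeout(resolve, ms));
  }
  window.PAN_Clean_Util.yieldToMain = yieldToMain;
})();

// NOTE(review): `referer` is not declared in this script; it is presumably set
// by an earlier script on the page and names which product navigation to load — confirm.
if (referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw") {
  // Globals read by the Coveo search / main-site navigation bundles loaded below.
  var Coveo_organizationId = "paloaltonetworksintranet";
  var techDocsPagePath = "https://docs.paloaltonetworks.com/search.html#hd=All%20Prisma%20Cloud%20Documentation&hq=%40panproductcategory%3D%3D(%22Prisma%20Cloud%22)&sort=relevancy&layout=card&numberOfResults=25";
  var languageFromPath = "en_US";
  window.Granite = window.Granite || {};
  // Minimal stand-in for AEM's Granite.I18n: only the two Coveo keys used here
  // are translated; every other key resolves to "".
  Granite.I18n = (function () {
    var self = {};
    self.setLocale = function (locale) { };
    self.get = function (text, snippets, note) {
      var out = "";
      if (text) {
        if (text === "coveo.clear") {
          out = "Clear";
        } else if (text === "coveo.noresultsfound") {
          out = "No results found for this search term.";
        }
      }
      return out;
    };
    return self;
  }());
}

// Main-site navigation bundles (`maindomain_lang` is set in the <head> script).
var main_site_critical_top = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.js';
var main_site_defered = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.js';
var main_site_criticalTopBase = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopBase.min.js';
var main_site_criticalTopProductNav = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.js';
window.PAN_MainNavAsyncUrl = maindomain_lang + "/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html";

// Appends <script src=url> to <head>; `defer` true adds the defer attribute.
function loadScript(url, defer) {
  var script1 = document.createElement('script');
  script1.setAttribute('type', 'text/javascript');
  script1.setAttribute('src', url);
  if (defer == true) {
    script1.setAttribute('defer', 'defer');
  }
  document.head.appendChild(script1);
}

// Like loadScript, but runs `callback` once the script has loaded
// (the readyState branch is the legacy IE path).
function loadScript1(url, callback) {
  var script = document.createElement("script");
  script.type = "text/javascript";
  if (script.readyState) { //IE
    script.onreadystatechange = function () {
      if (script.readyState == "loaded" || script.readyState == "complete") {
        script.onreadystatechange = null;
        callback();
      }
    };
  } else { //Others
    script.onload = function () {
      callback();
    };
  }
  script.src = url;
  document.getElementsByTagName("head")[0].appendChild(script);
}

// Load the navigation bundles 3 s after this script runs (presumably to keep
// them off the critical path). Unit 42 pages use the split base + product-nav
// bundles; the other products use the combined criticalTop bundle.
if (referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw") {
  if (referer == "Unit") {
    setTimeout(function () {
      loadScript(main_site_criticalTopBase, false);
      loadScript1(main_site_criticalTopProductNav, function () {
        window.PAN_initializeProduct2021Nav();
      });
      loadScript(main_site_defered, false);
    }, 3000);
  } else {
    setTimeout(function () {
      loadScript1(main_site_critical_top, function () {
        window.PAN_initializeProduct2021Nav();
      });
      loadScript(main_site_defered, false);
    }, 3000);
  }
}

// Open the article-banner option links in a new tab. `noopener` is added to
// any existing rel so the opened page cannot reach back through window.opener.
$(document).ready(function () {
  setTimeout(function () {
    $('.article-banner .ab__options ul li a').each(function () {
      var rel = (this.getAttribute('rel') || '').split(/\s+/).filter(Boolean);
      if (rel.indexOf('noopener') === -1) {
        rel.push('noopener');
      }
      $(this).attr('target', "_blank").attr('rel', rel.join(' '));
    });
  }, 4000);
});
</script>
<!-- End: Scripts Migrated From Unit42-v5 -->
</body>
</html>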