
A Peek Into Muddled Libra's Operational Playbook

Published 11/02/2026 03:22 · Modified 11/02/2026 11:05


Essential information

Published: 11/02/2026 03:22
Modified: 11/02/2026 11:05
Tags: 2026-02-11, muddled libra, vmware
Related entities: 4 observables, 1 intrusion set (APT), 25 techniques (MITRE), 2 others

Description

Unit 42 discovered a rogue virtual machine used by the cybercrime group Muddled Libra during an incident response investigation. The VM provided insight into the group's operational methods, including reconnaissance, tool downloads, establishing persistence, certificate theft, and interaction with the target's infrastructure. Muddled Libra created the VM after gaining unauthorized access to the target's vSphere environment. The group's tactics involve minimal malware use; it prefers to leverage the target's own assets. Its attack chain included creating the VM, downloading tools, establishing command and control (C2), using stolen certificates, and attempting data exfiltration. The article details the group's activities, the tools it used, and the troubleshooting efforts observed during the attack.
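The first step in the chain above, an attacker-created VM appearing in the victim's vSphere inventory, is the one a defender can most easily check for in vCenter's event log. The script below is an added example written for this page; it is not code from Unit 42 or from the article, and the article does not describe any such detection. It screens vCenter-style event records for VM creation or registration by principals outside a provisioning allowlist, outside a change window, or with a name that breaks the site's naming convention. The event type IDs (VmCreatedEvent, VmRegisteredEvent, VmDeployedEvent) are vSphere's own; the record layout, the allowlist, the change window, the naming pattern and every account, host and VM name are constructed assumptions.

```python
"""Flag unexpected VM creation/registration events in vCenter event data.

Added example for this page, not from the Unit 42 article. The vSphere event
type IDs are real; the record shape, the allowlist, the change window, the
naming convention and all sample data are constructed for illustration.
"""
import re
from datetime import datetime, time, timezone

# vSphere event type IDs that put a new VM onto the inventory.
VM_ARRIVAL_EVENTS = {"VmCreatedEvent", "VmRegisteredEvent", "VmDeployedEvent"}

# Hypothetical: the only principals expected to create VMs (e.g. an IaC pipeline).
ALLOWED_CREATORS = {"VSPHERE.LOCAL\\svc-terraform", "CORP\\vmware-admin"}

# Hypothetical change window (UTC) in which routine provisioning happens.
CHANGE_WINDOW = (time(1, 0), time(5, 0))

# Hypothetical site naming convention: lowercase tokens joined by hyphens.
VM_NAME_PATTERN = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)+$")

# Constructed sample of vCenter events (not real telemetry).
SAMPLE_EVENTS = [
    {"eventTypeId": "VmCreatedEvent", "createdTime": "2026-01-14T02:10:00Z",
     "userName": "VSPHERE.LOCAL\\svc-terraform", "vm": "web-prod-07", "host": "esxi-01"},
    {"eventTypeId": "VmPoweredOnEvent", "createdTime": "2026-01-14T02:12:00Z",
     "userName": "VSPHERE.LOCAL\\svc-terraform", "vm": "web-prod-07", "host": "esxi-01"},
    {"eventTypeId": "VmRegisteredEvent", "createdTime": "2026-01-15T14:37:00Z",
     "userName": "CORP\\jdoe", "vm": "Windows 10 Pro", "host": "esxi-03"},
    {"eventTypeId": "VmCreatedEvent", "createdTime": "2026-01-15T23:05:00Z",
     "userName": "CORP\\vmware-admin", "vm": "patch-test", "host": "esxi-02"},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_change_window(dt):
    """True if the event's time of day falls inside CHANGE_WINDOW (handles midnight wrap)."""
    start, end = CHANGE_WINDOW
    t = dt.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def assess_event(event):
    """Return the reasons an arrival event is suspicious; [] for benign or irrelevant events."""
    if event.get("eventTypeId") not in VM_ARRIVAL_EVENTS:
        return []
    reasons = []
    if event.get("userName") not in ALLOWED_CREATORS:
        reasons.append("creator not in provisioning allowlist")
    if not in_change_window(parse_time(event["createdTime"])):
        reasons.append("outside change window")
    if not VM_NAME_PATTERN.match(event.get("vm", "")):
        reasons.append("VM name violates naming convention")
    return reasons


def flag_rogue_vms(events):
    """Return (vm, host, user, reasons) for every arrival event with at least one finding."""
    findings = []
    for ev in events:
        reasons = assess_event(ev)
        if reasons:
            findings.append((ev["vm"], ev["host"], ev["userName"], reasons))
    return findings


if __name__ == "__main__":
    for vm, host, user, reasons in flag_rogue_vms(SAMPLE_EVENTS):
        print(f"{vm} on {host} by {user}: {'; '.join(reasons)}")
```

In practice the records would come from vCenter's EventManager (or the events already forwarded to a SIEM), and the allowlist and window should reflect how the site actually provisions VMs; a hit on all three checks at once, as with the "Windows 10 Pro" record above, is the pattern worth paging on.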

External references