Cyber Web Spider Blog – News

Chinese Hackers Murky, Genesis, and Glacial Panda Escalate Cloud and Telecom Espionage

Posted on August 22, 2025 By CWS

Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks.
"The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by exploiting internet-facing appliances," CrowdStrike said in a Thursday report.
Murky Panda, also known as Silk Typhoon (formerly Hafnium), is best known for its zero-day exploitation of Microsoft Exchange Server flaws in 2021. Attacks mounted by the hacking group have targeted government, technology, academic, legal, and professional services entities in North America.
Earlier this March, Microsoft detailed the threat actor's shift in tactics, describing its targeting of the information technology (IT) supply chain as a means to obtain initial access to corporate networks. Murky Panda's operations are assessed to be driven by intelligence gathering.
Like other Chinese hacking groups, Murky Panda has exploited internet-facing appliances to obtain initial access and is believed to have also compromised small office/home office (SOHO) devices geolocated in the targeted country, using them as exit nodes to hinder detection efforts.
Other infection pathways include exploitation of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928). The initial access is leveraged to deploy web shells like neo-reGeorg to establish persistence and ultimately drop a custom malware referred to as CloudedHope.

A 64-bit ELF binary written in Golang, CloudedHope functions as a basic remote access tool (RAT) while employing anti-analysis and operational security (OPSEC) measures, such as modifying timestamps and deleting indicators of its presence in victim environments to fly under the radar.
But a notable aspect of Murky Panda's tradecraft concerns the abuse of trusted relationships between partner organizations and their cloud tenants: exploiting zero-day vulnerabilities to breach software-as-a-service (SaaS) providers' cloud environments and then moving laterally to downstream victims.
In at least one instance observed in late 2024, the threat actor is said to have compromised a supplier of a North American entity and used the supplier's administrative access to the victim entity's Entra ID tenant to add a temporary backdoor Entra ID account.
"Using this account, the threat actor then backdoored several preexisting Entra ID service principals related to Active Directory management and emails," CrowdStrike said. "The adversary's targets appear targeted in nature based on their focus on accessing emails."
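The service principal backdoor described above leaves a trail in the Entra ID audit log. The following is an added example, not CrowdStrike's or Microsoft's code; it assumes the backdooring took the form of adding credentials to existing service principals (the page does not say how), that the audit entries have the simplified shape shown, and that a snapshot of the tenant's user inventory is available. All accounts, names and entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# Audit activity that grants a new way to authenticate as an existing app identity.
CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}

def find_backdoored_principals(events, account_created, window_days=7):
    """Return credential additions to service principals made by new or unknown accounts.
    account_created maps UPN -> creation time from the tenant's user inventory; an actor
    created within window_days, or missing from the inventory, fits the backdoor pattern."""
    findings = []
    for ev in events:
        if ev["activityDisplayName"] not in CREDENTIAL_ACTIVITIES:
            continue
        actor = ev["initiatedBy"]["user"]["userPrincipalName"]
        targets = [t["displayName"] for t in ev["targetResources"]
                   if t["type"] == "ServicePrincipal"]
        when = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        created = account_created.get(actor)
        if created is None:
            reason = "actor absent from current user inventory"
        elif when - created <= timedelta(days=window_days):
            reason = f"actor account created {created.date()}, inside {window_days}-day window"
        else:
            continue  # long-lived admin account: outside this detection's scope
        if targets:
            findings.append({"time": ev["activityDateTime"], "actor": actor,
                             "targets": targets, "reason": reason})
    return findings

SAMPLE_ACCOUNTS = {  # constructed user inventory (UPN -> creation time)
    "admin@supplier.example": datetime(2023, 1, 10, tzinfo=timezone.utc),
    "svc-backup@victim.example": datetime(2024, 11, 11, tzinfo=timezone.utc),  # one day old
}

def _entry(when, actor, activity, target, ttype="ServicePrincipal"):
    return {"activityDateTime": when, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": ttype, "displayName": target}]}

SAMPLE_EVENTS = [  # constructed audit entries, shape simplified from the Entra ID audit log
    _entry("2024-11-12T09:30:00Z", "svc-backup@victim.example",
           "Add service principal credentials", "Exchange Online Management"),
    _entry("2024-11-12T09:31:00Z", "admin@supplier.example",
           "Add service principal credentials", "AD Connect Sync"),
    _entry("2024-11-12T10:05:00Z", "ghost@victim.example",
           "Add service principal credentials", "Mail Archiver"),
    _entry("2024-11-12T10:10:00Z", "svc-backup@victim.example", "Update user",
           "svc-backup@victim.example", ttype="User"),
]
```

A long-lived supplier admin adding credentials is deliberately not flagged here; that case needs a separate baseline of which partner accounts are expected to touch which service principals.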

From Murky to Genesis
Another China-linked threat actor that has proven adept at manipulating cloud services is Genesis Panda, which has been observed using cloud infrastructure for basic exfiltration and targeting cloud service provider (CSP) accounts to expand access and establish fallback persistence mechanisms.
Active since at least January 2024, Genesis Panda has been attributed to high-volume operations targeting the financial services, media, telecommunications, and technology sectors across 11 countries. The goal of the attacks is to enable access for future intelligence-collection activity.
The possibility that it acts as an initial access broker stems from the group's exploitation of a wide range of web-facing vulnerabilities combined with limited data exfiltration.
"Although Genesis Panda targets a variety of systems, they show consistent interest in compromising cloud-hosted systems to leverage the cloud control plane for lateral movement, persistence, and enumeration," CrowdStrike said.
The adversary has been observed "consistently" querying the Instance Metadata Service (IMDS) associated with a cloud-hosted server to obtain credentials for the cloud control plane and to enumerate network and general instance configurations. It is also known to use credentials, likely obtained from compromised virtual machines (VMs), to burrow deeper into the target's cloud account.
The findings illustrate how Chinese hacking groups are becoming increasingly adept at breaching and navigating cloud environments, while also prioritizing stealth and persistence to ensure sustained access and covert data harvesting.
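Credentials pulled from IMDS are typically used from somewhere other than the VM that obtained them, and that mismatch is the detectable signal. The following is an added example, not CrowdStrike's code; it assumes AWS CloudTrail-style events, in which a session built from instance-profile credentials is named after the instance ID, and a constructed inventory of each instance's legitimate egress networks.

```python
import re
from ipaddress import ip_address, ip_network

# Role sessions obtained from IMDS carry the instance ID as the session name.
INSTANCE_SESSION_RE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")

# Constructed inventory: instance ID -> networks it legitimately calls the API from
# (NAT egress address, or the VPC CIDR when calls go through a VPC endpoint).
INSTANCE_EGRESS = {
    "i-0a1b2c3d4e5f67890": [ip_network("203.0.113.10/32"), ip_network("10.20.0.0/16")],
}

def credential_exfil_findings(events, inventory=INSTANCE_EGRESS):
    """Return API calls made with an instance's IMDS credentials from outside that instance."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        m = INSTANCE_SESSION_RE.match(ident.get("arn", ""))
        if ident.get("type") != "AssumedRole" or not m:
            continue  # IAM users, and human/CI role sessions, are out of scope here
        role, instance_id = m.groups()
        try:
            src = ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # e.g. "ec2.amazonaws.com": a service acting on the instance's behalf
        allowed = inventory.get(instance_id)
        if allowed is None:
            reason = "instance not in inventory"
        elif any(src in net for net in allowed):
            continue  # credentials used from the instance itself
        else:
            reason = f"{src} is outside the egress networks of {instance_id}"
        findings.append({"time": ev["eventTime"], "instance": instance_id, "role": role,
                         "eventName": ev["eventName"], "reason": reason})
    return findings

def _call(when, arn, src, name, itype="AssumedRole"):
    return {"eventTime": when, "eventName": name, "sourceIPAddress": src,
            "userIdentity": {"type": itype, "arn": arn}}

WEB_ROLE = "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0a1b2c3d4e5f67890"
SAMPLE_EVENTS = [  # constructed CloudTrail-style events
    _call("2025-03-01T08:00:00Z", WEB_ROLE, "203.0.113.10", "DescribeInstances"),
    _call("2025-03-01T08:05:00Z", WEB_ROLE, "198.51.100.77", "GetCallerIdentity"),
    _call("2025-03-01T08:06:00Z", WEB_ROLE, "198.51.100.77", "ListBuckets"),
    _call("2025-03-01T08:07:00Z", "arn:aws:sts::123456789012:assumed-role/Admin/alice",
          "198.51.100.5", "ListUsers"),
    _call("2025-03-01T08:08:00Z", WEB_ROLE, "ec2.amazonaws.com", "RunInstances"),
]
```

Requiring IMDSv2 (session-oriented requests with a hop limit of 1) on every instance shrinks the window for this theft in the first place; the detection above covers the cases where a host is fully compromised and the token can be obtained anyway.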
Glacial Panda Strikes Telecom Sector
The telecommunications sector, per CrowdStrike, has seen a 130% increase in nation-state activity over the past year, primarily driven by the fact that telecom networks are a treasure trove of intelligence. The latest threat actor to train its sights on the industry vertical is a Chinese threat actor dubbed Glacial Panda.

The geographic footprint of the hacking group spans Afghanistan, Hong Kong, India, Japan, Kenya, Malaysia, Mexico, Panama, the Philippines, Taiwan, Thailand, and the United States.

"Glacial Panda highly likely conducts targeted intrusions for intelligence collection purposes, accessing and exfiltrating call detail records and related communications telemetry from multiple telecommunications organizations," the cybersecurity company said.
"The adversary primarily targets Linux systems typical in the telecommunications industry, including legacy operating system distributions that support older telecommunications technologies."
Attack chains implemented by the threat actor exploit known security vulnerabilities or weak passwords on internet-facing and unmanaged servers, with follow-on actions leveraging privilege escalation bugs like CVE-2016-5195 (aka Dirty COW) and CVE-2021-4034 (aka PwnKit).
Besides relying on living-off-the-land (LotL) techniques, Glacial Panda's intrusions pave the way for the deployment of trojanized OpenSSH components, collectively codenamed ShieldSlide, to harvest user authentication sessions and credentials.
"The ShieldSlide-trojanized SSH server binary also provides backdoor access, authenticating any account (including root) when a hardcoded password is entered," CrowdStrike said.
