
A Chinese state-sponsored hacking group tracked as Murky Panda, also known as Silk Typhoon, is systematically exploiting trusted relationships within cloud environments to gain initial access to the networks and data of downstream customers [1]. This campaign, which primarily targets organizations in North America across government, technology, academic, and legal sectors, demonstrates a sophisticated understanding of cloud identity infrastructure and supply chain trust [2]. Security researchers at CrowdStrike assess that these operations are likely driven by intelligence-collection objectives, posing a significant threat to critical infrastructure and sensitive data [3].
Initial Access Through Cloud Trust Exploitation
Murky Panda operators have developed a signature technique of compromising trusted relationships within cloud environments, effectively turning identity infrastructure into a launchpad for attacks [1]. In one documented case, the group exploited a zero-day vulnerability in a Software-as-a-Service (SaaS) provider, then leveraged a stolen Entra ID application registration secret to impersonate service principals and access downstream customer data and emails [1]. Another incident involved compromising a Microsoft Cloud Solution Provider (CSP), where after gaining a Global Administrator account, the threat actors created a backdoor user with broad privileges to persist and exfiltrate emails from downstream customers [1]. This method allows the attackers to bypass traditional perimeter defenses by exploiting established trust relationships between cloud service providers and their clients.
Technical TTPs and Malware Arsenal
The group employs multiple techniques for maintaining persistence and moving laterally within compromised environments. They rely heavily on web shells, particularly the Neo-reGeorg web shell, for maintaining access to compromised systems [1]. For Linux targets, Murky Panda has developed CloudedHope, a statically linked 64-bit ELF executable written in Golang that functions as a basic Remote Access Trojan (RAT) with anti-analysis and operational security features [1]. The group also demonstrates capability in rapidly weaponizing both N-day and zero-day vulnerabilities, including CVE-2023-3519 in Citrix NetScaler ADC & Gateway and CVE-2025-3928 in Commvault software, which was exploited to compromise Microsoft Azure instances and steal credentials [4].
Broader Chinese APT Ecosystem Context
Murky Panda operates within a broader ecosystem of Chinese state-sponsored threat groups targeting cloud infrastructure. Genesis Panda demonstrates skill in manipulating cloud services and often acts as an Initial Access Broker targeting financial services, media, telecom, and technology across 11 countries [2]. Glacial Panda focuses on the telecommunications sector across Asia and the Americas, targeting Linux systems to exfiltrate call detail records using trojanized OpenSSH components codenamed ShieldSlide [2]. Another group, Evasive Panda (Bronze Highland), employs a sophisticated .NET framework called CloudScout that leverages stolen web session cookies to hijack authenticated sessions to cloud services like Microsoft Outlook, Gmail, and Google Drive, effectively bypassing multi-factor authentication mechanisms [5].
Defensive Recommendations and Mitigation Strategies
Security experts recommend implementing strict monitoring of Entra ID credentials and service principal activities, as these have become primary targets for initial access [1]. Organizations should audit and vigilantly monitor new user additions in cloud environments, particularly those with elevated privileges. Regular and rapid patching for all software, especially cloud-facing applications and appliances, remains critical given the group’s rapid weaponization of vulnerabilities [1]. Monitoring for suspicious device logon behaviors and reviewing privileges for trusted third-party providers and Cloud Solution Providers can help detect and prevent these attacks. Adam Meyers of CrowdStrike advises organizations to “patch everything, patch it now,” while also emphasizing the importance of monitoring cloud permissions and delegated access [6].
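The three monitoring recommendations above (service principal credential changes, newly created users granted elevated roles, and activity by delegated third-party or CSP accounts) map directly onto the tradecraft described in the initial-access section: a stolen application registration secret and a backdoor Global Administrator user. The following is an added example of that detection logic, not code from CrowdStrike or from the original article. It runs over a handful of constructed Entra ID audit records; the activity names are the ones Entra ID uses, but the flattened record layout (`time`, `activityDisplayName`, `initiatedBy`, `target`, `role`), the tenant domain `customer.example` and the partner domain `partner.example` are assumptions for the sample.

```python
"""Flag Entra ID audit events matching the Murky Panda pattern described above:
secrets added to app registrations / service principals, a freshly created user
granted a privileged directory role, and any action by an account outside the
tenant's own domain (delegated admin or CSP activity worth reviewing).

The records below are constructed sample data. Field names are a simplified,
assumed form of the Entra ID audit log schema, not captured telemetry.
"""
import json
from datetime import datetime, timedelta

# Activity names as they appear in Entra ID audit logs.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# A user granted a privileged role this soon after creation looks like a backdoor.
NEW_USER_WINDOW = timedelta(hours=24)
# Assumed tenant domain; anything else is treated as a partner/CSP initiator.
TENANT_DOMAIN = "customer.example"

# Constructed newline-delimited JSON audit records (not real telemetry).
SAMPLE_AUDIT_LOG = """
{"time":"2025-08-01T09:00:00Z","activityDisplayName":"Add user","initiatedBy":"admin@partner.example","target":"helpdesk-svc@customer.example","role":null}
{"time":"2025-08-01T09:03:00Z","activityDisplayName":"Add member to role","initiatedBy":"admin@partner.example","target":"helpdesk-svc@customer.example","role":"Global Administrator"}
{"time":"2025-08-01T10:15:00Z","activityDisplayName":"Add service principal credentials","initiatedBy":"admin@partner.example","target":"mail-sync-app","role":null}
{"time":"2025-07-01T08:00:00Z","activityDisplayName":"Add user","initiatedBy":"hr@customer.example","target":"jdoe@customer.example","role":null}
{"time":"2025-08-02T08:00:00Z","activityDisplayName":"Add member to role","initiatedBy":"it@customer.example","target":"jdoe@customer.example","role":"Global Reader"}
"""


def parse_events(raw: str) -> list:
    """Parse newline-delimited JSON audit records and return them sorted by time."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def find_suspicious(events: list, tenant_domain: str = TENANT_DOMAIN) -> list:
    """Return one finding dict per triggered rule, in event order."""
    created_at = {}   # user principal -> creation time, from "Add user" events
    findings = []

    def flag(rule, ev):
        findings.append({
            "rule": rule,
            "time": ev["time"].isoformat(),
            "initiator": ev["initiatedBy"],
            "target": ev["target"],
        })

    for ev in events:
        act, target = ev["activityDisplayName"], ev["target"]
        if act == "Add user":
            created_at[target] = ev["time"]
        # Rule 1: new secret/certificate on an app registration or service principal.
        if act in CREDENTIAL_ACTIVITIES:
            flag("app-secret-added", ev)
        # Rule 2: privileged role grant; escalate if the user was only just created.
        if act == "Add member to role" and ev.get("role") in PRIVILEGED_ROLES:
            born = created_at.get(target)
            if born is not None and ev["time"] - born <= NEW_USER_WINDOW:
                flag("new-user-privileged-role", ev)
            else:
                flag("privileged-role-grant", ev)
        # Rule 3: any action initiated from outside the tenant (delegated/CSP access).
        if not ev["initiatedBy"].lower().endswith("@" + tenant_domain):
            flag("external-initiator", ev)
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{f['time']}  {f['rule']:<26} {f['initiator']} -> {f['target']}")
```

On the sample data the partner account's three actions trigger the external-initiator rule each time, the Global Administrator grant to a user created three minutes earlier trips the new-user rule, and the service principal credential addition trips the secret rule; the in-tenant user creation and the Global Reader grant produce nothing. In a real deployment the tenant domain and the list of sanctioned partner accounts would come from configuration rather than constants, and the creation-time lookup would be seeded from existing directory data rather than only from events in the current batch.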
The Murky Panda campaign highlights the evolving threat landscape where nation-state actors increasingly target cloud infrastructure and supply chain relationships. This approach allows attackers to compromise multiple organizations through a single initial access point, maximizing their intelligence gathering capabilities while minimizing their operational footprint. Security teams must assume a defense-in-depth posture that incorporates rapid detection capabilities, tight public-private partnerships, and robust supply chain hygiene to effectively counter these advanced threats.