Murky Panda: Utilizing Trusted Relationships for Cyber Espionage
Cybersecurity experts have recently highlighted alarming activities linked to a cyber espionage group with ties to China, known as Murky Panda. This group is sophisticated in exploiting trusted relationships within cloud environments to infiltrate enterprise networks, raising significant concerns among organizations globally.
Exploiting Vulnerabilities and Initial Access
According to a report from CrowdStrike, Murky Panda has demonstrated an impressive capacity to leverage both N-day and zero-day vulnerabilities. Often, the group initiates attacks by targeting internet-facing appliances, which has proven to be an effective method for gaining initial access to various networks.
Renowned for its zero-day exploits tied to Microsoft Exchange Server flaws back in 2021, Murky Panda has effectively focused its attacks on a range of sectors, including governmental, technological, academic, legal, and professional services throughout North America. In March, Microsoft reported a shift in the group’s tactics, noting a clear move towards the information technology (IT) supply chain as a means to infiltrate corporate networks.
Tactics and Infection Pathways
Like many other state-sponsored hacking outfits, Murky Panda uses internet-facing appliances as entry points and has also been suspected of breaching small office and home office (SOHO) devices. This strategy allows them to mask their activities while operating inside the target country.
The group has exploited identified security flaws, notably in Citrix NetScaler ADC and Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928). Once initial access is secured, they deploy web shells like neo-reGeorg for persistence and ultimately introduce a custom malware variant named CloudedHope.
Understanding CloudedHope
CloudedHope is a 64-bit ELF binary written in Go that serves as a rudimentary remote access tool (RAT). The malware is engineered to evade detection, incorporating anti-analysis measures such as modifying timestamps and removing evidence of its presence from affected systems.
Another striking characteristic of Murky Panda’s operations is their exploitation of trusted relationships between partner organizations to leverage cloud services. For instance, in late 2024, the group allegedly compromised a North American entity’s supplier. They utilized the supplier’s administrative access to add a backdoor Entra ID account, thereby facilitating unauthorized access to emails, showcasing their targeted approach.
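The supplier-administrator pattern described above leaves a footprint in the tenant's audit log: a privileged action (a user creation, a role assignment) initiated by an identity that belongs to a partner tenant rather than the victim's own. The following detection script is an added example written for this article, not code from CrowdStrike or from the report; the event records are constructed, and their field names are modelled on the Entra ID audit-log schema (an assumption about the exact layout a SIEM export would carry), with `example.com` standing in for the monitored tenant's domain.

```python
"""Flag sensitive Entra ID directory changes initiated by external (partner/guest) identities.

Added example for illustration. SAMPLE_EVENTS is constructed data; field names are
modelled on the Entra ID audit-log schema (assumption), and TENANT_DOMAIN is a placeholder.
"""
from __future__ import annotations

TENANT_DOMAIN = "example.com"  # assumption: primary domain of the monitored tenant

# Directory changes that create or elevate access; an external actor doing these is rare and high-impact.
SENSITIVE_ACTIVITIES = {"Add user", "Add member to role", "Add service principal", "Add application"}

# Constructed sample audit events (not real data). B2B guest identities carry "#EXT#" in their UPN.
SAMPLE_EVENTS = [
    {   # partner admin creates a new account in the victim tenant
        "activityDisplayName": "Add user",
        "initiatedBy": {"user": {"userPrincipalName": "admin_partner.example#EXT#@example.onmicrosoft.com"}},
        "targetResources": [{"userPrincipalName": "svc-mailsync@example.com"}],
    },
    {   # ...and then grants it a privileged role
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "admin_partner.example#EXT#@example.onmicrosoft.com"}},
        "targetResources": [{"userPrincipalName": "svc-mailsync@example.com", "displayName": "Global Administrator"}],
    },
    {   # benign: internal IT admin onboarding a new hire
        "activityDisplayName": "Add user",
        "initiatedBy": {"user": {"userPrincipalName": "it.admin@example.com"}},
        "targetResources": [{"userPrincipalName": "new.hire@example.com"}],
    },
    {   # external actor, but a low-impact activity outside the watch list
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk_msp.example#EXT#@example.onmicrosoft.com"}},
        "targetResources": [{"userPrincipalName": "someone@example.com"}],
    },
]


def is_external_identity(upn: str, tenant_domain: str = TENANT_DOMAIN) -> bool:
    """True if the actor is a B2B guest ('#EXT#') or signs in from a domain other than the tenant's."""
    if "#EXT#" in upn:
        return True
    domain = upn.rsplit("@", 1)[-1].lower()
    return domain != tenant_domain.lower()


def find_suspicious(events: list[dict], tenant_domain: str = TENANT_DOMAIN) -> list[dict]:
    """Return one finding per sensitive directory change performed by an external identity."""
    findings = []
    for ev in events:
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
        activity = ev.get("activityDisplayName", "")
        if activity in SENSITIVE_ACTIVITIES and is_external_identity(actor, tenant_domain):
            targets = [t.get("userPrincipalName") or t.get("displayName") for t in ev.get("targetResources", [])]
            findings.append({"actor": actor, "activity": activity, "targets": targets})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT external actor {f['actor']} performed '{f['activity']}' on {f['targets']}")
```

Two of the four constructed events trip the rule: the account creation and the role grant, both initiated by the guest identity. In practice the sensitive-activity list and the allowance for legitimately delegated partners are tuned per tenant; the point of the check is that partner access to the directory is itself a privilege worth alerting on, regardless of whether the partner's own credentials were stolen.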
Genesis Panda: Another Layer of Threat
Another China-linked group, Genesis Panda, has gained notoriety for similarly manipulating cloud services. Active since at least January 2024, Genesis Panda has engaged in widespread operations, impacting sectors such as financial services, telecommunications, and technology across multiple countries. The group appears to be positioning itself for future intelligence gathering, shows a consistent interest in cloud-hosted systems, and exploits a variety of web-facing vulnerabilities to gain entry.
Observations on Genesis Panda’s Operations
CrowdStrike noted that Genesis Panda regularly queries the Instance Metadata Service (IMDS) associated with cloud servers to extract credentials for lateral movement and to enumerate network configurations. They also utilize credentials seemingly obtained from compromised virtual machines, further entrenching their foothold within targeted cloud environments.
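IMDS credential harvesting of the kind described above has two well-understood controls: require session tokens for metadata access so that a simple GET cannot read role credentials, and keep the response hop limit at 1 so that containers or forwarded traffic on the host cannot reach the endpoint; on the detection side, a request to the credential path from a process that is not a known cloud agent is a strong signal. The script below is an added example, not part of the report; the instance inventory and the host egress log are both constructed, the metadata-option fields mirror the `MetadataOptions` structure returned by EC2's `DescribeInstances` (an assumption that readers would feed it real output), and the log line format and process allowlist are invented for the illustration.

```python
"""Audit IMDS exposure on cloud instances and flag credential-path requests in host egress logs.

Added example with constructed data only. Instance records mirror the EC2 DescribeInstances
MetadataOptions structure (assumption); the egress-log format and EXPECTED_CLIENTS are invented.
"""
import re

IMDS_ADDR = "169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed instance inventory (not real account data).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]


def audit_metadata_options(instances: list[dict]) -> dict[str, list[str]]:
    """Return {instance_id: [issues]} for instances whose IMDS settings widen credential exposure."""
    findings: dict[str, list[str]] = {}
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "disabled":
            continue  # metadata service off entirely: nothing to harvest
        issues = []
        if opts.get("HttpTokens") != "required":
            issues.append("token-less (IMDSv1) access allowed; set HttpTokens=required")
        if opts.get("HttpPutResponseHopLimit", 1) > 1:
            issues.append("hop limit > 1 lets containers/forwarded traffic reach IMDS; set it to 1")
        if issues:
            findings[inst["InstanceId"]] = issues
    return findings


# Constructed host egress log (invented format): "<pid> <process> <method> <url> token=<yes|no>"
SAMPLE_EGRESS_LOG = """\
1402 cloud-init GET http://169.254.169.254/latest/meta-data/instance-id token=yes
2210 python3 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ token=no
2210 python3 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role token=no
3031 aws GET http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role token=yes
"""

LOG_RE = re.compile(r"^(?P<pid>\d+) (?P<proc>\S+) (?P<method>\S+) (?P<url>\S+) token=(?P<token>yes|no)$")
EXPECTED_CLIENTS = {"cloud-init", "aws", "ssm-agent"}  # assumption: site-specific allowlist of legitimate IMDS clients


def detect_credential_harvesting(log_text: str, expected: set[str] = EXPECTED_CLIENTS) -> list[tuple[int, str, str]]:
    """Alert on credential-path IMDS requests that are token-less or come from an unexpected process."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or IMDS_ADDR not in m["url"] or CRED_PATH not in m["url"]:
            continue
        if m["token"] == "no" or m["proc"] not in expected:
            alerts.append((int(m["pid"]), m["proc"], m["url"]))
    return alerts


if __name__ == "__main__":
    for iid, issues in audit_metadata_options(SAMPLE_INSTANCES).items():
        print(f"{iid}: " + "; ".join(issues))
    for pid, proc, url in detect_credential_harvesting(SAMPLE_EGRESS_LOG):
        print(f"ALERT pid={pid} proc={proc} requested {url}")
```

On the constructed data, only `i-0aaa` is flagged (both settings are weak), and the two token-less requests from `python3` to the credential path are alerted while the `aws` CLI's tokened request is not. The audit half is what closes the door Genesis Panda walks through; the detection half is for hosts where the weaker setting cannot yet be changed.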
Glacial Panda Targets Telecommunications
The telecommunications sector has experienced a 130% surge in nation-state activity recently, primarily due to its treasure trove of valuable intelligence. Among the latest threats is Glacial Panda, a Chinese group focused on this industry.
Attack Mechanisms and Targets
Operating across several countries, including Japan, India, and the United States, Glacial Panda’s attacks are primarily directed at Linux systems prevalent in telecommunications, including outdated operating systems that support older technologies. The group employs known vulnerabilities and weak passwords to breach internet-facing servers and has also leveraged privilege escalation vulnerabilities, such as CVE-2016-5195 and CVE-2021-4034.
In addition to traditional hacking techniques, Glacial Panda uses living-off-the-land tactics. The group deploys trojanized OpenSSH components, tracked as ShieldSlide, that capture user sessions and authentication credentials. The backdoor also subverts authentication itself: it accepts a simple hardcoded password even for privileged accounts, so a login that should have failed succeeds without tripping the usual controls.
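A trojanized sshd is a replaced binary, so the cheapest defence is to know what the genuine one looks like and to keep that knowledge off the host. Package-manager verification (`rpm -V openssh-server`, `dpkg --verify openssh-server`) is the first thing to run, but it trusts a package database that lives on the same machine. The script below is an added example, not code from the report or from any vendor: it records SHA-256 digests and permission bits of the OpenSSH components into a baseline that should be stored elsewhere, then re-verifies the live files against it. The default paths are typical Linux locations (an assumption; adjust for the distribution), and `demo_tamper_detection` exercises the logic on constructed temporary files rather than real binaries.

```python
"""Out-of-band integrity baseline for OpenSSH components (sshd, ssh, sftp-server, PAM config).

Added example. DEFAULT_PATHS are typical Linux locations (assumption). Store the baseline JSON
off-host; an intruder who replaces sshd must not be able to rewrite the reference hashes too.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

DEFAULT_PATHS = [
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/usr/bin/ssh-keygen",
    "/usr/lib/openssh/sftp-server",
    "/etc/pam.d/sshd",
]


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Map each existing path to its digest, size and permission bits; absent files are skipped."""
    baseline = {}
    for p in map(Path, paths):
        if p.is_file():
            st = p.stat()
            baseline[str(p)] = {"sha256": sha256_file(p), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}
    return baseline


def verify_baseline(baseline: dict) -> dict:
    """Return {path: 'ok' | 'modified' | 'missing'} by comparing live files with the stored baseline."""
    status = {}
    for path, ref in baseline.items():
        p = Path(path)
        if not p.is_file():
            status[path] = "missing"
        elif sha256_file(p) != ref["sha256"] or oct(p.stat().st_mode & 0o7777) != ref["mode"]:
            status[path] = "modified"  # content swapped or permissions changed (e.g. a setuid bit added)
        else:
            status[path] = "ok"
    return status


def demo_tamper_detection() -> dict:
    """Constructed demonstration: baseline three fake files, then replace one and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"sshd": b"original sshd bytes", "ssh": b"original ssh bytes", "sftp-server": b"sftp"}
        for name, data in files.items():
            (root / name).write_bytes(data)
        baseline = build_baseline(root / n for n in files)
        (root / "sshd").write_bytes(b"replaced sshd bytes")  # simulated binary replacement
        (root / "sftp-server").unlink()                       # simulated removal
        return {Path(k).name: v for k, v in verify_baseline(baseline).items()}


if __name__ == "__main__":
    # usage: script.py baseline.json            -> write a fresh baseline
    #        script.py baseline.json --verify   -> compare live files with the stored baseline
    if len(sys.argv) >= 3 and sys.argv[2] == "--verify":
        stored = json.loads(Path(sys.argv[1]).read_text())
        for path, state in verify_baseline(stored).items():
            print(f"{state:9} {path}")
    elif len(sys.argv) == 2:
        Path(sys.argv[1]).write_text(json.dumps(build_baseline(DEFAULT_PATHS), indent=2))
    else:
        print(demo_tamper_detection())
```

The baseline records permission bits as well as content because a swapped component is not the only change worth noticing; a mode change on `sshd` or its PAM configuration is equally out of place. Run the baseline step from a known-good image, keep the JSON somewhere the host cannot write to, and schedule the verify step from outside the host where possible.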
The Evolving Landscape of Cyber Threats
As cybersecurity researchers continue to monitor these evolving threats, it becomes clear that Chinese hacking groups are advancing in their capabilities, particularly in exploiting and navigating cloud environments. Their dedication to stealth and persistence allows them to maintain access and conduct covert data harvesting across sectors, posing an increasing challenge to global cybersecurity measures.