Murky Panda, a China-nexus adversary, moves laterally through cloud services to reach downstream customers.
In its recently released 2025 Threat Hunting Report, CrowdStrike highlighted a significant trend: a 136% increase in cloud intrusions. A substantial portion of this rise is attributed to “China-nexus adversaries,” including the group known as Murky Panda (also referred to as Silk Typhoon). Active since at least 2023, Murky Panda primarily targets government, technology, academia, legal, and professional services sectors in North America, aiming to steal sensitive information. The group is notorious for exploiting n-day and zero-day vulnerabilities in internet-facing appliances for initial access, such as CVE-2023-3519, which affects Citrix NetScaler ADC and Gateway. They deploy webshells like Neo-reGeorg on compromised systems and utilise CloudedHope, a custom Linux malware with remote access capabilities. Additionally, they leverage compromised SOHO devices geolocated in the target countries as final exit nodes, making their attacks appear to originate locally.
CrowdStrike’s analysis revealed that Murky Panda has successfully exploited zero-day vulnerabilities to gain initial access to Software-as-a-Service (SaaS) providers’ cloud environments. Following these compromises, the group assessed the logic of the affected SaaS environments, allowing them to move laterally to downstream customers. In one instance, a SaaS provider victim was using Entra ID to manage access to its customers’ data. Murky Panda likely obtained access to the SaaS provider’s application registration secret, which enabled them to authenticate as service principals and log into downstream customers’ environments. This intrusion aligns with the February 2025 breach of Commvault’s Microsoft Azure cloud environment, which affected the M365 environments of their customers. In another case, Murky Panda compromised a Microsoft cloud solution provider with cross-tenant access to a downstream customer through Delegated Administrative Privileges (DAP). They exploited this access, along with Global Administrator privileges, to create a new user in the downstream victim’s tenant, granting them Application Administrator privileges and allowing them to add secrets to existing service principals.
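The chain described above (a newly created user granted Application Administrator, then secrets added to existing service principals) leaves a recognisable trail in Entra ID audit logs. The following detection logic is an added example, not code from CrowdStrike or the original article; it runs over constructed, simplified audit records whose field names and activity labels are assumptions modelled on Entra ID audit-log entries.

```python
"""Flag users who were created, given a privileged application role, and then
added credentials to service principals, the Murky Panda pattern above."""
from collections import defaultdict

# Constructed sample records (not real log data). Fields are a simplified
# stand-in for Entra ID audit-log activityDisplayName / initiatedBy / target.
SAMPLE_AUDIT_LOG = [
    {"time": "2025-02-10T09:01:00Z", "activity": "Add user",
     "actor": "ga@partner.example", "target": "svc-ops@victim.example"},
    {"time": "2025-02-10T09:02:00Z", "activity": "Add member to role",
     "actor": "ga@partner.example", "target": "svc-ops@victim.example",
     "role": "Application Administrator"},
    {"time": "2025-02-10T09:05:00Z", "activity": "Add service principal credentials",
     "actor": "svc-ops@victim.example", "target": "Backup Connector"},
    {"time": "2025-02-10T09:06:00Z", "activity": "Add service principal credentials",
     "actor": "svc-ops@victim.example", "target": "Mail Sync"},
    # Routine rotation by a long-standing admin: should not be flagged.
    {"time": "2025-02-11T14:00:00Z", "activity": "Add service principal credentials",
     "actor": "admin@victim.example", "target": "HR Portal"},
]

# Roles that permit adding secrets to application/service principal objects.
PRIV_APP_ROLES = {"Application Administrator",
                  "Cloud Application Administrator",
                  "Global Administrator"}


def find_suspicious_chains(records):
    """Return {actor: [service principals]} for actors that were both created
    and elevated within the log window before adding SP credentials."""
    created, elevated = set(), set()
    creds_by_actor = defaultdict(list)
    # Process in time order so creation/elevation precede the credential add.
    for rec in sorted(records, key=lambda r: r["time"]):
        act = rec["activity"]
        if act == "Add user":
            created.add(rec["target"])
        elif act == "Add member to role" and rec.get("role") in PRIV_APP_ROLES:
            elevated.add(rec["target"])
        elif act == "Add service principal credentials":
            actor = rec["actor"]
            if actor in created and actor in elevated:
                creds_by_actor[actor].append(rec["target"])
    return dict(creds_by_actor)


if __name__ == "__main__":
    for actor, sps in find_suspicious_chains(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT: {actor} was created, elevated, then added secrets to {sps}")
```

In a real deployment the same logic would be expressed as a KQL or SIEM query over the tenant's audit log, with the creating actor's tenant (partner via DAP versus local) as an additional signal.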
Categories: Cybersecurity Threats, Cloud Intrusions, Malware Tactics
Tags: Cloud Intrusions, China-nexus Adversaries, Murky Panda, Vulnerabilities, Webshells, CloudedHope, SaaS Providers, Lateral Movement, Entra ID, Microsoft Azure