China-linked Murky Panda targets and moves laterally through cloud services

In its recently released 2025 Threat Hunting Report, CrowdStrike pointed out an interesting trend: a 136% surge in cloud intrusions. A good chunk of this surge is attributed to “China-nexus adversaries”, Murky Panda (aka Silk Typhoon) among them.

Murky Panda’s modus operandi

The group has been active since at least 2023, and is primarily focused on breaching government, technology, academia, legal, and professional services entities in North America and stealing sensitive information from them.

The group is known for:

  • Leveraging n-day and zero-day vulnerabilities in internet-facing appliances for initial access (e.g., CVE-2023-3519, affecting Citrix NetScaler ADC and Gateway, and CVE-2025-3928, affecting Commvault’s backup platform)
  • Deploying webshells (such as Neo-reGeorg) on compromised systems
  • Using CloudedHope, custom Linux malware with remote access functionality
  • Using compromised SOHO devices geolocated in the countries of the targets as final exit nodes, making attacks appear to originate locally

But, crucially, they also have a penchant for compromising cloud environments and using the trusted relationships within/between them to reach their intended victims.

Hopping through the cloud(s)

“In at least two cases analyzed by CrowdStrike, Murky Panda exploited zero-day vulnerabilities to achieve initial access to software-as-a-service (SaaS) providers’ cloud environments. Following the compromise, [the group] determined the compromised SaaS cloud environments’ logic, enabling them to leverage their access to that software to move laterally to downstream customers,” CrowdStrike researchers noted.

“At least one SaaS provider victim was using Entra ID to manage its SaaS application’s access to its downstream customers’ data. In this intrusion, Murky Panda almost certainly obtained access to the SaaS provider’s application registration secret, which the adversary then leveraged to authenticate as the service principals of that application and log into downstream customers’ environments. Next, leveraging their control over those service principals, Murky Panda accessed emails at the downstream customers.”

The researchers did not name the provider, though their description seems to fit the February 2025 breach of Commvault’s Microsoft Azure cloud environment and, through it, the Microsoft 365 environments of Commvault’s customers.

In another intrusion, Murky Panda compromised a Microsoft cloud solution provider (CSP) that had cross-tenant access to a downstream customer via delegated administrative privileges (DAP).

Using that access, the Global Administrator privileges it conferred, and a compromised high-privileged user account, the group created a new user in the downstream victim’s tenant and added it to several preexisting groups.

“One of those preexisting groups granted the backdoor user Application Administrator privileges, allowing Murky Panda to add secrets to preexisting service principals. With control over those newly added secrets, [the threat actor] successfully authenticated as those service principals, thereby escalating their privileges to those of the backdoored service principals.”

With those privileges, the group was able to read emails and add secrets to application registrations and service principals (for added persistence).
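Both intrusions described above leave the same footprint in the downstream tenant’s Entra ID audit log: an account is created, it is placed in a group that carries a privileged role, and a secret is added to an existing application registration or service principal. The following is an added example of how a defender could triage an exported audit log for that sequence; it is not code from CrowdStrike or from the article, the log records are constructed for illustration, and the activity names and JSON field layout are assumptions that should be checked against your own tenant’s export before use.

```python
import json
from datetime import datetime, timedelta

# Entra ID audit-log activity names that correspond to the steps described
# above. Assumed for illustration: confirm them against a real export.
CHAIN_STAGES = {
    "Add user": "account creation",
    "Add member to group": "group membership change",
    "Add service principal credentials": "credential added to service principal",
    "Update application – Certificates and secrets management":
        "credential added to app registration",
}

# Constructed sample records (not real telemetry) in a simplified version of
# the Entra audit-log JSON shape: activityDisplayName, activityDateTime,
# initiatedBy.user.userPrincipalName and targetResources[].displayName.
SAMPLE_AUDIT_LOG = json.loads(r"""
[
 {"activityDateTime": "2025-02-10T03:12:04Z", "activityDisplayName": "Add user",
  "initiatedBy": {"user": {"userPrincipalName": "csp-admin@partner.example"}},
  "targetResources": [{"displayName": "svc-backup-sync"}]},
 {"activityDateTime": "2025-02-10T03:13:40Z", "activityDisplayName": "Add member to group",
  "initiatedBy": {"user": {"userPrincipalName": "csp-admin@partner.example"}},
  "targetResources": [{"displayName": "svc-backup-sync"}, {"displayName": "App Admins"}]},
 {"activityDateTime": "2025-02-10T03:21:09Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "svc-backup-sync@victim.example"}},
  "targetResources": [{"displayName": "Mail Archiver"}]},
 {"activityDateTime": "2025-02-10T09:02:15Z", "activityDisplayName": "Add member to group",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@victim.example"}},
  "targetResources": [{"displayName": "jdoe"}, {"displayName": "Sales"}]}
]
""")


def parse(rec):
    """Flatten one audit record into the few fields the triage needs."""
    actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<app>")
    return {
        "time": datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00")),
        "activity": rec["activityDisplayName"],
        "actor": actor,
        "targets": [t.get("displayName", "") for t in rec.get("targetResources", [])],
    }


def credential_additions(records):
    """Every secret/certificate added to an app registration or service
    principal, regardless of who did it: the persistence step worth reviewing
    one by one. Returns (actor, target) pairs."""
    return [
        (e["actor"], e["targets"][0] if e["targets"] else "")
        for e in map(parse, records)
        if CHAIN_STAGES.get(e["activity"], "").startswith("credential added")
    ]


def find_backdoor_chains(records, window=timedelta(hours=24)):
    """For each account creation, collect later chain-stage events within
    `window` that were initiated either by the same actor or by the newly
    created account itself (the hop from backdoor user to service principal).
    A chain is reported when at least two distinct stages are present."""
    events = sorted(map(parse, records), key=lambda e: e["time"])
    chains = []
    for ev in events:
        if ev["activity"] != "Add user":
            continue
        new_account = ev["targets"][0] if ev["targets"] else ""
        related = [ev]
        for later in events:
            if not (ev["time"] < later["time"] <= ev["time"] + window):
                continue
            if later["activity"] not in CHAIN_STAGES:
                continue
            same_actor = later["actor"] == ev["actor"]
            by_new_account = bool(new_account) and later["actor"].split("@")[0] == new_account
            if same_actor or by_new_account:
                related.append(later)
        stages = {CHAIN_STAGES[e["activity"]] for e in related}
        if len(stages) >= 2:
            chains.append({"creator": ev["actor"], "account": new_account,
                           "stages": stages, "events": related})
    return chains


if __name__ == "__main__":
    for chain in find_backdoor_chains(SAMPLE_AUDIT_LOG):
        print(f"{chain['creator']} created {chain['account']}; stages: {sorted(chain['stages'])}")
        for e in chain["events"]:
            print(f"  {e['time']:%Y-%m-%d %H:%M} {e['actor']:<32} {e['activity']} -> {e['targets']}")
    print("credential additions:", credential_additions(SAMPLE_AUDIT_LOG))
```

On the constructed sample the triage links the CSP-initiated account creation and group change to the secret the new account later adds to the “Mail Archiver” service principal, while the helpdesk’s routine group change is left alone. In practice the interesting cases are exactly those where the actor is a partner or application identity rather than a tenant user, so the actor field (and, for DAP, the cross-tenant origin of the session) is what to pivot on next.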

“Murky Panda is currently one of a few tracked adversaries that conduct trusted-relationship compromises in the cloud. Due to the activity’s rarity, this initial access vector to a victim’s cloud environment remains relatively undermonitored compared to more prominent initial access vectors such as valid cloud accounts and exploiting public-facing applications,” CrowdStrike researchers noted, and shared defense recommendations for organizations that rely heavily on cloud environments.
