Chinese hacker groups Murky, Genesis, and Glacial Panda targeting cloud computing and telecommunications
Cybersecurity researchers have raised alarms about the malicious activities of a China-nexus cyber espionage group known as Murky Panda, which exploits trusted relationships in the cloud to infiltrate enterprise networks. According to a report by CrowdStrike, this adversary has demonstrated a significant capability to rapidly weaponise N-day and zero-day vulnerabilities, often gaining initial access to targets by exploiting internet-facing appliances. Murky Panda, also referred to as Silk Typhoon (formerly Hafnium), gained notoriety for its zero-day exploitation of Microsoft Exchange Server vulnerabilities in 2021. The group has targeted a range of sectors, including government, technology, academia, legal, and professional services across North America. In March, Microsoft highlighted a shift in Murky Panda’s tactics, noting its focus on the information technology supply chain to gain access to corporate networks, with operations primarily driven by intelligence gathering.
Murky Panda’s methods include the exploitation of internet-facing appliances and the compromise of small office/home office (SOHO) devices located in the targeted country, which serve as exit nodes to evade detection. The group has also exploited known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928). Initial access allows the deployment of web shells like neo-reGeorg, ultimately leading to the installation of a custom malware called CloudedHope. This 64-bit ELF binary, written in Golang, functions as a basic remote access tool (RAT) while employing anti-analysis and operational security measures to conceal its presence. A notable aspect of Murky Panda’s operations is its abuse of trusted relationships between partner organisations and their cloud tenants, using zero-day vulnerabilities to breach software-as-a-service (SaaS) providers’ environments. In a specific instance observed in late 2024, the group compromised a supplier of a North American entity, leveraging administrative access to add a temporary backdoor Entra ID account, which facilitated further access to emails and Active Directory management.
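The temporary backdoor-account pattern described above lends itself to a simple audit-log check. The following is an added example, not code from the article or from CrowdStrike: it runs over constructed, simplified records (the field names, domains and account names are assumptions, not the real Entra ID audit schema) and flags accounts created by a partner-tenant principal that were then granted a directory role or deleted again within a short window.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit records (not real Entra ID log output).
# Each record: timestamp, operation, the principal that performed it,
# and the account it acted on.
SAMPLE_EVENTS = [
    {"ts": "2024-11-02T01:10:00", "op": "Add user",
     "actor": "admin@partner-msp.example", "target": "svc-sync@victim.example"},
    {"ts": "2024-11-02T01:12:00", "op": "Add member to role",
     "actor": "admin@partner-msp.example", "target": "svc-sync@victim.example"},
    {"ts": "2024-11-02T03:40:00", "op": "Delete user",
     "actor": "admin@partner-msp.example", "target": "svc-sync@victim.example"},
    {"ts": "2024-11-03T09:00:00", "op": "Add user",
     "actor": "hr-admin@victim.example", "target": "new.hire@victim.example"},
]


def flag_partner_created_accounts(events, partner_domains, max_lifetime_hours=24):
    """Return {account: [reasons]} for accounts created by a principal from a
    partner tenant that were then given a directory role or deleted again
    within max_lifetime_hours (a short-lived, partner-created admin account)."""
    created = {}    # target account -> (creation time, creating actor)
    findings = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(e["ts"])
        actor_domain = e["actor"].split("@")[-1].lower()
        if e["op"] == "Add user" and actor_domain in partner_domains:
            created[e["target"]] = (ts, e["actor"])
            continue
        if e["target"] not in created:
            continue  # only follow accounts a partner principal created
        born, _creator = created[e["target"]]
        if e["op"] == "Add member to role":
            findings.setdefault(e["target"], set()).add("role_assigned")
        elif e["op"] == "Delete user" and ts - born <= timedelta(hours=max_lifetime_hours):
            findings.setdefault(e["target"], set()).add("short_lived")
    return {account: sorted(reasons) for account, reasons in findings.items()}


if __name__ == "__main__":
    # Assumed partner domain; in practice take it from the tenant's partner list.
    print(flag_partner_created_accounts(SAMPLE_EVENTS, {"partner-msp.example"}))
```

In a real deployment the partner domain set comes from the tenant's delegated-administration relationships, and the records from the directory audit log export.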