The Chinese cyber espionage group Murky Panda, also known as Silk Typhoon, is now using a new tactic of exploiting trusted cloud relationships to breach enterprise networks. They achieve initial access by exploiting vulnerabilities in internet-facing appliances and then use their custom malware, CloudedHope, to maintain a covert presence for intelligence gathering.
A sophisticated Chinese cyber espionage group, Murky Panda, is gaining attention from cybersecurity researchers for its advanced and evolving tactics. Known to some as Silk Typhoon, the group has a history of high-profile attacks, most notably the zero-day exploitation of Microsoft Exchange Server flaws in 2021. Their operations are primarily focused on intelligence gathering and target a wide array of entities in North America, including government, technology, academic, legal, and professional services sectors. What sets Murky Panda apart is their ability to rapidly weaponize both new (zero-day) and existing (N-day) vulnerabilities, using them to achieve initial access to their targets.
Murky Panda’s methods for initial access are varied and opportunistic. They frequently target internet-facing appliances and show a clear preference for known security flaws in devices such as Citrix NetScaler ADC (CVE-2023-3519) and Commvault (CVE-2025-3928). Once inside a network, they often deploy web shells, such as neo-reGeorg, to establish a foothold and maintain persistence. In some cases, the group uses compromised small office/home office (SOHO) devices in the targeted country as exit nodes. This tactic helps them evade detection by making their malicious traffic appear to originate from a trusted, domestic source, complicating forensic analysis and attribution efforts.
A particularly alarming aspect of Murky Panda’s latest tradecraft is its focus on abusing trusted relationships within cloud ecosystems. Instead of directly attacking a target, the group may compromise a third-party supplier or partner organization that has administrative access to the victim’s cloud environment. By exploiting zero-day vulnerabilities in a SaaS provider’s cloud, they can then perform lateral movement to gain access to downstream victims. In one documented case, Murky Panda breached a supplier to a North American entity, using the supplier’s administrative privileges to create a temporary backdoor account in the victim’s Entra ID tenant. This allowed them to compromise pre-existing service principals to access sensitive data, such as emails.
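A defender-side check for the chain just described, added here as an example and not drawn from the original report: it scans a constructed set of Entra ID audit entries (field names simplified, and assumed to record the supplier’s delegated admin under the supplier’s own domain) for accounts created by an external actor, service principal credential additions made by such an account, and accounts deleted again within a short window.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified shape modelled on Entra ID audit
# log fields (activityDisplayName, initiatedBy, targetResources). This is an
# assumption for illustration, not a verbatim export.
TENANT_DOMAIN = "victim.example"  # assumed home domain of the monitored tenant
SAMPLE_LOG = [
    {"time": "2025-03-01T02:10:00", "activity": "Add user",
     "actor": "admin@supplier.example", "target": "svc-backup@victim.example"},
    {"time": "2025-03-01T02:12:00", "activity": "Add member to role",
     "actor": "admin@supplier.example", "target": "svc-backup@victim.example"},
    {"time": "2025-03-01T02:20:00", "activity": "Add service principal credentials",
     "actor": "svc-backup@victim.example", "target": "mail-sync-app"},
    {"time": "2025-03-01T03:05:00", "activity": "Delete user",
     "actor": "admin@supplier.example", "target": "svc-backup@victim.example"},
    {"time": "2025-03-01T09:00:00", "activity": "Add user",
     "actor": "hr@victim.example", "target": "new.hire@victim.example"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious(log, tenant_domain, window=timedelta(hours=24)):
    """Return findings for the supplier-abuse pattern: external actor creates an
    account, that account touches service principal credentials, and the account
    is removed again within `window` (a temporary backdoor)."""
    findings = []
    created = {}  # account -> creation time, for accounts created by external actors
    for e in sorted(log, key=lambda r: r["time"]):  # ISO timestamps sort as strings
        actor_domain = e["actor"].split("@")[-1]
        external = actor_domain != tenant_domain
        if e["activity"] == "Add user" and external:
            created[e["target"]] = parse(e["time"])
            findings.append(f"external actor {e['actor']} created {e['target']}")
        elif e["activity"] == "Add service principal credentials" and e["actor"] in created:
            findings.append(f"recently created {e['actor']} added credentials to {e['target']}")
        elif e["activity"] == "Delete user" and e["target"] in created:
            lifetime = parse(e["time"]) - created[e["target"]]
            if lifetime <= window:
                findings.append(f"{e['target']} existed only {lifetime}: temporary backdoor pattern")
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG, TENANT_DOMAIN):
        print(f)
```

The internal HR account creation is deliberately left unflagged so the check isolates actions taken through the partner relationship rather than all user provisioning.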
To facilitate their espionage, Murky Panda leverages a custom remote access tool (RAT) called CloudedHope. This 64-bit ELF binary is written in Golang, a programming language increasingly favored by malware developers for its cross-platform capabilities. CloudedHope isn’t just a simple RAT; it incorporates advanced anti-analysis and operational security (OPSEC) measures. For example, it can modify file timestamps and delete indicators of its presence to avoid detection by security tools and hinder the efforts of incident responders. This high level of OPSEC lets the group remain stealthy and persistent in its victims’ networks, prolonging its intelligence-gathering operations.
The activities of Murky Panda underscore a critical and evolving threat to modern enterprises. Organizations must move beyond traditional perimeter defenses and secure their entire digital supply chain, including their relationships with third-party vendors and cloud service providers. The shift in tactics from exploiting internet-facing appliances to abusing cloud trust relationships means that businesses need to re-evaluate their security posture. Stronger identity and access management controls, regular auditing of third-party cloud access, and continuous monitoring for unusual activity are essential. This proactive approach is vital to defend against sophisticated adversaries like Murky Panda, who are constantly adapting their methods to bypass security measures and achieve their intelligence-driven objectives.