Murky Panda Abuses Trusted-Relationship in Cloud Attacks and Zero-Day Exploits for Espionage
Murky Panda (also tracked as Silk Typhoon) has been active since at least 2023, with CrowdStrike reporting a surge in activity beginning in late 2024. The group is assessed as China-nexus and has pursued “high-profile targets” across North America, with victim sectors including government, education, legal, professional services, and technology. The adversary is motivated by intelligence collection, with operations centered on the exfiltration of sensitive emails and documents from compromised environments. CrowdStrike warns that “The adversary has leveraged trusted-relationship compromises in the cloud and demonstrated a high level of operations security (OPSEC), including modifying timestamps and deleting indicators of their presence in victim environments to avoid detection and hinder attribution efforts.” Beyond traditional tradecraft, Murky Panda’s activity extends to exploiting zero-days and leveraging cloud access, increasing the severity of their campaigns.
Murky Panda commonly gains initial access through internet-facing appliances, with CrowdStrike attributing the exploitation of CVE-2023-3519 in Citrix to the group. Post-compromise, the adversary deploys web shells such as “Neo-reGeorg” to establish persistence and facilitate command execution. A custom malware dubbed “CloudedHope” has also been linked to the group; the malware, developed in Golang and designed for Linux systems, provides remote access functionality while incorporating anti-analysis measures. According to CrowdStrike, “MURKY PANDA has likely used compromised SOHO devices geolocated in a given targeted country as their operations’ final exit nodes,” making malicious traffic appear local to victims. Once inside, Murky Panda has employed web shells, “CloudedHope,” and remote desktop protocol (RDP) sessions to support lateral movement.
The adversary’s operations in cloud environments are especially concerning, as CrowdStrike emphasizes that “Due to the activity’s rarity, this initial access vector to a victim's cloud environment remains relatively undermonitored compared to more prominent initial access vectors such as valid cloud accounts and exploiting public-facing applications.” Murky Panda has exploited zero-day vulnerabilities in SaaS applications on at least two occasions, using these compromises to move laterally into downstream customer environments. One intrusion involved the theft of application registration secrets, which the adversary leveraged to authenticate as service principals and gain access to victim data, including emails. In another case, exploitation of a cloud solution provider’s delegated administrative privileges (DAP) enabled Murky Panda to create new accounts, assign them to privileged groups, and insert additional secrets into service principals. These actions provided persistence and broadened access across multiple tenants, showing the group’s ability to abuse trusted cloud relationships.
CrowdStrike’s hunting recommendations emphasize the need to monitor activity patterns consistent with Murky Panda’s tactics. Potential indicators include inconsistent application access, abnormal sign-ins from unusual networks, and deviations in service principal activity from expected behavior. The combination of strong OPSEC measures, zero-day exploitation, and cloud-focused intrusion techniques reflects Murky Panda’s capability to maintain access and exfiltrate valuable intelligence. Their ongoing operations remain a significant threat to organizations in targeted sectors, particularly those with extensive reliance on cloud infrastructure.
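The hunting guidance above, and the cloud tradecraft described in the preceding paragraph (adding secrets to service principals, creating accounts through a provider's delegated privileges and placing them in privileged groups), can be turned into concrete checks. The following is an added example, not CrowdStrike's code or tooling: it runs three detections over constructed, simplified sign-in and audit records whose field names (`principal`, `asn`, `actor_tenant`, `activity`, `role`) are an assumed stand-in for a real identity provider's log schema, not an exact one. Thresholds and the privileged-role list are assumptions to be tuned per tenant.

```python
"""Hunting for trusted-relationship abuse in cloud identity logs.

Three checks, mirroring the indicators in the text:
  1. service-principal sign-ins from a network (ASN) never seen for that
     principal during a learning period ("deviation from expected behavior");
  2. new credentials added to a service principal by a foreign-tenant actor
     or by an account created only hours earlier;
  3. privileged-role assignments to freshly created accounts, or made by an
     actor from another tenant (delegated-admin abuse).
Log schema, sample data and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of roles worth alerting on; tune for your tenant.
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "Cloud Application Administrator",
}

# Constructed sample sign-in records for a service principal (not real data).
SIGNINS = [
    {"ts": "2025-01-10T09:00:00", "principal": "sp-backup-agent", "ip": "203.0.113.10", "asn": "AS64500"},
    {"ts": "2025-01-11T09:00:00", "principal": "sp-backup-agent", "ip": "203.0.113.11", "asn": "AS64500"},
    {"ts": "2025-01-12T03:14:00", "principal": "sp-backup-agent", "ip": "198.51.100.7", "asn": "AS64501"},
]

# Constructed sample audit records (not real data). "partner" plays the role of
# a cloud solution provider acting through delegated administrative privileges.
AUDIT = [
    {"ts": "2025-01-12T02:50:00", "activity": "Add user", "actor": "admin@partner.example",
     "actor_tenant": "partner", "target": "svc-sync@victim.example"},
    {"ts": "2025-01-12T02:52:00", "activity": "Add member to role", "actor": "admin@partner.example",
     "actor_tenant": "partner", "target": "svc-sync@victim.example", "role": "Global Administrator"},
    {"ts": "2025-01-12T03:05:00", "activity": "Add service principal credentials", "actor": "svc-sync@victim.example",
     "actor_tenant": "victim", "target": "sp-backup-agent"},
    {"ts": "2025-01-05T10:00:00", "activity": "Add member to role", "actor": "it-ops@victim.example",
     "actor_tenant": "victim", "target": "jane@victim.example", "role": "Helpdesk Administrator"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def anomalous_sp_signins(signins, cutoff):
    """Sign-ins at/after `cutoff` whose ASN was never seen for that principal
    during the learning period before `cutoff`."""
    cutoff = datetime.fromisoformat(cutoff)
    baseline = defaultdict(set)
    for ev in signins:
        if _ts(ev) < cutoff:
            baseline[ev["principal"]].add(ev["asn"])
    return [ev for ev in signins
            if _ts(ev) >= cutoff and ev["asn"] not in baseline[ev["principal"]]]


def _creation_times(audit):
    """Map account -> time it was created, from 'Add user' events."""
    return {ev["target"]: _ts(ev) for ev in audit if ev["activity"] == "Add user"}


def _is_recent(created, when, window):
    return created is not None and timedelta(0) <= when - created <= window


def suspicious_sp_credential_adds(audit, home_tenant, window=timedelta(hours=24)):
    """Service-principal secrets added by a foreign-tenant actor or by an
    account created within `window` before the change."""
    created = _creation_times(audit)
    findings = []
    for ev in audit:
        if ev["activity"] != "Add service principal credentials":
            continue
        foreign = ev["actor_tenant"] != home_tenant
        recent = _is_recent(created.get(ev["actor"]), _ts(ev), window)
        if foreign or recent:
            reason = "foreign-tenant actor" if foreign else "recently created actor"
            findings.append({**ev, "reason": reason})
    return findings


def privileged_role_adds(audit, home_tenant, window=timedelta(hours=24)):
    """Privileged-role assignments where the actor is from another tenant or
    the target account was created within `window` before the assignment."""
    created = _creation_times(audit)
    return [ev for ev in audit
            if ev["activity"] == "Add member to role"
            and ev.get("role") in PRIVILEGED_ROLES
            and (ev["actor_tenant"] != home_tenant
                 or _is_recent(created.get(ev["target"]), _ts(ev), window))]


if __name__ == "__main__":
    for ev in anomalous_sp_signins(SIGNINS, "2025-01-12T00:00:00"):
        print("SP sign-in from new network:", ev["principal"], ev["ip"], ev["asn"])
    for ev in suspicious_sp_credential_adds(AUDIT, "victim"):
        print("SP credential added:", ev["target"], "by", ev["actor"], "-", ev["reason"])
    for ev in privileged_role_adds(AUDIT, "victim"):
        print("Privileged role granted:", ev["role"], "->", ev["target"], "by", ev["actor"])
```

On the constructed data the three checks chain into one story: a partner-tenant administrator creates `svc-sync`, makes it Global Administrator two minutes later, and that new account then adds a secret to `sp-backup-agent`, which subsequently signs in from an ASN it has never used. Each finding is weak on its own; correlating them on the target account and the service principal, within a short window, is what separates provider-driven administration from the abuse pattern the text describes.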