Chinese Cyber Espionage Groups Intensify Attacks on Cloud and Telecom Sectors

Recent analyses by cybersecurity researchers document a surge in activity by Chinese cyber espionage groups, notably Murky Panda, Genesis Panda, and Glacial Panda. These groups exploit vulnerabilities in cloud infrastructure and telecommunications networks to infiltrate enterprise systems and exfiltrate sensitive data.

Murky Panda’s Advanced Tactics

Murky Panda, also known as Silk Typhoon (formerly Hafnium), has demonstrated a sophisticated ability to rapidly weaponize both N-day and zero-day vulnerabilities. The group frequently gains initial access by exploiting internet-facing appliances, targeting sectors such as government, technology, academia, legal, and professional services in North America.

In March 2025, Microsoft highlighted Murky Panda’s strategic shift towards compromising the information technology (IT) supply chain to gain initial access to corporate networks. This approach underscores the group’s focus on intelligence gathering.

Murky Panda employs various methods to achieve initial access, including:

– Exploiting Internet-Facing Appliances: The group targets vulnerabilities in edge devices exposed to the internet, where patching lags and endpoint telemetry is usually absent.

– Compromising SOHO Devices: By infiltrating small office/home office devices located within the target country, Murky Panda builds a pool of exit nodes and routes its traffic through them, so that connections appear to originate from domestic residential or small-business addresses rather than from a foreign network.

– Leveraging Known Vulnerabilities: The group exploits security flaws in products such as Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928).

Upon gaining access, Murky Panda deploys web shells such as neo-reGeorg (a tunneling web shell that proxies traffic through the compromised host) to maintain persistence and introduces custom malware such as CloudedHope. CloudedHope, a 64-bit ELF binary written in Golang, functions as a remote access tool (RAT) with anti-analysis and operational security (OPSEC) features, including timestomping (altering file timestamps) and deletion of on-host indicators to remain undetected.

A notable aspect of Murky Panda’s operations is the exploitation of trusted relationships between partner organizations and their cloud tenants. By leveraging zero-day vulnerabilities, the group breaches software-as-a-service (SaaS) providers’ cloud environments, facilitating lateral movement to downstream victims.

In late 2024, Murky Panda compromised a supplier of a North American entity. Using the supplier's administrative access to the victim's Entra ID tenant, the group added a temporary backdoor Entra ID account. This account was then used to backdoor several existing Entra ID service principals related to Active Directory management and email, indicating a targeted focus on accessing email communications. Because the new credentials were attached to principals the victim already trusted, the access survived removal of the temporary account.
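One way to hunt for the pattern described above in a tenant's own audit trail, as an added example that is not part of the original report or of any vendor tooling: an account is created, and shortly afterwards that same account adds a credential to existing service principals. The script below works over Entra ID directory audit records (the field and activity names are those of the Microsoft Graph directoryAudits schema); the sample events are constructed for illustration, and "backdooring" a service principal is assumed here to mean adding a secret or certificate to it.

```python
"""Detect Entra ID service principals backdoored by a recently created account.

Added example. The audit records below are constructed, but use the field names
and activity names found in Entra ID directory audit logs (Microsoft Graph
/auditLogs/directoryAudits). Backdooring a service principal is assumed to mean
adding a credential (secret or certificate) to it.
"""
from datetime import datetime, timedelta

USER_CREATED = "Add user"
# Operations that attach a credential to an application / service principal.
SP_CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}


def _when(event):
    return datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))


def _actor(event):
    who = event.get("initiatedBy", {})
    user = who.get("user") or {}
    app = who.get("app") or {}
    return (user.get("userPrincipalName") or app.get("displayName") or "unknown").lower()


def find_backdoored_service_principals(events, max_account_age=timedelta(days=30)):
    """Return findings for successful credential additions to service principals or
    applications performed by an account that was itself created within max_account_age."""
    created_at = {}
    for e in events:
        if e["activityDisplayName"] != USER_CREATED:
            continue
        for t in e.get("targetResources", []):
            if t.get("type") == "User" and t.get("userPrincipalName"):
                created_at[t["userPrincipalName"].lower()] = _when(e)

    findings = []
    for e in sorted(events, key=_when):
        if e["activityDisplayName"] not in SP_CREDENTIAL_OPS or e.get("result") != "success":
            continue
        actor = _actor(e)
        born = created_at.get(actor)
        if born is None:
            continue                      # long-lived admin: outside this rule's scope
        age = _when(e) - born
        if not (timedelta(0) <= age <= max_account_age):
            continue
        targets = [t["displayName"] for t in e.get("targetResources", [])
                   if t.get("type") in ("ServicePrincipal", "Application")]
        findings.append({
            "actor": actor,
            "account_age_hours": round(age.total_seconds() / 3600, 1),
            "operation": e["activityDisplayName"],
            "targets": targets,
            "at": e["activityDateTime"],
        })
    return findings


# Constructed sample: a supplier admin creates a temporary account, which then adds
# credentials to two existing principals; a long-standing admin's key rotation is benign.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-11-03T01:12:00Z", "activityDisplayName": "Add user",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@supplier.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "svc-sync@victim.example",
                          "displayName": "svc-sync"}]},
    {"activityDateTime": "2024-11-03T02:05:00Z",
     "activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@victim.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "AD Connect Sync"}]},
    {"activityDateTime": "2024-11-03T02:09:00Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@victim.example"}},
     "targetResources": [{"type": "Application", "displayName": "Mailbox Archiver"}]},
    {"activityDateTime": "2024-11-04T09:00:00Z",
     "activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@victim.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Backup Agent"}]},
]

if __name__ == "__main__":
    for finding in find_backdoored_service_principals(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on account age rather than on a list of sensitive principals, so it also catches credentials added to principals nobody thought to watch; pair it with an inventory diff of service principal credentials (every `passwordCredentials` and `keyCredentials` entry, with its creation time) to catch additions made by accounts older than the window.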

Genesis Panda’s Cloud Exploitation

Genesis Panda, active since at least January 2024, has exhibited proficiency in manipulating cloud services for data exfiltration and expanding access. The group targets cloud service provider (CSP) accounts to establish persistent mechanisms and has been linked to high-volume operations against the financial services, media, telecommunications, and technology sectors across 11 countries. The primary objective appears to be enabling future intelligence collection activities.

The group's potential role as an initial access broker is suggested by the wide range of web-facing vulnerabilities it exploits and by the comparatively small volume of data it exfiltrates. Genesis Panda consistently queries the Instance Metadata Service (IMDS) of cloud-hosted servers (the link-local endpoint at 169.254.169.254 that hands a workload its IAM role or managed-identity credentials) to obtain credentials for the cloud control plane and to enumerate network and instance configurations. The group then uses those credentials, likely obtained from compromised virtual machines (VMs), from outside the VM to deepen access into the target's cloud account.
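The IMDS abuse described above leaves two traces in AWS CloudTrail that a detection engineer can work with, shown here as an added example rather than anything from the original report: the `ec2RoleDelivery` field in `userIdentity.sessionContext` records whether instance-role credentials were fetched with IMDSv1 (`"1.0"`, reachable by any SSRF or local process with no session token) or IMDSv2 (`"2.0"`), and the session name of instance-profile credentials is the instance ID, so an API call made with those credentials from an address the instance does not own is what credential theft from a VM looks like. The events and the instance-to-IP inventory below are constructed; on a real account the inventory would come from `DescribeInstances` or a CMDB.

```python
"""Triage CloudTrail records for instance-role credentials obtained through IMDS.

Added example, not part of the original report. Two signals are checked:
  - ec2RoleDelivery == "1.0": credentials were issued over IMDSv1;
  - the call originates from an IP the instance does not own and that is not in a
    trusted egress range, i.e. the credentials were likely lifted off the VM.
The role session name of EC2 instance-profile credentials is the instance ID, which is
how each event is tied back to an instance. Sample events and inventory are constructed.
"""
import ipaddress


def _instance_id(event):
    principal = event.get("userIdentity", {}).get("principalId", "")
    return principal.split(":", 1)[1] if ":" in principal else ""


def _imds_version(event):
    return event.get("userIdentity", {}).get("sessionContext", {}).get("ec2RoleDelivery")


def triage_instance_credential_use(events, instance_ips, trusted_egress=()):
    """instance_ips: {instance_id: {public IP, ...}} from your inventory (assumed input).
    trusted_egress: CIDRs such as NAT gateway addresses. Returns a list of findings."""
    egress_nets = [ipaddress.ip_network(c) for c in trusted_egress]
    findings = []
    for e in events:
        version = _imds_version(e)
        if version is None:
            continue                                  # not instance-role credentials
        reasons = []
        if version == "1.0":
            reasons.append("imdsv1")
        src = e.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            ip = None                                 # service-originated calls carry a hostname
        inst = _instance_id(e)
        if ip is not None:
            own = src in instance_ips.get(inst, set())
            trusted = any(ip in n for n in egress_nets)
            if not (own or trusted):
                reasons.append("source_ip_not_instance")
        if reasons:
            findings.append({"instance": inst, "event": e["eventName"],
                             "source": src, "reasons": reasons, "at": e["eventTime"]})
    return findings


# Constructed inventory: which public addresses each instance legitimately uses.
INSTANCE_IPS = {"i-0aaa1111bbbb2222c": {"203.0.113.10"},
                "i-0ddd3333eeee4444f": {"203.0.113.20"}}

# Constructed CloudTrail records, trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    # Normal: instance calls S3 from its own address with IMDSv2-issued credentials.
    {"eventTime": "2025-05-02T10:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLE:i-0aaa1111bbbb2222c",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    # Same instance's credentials replayed from elsewhere to enumerate the account.
    {"eventTime": "2025-05-02T10:07:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLE:i-0aaa1111bbbb2222c",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    # Second instance still hands out credentials over IMDSv1.
    {"eventTime": "2025-05-02T10:09:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLE:i-0ddd3333eeee4444f",
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    # IAM user with long-term keys: no IMDS involvement, ignored by this rule.
    {"eventTime": "2025-05-02T10:12:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE"}},
]

if __name__ == "__main__":
    for finding in triage_instance_credential_use(SAMPLE_EVENTS, INSTANCE_IPS):
        print(finding)
```

The prevention side is cheaper than the detection side: require IMDSv2 on every instance (`aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`, the hop limit keeping containers on the host from reaching the endpoint) and scope instance roles to what the workload actually calls, so that a stolen credential cannot enumerate or modify the account. Amazon GuardDuty's InstanceCredentialExfiltration findings cover the second signal above for accounts that have it enabled.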

These findings highlight the increasing adeptness of Chinese hacking groups in breaching and navigating cloud environments, emphasizing stealth and persistence to ensure sustained access and covert data harvesting.

Glacial Panda’s Focus on Telecommunications

The telecommunications sector has experienced a 130% increase in nation-state activity over the past year, with Chinese threat actor Glacial Panda emerging as a significant player. The group’s operations span countries including Afghanistan, Hong Kong, India, Japan, Kenya, Malaysia, Mexico, Panama, the Philippines, Taiwan, Thailand, and the United States.

Glacial Panda is believed to conduct targeted intrusions for intelligence collection, accessing and exfiltrating call detail records and related communications telemetry from multiple telecommunications organizations. The group primarily targets Linux systems prevalent in the telecommunications industry, including legacy operating system distributions supporting older telecommunications technologies.

The group's attack chains begin with the exploitation of known security vulnerabilities or weak passwords on internet-facing and unmanaged servers. Glacial Panda then escalates privileges with well-known Linux bugs such as CVE-2016-5195 (Dirty COW) and CVE-2021-4034 (PwnKit), both of which remain exploitable on the legacy distributions still common in telecommunications environments. Alongside living-off-the-land (LotL) techniques, the group deploys trojanized OpenSSH components, collectively codenamed ShieldSlide, to capture user authentication sessions and credentials passing through the host.

The trojanized SSH server binary within ShieldSlide also provides backdoor access: it accepts a hardcoded password for any account, including root, bypassing the configured authentication entirely.
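A replaced sshd keeps its path, name and usually its timestamps, so the practical check for the ShieldSlide pattern is content integrity against a baseline captured off the host. The script below is an added example, not from the report: it builds a hash baseline of the OpenSSH components, simulates a swapped sshd, a dropped helper and a removed file in a temporary directory, and reports the differences. The Debian-style paths are an assumption; adjust them for the distribution in use.

```python
"""Check OpenSSH components against an offline hash baseline.

Added example, not from the report. It builds a pristine baseline, then simulates a
ShieldSlide-style replacement of sshd, an unexpected extra file in the OpenSSH helper
directory and a removed binary, and reports what changed. Paths are Debian-style and
assumed. On a real host, run verify() against "/" with a baseline captured from a
known-good image and stored off the host: an attacker with root can edit the package
database that `rpm -V` or `dpkg -V` consult, but not a baseline it cannot reach.
"""
import hashlib
import os
import tempfile

OPENSSH_FILES = [
    "usr/sbin/sshd",
    "usr/bin/ssh",
    "usr/bin/ssh-keygen",
    "usr/lib/openssh/sftp-server",
]
HELPER_DIR = "usr/lib/openssh"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, files=OPENSSH_FILES):
    """Hash every listed component under root (a known-good image or fresh install)."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel in files}


def verify(root, baseline, helper_dir=HELPER_DIR):
    """Return modified, missing and unexpected files relative to the baseline.
    Unexpected files are anything in the helper directory the baseline does not list."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif sha256_of(full) != digest:
            report["modified"].append(rel)
    helper_path = os.path.join(root, helper_dir)
    if os.path.isdir(helper_path):
        for name in sorted(os.listdir(helper_path)):
            rel = f"{helper_dir}/{name}"
            if rel not in baseline:
                report["unexpected"].append(rel)
    return report


def demo():
    """Simulate a host: baseline it, tamper with it the way a trojanized install would, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        for rel in OPENSSH_FILES:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(b"\x7fELF pristine " + rel.encode())   # stand-in for a real binary
        baseline = build_baseline(root)
        assert verify(root, baseline) == {"modified": [], "missing": [], "unexpected": []}

        # sshd replaced in place: same path and name, different content.
        with open(os.path.join(root, "usr/sbin/sshd"), "wb") as f:
            f.write(b"\x7fELF trojanized sshd")
        # Extra component dropped beside the legitimate helpers.
        with open(os.path.join(root, HELPER_DIR, "ssh-helper"), "wb") as f:
            f.write(b"\x7fELF credential logger")
        # A baseline file that has disappeared is reported too.
        os.remove(os.path.join(root, "usr/bin/ssh-keygen"))
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

On hosts where the package manager is still trusted, `rpm -Va` or `dpkg -V openssh-server` gives the same answer faster; the offline baseline matters on exactly the unmanaged, legacy servers the report says Glacial Panda prefers, where the package database may be stale or absent. Whichever check is used, a mismatched sshd is an incident, not a maintenance ticket: rotate every credential that has authenticated through that host since the last clean verification.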

Conclusion

The activities of Murky Panda, Genesis Panda, and Glacial Panda underscore the evolving tactics of Chinese cyber espionage groups. Their focus on cloud infrastructure and telecommunications networks highlights the need for robust cybersecurity measures: prompt patching of internet-facing appliances, stringent access controls that extend to suppliers' administrative access and to cloud identities such as service principals and instance roles, and continuous monitoring of both on-premises hosts and cloud control-plane logs to detect and mitigate such sophisticated threats.