
China-nexus hackers exploit cloud trust links in high-profile cyberespionage
CrowdStrike has published research on MURKY PANDA, a China-nexus cyber adversary targeting government, technology, academic, legal, and professional services organisations in North America.
CrowdStrike Counter Adversary Operations and CrowdStrike Services have investigated multiple cases of MURKY PANDA activity since 2023, tracking its use of complex methods to carry out cyberespionage and data exfiltration against high-profile targets.
MURKY PANDA demonstrates significant expertise in compromising trusted relationships within cloud environments, and shows a capacity for exploiting vulnerabilities at speed, particularly targeting internet-facing appliances and custom applications as a means of lateral movement.
Advanced cloud-focused techniques
MURKY PANDA leverages advanced tradecraft within cloud environments and has been observed moving laterally between organisations by abusing trusted relationships.
The threat group often exploits weaknesses in identity management platforms such as Entra ID, including software-as-a-service (SaaS) provider integrations, to expand its access and maintain persistence in cloud systems.
CrowdStrike revealed, "MURKY PANDA heavily relies on exploiting internet-facing appliances to gain initial access and has frequently deployed web shells - including the Neo-reGeorg web shell frequently used by China-nexus adversaries - to establish persistence. The adversary also has access to the low-prevalence custom malware family CloudedHope."
The group's malware arsenal includes CloudedHope, a statically linked 64-bit ELF executable built in Golang and designed for Linux-based targets.
CloudedHope incorporates anti-analysis and operational security features, such as obfuscation, checksum-based environment validation, and decoy actions if compromised. MURKY PANDA has rapidly weaponised both n-day and zero-day vulnerabilities, with recent targets including Citrix NetScaler ADC (CVE-2023-3519) and a Commvault vulnerability (CVE-2025-3928).
Exfiltration and intelligence gathering
MURKY PANDA's operations are thought to be intelligence-driven, seeking access to sensitive information held by targeted entities.
The group has previously exfiltrated emails and confidential documents from high-profile organisations.
CrowdStrike notes, "MURKY PANDA operations are likely driven by intelligence-collection objectives to gain access to sensitive information. The adversary has previously exfiltrated emails and other sensitive documents from high-profile targets."
The threat actor uses a variety of tactics to remain undetected, including modifying timestamps, deleting traces of its activity, and employing compromised small office/home office (SOHO) devices as operational exit nodes to make malicious traffic appear legitimate.
Compromising trusted relationships in the cloud
One significant technique used by MURKY PANDA involves exploiting cloud-based trusted relationships to enable persistent and covert access to downstream victims. This vector, according to CrowdStrike, remains less monitored compared to more established entry methods such as exploiting public-facing applications or compromised cloud accounts.
MURKY PANDA is currently one of a few tracked adversaries that conduct trusted-relationship compromises in the cloud. Due to the activity's rarity, this initial access vector to a victim's cloud environment remains relatively undermonitored compared to more prominent initial access vectors such as valid cloud accounts and exploiting public-facing applications. Leveraging this niche initial access vector, MURKY PANDA likely intends for their access to downstream victims to remain undetected, enabling prolonged access.
In two documented cases, MURKY PANDA exploited zero-day vulnerabilities affecting SaaS providers, subsequently leveraging privileged application credentials to penetrate the environments of downstream customers. In one case involving Entra ID, the group accessed an application registration secret, enabling them to impersonate service principals linked to downstream clients and extract emails and data.
Further, CrowdStrike detailed a compromise of a Microsoft cloud solution provider, where MURKY PANDA, after gaining access to a Global Administrator account, created a backdoor user with broad privileges. By controlling these privileged accounts, the group elevated its access, persisted within the victim's system, and accessed sensitive data including emails.
Operational security and detection evasion
The group displays strong operational security, sanitising logs and deleting artefacts to frustrate attribution and incident response efforts. This high OPSEC standard complicates detection, investigation, and the ability to link activity to MURKY PANDA.
Similar to other China-nexus groups, MURKY PANDA uses compromised SOHO devices within targeted countries as operational exit points, masking malicious activity to resemble legitimate domestic network traffic.
Sector impact and recommendations
MURKY PANDA poses a significant threat to government, technology, legal, and professional services organisations in North America and their suppliers with access to sensitive data.
CrowdStrike's research states, "Organisations that rely heavily on cloud environments are innately vulnerable to trusted-relationship compromises in the cloud. China-nexus adversaries such as MURKY PANDA continue to leverage sophisticated tradecraft to facilitate their espionage operations, targeting numerous sectors globally."
CrowdStrike recommended that organisations implement strict Entra ID credential and activity monitoring, audit service principal activities for anomalies, and maintain vigilance over new user additions to cloud environments. Further advice includes regular patching of all cloud environment software, close monitoring of suspicious device logon behaviours, and reviewing privileges associated with trusted cloud solution providers.
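The two passages above describe the same chain from opposite sides: the attacker path (a provider-side identity creates or takes over a privileged account in the downstream tenant, then adds a credential to an application so it can read mail as a service principal) and the defensive advice (monitor Entra ID credential changes, audit service principal activity, watch new users and privileged provider access). The following is an added example, not CrowdStrike's tooling or code from the report, showing what that monitoring looks like as detection logic over Entra ID audit-log records. The record shape is a simplified subset of the real audit schema (the `activityDisplayName` values are the ones Entra ID writes; the initiator and target fields are reduced to what the rules need), the sample log lines are constructed, and the rule that an initiator outside the tenant's own domains represents provider or partner access is an assumption stated in the comments.

```python
"""Detection logic for cloud trusted-relationship abuse, run offline over
constructed Entra ID audit-log records (NDJSON). Rules:
  - credential added to an app registration or service principal
  - new user created
  - privileged role granted, escalated when the grantee was created recently
  - any of the above initiated from outside the tenant's own domains
Added example; the record shape is a simplified subset of the real schema."""
import json
from datetime import datetime, timedelta

# activityDisplayName values as Entra ID writes them to the audit log.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
USER_CREATED = "Add user"
ROLE_ASSIGNED = "Add member to role"
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
SEVERITY_LEVELS = ["low", "medium", "high", "critical"]

# Constructed sample: an admin from a provider domain creates a user, grants it
# Global Administrator minutes later, and that user adds a secret to a mail app.
# The last two lines are benign internal activity. Raw string keeps the escaped
# quotes that Entra uses for Role.DisplayName values intact.
SAMPLE_LOG = r"""
{"activityDateTime": "2025-08-21T09:00:00Z", "activityDisplayName": "Add user", "initiatedBy": {"user": {"userPrincipalName": "admin@partner-csp.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "svc-backup@victim.example"}]}
{"activityDateTime": "2025-08-21T09:04:00Z", "activityDisplayName": "Add member to role", "initiatedBy": {"user": {"userPrincipalName": "admin@partner-csp.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "svc-backup@victim.example", "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]}
{"activityDateTime": "2025-08-21T09:20:00Z", "activityDisplayName": "Add service principal credentials", "initiatedBy": {"user": {"userPrincipalName": "svc-backup@victim.example"}}, "targetResources": [{"type": "ServicePrincipal", "displayName": "Mail-Sync-App"}]}
{"activityDateTime": "2025-08-21T10:00:00Z", "activityDisplayName": "Add user", "initiatedBy": {"user": {"userPrincipalName": "it.ops@victim.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "new.hire@victim.example"}]}
{"activityDateTime": "2025-08-21T10:05:00Z", "activityDisplayName": "Update user", "initiatedBy": {"user": {"userPrincipalName": "it.ops@victim.example"}}, "targetResources": [{"type": "User", "userPrincipalName": "new.hire@victim.example"}]}
"""


def parse_events(ndjson_text):
    """Parse NDJSON audit records into flat events, sorted by time."""
    events = []
    for line in ndjson_text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00")),
            "activity": rec["activityDisplayName"],
            "initiator": rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", ""),
            "targets": rec.get("targetResources", []),
        })
    return sorted(events, key=lambda e: e["time"])


def assigned_role(event):
    """Role name from an 'Add member to role' event; newValue is a JSON-quoted string."""
    for target in event["targets"]:
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop.get("newValue", '""'))
    return None


def bump(severity):
    """Raise severity by one level, capped at critical."""
    return SEVERITY_LEVELS[min(SEVERITY_LEVELS.index(severity) + 1, len(SEVERITY_LEVELS) - 1)]


def analyse(events, tenant_domains, window=timedelta(hours=24)):
    """Return findings in time order. Assumption: actions by a provider's delegated
    admin carry the provider's UPN, so an initiator outside tenant_domains is external."""
    tenant_domains = {d.lower() for d in tenant_domains}
    created_users = {}  # lower-case UPN -> creation time, for the new-user-then-admin pattern
    findings = []

    def report(ev, severity, rule, target, external):
        if external:
            severity = bump(severity)
            rule += " (initiated from outside tenant domains)"
        findings.append({"time": ev["time"].isoformat(), "severity": severity,
                         "rule": rule, "initiator": ev["initiator"], "target": target})

    for ev in events:
        domain = ev["initiator"].rsplit("@", 1)[-1].lower() if "@" in ev["initiator"] else ""
        external = bool(domain) and domain not in tenant_domains
        target = ev["targets"][0] if ev["targets"] else {}
        name = target.get("userPrincipalName") or target.get("displayName") or "<unknown>"
        if ev["activity"] == USER_CREATED:
            created_users[name.lower()] = ev["time"]
            report(ev, "low", "new user created", name, external)
        elif ev["activity"] == ROLE_ASSIGNED and assigned_role(ev) in PRIVILEGED_ROLES:
            created = created_users.get(name.lower())
            if created is not None and ev["time"] - created <= window:
                report(ev, "critical", f"privileged role granted to user created {ev['time'] - created} earlier",
                       name, external)
            else:
                report(ev, "high", "privileged role granted", name, external)
        elif ev["activity"] in CREDENTIAL_ACTIVITIES:
            report(ev, "high", "credential added to application or service principal", name, external)
    return findings


def run_sample():
    """Run the rules over the constructed log for the tenant 'victim.example'."""
    return analyse(parse_events(SAMPLE_LOG), {"victim.example"})


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['time']} [{f['severity']:8}] {f['rule']}: {f['initiator']} -> {f['target']}")
```

Against the constructed log this yields four findings: a medium for the externally initiated user creation, a critical for the Global Administrator grant to that four-minute-old user, a high for the secret added to the mail application, and a low for the routine internal user creation; the benign "Update user" event produces nothing. In a real tenant the same records come from the Microsoft Graph `auditLogs/directoryAudits` endpoint or a SIEM export, and the tenant-domain allowlist and the 24-hour window are the knobs to tune.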
These findings highlight the growing attention advanced threat groups are paying to weaknesses in cloud computing ecosystems, and underline the need for organisations to strengthen their identity management and cloud security mechanisms.