In recent months, cybersecurity researchers have drawn attention to China-linked espionage groups exploiting trusted relationships in the cloud to infiltrate enterprise networks. One of the most notable among them is Murky Panda (also known as Silk Typhoon, formerly Hafnium).
Murky Panda’s Sophisticated Playbook
Murky Panda is infamous for exploiting zero-day and n-day vulnerabilities, with a history of high-profile attacks such as the 2021 Microsoft Exchange Server compromise. Its targets span government, legal, academic, technology, and professional services organizations across North America.
What makes Murky Panda especially dangerous is its ability to weaponize cloud trust relationships. Instead of only breaching a single organization, it often compromises partners, suppliers, and SaaS providers to move laterally into downstream victims’ environments.
The group frequently:
- Exploits vulnerabilities in internet-facing products such as Citrix NetScaler and Commvault to gain initial access.
- Deploys web shells such as Neo-reGeorg to maintain persistence.
- Uses custom malware like CloudedHope, a Golang-based RAT designed to evade detection and wipe traces of its activity.
- Abuses Entra ID (formerly Azure AD): after compromising a provider, it adds its own credentials to that provider's service principals, uses them to sign in to downstream customers' tenants, and creates backdoor admin accounts there.
The objective? Stealthy intelligence collection, particularly email data and sensitive communications.
Beyond Murky Panda: A Growing Trend
Other groups are following suit:
- Genesis Panda: Active since 2024, this actor focuses on financial services, telecom, media, and technology. It uses stolen credentials and queries cloud instance metadata services from compromised hosts to obtain further credentials, which it then uses to expand access and persist.
- Glacial Panda: Recently observed in telecom intrusions, exploiting weak passwords, legacy Linux systems, and privilege escalation flaws like Dirty COW and PwnKit to harvest call detail records and communications data.
Together, these campaigns highlight a sharp increase in nation-state cyber activity, especially against organizations rich in data and reliant on cloud ecosystems.
What This Means for Businesses
As cloud adoption grows, trusted-relationship attacks are becoming a major blind spot. Compromising a supplier, cloud service provider, or software vendor can give adversaries direct access to your environment, bypassing even strong frontline defenses.
That’s why businesses must adopt proactive cybersecurity strategies that address:
- Password Security & Identity Management – Prevent unauthorized access to cloud tenants.
- Incident Response & Recovery – Rapid containment of breaches before damage escalates.
- Cybersecurity Solutions for Businesses & Individuals – Tailored protections for different risk levels.
- Security Audits & Vulnerability Assessments – Identifying weaknesses before attackers do.
- Managed Security Services – Continuous monitoring for suspicious activity.
- Penetration Testing – Simulating real-world intrusions to test resilience.
- Compliance & Regulatory Services – Ensuring adherence to frameworks like ISO, NDPR, and NIST.
- Cybersecurity Recruitment & Training – Building strong in-house expertise via our Cyber Protection Academy.
How to Stay Protected
Organizations should:
- Regularly patch vulnerabilities in internet-facing and cloud-hosted applications.
- Audit Entra ID service principals and their credentials, and alert on newly added secrets or certificates and on new accounts that are granted admin roles soon after creation.
- Enforce Multi-Factor Authentication (MFA) for cloud admins and third-party vendors.
- Monitor and periodically review supply chain access: delegated administrative privileges granted to cloud solution providers, consented SaaS applications, and partner accounts.
- Invest in cyber threat intelligence to understand evolving tactics.
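The following is an added example (not code from the original article or from any vendor report) of the service principal and new-admin audit described above. It triages Microsoft Entra ID audit-log records for the two backdooring patterns in the Murky Panda playbook: a credential added to an existing service principal by an unexpected actor, and a newly created user placed into a privileged directory role shortly afterwards. The sample records at the bottom are constructed and imitate the layout of Microsoft Graph directoryAudits objects; the activity names are the ones Entra ID uses for these operations, but the tenant, user and application names are invented, and the exact placement of the role name inside the record is an assumption to adapt to your own export.

```python
"""Triage Entra ID audit-log records for service principal backdooring and
create-then-promote admin accounts. Added example; record layout imitates
Microsoft Graph directoryAudits and is an assumption to adapt to your export."""
from datetime import datetime, timedelta

# Roles whose assignment should always be reviewed. Assumption: tune per tenant.
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "Cloud Application Administrator",
    "Exchange Administrator",
}
# Identities allowed to rotate service principal secrets. Assumption: empty by
# default; add your own automation principals only after review.
KNOWN_CRED_ROTATORS = set()


def _ts(record):
    """Parse Graph's ISO 8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))


def _actor(record):
    """Return who performed the action: a user UPN or 'app:<display name>'."""
    who = record.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName", "unknown-user")
    if who.get("app"):
        return "app:" + who["app"].get("displayName", "unknown-app")
    return "unknown"


def _role_name(record):
    """Role from an 'Add member to role' record: accept a Role target or a
    Role.DisplayName modified property (whose newValue is a JSON-quoted string)."""
    for t in record.get("targetResources", []):
        if t.get("type") == "Role" and t.get("displayName"):
            return t["displayName"]
        for p in t.get("modifiedProperties", []):
            if p.get("displayName") == "Role.DisplayName" and p.get("newValue"):
                return p["newValue"].strip('"')
    return None


def find_service_principal_backdoors(records):
    """Every 'Add service principal credentials' event by a non-approved actor."""
    findings = []
    for r in records:
        if r.get("activityDisplayName") != "Add service principal credentials":
            continue
        actor = _actor(r)
        if actor in KNOWN_CRED_ROTATORS:
            continue
        targets = r.get("targetResources", [])
        findings.append({"rule": "sp-credential-added", "actor": actor,
                         "target": targets[0].get("displayName") if targets else None,
                         "time": r["activityDateTime"]})
    return findings


def find_new_privileged_users(records, window_hours=24):
    """Users created and then placed in a privileged role within window_hours.
    Legitimate onboarding is rarely this fast; create-then-promote is the
    stealthy-admin pattern."""
    window = timedelta(hours=window_hours)
    created = {}  # UPN -> creation time
    for r in records:
        targets = r.get("targetResources", [])
        if r.get("activityDisplayName") == "Add user" and targets:
            created[targets[0].get("userPrincipalName")] = _ts(r)
    findings = []
    for r in records:
        if r.get("activityDisplayName") != "Add member to role":
            continue
        user = next((t for t in r.get("targetResources", []) if t.get("type") == "User"), None)
        role = _role_name(r)
        if not user or role not in PRIVILEGED_ROLES:
            continue
        upn = user.get("userPrincipalName")
        if upn in created and timedelta(0) <= _ts(r) - created[upn] <= window:
            findings.append({"rule": "new-user-promoted", "actor": _actor(r),
                             "target": upn, "role": role,
                             "minutes_after_creation": int((_ts(r) - created[upn]).total_seconds() // 60)})
    return findings


def triage(records):
    """Run both detections over one export and return all findings."""
    return find_service_principal_backdoors(records) + find_new_privileged_users(records)


# Constructed sample export (not real tenant data; all names invented).
SAMPLE_RECORDS = [
    {"activityDateTime": "2025-08-20T02:14:11Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "ops@partner-csp.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Partner Backup Connector"}]},
    {"activityDateTime": "2025-08-20T02:20:45Z", "activityDisplayName": "Add user",
     "initiatedBy": {"app": {"displayName": "Partner Backup Connector"}},
     "targetResources": [{"type": "User", "userPrincipalName": "mailsync-svc@victim.example"}]},
    {"activityDateTime": "2025-08-20T02:22:03Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"app": {"displayName": "Partner Backup Connector"}},
     "targetResources": [{"type": "User", "userPrincipalName": "mailsync-svc@victim.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    # Benign: user created three days before a non-privileged role grant.
    {"activityDateTime": "2025-08-18T09:00:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "hr-admin@victim.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "j.doe@victim.example"}]},
    {"activityDateTime": "2025-08-21T10:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "hr-admin@victim.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "j.doe@victim.example"},
                         {"type": "Role", "displayName": "Reports Reader"}]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Against the sample export this reports two findings: the secret added to the provider's service principal by an unlisted actor, and the account created and promoted to Global Administrator within two minutes by that same service principal. In production, feed it the output of a Graph directoryAudits query (or a SIEM export of the AuditLogs table), populate KNOWN_CRED_ROTATORS only with principals you have verified, and treat any finding where the actor is an app rather than a named human as the highest priority, since that is exactly how a backdoored provider principal would look.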
Murky Panda and similar adversaries represent a new frontier of cloud-based espionage. By abusing trusted relationships, they bypass traditional defenses and embed themselves deeply in digital ecosystems.
At CyberTech Nexus, we provide end-to-end cybersecurity services, from IT & Cybersecurity Consultancy to Incident Response, Managed Security, and Cyber Protection Training, to help organizations anticipate, prevent, and respond to such threats.