Full Report
A Chinese state-sponsored hacking group known as Murky Panda (Silk Typhoon) exploits trusted relationships in cloud environments to gain initial access to the networks and data of downstream customers. [...]
Analysis Summary
# Threat Actor: Murky Panda
## Attribution & Identity
**Identification:** Chinese state-sponsored hacking group.
**Aliases and Known Associations:** Silk Typhoon (Microsoft designation), Hafnium.
## Activity Summary
Murky Panda is known for conducting cyberespionage campaigns. Recent activities include:
* Exploiting trusted relationships in cloud environments (SaaS providers) to pivot into downstream customer networks.
* Compromising Microsoft cloud solution providers with Delegated Administrative Privileges (DAP) to gain Global Administrator rights across downstream tenants.
* Attacks linked to the wave of Microsoft Exchange breaches in 2021 utilizing the ProxyLogon vulnerability.
* Recent targeting of the U.S. Treasury's Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment.
* Actively targeting IT supply chains, remote management tools, and cloud services since March 2025, as reported by Microsoft.
* Abusing cloud provider trust models (e.g., application registration secrets in Entra ID) to gain access to customer emails and sensitive data.
## Tactics, Techniques & Procedures
- Exploiting vulnerabilities for initial access, including CVE-2023-3519 (Citrix NetScaler), ProxyLogon in Microsoft Exchange, and CVE-2025-0282 (Ivanti Pulse Connect VPN).
- Gaining initial access via compromised internet-exposed devices and services.
- **Supply Chain Compromise:** Specifically targeting cloud service providers to leverage built-in administrative access to customer environments.
- **Persistence & Evasion:** Deploying the Neo-reGeorg open-source web shell and China Chopper web shells.
- Using a custom Linux-based Remote Access Trojan (RAT) named CloudedHope.
- **Strong Operational Security (OPSEC):** Modifying timestamps and deleting logs to hinder forensics.
- Using compromised Small Office/Home Office (SOHO) devices as proxy servers to blend malicious traffic with local infrastructure activity.
- Escalating privileges in customer environments, including creating backdoor accounts after gaining control of cloud provider tenancies.
## Targeting
- **Sectors:** Government, technology, academic, legal, and professional services organizations.
- **Geography:** North America.
- **Victims:** Downstream customers of compromised cloud service providers; U.S. Treasury's Office of Foreign Assets Control (OFAC); Committee on Foreign Investment.
## Tools & Infrastructure
- **Malware Families:** CloudedHope (custom Linux RAT), Neo-reGeorg (web shell), China Chopper (web shell).
- **Infrastructure:** Compromised SOHO devices used as proxy servers for obfuscation.
## Implications
Murky Panda is a sophisticated, state-sponsored adversary capable of rapidly weaponizing zero-day and n-day vulnerabilities. Their heavy reliance on exploiting trusted relationships within cloud ecosystems presents a significant, often less-monitored, initial access vector. This capability allows them to achieve deep, stealthy access into numerous downstream high-value targets simultaneously via a single compromise of a cloud provider.
## Mitigations
- Promptly patch cloud-facing infrastructure against known n-day vulnerabilities.
- Monitor Entra ID logs aggressively for unusual service principal sign-ins.
- Enforce Multi-Factor Authentication (MFA) for all cloud provider accounts.
- Implement strict monitoring for privilege escalation and backdoor account creation within cloud tenancies, especially following a supply chain compromise.
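The two log-monitoring mitigations above (unusual service principal sign-ins, and privilege escalation or backdoor-account creation following a provider compromise) can be turned into concrete detection logic. The script below is an added illustration, not code from the report or from any vendor; the event records are constructed and only loosely follow the shape of Entra ID sign-in and audit log entries, and the partner domain `msp.example`, the tenant domain `victim.example`, the service principal names, IP addresses and the one-hour window are all assumptions chosen for the example.

```python
"""Flag Entra ID activity consistent with abuse of a cloud-provider trust relationship.

All sample records below are constructed for this example; field names are
simplified and do not match the exact Microsoft Graph log schema.
"""
from datetime import datetime, timedelta, timezone

# Roles whose assignment always warrants review. Global Administrator is the
# role named in the report; the second is an assumed additional high-privilege role.
SENSITIVE_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Assumed: domains of the cloud solution provider holding delegated (DAP) access.
PARTNER_DOMAINS = {"msp.example"}

# Everything before this timestamp is treated as known-good baseline history.
CUTOFF = datetime(2025, 7, 1, tzinfo=timezone.utc)

# Constructed service-principal sign-ins: a month of baseline, then two new events.
SP_SIGNINS = [
    {"time": "2025-06-01T08:00:00Z", "sp": "backup-sync", "ip": "203.0.113.10", "resource": "Microsoft Graph"},
    {"time": "2025-06-08T08:00:00Z", "sp": "backup-sync", "ip": "203.0.113.10", "resource": "Microsoft Graph"},
    {"time": "2025-06-15T08:00:00Z", "sp": "backup-sync", "ip": "203.0.113.11", "resource": "Microsoft Graph"},
    {"time": "2025-06-20T09:00:00Z", "sp": "hr-connector", "ip": "192.0.2.5", "resource": "Microsoft Graph"},
    # Detection window: one benign repeat, one sign-in from a new IP to a new resource.
    {"time": "2025-07-02T08:00:00Z", "sp": "hr-connector", "ip": "192.0.2.5", "resource": "Microsoft Graph"},
    {"time": "2025-07-02T03:12:00Z", "sp": "backup-sync", "ip": "198.51.100.77", "resource": "Office 365 Exchange Online"},
]

# Constructed directory audit events: one routine role change, then a partner
# account creating a user and immediately granting it Global Administrator.
AUDIT_EVENTS = [
    {"time": "2025-06-15T10:00:00Z", "activity": "Add member to role", "initiator": "it-admin@victim.example",
     "target": "alice@victim.example", "role": "Helpdesk Administrator"},
    {"time": "2025-07-02T03:20:00Z", "activity": "Add user", "initiator": "partner-admin@msp.example",
     "target": "svc-helpdesk2@victim.example"},
    {"time": "2025-07-02T03:22:00Z", "activity": "Add member to role", "initiator": "partner-admin@msp.example",
     "target": "svc-helpdesk2@victim.example", "role": "Global Administrator"},
]


def parse_ts(s):
    """Parse the UTC 'Z' timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_service_principal_signins(signins, cutoff):
    """Return post-cutoff sign-ins whose (SP, IP) or (SP, resource) pair never
    appeared in the baseline. Keying on the service principal rather than on the
    IP alone catches an app secret replayed from new infrastructure even when that
    IP is normal for some other application in the tenant."""
    known_ip, known_resource = set(), set()
    for e in signins:
        if parse_ts(e["time"]) < cutoff:
            known_ip.add((e["sp"], e["ip"]))
            known_resource.add((e["sp"], e["resource"]))
    findings = []
    for e in signins:
        if parse_ts(e["time"]) < cutoff:
            continue
        reasons = []
        if (e["sp"], e["ip"]) not in known_ip:
            reasons.append("new source IP")
        if (e["sp"], e["resource"]) not in known_resource:
            reasons.append("new target resource")
        if reasons:
            findings.append({"sp": e["sp"], "time": e["time"], "reasons": reasons})
    return findings


def flag_privileged_changes(audit, window=timedelta(hours=1)):
    """Flag every sensitive-role grant, raising severity when the grant follows the
    creation of the same account within `window` (backdoor-account pattern) or
    when the initiator belongs to a partner (DAP) domain."""
    created_at = {e["target"]: parse_ts(e["time"]) for e in audit if e["activity"] == "Add user"}
    findings = []
    for e in audit:
        if e["activity"] != "Add member to role" or e.get("role") not in SENSITIVE_ROLES:
            continue
        granted = parse_ts(e["time"])
        reasons = ["sensitive role granted"]
        created = created_at.get(e["target"])
        if created is not None and timedelta(0) <= granted - created <= window:
            reasons.append("account created minutes earlier")
        if e["initiator"].split("@")[-1] in PARTNER_DOMAINS:
            reasons.append("initiated by partner (DAP) account")
        findings.append({"target": e["target"], "role": e["role"],
                         "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_service_principal_signins(SP_SIGNINS, CUTOFF) + flag_privileged_changes(AUDIT_EVENTS):
        print(finding)
```

In production the baseline would be built from exported sign-in logs over a longer window and the partner domains from the tenant's actual partner relationships; the point of the example is that both detections key on relationships (which principal, from where, to what; who created whom and then granted what) rather than on any single indicator, which is what distinguishes provider-trust abuse from ordinary administrative noise.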