Cybersecurity researchers have raised alarms over increasing cyber-espionage activity linked to China-based threat groups. Among them, Murky Panda, Genesis Panda, and Glacial Panda have been spotlighted for aggressively targeting cloud infrastructures and telecommunications networks to harvest sensitive intelligence.
Murky Panda Exploiting Cloud Relationships
A recent CrowdStrike report highlights that Murky Panda, also known as Silk Typhoon (formerly Hafnium), has been abusing trusted cloud relationships to infiltrate enterprise networks. The group is notorious for exploiting both N-day and zero-day vulnerabilities, often gaining initial access through internet-facing devices.
This threat actor first gained widespread attention during the 2021 Microsoft Exchange Server zero-day attacks. Since then, it has targeted government, technology, academic, legal, and professional service sectors in North America.
In March 2025, Microsoft noted Murky Panda’s shift toward supply chain compromises, using IT providers as gateways into larger corporate networks. The group has also exploited internet-facing appliances such as Citrix NetScaler ADC/Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928) to drop web shells such as neo-reGeorg and deploy its custom CloudedHope malware.
CloudedHope (a 64-bit Golang-based RAT) provides persistence, anti-analysis features, and stealth by erasing traces of compromise. Notably, Murky Panda abuses the trust between cloud tenants to move laterally between organizations. In one case, it compromised a supplier to gain administrative access to a North American company’s Entra ID tenant, created a backdoor account, and tampered with the tenant’s service principals to read email data.
Genesis Panda’s Cloud-Focused Espionage
Another Chinese group, Genesis Panda, has demonstrated expertise in exploiting cloud services. Active since at least January 2024, it targets financial services, telecommunications, technology, and media sectors across 11 countries.
The group is suspected of acting as an initial access broker, exploiting web-facing vulnerabilities while conducting limited data theft. According to CrowdStrike, Genesis Panda has consistently shown interest in cloud-hosted systems, frequently querying the cloud provider’s Instance Metadata Service (IMDS) from compromised virtual machines to harvest the temporary credentials of the attached instance role and extend control across additional virtual machines and cloud accounts.
This tactic allows them to perform lateral movement, persistence, and reconnaissance, ensuring long-term access for intelligence collection.
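The IMDS abuse described above works because a process on the instance (or an SSRF in a web app on it) can fetch the instance role's temporary credentials with a plain GET when IMDSv1 is still allowed; requiring IMDSv2 forces a PUT-based token exchange first and a hop limit of 1 keeps forwarded requests from reaching the service. The following audit is an added example, not CrowdStrike's or any vendor's code: it walks a constructed, trimmed `aws ec2 describe-instances` response (instance IDs and ARNs are made up) and flags instances whose metadata options still expose credentials.

```python
"""Flag EC2 instances whose metadata options still allow IMDSv1 credential harvesting.

Added example with constructed input. On a real account, feed it the JSON from
`aws ec2 describe-instances --output json` instead of SAMPLE_DESCRIBE_INSTANCES.
"""
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output, trimmed to the
# fields the check needs. Instance IDs and the account/role ARNs are invented.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {   # Worst case: IMDSv1 allowed, hop limit 2 (reachable from containers), role attached
                "InstanceId": "i-0aaa111",
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                    "HttpPutResponseHopLimit": 2},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"},
            },
            {   # Hardened: tokens required, hop limit 1
                "InstanceId": "i-0bbb222",
                "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                    "HttpPutResponseHopLimit": 1},
                "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/db-role"},
            },
            {   # IMDS switched off entirely: nothing to harvest
                "InstanceId": "i-0ccc333",
                "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"},
            },
        ]}
    ]
})


def assess_instance(inst):
    """Return a list of findings for one instance; empty list means nothing to report."""
    findings = []
    opts = inst.get("MetadataOptions", {})
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return findings  # IMDS unreachable, credentials cannot be pulled from it
    if opts.get("HttpTokens") != "required":
        findings.append("IMDSv1 allowed (HttpTokens != required): a single GET returns role credentials")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append("HttpPutResponseHopLimit > 1: IMDSv2 token PUT can be forwarded from containers")
    if findings and inst.get("IamInstanceProfile"):
        findings.append("instance role attached: harvested credentials grant that role's permissions")
    return findings


def audit(describe_json):
    """Map InstanceId -> findings for every instance with at least one finding."""
    data = json.loads(describe_json)
    report = {}
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            findings = assess_instance(inst)
            if findings:
                report[inst["InstanceId"]] = findings
    return report


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_DESCRIBE_INSTANCES).items():
        print(instance_id)
        for f in findings:
            print("  -", f)
```

Remediation for a flagged instance is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; do it with the instance's applications already confirmed to use an SDK that speaks IMDSv2, or they lose credentials. For detection rather than prevention, watch for the instance role's credentials being used from a source IP that is not the instance itself, which is the classic sign that IMDS-harvested keys have been replayed from attacker infrastructure.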
Glacial Panda Expands into Telecom Espionage
CrowdStrike also reported a 130% surge in cyber espionage against the telecommunications sector, much of it attributed to Glacial Panda. This group’s operations cover regions including Afghanistan, India, Japan, Kenya, Mexico, Panama, the Philippines, Taiwan, Thailand, Hong Kong, Malaysia, and the United States.
Glacial Panda primarily targets Linux-based telecom systems, often exploiting outdated servers with weak passwords or known vulnerabilities. They also leverage privilege escalation exploits like Dirty COW (CVE-2016-5195) and PwnKit (CVE-2021-4034) to gain deeper access.
Once inside, the group deploys trojanized OpenSSH binaries tracked under the codename ShieldSlide. These backdoored components capture credentials from authentication sessions passing through the server and provide covert root-level access via hardcoded credentials.
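A trojanized sshd of the kind described above is a replaced file, so the first check a responder reaches for is file integrity against a trusted baseline rather than any single indicator. The script below is an added example, not code from CrowdStrike or the OpenSSH project: it hashes the OpenSSH binaries, stores the result as a baseline, and later reports anything missing, swapped for a symlink, or with a changed hash. The `demo()` function builds a constructed scenario in a temporary directory (fake "ELF" files standing in for the real binaries) so the check can be exercised offline.

```python
"""Integrity check for OpenSSH binaries against a trusted baseline (added example).

On a real host, take the baseline from a known-good image or from package metadata
(`rpm -V openssh-server` / `dpkg -V openssh-server`), never from the host you suspect.
"""
import hashlib
import os
import tempfile

# Typical Debian/Ubuntu locations; adjust for the distribution being checked.
SSH_BINARIES = [
    "/usr/sbin/sshd",
    "/usr/bin/ssh",
    "/usr/bin/scp",
    "/usr/bin/sftp",
    "/usr/lib/openssh/sftp-server",
]


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Return {path: sha256} for every listed path that exists."""
    return {p: sha256_file(p) for p in paths if os.path.exists(p)}


def verify(baseline):
    """Return {path: reason} for every baselined binary that no longer matches."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            findings[path] = "missing"
            continue
        if os.path.islink(path):
            # A real sshd is a regular file; a symlink usually points at a dropped replacement.
            findings[path] = "replaced by symlink -> " + os.readlink(path)
            continue
        actual = sha256_file(path)
        if actual != expected:
            findings[path] = f"hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return findings


def demo():
    """Constructed scenario: baseline clean files, then swap one for a trojanized copy."""
    with tempfile.TemporaryDirectory() as root:
        paths = [os.path.join(root, name) for name in ("sshd", "ssh")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"\x7fELF clean " + os.path.basename(p).encode())  # stand-in binary
        baseline = build_baseline(paths)
        clean_result = verify(baseline)  # expected: {} while nothing has changed
        # Simulate the implant: sshd overwritten with a backdoored build.
        with open(paths[0], "wb") as f:
            f.write(b"\x7fELF trojanized sshd with hardcoded password")
        return clean_result, verify(baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
    # Against the live system (needs read access to the binaries):
    # baseline = build_baseline(SSH_BINARIES); print(verify(baseline))
```

Two caveats a practitioner will already expect: an attacker with root can patch the checker or its Python interpreter as easily as sshd, so run the comparison from trusted media or pull the hashes off-box and compare there; and a hash mismatch only says the file changed, so confirm against the distribution's package hashes before treating a legitimate update as an implant. Pulling printable strings out of a suspect sshd is a cheap follow-up, since a hardcoded password or an exfiltration path often sits in plain sight.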
Key Takeaway
The activities of Murky, Genesis, and Glacial Panda underscore a growing Chinese cyber focus on cloud infrastructures and telecom networks, with a clear intent to gain long-term, stealthy access for intelligence collection. Organizations must prioritize patching known vulnerabilities, monitoring cloud tenant trust relationships, and strengthening authentication security to counter these threats.