A China-linked advanced threat actor, tracked as MURKY PANDA, has become a major concern in global cybersecurity. Since late 2024, the group has been actively targeting government agencies, legal firms, professional services, technology providers, and academic institutions across North America.
Advanced Capabilities in Cyber Operations
MURKY PANDA is recognized for its ability to exploit cloud platforms and trusted-relationship environments, marking a new stage in state-sponsored cyber operations. The group has been observed rapidly weaponizing zero-day and n-day vulnerabilities, often gaining entry through internet-facing devices.
Once inside, the attackers conduct intelligence-gathering campaigns, including email theft, document exfiltration, and persistent surveillance of high-profile organizations.
CrowdStrike Insights on Tradecraft
Researchers at CrowdStrike highlighted MURKY PANDA’s cloud-focused strategies and advanced operational security measures. The group is known to modify timestamps, erase digital evidence, and remove compromise indicators to evade detection and complicate attribution.
Industry experts also link MURKY PANDA’s activity to a broader wave of China-nexus intrusions tracked under the codename Silk Typhoon.
Tools and Malware Used
The threat actor employs web shells such as Neo-reGeorg and operates a rare malware family called CloudedHope, giving it stealthy persistence.
In addition, MURKY PANDA uses compromised SOHO (small office/home office) routers and devices as part of its attack infrastructure, mirroring tactics seen with other groups like VANGUARD PANDA.
Cloud Exploitation and Trusted-Relationship Attacks
One of MURKY PANDA’s most dangerous techniques involves exploiting trusted relationships inside cloud environments.
- The group has compromised SaaS providers by leveraging zero-day flaws.
- Stolen application registration secrets were then used to access Entra ID-based customer accounts.
- By authenticating as service principals, the attackers infiltrated downstream networks, accessing emails, sensitive documents, and administrative data.
MURKY PANDA also targeted Microsoft cloud solution providers, exploiting delegated admin privileges to escalate to Global Administrator roles across customer tenants. To maintain persistence, the attackers created new accounts and modified service principal configurations.
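The persistence and escalation steps described above (a secret added to a service principal, a Global Administrator assignment made through a delegated admin session, and a new account created by the freshly elevated identity) each leave a directory audit record. The following is an added detection sketch, not code from CrowdStrike, Microsoft, or the article; the event layout is a trimmed stand-in for Entra ID audit entries, the activity and field names are assumptions for this illustration, and the sample events are constructed.

```python
"""Flag the Entra ID persistence and escalation pattern described above.

Added example. Record shape, activity names and field names are assumed
(simplified stand-ins for Entra ID directory audit entries), and the
sample events below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: a self-issued service principal secret, a
# Global Administrator grant from a partner (delegated admin) session, a
# user created by the newly elevated account, and one benign role change.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T02:14:05Z", "activity": "Add service principal credentials",
     "initiator_type": "servicePrincipal", "initiator": "sp-billing-sync",
     "initiator_partner": False, "target": "sp-billing-sync",
     "details": {"credentialType": "Password"}},
    {"time": "2025-01-10T02:15:40Z", "activity": "Add member to role",
     "initiator_type": "user", "initiator": "partner-admin@msp.example",
     "initiator_partner": True, "target": "svc-backup@customer.example",
     "details": {"roleName": "Global Administrator"}},
    {"time": "2025-01-10T02:16:12Z", "activity": "Add user",
     "initiator_type": "user", "initiator": "svc-backup@customer.example",
     "initiator_partner": False, "target": "helpdesk2@customer.example",
     "details": {}},
    {"time": "2025-01-10T09:00:00Z", "activity": "Add member to role",
     "initiator_type": "user", "initiator": "it-admin@customer.example",
     "initiator_partner": False, "target": "analyst@customer.example",
     "details": {"roleName": "Reports Reader"}},
]

# Roles whose assignment through a partner or service principal warrants review.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass(frozen=True)
class Alert:
    rule: str
    time: str
    initiator: str
    target: str


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(events, window: timedelta = timedelta(hours=24)) -> list[Alert]:
    """Return alerts for the three chained steps, processing events in time order."""
    alerts: list[Alert] = []
    elevated: dict[str, datetime] = {}  # principal -> when it got a privileged role
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        act = ev["activity"]
        details = ev.get("details", {})
        delegated = ev.get("initiator_partner", False) or ev["initiator_type"] == "servicePrincipal"

        # Step 1: a credential added to a service principal is how a modified
        # service principal configuration becomes durable access; alert on all.
        if act == "Add service principal credentials":
            alerts.append(Alert("sp-credential-added", ev["time"], ev["initiator"], ev["target"]))

        # Step 2: a privileged role granted from a partner/delegated admin or
        # service principal session; remember the recipient for step 3.
        elif act == "Add member to role" and details.get("roleName") in PRIVILEGED_ROLES:
            elevated[ev["target"]] = _ts(ev["time"])
            if delegated:
                alerts.append(Alert("privileged-role-via-delegated-admin",
                                    ev["time"], ev["initiator"], ev["target"]))

        # Step 3: an account created by an identity elevated within the window
        # matches the "created new accounts" persistence behaviour.
        elif act == "Add user":
            granted = elevated.get(ev["initiator"])
            if granted is not None and _ts(ev["time"]) - granted <= window:
                alerts.append(Alert("user-created-by-newly-elevated",
                                    ev["time"], ev["initiator"], ev["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.time} {alert.rule}: {alert.initiator} -> {alert.target}")
```

Run against the constructed events, the sketch raises three alerts for the chained steps and ignores the benign Reports Reader assignment. In a real tenant the same logic would run over exported directory audit records, with the partner flag derived from whether the initiating session came through a delegated admin relationship.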
A Serious Escalation in State-Sponsored Threats
The operations of MURKY PANDA highlight the growing sophistication of Chinese cyber espionage efforts. Their focus on cloud architecture, SaaS environments, and identity systems makes them particularly dangerous, as these attack paths are still under-monitored in many organizations.