A Chinese state-sponsored hacking group known as Murky Panda (Silk Typhoon) exploits trusted relationships in cloud environments to gain initial access to the networks and data of downstream customers.

Murky Panda, also known as Silk Typhoon (Microsoft) and Hafnium, is known for targeting government, technology, academic, legal, and professional services organizations in North America.

The hacking group, under its numerous names, has been linked to numerous cyberespionage campaigns, including the wave of Microsoft Exchange breaches in 2021 that utilized the ProxyLogon vulnerability. More recent attacks, include those on the U.S. Treasury’s Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment.

In March, Microsoft reported that Silk Typhoon had begun targeting remote management tools and cloud services in supply chain attacks to gain access to downstream customers’ networks.

Exploiting trusted cloud relationships

Murky Panda commonly gains initial access to corporate networks by exploiting internet-exposed devices and services, such as the CVE-2023-3519 flaw in Citrix NetScaler devices, ProxyLogin in Microsoft Exchange, and CVE-2025-0282 in Ivanti Pulse Connect VPN.

However, a new report by CrowdStrike demonstrates how the threat actors are also known to compromise cloud service providers to abuse the trust these companies have with their customers.

Because cloud providers are sometimes granted built-in administrative access to customer environments, attackers who compromise them can abuse this trust to pivot directly into downstream networks and data.

In one case, the hackers exploited zero-day vulnerabilities to break into a SaaS provider’s cloud environment. They then gained access to the provider’s application registration secret in Entra ID, which allowed them to authenticate as a service and log into downstream customer environments. Using this access, they were able to read customers’ emails and steal sensitive data.

In another attack, Murky Panda compromised a Microsoft cloud solution provider with delegated administrative privileges (DAP). By compromising an account in the Admin Agent group, the attackers gained Global Administrator rights across all downstream tenants. They then created backdoor accounts in customer environments and escalated privileges, enabling persistence and the ability to access email and application data.

CrowdStrike highlights that breaches via trusted-relationships are rare, they are less monitored than more common vectors such as credential theft. By exploiting these trust models, Murky Panda can more easily blend in with legitimate traffic and activity to maintain stealthy access for long periods.

In addition to their cloud-focused intrusions, Murky Panda also uses a variety of tools and custom malware to maintain access and evade detection.

The attackers commonly deploy the Neo-reGeorg open-source web shell and the China Chopper web shells, both widely associated with Chinese espionage actors, to establish persistence on compromised servers.

The group also has access to a custom Linux-based remote access trojan (RAT) called CloudedHope, which allows them to take control of infected devices and spread further in the network. 

Murky Panda also demonstrates strong operational security (OPSEC), including modifying timestamps and deleting logs to hinder forensic analysis.

The group is also known to use compromised small office and home office (SOHO) devices as proxy servers, allowing them to conduct attacks as if they were within a targeted country’s infrastructure. This allows their malicious traffic to blend in with normal traffic and evade detection.

Significant espionage threat

CrowdStrike warns that Murky Panda/Silk Typhoon is a sophisticated adversary with advanced skills and the ability to rapidly weaponize both zero-day and n-day vulnerabilities.

Their abuse of trusted cloud relationships poses a significant risk to organizations that utilize SaaS and cloud providers.

To defend against Murky Panda attacks, CrowdStrike recommends that organizations monitor for unusual Entra ID service principal sign-ins, enforce multi-factor authentication for cloud provider accounts, monitor Entra ID logs, and patch cloud-facing infrastructure promptly.

“MURKY PANDA poses a significant threat to government, technology, legal, and professional services entities in North America and to their suppliers with access to sensitive information,” concludes CrowdStrike.

“Organizations that rely heavily on cloud environments are innately vulnerable to trusted-relationship compromises in the cloud. China-nexus adversaries such as MURKY PANDA continue to leverage sophisticated tradecraft to facilitate their espionage operations, targeting numerous sectors globally.”