
Chinese APTs Murky Panda, Genesis Panda, and Glacial Panda escalate cloud and telecom espionage

3 unique sources, 3 articles

Summary


Three China-nexus cyber espionage groups, Murky Panda (also known as Silk Typhoon), Genesis Panda, and Glacial Panda, have escalated their activity against the cloud and telecom sectors. Murky Panda abuses trusted cloud relationships and zero-day vulnerabilities to breach enterprise networks. Genesis Panda targets cloud service providers to expand access and establish persistence. Glacial Panda targets telecommunications organizations to exfiltrate call detail records and related communications telemetry. All three rely on overlapping TTPs: exploitation of internet-facing appliances and known vulnerabilities, and living-off-the-land techniques. Their operations are driven by intelligence gathering, with a strong emphasis on stealth and persistence. Murky Panda has been observed exploiting CVE-2025-0282 in Ivanti Pulse Connect VPN, zero-day vulnerabilities in SaaS providers' cloud environments, and delegated administrative privileges (DAP) held by Microsoft cloud solution providers to obtain Global Administrator rights across all downstream tenants. The group routes its traffic through compromised SOHO devices used as proxy servers so that malicious traffic blends with normal traffic, and deploys web shells such as Neo-reGeorg and China Chopper to establish persistence.

Timeline

  1. 22.08.2025 14:06 · 3 articles · 25d ago

    Murky Panda exploits trusted cloud relationships and zero-day vulnerabilities

    Murky Panda has been observed abusing trusted cloud relationships to breach enterprise networks. Since 2023 the group has targeted high-profile organizations in government, technology, academic, legal, and professional services across North America, compromising cloud-based software and service providers in order to spy on its intended targets. It exploits zero-day vulnerabilities in SaaS providers' cloud environments to conduct lateral movement: after breaking into a provider, it accesses the provider's application registration secret in Entra ID and uses it to authenticate as that application in customer cloud accounts. In late 2024, Murky Panda compromised a supplier of a North American entity and used the supplier's administrative access to add a temporary backdoor Entra ID account, also backdooring several preexisting Entra ID service principals related to Active Directory management and email. The group has likewise compromised a Microsoft cloud solution provider holding delegated administrative privileges (DAP), gaining Global Administrator rights across all of the provider's downstream customer Entra ID tenants. For initial access it exploits internet-facing appliances, including CVE-2023-3519 in Citrix NetScaler ADC and NetScaler Gateway (unauthenticated remote code execution) and CVE-2025-0282 in Ivanti Pulse Connect VPN. Murky Panda compromises exposed SOHO devices and uses them as proxy servers to blend malicious traffic with normal traffic, and deploys web shells such as Neo-reGeorg and China Chopper to establish persistence. It uses CloudedHope, a custom malware family written in Golang, for information stealing and anti-analysis measures. Murky Panda modifies timestamps and deletes logs to hinder forensic analysis, demonstrating strong operational security (OPSEC).

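A defender-side illustration of how the Entra ID activity described in this entry (a supplier-held admin identity creating a short-lived backdoor account, granting it Global Administrator, and adding credentials to preexisting service principals) would surface in Entra ID audit logs. This is an added example, not code from CyberHappenings or from the cited reporting. The audit records are constructed; the tenant domain list, the user and service-principal names, the one-hour correlation window and the rule names are assumptions. The activityDisplayName values "Add user", "Add member to role" and "Add service principal credentials", and the Role.DisplayName modified property, are taken from the Entra ID audit log schema.

```python
"""Triage Entra ID audit-log records for the cloud TTPs described in this entry.

Added example, not from the page or the cited reporting. Sample records are
constructed; tenant domains, names and the correlation window are assumptions.
"""
import json
from datetime import datetime, timedelta

# Assumption: the tenant's own verified domains. Directory writes initiated by
# any other domain (a supplier, or a CSP partner acting through DAP) get flagged.
TENANT_DOMAINS = {"contoso.example"}

# Audit categories that cover identity, role and application changes.
PRIV_CATEGORIES = {"UserManagement", "RoleManagement", "ApplicationManagement"}

# Constructed sample records in the shape of Entra ID audit log entries.
# Every UPN, display name and timestamp below is invented for this example.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-11-03T02:14:07Z", "activityDisplayName": "Add user",
     "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "ops@supplier-msp.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "svc-backup2@contoso.example",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2024-11-03T02:15:31Z", "activityDisplayName": "Add member to role",
     "category": "RoleManagement",
     "initiatedBy": {"user": {"userPrincipalName": "ops@supplier-msp.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "svc-backup2@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2024-11-03T02:20:02Z",
     "activityDisplayName": "Add service principal credentials",
     "category": "ApplicationManagement",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup2@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "AD-Sync-Helper",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2024-11-04T09:02:44Z", "activityDisplayName": "Update user",
     "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "jdoe@contoso.example",
                          "modifiedProperties": []}]},
]


def upn_domain(upn: str) -> str:
    """Return the lower-cased domain part of a UPN ('' if there is none)."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def initiator(rec: dict) -> str:
    """Identity that performed the action: a user UPN, or an app display name."""
    who = rec.get("initiatedBy", {})
    user = who.get("user") or {}
    return user.get("userPrincipalName") or (who.get("app") or {}).get("displayName", "<unknown>")


def target(rec: dict) -> str:
    """First target resource, identified by UPN (users) or display name (apps/SPs)."""
    first = rec["targetResources"][0]
    return first.get("userPrincipalName") or first.get("displayName") or "<unknown>"


def assigned_role(rec: dict):
    """For 'Add member to role' events, return the role name; otherwise None."""
    if rec["activityDisplayName"] != "Add member to role":
        return None
    for res in rec["targetResources"]:
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop["newValue"])  # newValue is a JSON-encoded string
    return None


def analyze(records, tenant_domains=TENANT_DOMAINS, window=timedelta(hours=1)):
    """Return (rule, initiator, activity, target) findings, in time order."""
    findings = []
    created_at = {}  # target UPN -> creation time, to catch create-then-promote
    for rec in sorted(records, key=lambda r: r["activityDateTime"]):
        ts = datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        who, what, tgt = initiator(rec), rec["activityDisplayName"], target(rec)
        if what == "Add user":
            created_at[tgt] = ts
        # Rule 1: directory/role/app write from an identity outside the tenant's domains
        if rec["category"] in PRIV_CATEGORIES and upn_domain(who) not in tenant_domains:
            findings.append(("external-privileged-write", who, what, tgt))
        # Rule 2: Global Administrator granted; Rule 3: to an account created minutes earlier
        if assigned_role(rec) == "Global Administrator":
            findings.append(("global-admin-granted", who, what, tgt))
            if tgt in created_at and ts - created_at[tgt] <= window:
                findings.append(("new-account-promoted", who, what, tgt))
        # Rule 4: a new secret or certificate added to an existing service principal
        if what == "Add service principal credentials":
            findings.append(("sp-credential-added", who, what, tgt))
    return findings


if __name__ == "__main__":
    for rule, who, what, tgt in analyze(SAMPLE_AUDIT_LOG):
        print(f"{rule:26} {who:32} {what:36} -> {tgt}")
```

Each rule maps to one behaviour in the entry: an external initiator covers both the supplier's administrative access and DAP partner access, the create-then-promote pair is the temporary backdoor account, and the service-principal credential rule is the backdooring of preexisting service principals. In practice the external-initiator check would be seeded from the tenant's verified domains and its approved partner relationships rather than a hard-coded set.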


Similar Happenings

APT36 leverages Linux .desktop files for malware deployment in ongoing espionage campaign

APT36, a Pakistani threat actor also known as Transparent Tribe, is exploiting Linux .desktop files to install malware in attacks targeting government and defense entities in India. The campaign, active since August 1, 2025, aims at data exfiltration and maintaining persistent access. The attacks use phishing emails to deliver ZIP archives containing malicious .desktop files disguised as PDFs. The malware, a Go-based ELF executable, establishes persistence and communicates via a WebSocket channel for command and control. The campaign also targets Windows and BOSS Linux systems, using decoy PDFs and anti-debugging techniques to evade detection.

Shamos Infostealer Malware Targeting macOS Through ClickFix Attacks

A new infostealer malware, Shamos, is targeting macOS devices through ClickFix attacks. Developed by the COOKIE SPIDER group, Shamos steals data and credentials from browsers, Keychain, Apple Notes, and cryptocurrency wallets. The malware has attempted infections in over 300 monitored environments worldwide since June 2025. Victims are lured via malvertising or fake GitHub repositories that prompt them to execute malicious shell commands in the macOS Terminal. Once executed, Shamos performs anti-VM checks, host reconnaissance, and data collection. It then packages the stolen data into an archive and transmits it to the attackers. The malware can also download additional payloads and ensure persistence via a Plist file.

Threat Actors Exploit VPS Infrastructure for SaaS Account Compromises

Threat actors, including the China-linked APT41 group, are exploiting commercial virtual private server (VPS) infrastructure to quickly and stealthily set up attack infrastructure. This tactic has been observed in coordinated SaaS account compromises across multiple customer environments and in targeted cyber espionage campaigns against U.S. trade officials. The abuse of VPS services allows attackers to bypass geolocation-based defenses, evade IP reputation checks, and blend into legitimate behavior. The attacks involved brute-force attempts, anomalous logins, phishing campaign-related inbox rule creation, and impersonation tactics. In notable incidents, attackers successfully compromised accounts by exploiting VPS services from providers such as Hyonix, Host Universal, Mevspace, and Hivelocity. The attackers deleted phishing emails and created obfuscated email rules to conceal their activities. The use of VPS infrastructure enables attackers to rapidly deploy infrastructure, making it difficult for defenders to track and respond to threats. The impersonation of U.S. Rep. John Moolenaar was part of a larger espionage campaign targeting U.S. trade officials. The campaign involved spear-phishing attacks impersonating a U.S. Congressman to gain unauthorized access to systems and sensitive information. The attacks exploited developer tools to create hidden pathways and siphon data to attacker-controlled servers.

UNC5518 Access-as-a-Service Scheme Deploys CORNFLAKE.V3 Backdoor

UNC5518, a threat actor tracked by Mandiant, has been deploying the CORNFLAKE.V3 backdoor via the ClickFix social engineering tactic and fake CAPTCHA pages. This access-as-a-service scheme provides initial access to systems, which is then monetized by other threat groups, including UNC5774 and UNC4108. The backdoor supports multiple payload types and uses Cloudflare tunnels to evade detection. The attack chain begins with users interacting with compromised search results or malicious ads, leading them to fake CAPTCHA pages. Users are then tricked into executing a malicious PowerShell script, which downloads and executes CORNFLAKE.V3. The backdoor collects system information and can execute various payloads, including additional backdoors and credential-harvesting scripts. The CORNFLAKE.V3 backdoor is an updated version of CORNFLAKE.V2, featuring enhanced capabilities such as host persistence and support for additional payload types. The scheme has been observed since at least 2024, with multiple threat actors leveraging the initial access provided by UNC5518.

Multistage social engineering attacks targeting help desk teams

Threat actors are executing multistage, high-touch social engineering campaigns targeting help desk teams. These attacks exploit human instincts and familiarity to bypass traditional perimeter controls and gain network access. The primary goal is to manipulate help desk personnel into resetting passwords or overriding multifactor authentication (MFA) for privileged accounts. The FBI has issued alerts about groups like Scattered Spider, highlighting the increasing prevalence of these attacks. Organizations must rethink their help desk operations, including request validation processes and the culture that shapes real-time decisions. Training alone is insufficient; organizations need to implement robust protocols and foster a security-first culture.