Murky Panda, Genesis Panda, and Glacial Panda Target Cloud and Telecom Sectors

📰 2 unique sources, 2 articles

Summary

Chinese cyber espionage groups Murky Panda, Genesis Panda, and Glacial Panda have escalated their activity against the cloud and telecom sectors.

Murky Panda (also tracked as Silk Typhoon) has been active since at least 2021, targeting government, technology, academic, legal, and professional services entities in North America. It gains initial access by exploiting internet-facing appliances, SOHO devices, and known vulnerabilities in Citrix and Commvault products, as well as zero-day vulnerabilities, and maintains persistence with web shells and custom malware such as CloudedHope. The group abuses trusted cloud relationships: by compromising cloud service providers it gains access to the environments of their downstream customers.

Genesis Panda, active since January 2024, targets financial services, media, telecommunications, and technology organizations across 11 countries. It exploits cloud-hosted systems for lateral movement and persistence, using compromised credentials to burrow deeper into cloud accounts.

Glacial Panda focuses on telecom organizations, with the aim of exfiltrating call detail records (CDRs) and related telemetry, and has seen a 130% increase in activity against the sector. It targets Linux systems and legacy operating systems, exploiting known vulnerabilities and weak passwords to gain access, and deploys trojanized OpenSSH components to harvest credentials.

Timeline

  1. 22.08.2025 14:06 📰 2 articles

    Murky Panda, Genesis Panda, and Glacial Panda Escalate Cloud and Telecom Espionage

    Murky Panda, Genesis Panda, and Glacial Panda have escalated their activity against the cloud and telecom sectors. Murky Panda exploits trusted cloud relationships and zero-day vulnerabilities to breach enterprise networks; Genesis Panda targets cloud services for lateral movement and persistence; Glacial Panda targets telecom organizations to exfiltrate call detail records and related telemetry.

    Murky Panda has been active since at least 2021, targeting government, technology, academic, legal, and professional services entities in North America. The group exploits internet-facing appliances, SOHO devices, and known vulnerabilities in Citrix and Commvault products for initial access, and deploys web shells and custom malware such as CloudedHope to maintain persistence. In March, Microsoft reported that Silk Typhoon (the name under which Microsoft tracks the same actor) had begun targeting remote management tools and cloud services in supply chain attacks to reach downstream customers' networks. Murky Panda exploits zero-day vulnerabilities in SaaS providers and compromises cloud service providers to gain access to downstream customer environments. It routes traffic through compromised SOHO devices used as proxy servers to blend in with normal traffic and evade detection, and shows strong operational security, including modifying file timestamps and deleting logs to hinder forensic analysis.

    Genesis Panda, active since January 2024, targets financial services, media, telecommunications, and technology organizations across 11 countries. It exploits cloud-hosted systems for lateral movement and persistence, using compromised credentials to burrow deeper into cloud accounts.

    Glacial Panda has seen a 130% increase in activity against the telecom sector, focusing on Linux systems and legacy operating systems. It exploits known vulnerabilities and weak passwords to gain access and deploys trojanized OpenSSH components for credential harvesting.

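Two of the host-level techniques named above, trojanized OpenSSH components (Glacial Panda) and timestamp modification to frustrate forensics (Murky Panda), can be checked for with a pair of simple host checks. The following is an added example written for this page, not code from CrowdStrike, Microsoft, or either reporting source. It verifies SSH and PAM binaries against a known-good SHA-256 manifest (here constructed inline; on a real host it would be taken from the package manager, e.g. `dpkg -V openssh-server` or `rpm -V openssh-server`, or from a golden image) and flags files whose modification time is far older than their inode change time, which is what `touch -r`-style timestomping leaves behind because the kernel resets ctime on every utime() call. All paths and file contents are constructed for the demonstration.

```python
"""Host checks for two TTPs on this page: trojanized OpenSSH/PAM binaries
and timestomping.  Added example; not from the original reporting."""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 of a file so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest: Dict[str, str], root: Path) -> List[str]:
    """Return manifest entries (relative paths) that are missing on disk or whose
    hash differs from the known-good value.  In production the manifest comes
    from the package manager or a golden image, never from the host itself."""
    bad = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_of(p) != expected:
            bad.append(rel)
    return sorted(bad)


def looks_timestomped(path: Path, skew_seconds: int = 86400) -> bool:
    """utime()/`touch -t` lets an attacker set mtime to any value, but the kernel
    updates ctime to 'now' on that same call.  mtime far older than ctime is
    therefore a timestomping indicator (see caveats in the usage note)."""
    st = path.stat()
    return (st.st_ctime - st.st_mtime) > skew_seconds


def demo() -> dict:
    """Constructed scenario: a clean sshd and pam_unix.so, after which sshd is
    'trojanized' by appending a stub and timestomped back one year."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "usr/sbin").mkdir(parents=True)
        (root / "lib/security").mkdir(parents=True)
        clean_sshd = b"\x7fELF stand-in for a clean sshd binary\n"   # constructed
        clean_pam = b"\x7fELF stand-in for pam_unix.so\n"            # constructed
        (root / "usr/sbin/sshd").write_bytes(clean_sshd)
        (root / "lib/security/pam_unix.so").write_bytes(clean_pam)
        manifest = {
            "usr/sbin/sshd": hashlib.sha256(clean_sshd).hexdigest(),
            "lib/security/pam_unix.so": hashlib.sha256(clean_pam).hexdigest(),
        }
        before = verify_manifest(manifest, root)

        # Attacker step 1: backdoor sshd (stand-in for a credential-logging patch).
        with open(root / "usr/sbin/sshd", "ab") as f:
            f.write(b"/* stand-in: log_password_to_file() */\n")
        # Attacker step 2: push mtime/atime back a year to hide the change.
        a_year_ago = time.time() - 365 * 86400
        os.utime(root / "usr/sbin/sshd", (a_year_ago, a_year_ago))

        return {
            "before": before,                               # []
            "after": verify_manifest(manifest, root),       # ["usr/sbin/sshd"]
            "sshd_timestomped": looks_timestomped(root / "usr/sbin/sshd"),          # True
            "pam_timestomped": looks_timestomped(root / "lib/security/pam_unix.so"),  # False
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hash check is the authoritative one; the mtime/ctime heuristic is a triage aid and must be read with two caveats. First, ctime also changes on chmod, chown, and rename, so a legitimately re-permissioned file trips it. Second, package managers such as dpkg preserve the archive's mtime when extracting, so on most systems every package-installed binary has a build-time mtime and an install-time ctime; run the heuristic only on files that already failed the hash check, or on files outside package management, rather than across `/usr/bin`.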
Similar Happenings

APT29 Watering Hole Campaign Targeting Microsoft Device Code Authentication

Amazon disrupted an APT29 watering hole campaign that abused Microsoft's device code authentication flow. APT29, a Russia-linked state-sponsored group, injected JavaScript into compromised websites that redirected visitors to actor-controlled domains mimicking Cloudflare verification pages. The pages tried to get victims to enter a legitimate device code into a Microsoft sign-in page, which would authorize an attacker-controlled device and grant the actor access to the victim's Microsoft account and data. The campaign used Base64 encoding to conceal the injected code, set cookies to avoid redirecting the same visitor repeatedly, and moved to new infrastructure when blocked; after Amazon's intervention the actor registered additional domains to keep the campaign going. The activity marks a shift in APT29's approach away from domains impersonating AWS and from social engineering aimed at bypassing multi-factor authentication (MFA).

Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks

Chinese state-sponsored Advanced Persistent Threat (APT) actors, including the group tracked as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. The campaign targets telecommunications, transportation, lodging, and military networks, exploiting vulnerabilities in routers and taking steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing the ongoing activity and providing actionable guidance and intelligence for defenders. The advisory builds on previous reporting and incorporates threat intelligence from investigations conducted through August 2025; it attributes the cluster to multiple APTs whose indicators partially overlap with industry reporting on Salt Typhoon and other Chinese state-sponsored groups. Salt Typhoon has been active since at least 2019 and has targeted at least 600 organizations, including 200 in the U.S., across 80 countries. The advisory describes how state-backed actors including Salt Typhoon penetrate networks around the world and how defenders can protect their own environments.

The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, citing the transfer of system and user data to the PRC and the remote administration of technical assets from there. NUKIB assesses the risk of significant disruption caused by China as 'High', meaning a high probability of occurrence, and confirmed malicious activity by Chinese cyber actors against the Czech Republic, including a recent APT31 campaign against the Czech Ministry of Foreign Affairs; the Czech government had previously accused China of targeting its critical infrastructure through an APT31 campaign that began in 2022. NUKIB also warns that the Chinese government has access to data stored with private cloud service providers operating in the Czech Republic, keeping sensitive data within its reach, and flags consumer and industrial devices manufactured by Chinese firms, such as smartphones, IP cameras, electric cars, large language models, medical devices, and photovoltaic converters, as capable of transferring potentially sensitive data to Chinese infrastructure. China's offensive cyber activity includes Salt Typhoon's large-scale telco intrusions and pre-positioning for potentially destructive attacks. Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, with the oldest registration activity dating to May 2020.

Shamos infostealer targeting macOS devices via ClickFix attacks

A new infostealer called Shamos is targeting macOS devices. Developed by the COOKIE SPIDER group, it steals data and credentials from browsers, the Keychain, Apple Notes, and cryptocurrency wallets. It is distributed through ClickFix attacks that impersonate troubleshooting guides and fixes; since June 2025 it has attempted infections in over three hundred environments worldwide. Victims are lured via malvertising or fake GitHub repositories and prompted to paste and execute shell commands in the macOS Terminal, which download and run the malware while bypassing macOS security mechanisms. Shamos performs anti-VM checks, host reconnaissance, and data collection, packages the stolen data into an archive, and transmits it to the attackers. It can also download additional payloads and establishes persistence via a plist file.

Threat Actors Exploit VPS Infrastructure for Stealthy SaaS Attacks

Threat actors are abusing commercial virtual private server (VPS) infrastructure to launch attacks on software-as-a-service (SaaS) environments quickly and stealthily. The tactic lets them evade geolocation-based defenses, bypass IP reputation checks, and blend into legitimate user traffic. In May, Darktrace observed multiple incidents involving VPS abuse, including brute-force attempts, anomalous logins, and phishing-related activity. Two notable attacks involved Hyonix VPS addresses being used to hijack active email sessions and create obfuscated inbox rules, aiming to remain undetected while potentially setting the stage for data exfiltration or spam distribution.

Social Engineering Attacks Targeting MFA and Help Desks

Threat actors are increasingly using social engineering to bypass traditional security controls, targeting help desks to obtain MFA resets and password overrides that grant unauthorized network access. The approach exploits human and organizational weaknesses rather than technical flaws. The FBI has highlighted groups such as Scattered Spider as prominent actors in these campaigns. In August 2023, Scattered Spider targeted Clorox, causing approximately $380 million in damages: the attackers repeatedly phoned the service desk, obtained credential resets without meaningful identity verification, and quickly gained domain-admin access. The incident underscores the need for robust caller verification and effective communication between help desks and security teams. Organizations must rethink help desk operations and training so that frontline staff recognize red flags and escalate suspicious requests, prioritize security over speed, and receive ongoing, relevant training; close coordination between help desks and security teams improves detection of and response to social engineering attempts.