Murky Panda-Silk Typhoon-Hafnium ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Murky Panda is abusing trusted cloud relationships and internet-facing access paths to reach downstream enterprise tenants, raising the risk of stealthy cloud compromise across SaaS supply chains. The group's use of zero-day vulnerabilities to enter SaaS providers' cloud environments can turn one supplier breach into lateral movement and broader access. That tradecraft matters because it supports intelligence collection while blending into legitimate partner activity.
Related Happenings
Sha1-Hulud supply-chain campaign expands secret theft across npm and GitHub
Campaign
First: 02.01.2026 16:19
Last: 02.01.2026 16:19
Sources 1
About this happening:
**Shai-Hulud** is a **self-replicating npm supply-chain worm** that first appeared in **September 2025** and spread by stealing **developer secrets** and **GitHub tokens** from co...
Latest development: 26.01.2026 16:02
Koi Security found PackageGate flaws in pnpm, vlt, Bun, and NPM that let a malicious `.npmrc` override the git binary path during Git repository installs, bypass `--ignore-scripts=true` and trigger full code execution. Bun patched the flaws in version 1.3.5, vlt fixed them after Koi's report, pnpm released fixes for CVE-2025-69263 and CVE-2025-69264, and NPM closed the report as "works as expected."
Microsoft Teams cross-tenant Defender blind spot security flaw
Vulnerability
First: 28.11.2025 10:33
Last: 28.11.2025 10:33
Sources 1
About this happening:
**Microsoft Teams** has a **cross-tenant Defender blind spot** where **guest invitations** can move chats outside an organization’s protection boundary, creating **phishing** and...
UNC1549 Middle East aerospace and defense intrusion campaign
Campaign
First: 18.11.2025 14:54
Last: 18.11.2025 14:54
Sources 1
About this happening:
UNC1549 is running a **late 2023 through 2025** intrusion campaign against **aerospace, aviation, and defense** organizations in the **Middle East**, using **third-party relations...
Discord hit by network compromise
Incident
First: 04.10.2025 14:16
Last: 04.10.2025 14:16
Sources 1
About this happening:
Discord confirmed a **third-party customer service system compromise** that gave an unauthorized party **limited access** to support infrastructure used by the company. The incide...
RedNovember-Storm-2077-TAG-100 alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 24.09.2025 19:36
Last: 24.09.2025 19:36
Sources 1
About this happening:
**Recorded Future** has reclassified **TAG-100** as **RedNovember**, clarifying a **Chinese state-sponsored** espionage actor also tracked by **Microsoft** as **Storm-2077**. The...
Timeline
- 22.08.2025 14:06 · 1 article
Murky Panda abuses trusted cloud relationships
Technical Analysis Update
A China-nexus espionage group known as Murky Panda, also tracked as Silk Typhoon and formerly Hafnium, is abusing trusted relationships between partner organizations and cloud tenants to breach SaaS providers' cloud environments and move laterally into downstream victims. The tradecraft also includes exploiting internet-facing appliances, deploying web shells such as neo-reGeorg, and dropping the CloudedHope RAT to maintain persistence and reduce detection. One late-2024 example involved a supplier of a North American entity, where administrative access to the victim entity's Entra ID tenant was used to add a temporary backdoor Entra ID account and to backdoor preexisting Entra ID service principals tied to Active Directory management and email.
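As an added defender-side illustration (not code from the original article or from the reporting it cites), the check below walks constructed Entra ID audit records and flags the two actions the late-2024 example describes: a freshly created account that is granted a role within a short window, and credentials added to a pre-existing service principal by an actor outside an allow-list. The record layout, the activity names and the actor/target values are simplified assumptions, not the real Entra ID audit log schema.

```python
"""Flag audit events matching the Entra ID backdoor pattern described above.
The record shape and activity names are assumptions (simplified stand-ins for
Entra ID audit log entries), and every record below is constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry).
AUDIT_LOG = [
    {"time": "2024-11-20T02:14:05Z", "activity": "Add user",
     "actor": "admin@supplier.example", "target": "svc-sync@victim.example"},
    {"time": "2024-11-20T02:16:40Z", "activity": "Add member to role",
     "actor": "admin@supplier.example", "target": "svc-sync@victim.example",
     "role": "Global Administrator"},
    {"time": "2024-11-20T02:31:12Z", "activity": "Add service principal credentials",
     "actor": "admin@supplier.example", "target": "AD-Management-Connector"},
    {"time": "2024-11-21T09:00:00Z", "activity": "Add service principal credentials",
     "actor": "automation@victim.example", "target": "Billing-App"},
]


def _ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_backdoor_indicators(log, window=timedelta(hours=1), trusted_actors=()):
    """Return a list of (reason, record) pairs that merit analyst review.

    - A role assignment to an account created less than `window` earlier
      mirrors the temporary backdoor account in the late-2024 example.
    - Credential additions to existing service principals by actors not in
      `trusted_actors` mirror the backdoored service principals.
    """
    created = {}  # target account -> creation time seen earlier in the log
    hits = []
    for rec in sorted(log, key=lambda r: _ts(r["time"])):
        act, tgt = rec["activity"], rec["target"]
        if act == "Add user":
            created[tgt] = _ts(rec["time"])
        elif act == "Add member to role" and tgt in created:
            if _ts(rec["time"]) - created[tgt] <= window:
                hits.append(("new account granted role within window", rec))
        elif act == "Add service principal credentials":
            if rec["actor"] not in trusted_actors:
                hits.append(("credentials added to existing service principal", rec))
    return hits


if __name__ == "__main__":
    for reason, rec in find_backdoor_indicators(
            AUDIT_LOG, trusted_actors=("automation@victim.example",)):
        print(f"{rec['time']} {reason}: {rec['actor']} -> {rec['target']}")
```

The allow-list for service principal credential changes should be the tenant's own change-management identities; partner-tenant administrators acting under a trusted relationship are exactly the actors this check is meant to surface.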
- Chinese Hackers Murky, Genesis, and Glacial Panda Escalate Cloud and Telecom Espionage — thehackernews.com — 22.08.2025 14:06