Group targets cloud environments to compromise high-profile targets.
A threat actor tracked as MURKY PANDA has been identified exploiting internet-facing appliances and cloud environments to gain access to sensitive systems for more than two years.
Described by CrowdStrike as “a sophisticated adversary leveraging advanced tradecraft to compromise high-profile targets,” the China-nexus threat actor focuses on cloud environments to reach those targets.
The group also has knowledge of custom application logic and niche Entra ID concepts, and evades defences on victim systems by targeting rarely monitored access vectors. MURKY PANDA’s operational security, which focuses on sanitising logs on victim systems, further underscores the sophistication of its operations.
Cloud-Conscious Adversary
Active since at least 2023, MURKY PANDA is described as a cloud-conscious adversary with a broad targeting scope, with operations particularly focused on government, technology, academia, legal, and professional services entities in North America. Its activity aligns with China-nexus targeted intrusion activity tracked by industry sources as Silk Typhoon.
Its “significant capabilities” include access to low-prevalence malware and the ability to rapidly weaponise n-day and zero-day vulnerabilities in its cyberespionage operations, including flaws in Citrix NetScaler (CVE-2023-3519) and Commvault (CVE-2025-3928).
MURKY PANDA also conducts trusted-relationship compromises in the cloud, remaining undetected for extended periods and gaining prolonged access to victims’ environments. In at least two analysed incidents, MURKY PANDA exploited zero-day vulnerabilities to break into SaaS providers’ cloud environments, then leveraged that access to move into downstream customer systems.
In one case, the group compromised an application using Microsoft Entra ID, stole an application registration secret, and authenticated as a trusted service principal to log into customer environments. This gave it access to sensitive communications, including email, underscoring the serious risks posed by supply-chain style compromises in the cloud.
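A stolen application secret still has to be used, and the resulting service-principal sign-ins land in the customer tenant’s Entra ID sign-in data. The following added example (not from CrowdStrike or the article) shows the baseline check a defender can run over exported sign-in events: it flags a service principal authenticating from an address, against a resource, or into a tenant it has never used before. All records are constructed, and the field names (`sp`, `ip`, `resource`, `tenant`) are assumptions rather than a real export schema.

```python
"""Baseline check for service-principal sign-ins, as a defender would run it
over exported Entra ID sign-in data. All records here are constructed; the
field names (sp, ip, resource, tenant) are assumptions, not a real schema."""

# Constructed baseline: where and against what each app normally authenticates.
BASELINE = {
    "sp-mail-sync": {
        "ips": {"203.0.113.10"},
        "resources": {"Microsoft Graph"},
        "tenants": {"customer-a"},
    },
}

# Constructed sample sign-in events for that service principal.
SAMPLE_EVENTS = [
    # Normal: known address, known resource, known tenant.
    {"sp": "sp-mail-sync", "ip": "203.0.113.10",
     "resource": "Microsoft Graph", "tenant": "customer-a"},
    # Same secret used from an address the app has never used.
    {"sp": "sp-mail-sync", "ip": "198.51.100.7",
     "resource": "Microsoft Graph", "tenant": "customer-a"},
    # Same secret used to reach a mail resource in a downstream tenant.
    {"sp": "sp-mail-sync", "ip": "198.51.100.7",
     "resource": "Exchange Online", "tenant": "customer-b"},
    # A service principal with no baseline at all.
    {"sp": "sp-unknown", "ip": "198.51.100.7",
     "resource": "Microsoft Graph", "tenant": "customer-b"},
]


def find_anomalies(events, baseline):
    """Return (service principal, reasons) for each event outside its baseline."""
    findings = []
    for ev in events:
        known = baseline.get(ev["sp"])
        if known is None:
            findings.append((ev["sp"], ["no baseline for service principal"]))
            continue
        reasons = []
        for field, plural in (("ip", "ips"), ("resource", "resources"),
                              ("tenant", "tenants")):
            if ev[field] not in known[plural]:
                reasons.append(f"new {field}: {ev[field]}")
        if reasons:
            findings.append((ev["sp"], reasons))
    return findings


if __name__ == "__main__":
    for sp, reasons in find_anomalies(SAMPLE_EVENTS, BASELINE):
        print(sp, "->", "; ".join(reasons))
```

The first event is silent; the second and third fire on the new address and the new downstream tenant, which is the pattern a trusted-relationship compromise leaves behind in the victim’s own sign-in data.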
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.