Chinese hackers Murky, Genesis and Glacial Panda escalate espionage in the cloud and telecom

25.08.2025 2 minutes Author: Newsman

CrowdStrike analysts have recorded the activation of Chinese groups Murky Panda, Genesis Panda and Glacial Panda, which use vulnerabilities in cloud services and telecommunications systems for long-term espionage operations against government and corporate structures.

Murky Panda (Silk Typhoon, formerly Hafnium) is known for its attacks on Microsoft Exchange in 2021. Today the group exploits Internet-facing appliances, including vulnerabilities in Citrix NetScaler (CVE-2023-3519) and Commvault (CVE-2025-3928), to install the neo-reGeorg web shell and deploy the CloudedHope backdoor. Particularly dangerous is its abuse of trusted relationships between cloud partners: the attackers gain administrative access to Entra ID and create temporary accounts for espionage, mainly against email services.

Genesis Panda has been active since 2024, attacking financial, media and technology companies in 11 countries. It actively harvests credentials through the Instance Metadata Service, which allows it to move laterally inside cloud accounts, maintain a stealthy presence, and act as an initial access broker for other groups.

Glacial Panda targets the telecom sector, where state-sponsored attacks have increased by 130% year-over-year. It operates in the US, Asia, Africa and Latin America, using known exploits and weak passwords to penetrate Linux servers. Once inside, it deploys a Trojanized OpenSSH called ShieldSlide, which steals credentials and provides backdoor access, including as root.
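The credential harvesting described above works because an actor with code execution on a cloud instance can read the instance role's credentials from the metadata service. As an added defensive example (not code from the article or from CrowdStrike), the script below audits the `MetadataOptions` block that `aws ec2 describe-instances` returns and flags instances that still allow IMDSv1 or a hop limit above 1; the sample instance records are constructed for the example.

```python
"""Audit EC2 instance metadata options for IMDS credential-theft exposure.

Requiring IMDSv2 (HttpTokens=required) forces a session token obtained via
PUT before any credentials can be read, and a hop limit of 1 keeps requests
forwarded through containers or proxies from reaching the service.
"""

# Constructed sample: trimmed copies of what `describe-instances` returns.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb222", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc333", "MetadataOptions": {
        "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd444", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 3}},
]


def audit_imds(instance: dict) -> list[str]:
    """Return the findings for one instance; an empty list means hardened."""
    opts = instance.get("MetadataOptions", {})
    findings = []
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return findings  # IMDS unreachable: no credentials exposed on this path
    if opts.get("HttpTokens", "optional") != "required":
        findings.append("IMDSv1 allowed: credentials readable with one unauthenticated GET")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append("hop limit > 1: forwarded requests from containers can reach IMDS")
    return findings


def report(instances: list[dict]) -> dict[str, list[str]]:
    """Map instance id -> findings, listing only instances that need attention."""
    return {i["InstanceId"]: f for i in instances if (f := audit_imds(i))}


if __name__ == "__main__":
    for iid, findings in report(SAMPLE_INSTANCES).items():
        print(iid)
        for finding in findings:
            print("  -", finding)
        # Remediation for a flagged instance:
        #   aws ec2 modify-instance-metadata-options --instance-id <id> \
        #       --http-tokens required --http-put-response-hop-limit 1
```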

Murky Panda made a name for itself in 2021 with its zero-days against Exchange, while Genesis Panda and Glacial Panda demonstrate China’s new focus on cloud services and telecoms as sources of large-scale intelligence. The tactics, from direct attacks on hardware appliances to manipulation of SaaS environments, indicate Beijing’s strategic shift to comprehensive cyber operations.

The activities of Murky, Genesis and Glacial Panda confirm that cloud services and telecommunications have become key targets of modern cyber espionage. The use of zero-days, backdoors and Trojanized components makes these attacks hard to detect and long-lasting. It is critical for organizations to strengthen cloud security, keep servers patched and minimize supply chain risks.
