
Cybersecurity researchers are drawing attention to malicious activity by a China-nexus cyber espionage group known as Murky Panda, which involves abusing trusted relationships in the cloud to breach enterprise networks.
“The adversary also demonstrates considerable ability to rapidly weaponize N-day and zero-day vulnerabilities, and frequently achieves initial access to targets by leveraging internet-facing appliances,” CrowdStrike said in a report Thursday.
Murky Panda, also known as Silk Typhoon (formerly Hafnium), is best known for its 2021 zero-day exploitation of vulnerable Microsoft Exchange servers. The hacking group's attacks target North American government, technology, academic, legal and professional services entities.
Earlier this March, Microsoft detailed the threat actor's shifting tactics, including its targeting of the information technology (IT) supply chain as a way to gain initial access to corporate networks. Murky Panda's operations are assessed to be driven by intelligence gathering.
Like other Chinese hacking groups, Murky Panda leverages internet-facing appliances to gain initial access, and it is also believed to compromise small office/home office (SOHO) devices in its target countries for use as exit nodes for its attacks.
Other infection routes include the use of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928). Initial access is used to deploy web shells like Neo-reGeorg to establish persistence and ultimately drop custom malware called CloudedHope.

CloudedHope is a 64-bit ELF binary written in Golang that acts as a basic remote access tool (RAT) while employing anti-analysis and operational security (OPSEC) measures.
A notable aspect of Murky Panda's tradecraft, however, concerns the abuse of trusted relationships between partner organizations and their cloud tenants: exploiting zero-day vulnerabilities to breach a software-as-a-service (SaaS) provider's cloud environment and then moving laterally to downstream victims.
In at least one instance observed in late 2024, the threat actor compromised a supplier of a North American entity and used the supplier's administrative access to the victim's Entra ID tenant to add a temporary backdoor Entra ID account.
“Using this account, the threat actor backdoored several existing Entra ID service principals related to Active Directory management and email,” CrowdStrike said. “The adversary's targets appear to be targeted in nature based on their focus on email access.”
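One way a defender can hunt for the pattern just described (a short-lived account that adds credentials to existing service principals and is then removed) is to correlate Entra ID audit events. The following is an added example, not code from CrowdStrike or the report; the records are constructed in the Microsoft Graph directoryAudit shape, and the activity names, user names and service principal names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed Entra ID audit records in the Microsoft Graph directoryAudit shape
# (activityDateTime, activityDisplayName, initiatedBy, targetResources); not from the report.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-11-02T09:12:00Z", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "partner-admin@supplier.example"}},
     "targetResources": [{"userPrincipalName": "svc-maint@victim.example"}]},
    {"activityDateTime": "2024-11-02T09:40:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-maint@victim.example"}},
     "targetResources": [{"displayName": "AD-Sync-Automation"}]},
    {"activityDateTime": "2024-11-02T09:41:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "svc-maint@victim.example"}},
     "targetResources": [{"displayName": "Mail-Reporting"}]},
    {"activityDateTime": "2024-11-03T10:00:00Z", "activityDisplayName": "Delete user",
     "initiatedBy": {"user": {"userPrincipalName": "partner-admin@supplier.example"}},
     "targetResources": [{"userPrincipalName": "svc-maint@victim.example"}]},
    {"activityDateTime": "2024-11-05T08:00:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@victim.example"}},
     "targetResources": [{"displayName": "HR-Connector"}]},
]

def _ts(rec):
    return datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
def find_backdoored_service_principals(records, max_age=timedelta(days=7)):
    """Flag service-principal credential additions made by an account created less
    than max_age earlier, and note whether that account was deleted afterwards."""
    created, deleted = {}, {}          # userPrincipalName -> event time
    for r in records:
        upn = r["targetResources"][0].get("userPrincipalName")
        if r["activityDisplayName"] == "Add user":
            created[upn] = _ts(r)
        elif r["activityDisplayName"] == "Delete user":
            deleted[upn] = _ts(r)
    findings = []
    for r in sorted(records, key=_ts):
        if r["activityDisplayName"] != "Add service principal credentials":
            continue
        actor, when = r["initiatedBy"]["user"]["userPrincipalName"], _ts(r)
        born = created.get(actor)
        if born is None or when - born > max_age:
            continue  # long-standing admin account: not the short-lived backdoor pattern
        findings.append({
            "service_principal": r["targetResources"][0]["displayName"],
            "actor": actor,
            "account_age_minutes": int((when - born).total_seconds() // 60),
            "actor_later_deleted": actor in deleted and deleted[actor] > when,
        })
    return findings
```

On the constructed data this flags the two service principals touched by the 28-minute-old account and ignores the change made by the established administrator.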
From Murky to Genesis
Another China-linked threat actor that has proven adept at operating in cloud services is Genesis Panda, which has been observed using basic, separate infrastructure and targeting cloud service provider (CSP) accounts to broaden access and establish a persistent fallback mechanism.
Genesis Panda, active since at least January 2024, has been attributed with a large number of operations in the financial services, media, telecommunications and technology sectors across 11 countries. The goal of the attacks is to enable access for future intelligence gathering activities.
The group's wide-ranging exploitation of web-facing vulnerabilities, combined with limited data exfiltration, suggests it may be acting as an initial access broker.
“While Genesis Panda targets a variety of systems, it shows a consistent interest in breaching cloud-hosted systems and leverages the cloud control plane for lateral movement, persistence and enumeration,” CrowdStrike said.
The adversary has been observed “consistently” querying the instance metadata service (IMDS) associated with cloud-hosted servers to retrieve cloud control plane credentials and enumerate the network and general instance configuration. It is also known to use credentials likely obtained from compromised virtual machines (VMs) to burrow deeper into the target cloud account.
The findings show that Chinese hacking groups are increasingly proficient at breaching and navigating cloud environments, while prioritizing stealth and persistence to ensure sustained access and the harvesting of sensitive data.
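Credentials retrieved from IMDS belong to an instance role, so one detection for the behaviour described above is to look for API calls made with an instance-role session from an address the instance should never be using. The following is an added example, not CrowdStrike's or any vendor's code: the CloudTrail-style records, account id, role name and trusted egress ranges are constructed for illustration, and the trusted ranges are an assumption a defender would replace with their own VPC and NAT addresses.

```python
import ipaddress

# Constructed CloudTrail-style records, not from the report. Credentials handed out by
# IMDS to an instance profile produce a role session named after the instance id, so
# userIdentity.arn ends in /i-<instance id>.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc1234def567890"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc1234def567890"}},
    {"eventName": "DescribeSecurityGroups", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc1234def567890"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc1234def567890"}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

# Assumed: where instance-role sessions legitimately originate (the VPC and its NAT egress IP).
TRUSTED_EGRESS = [ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("192.0.2.10/32")]

def is_instance_role_session(identity):
    """True for temporary credentials issued to an EC2 instance profile via IMDS."""
    if identity.get("type") != "AssumedRole":
        return False
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")

def find_instance_credentials_used_elsewhere(events, trusted=TRUSTED_EGRESS):
    """Group API calls made with instance-role credentials from IPs outside the trusted ranges."""
    alerts = {}
    for e in events:
        if not is_instance_role_session(e["userIdentity"]):
            continue
        try:
            ip = ipaddress.ip_address(e["sourceIPAddress"])
        except ValueError:
            continue  # an AWS service calling on the instance's behalf logs a DNS name, not an IP
        if any(ip in net for net in trusted):
            continue
        alerts.setdefault((e["userIdentity"]["arn"], str(ip)), []).append(e["eventName"])
    return [{"role_session": arn, "source_ip": ip, "calls": calls}
            for (arn, ip), calls in alerts.items()]
```

The enumeration calls from 203.0.113.7 are the only ones flagged; the in-VPC call, the service-originated call and the ordinary IAM user are all ignored.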
Glacier Panda attacks the telecommunications sector
According to CrowdStrike, the telecommunications sector has witnessed a 130% increase in nation-state activity over the past year, driven primarily by the fact that it is a treasure trove of intelligence. The latest threat actor to set its sights on the industry is a Chinese threat actor called Glacier Panda.
The hacking group's geographic footprint spans Afghanistan, Hong Kong, India, Japan, Kenya, Malaysia, Mexico, Panama, the Philippines, Taiwan, Thailand, and the United States.

“Glacier Panda likely conducts targeted intrusions for intelligence gathering purposes, accessing and exfiltrating detailed call records from multiple telecommunications organizations and associated communications telemetry,” the cybersecurity company said.
“The adversary primarily targets Linux systems typical of the telecommunications industry, including distributions of legacy operating systems that support older communications technologies.”
Attack chains implemented by the threat actor exploit known security vulnerabilities or weak passwords on internet-facing appliances and unmanaged servers.
In addition to relying on living-off-the-land (LOTL) techniques, Glacier Panda intrusions pave the way for the deployment of trojanized OpenSSH components to collect user authentication sessions and credentials.
“The ShieldSlide-trojanized SSH server binaries also provide backdoor access, authenticating any account (including root) when a hard-coded password is entered,” CrowdStrike said.