Inside China’s Murky, Genesis, and Glacial Panda: How Cloud and Telecom Espionage Is Escalating
If you manage cloud, identity, or telecom infrastructure, you’ve likely felt a shift. Attacks that once hit endpoints and perimeter boxes now slip through trusted cloud relationships, SaaS connectors, and vendor admin portals. That’s not by accident. Chinese state-linked threat groups—including Murky Panda (also known as Silk Typhoon/Hafnium), Genesis Panda, and Glacial Panda—are intensifying campaigns that target cloud control planes and telecommunications networks with surgical precision.
Here’s the headline: attackers are exploiting internet-facing appliances, weak third-party controls, and the soft underbelly of cloud identity to quietly access email, move laterally across tenants, and siphon sensitive data. They’re also pivoting into telecom providers to pull call detail records and communications telemetry, which are gold for intelligence operations.
In this guide, I’ll break down what’s happening, why it matters, and how to harden your environment right now. I’ll keep the jargon to a minimum and the practical takeaways front and center.
The short version: what’s happening and why it matters
- Chinese adversaries are abusing trust in cloud ecosystems. They compromise a supplier or SaaS provider, then use that partner’s legitimate access to backdoor downstream customers.
- Murky Panda is exploiting N-day/zero-day flaws in internet-facing appliances, planting web shells, and dropping custom cloud-ready malware to persist.
- Genesis Panda focuses on the cloud control plane. It harvests credentials from Instance Metadata Services (IMDS) and uses cloud accounts and CSP services for stealthy lateral movement and persistence.
- Glacial Panda is going after telecoms, targeting Linux systems, exploiting older privilege escalation bugs, and deploying trojanized OpenSSH components to capture credentials and maintain backdoor access.
- The goal across all three: long-term access, covert data collection, and minimal noise. Think fewer smash-and-grab ransomware moves, more silent, high-value espionage.
Here’s why that matters: your security controls can be perfect at the endpoint level, and you can still get blindsided through a trusted cloud connector or a vendor admin account. Identity really is the new perimeter—and it’s often managed by partners.
Let’s unpack each group and their tradecraft.
Murky Panda (Silk Typhoon/Hafnium): exploiting trust in the cloud
Murky Panda—also referred to by Microsoft as Silk Typhoon and known historically as Hafnium—has a track record of high-impact exploits, including the Microsoft Exchange zero-days that shook 2021. Recent activity shows the group is doubling down on cloud and partner abuse to get in, blend in, and stay in.
For context, see Microsoft’s analysis of Hafnium’s Exchange activity and China-nexus tradecraft for background: Microsoft Security blog on HAFNIUM.
Initial access: internet-facing appliances and rapid weaponization
Murky Panda frequently starts where defenders are stretched thin—on the edge:
- Exploiting public-facing appliances and services, including known flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE‑2023‑3519). Details: Citrix advisory for CVE-2023-3519.
- Leveraging new or recently disclosed vulnerabilities (N-days and zero-days) before patch cycles catch up.
- Compromising SOHO devices in target countries and using them as exit nodes to obfuscate origin and frustrate detection.
- Deploying web shells—such as neo‑reGeorg—to establish persistence and covert tunneling. Repo reference: neo-reGeorg on GitHub.
- Dropping CloudedHope, a 64-bit Golang-based RAT that includes anti-analysis and OPSEC features like timestamp tampering and indicator wiping.
Other observed vectors include exploitation of Commvault (CVE‑2025‑3928), underscoring the group’s preference for high‑leverage, internet‑facing software.
The cloud twist: abusing trusted relationships and Entra ID
The standout tactic is Murky Panda’s use of cloud trust to jump tenants and backdoor identity. In at least one late‑2024 case:
- The actor compromised a supplier of a North American organization.
- Using the supplier’s legitimate administrative privileges into the victim’s Microsoft Entra ID (formerly Azure AD), the actor created a temporary backdoor Entra ID account.
- They then “backdoored” preexisting Entra ID service principals related to Active Directory management and email, focusing on access to mailboxes.
Why this works:
- Cross-tenant trust is normal business. Vendors often hold high-privilege roles for support and integration.
- Service principals (app identities) are commonly overlooked. They often hold powerful permissions with long-lived secrets or certificates.
- Activity from a “known” partner blends in with expected admin actions.
If Entra ID is central to your identity fabric, spend a moment here. Microsoft’s docs on service principals and app consent are worth a refresher: Service principals in Microsoft Entra and Admin consent best practices.
Why Murky Panda’s approach is so effective
- It weaponizes the good stuff: default trust, automation, and convenience.
- It narrows objectives. The group often targets email and identity tooling—not everything at once—reducing noise.
- It exploits patch gaps and identity blind spots at the same time, forcing defenders to chase both infrastructure and SaaS threats.
Genesis Panda: mastering the cloud control plane
Genesis Panda is a separate China-linked actor active since at least January 2024. It runs high-volume campaigns across finance, media, telecom, and technology in 11 countries. CrowdStrike assesses its operations may enable later-stage intelligence collection, and possibly initial access brokering.
Core tactic: harvest cloud credentials via IMDS and pivot
Genesis Panda consistently queries cloud Instance Metadata Services (IMDS) on compromised servers. IMDS endpoints provide instance details and, in many configurations, temporary credentials for cloud APIs.
- AWS: IMDS is at 169.254.169.254. IMDSv1 answers any plain HTTP GET from inside the instance; IMDSv2 first requires a session token obtained with a PUT request, which is why enforcing it matters. Learn more: AWS IMDSv2.
- Azure: IMDS also lives at 169.254.169.254 and requires the Metadata: true request header. Its identity endpoint hands out access tokens for the VM’s managed identity. Docs: Azure Instance Metadata Service.
Once they obtain credentials from a VM, attackers can:
- Call cloud APIs to enumerate identities, roles, storage, and network configurations.
- Establish persistence via new users, roles, keys, or service principals.
- Use CSP storage, queues, and functions for stealthy data staging and exfiltration.
- Create fallback mechanisms so they can return even if the initial VM gets rebuilt.
Genesis Panda also targets CSP accounts directly and abuses cloud-hosted infrastructure for exfiltration. The consistency is the tell: they want control plane access, not just a foothold on a single VM.
Why defenders struggle here
- IMDS is reached over a link-local address from inside the instance, so network firewalls and security groups never see the traffic.
- Many organizations leave default IMDS settings in place or don’t constrain access from containers and user space.
- Cloud API actions can look like legitimate admin tasks unless you have strong baselining, least privilege, and alerting.
Glacial Panda: telecoms in the crosshairs
The telecom sector has seen a 130% increase in nation-state targeting year over year. It’s easy to see why: telcos hold call detail records (CDRs), subscriber metadata, roaming data, and network telemetry—intelligence catnip.
Glacial Panda is a China-nexus group focusing on telecoms across Afghanistan, Hong Kong, India, Japan, Kenya, Malaysia, Mexico, Panama, the Philippines, Taiwan, Thailand, and the U.S.
Tactics that fit telecom realities
- Target Linux systems that power telecom backends, including older distributions that support legacy network technologies.
- Achieve initial access via exposed, unmanaged, or weakly protected servers and internet-facing services.
- Use known privilege escalation exploits, notably:
- Dirty COW (CVE‑2016‑5195): privilege escalation through a kernel race condition. Background: Red Hat on Dirty COW.
- PwnKit (CVE‑2021‑4034): a Polkit local privilege escalation. Research: Qualys on PwnKit.
- Blend in with living‑off‑the‑land techniques, using standard admin tools wherever possible.
- Deploy trojanized OpenSSH components (codename ShieldSlide) to:
- Capture user authentication sessions and credentials.
- Provide a covert backdoor that accepts a hardcoded password for any account, including root.
If you run or secure telco infrastructure, that last point is chilling. A backdoored SSH daemon gives stealthy, durable access that defeats traditional credential changes.
The common playbook: stealth, persistence, and cloud agility
Across Murky, Genesis, and Glacial Panda, a few themes emerge:
- Cloud is the new lateral movement highway. Attackers don’t just pivot host-to-host; they pivot tenant-to-tenant and service-to-service.
- Identity is the crown jewel. From Entra ID service principals to AWS roles, these actors target the identities that quietly run your business.
- Trusted third parties are prime targets. Vendor access, MSPs, integrators, and SaaS partners can become the adversary’s door key.
- OS-level hygiene still matters. Dirty COW and PwnKit show that “old” bugs never die in heterogeneous, long-lived fleets.
So what do you do about it? Let’s get into concrete steps.
A prioritized defensive playbook for cloud and telecom teams
You don’t need 100 controls to blunt these campaigns. You need a focused set of controls, implemented well. Start here.
1) Shrink and shield your internet-facing surface
- Inventory every public-facing appliance and service. Patch on a risk-based schedule that prioritizes exploitation in the wild.
- For high-risk appliances (e.g., Citrix NetScaler), place them behind VPN/ZTNA or restrict exposure to trusted networks where feasible.
- Remove or rate-limit management interfaces from the internet.
- Enforce strong authentication and lock down default admin portals.
Reference for Citrix CVE-2023-3519: Citrix advisory.
2) Harden identity in Microsoft Entra ID
- Eliminate standing, broad admin rights. Use Privileged Identity Management (PIM) with just-in-time elevation and MFA.
- Restrict app consent. Enable admin consent workflows and alert on high-privilege scopes (e.g., Mail.ReadWrite, Directory.AccessAsUser.All, Directory.ReadWrite.All).
- Audit and rotate service principal credentials. Prefer short-lived credentials or certificates with enforced rotation.
- Monitor for:
- New service principal creations and credential additions.
- Guest account additions and role assignments.
- Changes to directory roles and federation settings.
- Use Conditional Access for all administrative portals. Require phishing-resistant MFA (FIDO2 security keys, passkeys, or certificate-based authentication). Number matching hardens push notifications against MFA fatigue but is not phishing-resistant on its own.
Microsoft references: Admin consent workflow and Service principals.
3) Control access to cloud Instance Metadata Services
- AWS: Require IMDSv2 (HttpTokens=required) on every instance and set the PUT response hop limit to 1 so that containers on a bridged network cannot obtain a session token. See: AWS IMDSv2 guide.
- General controls:
- Restrict egress to the link-local endpoint (169.254.169.254) using host firewalls/iptables when workloads don’t need IMDS.
- Run untrusted code as non-root and with network egress policies that prevent IMDS access.
- Prefer managed identities and least-privileged roles. Remove static keys from instances.
- Monitor for unusual calls to IMDS from processes that typically shouldn’t query it.
Azure IMDS reference: Azure IMDS.
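The checks above are easy to state and easy to drift from across a large fleet. The following is an added example (not code from the original post or from AWS) that audits the MetadataOptions block returned by `aws ec2 describe-instances` for the two settings that matter here: IMDSv1 still being answered, and a hop limit above 1. The instance IDs and the response below are constructed in that shape for the demo; in production, feed it the real CLI output.

```python
"""Audit EC2 instance metadata options for IMDSv1 exposure.

Added example, not from the original post or from AWS. It reads the
MetadataOptions block of a DescribeInstances response and flags
instances where a process on the host (or in a bridged container) can
reach IMDS without a session token.
"""
import json

# Constructed sample in the shape of a DescribeInstances response, trimmed
# to the fields this check reads. Instance IDs are invented.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "MetadataOptions": {
            "State": "applied", "HttpEndpoint": "enabled",
            "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0bbb222", "MetadataOptions": {
            "State": "applied", "HttpEndpoint": "enabled",
            "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333", "MetadataOptions": {
            "State": "applied", "HttpEndpoint": "disabled",
            "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ddd444", "MetadataOptions": {
            "State": "applied", "HttpEndpoint": "enabled",
            "HttpTokens": "required", "HttpPutResponseHopLimit": 3}},
    ]}]
})


def audit_metadata_options(describe_instances_json: str) -> dict[str, list[str]]:
    """Return {instance_id: [findings]} for instances that need attention.

    Rules:
      * HttpTokens == "optional" with the endpoint enabled means IMDSv1 is
        still answered, so a plain GET to 169.254.169.254 yields role creds.
      * HttpPutResponseHopLimit > 1 lets the IMDSv2 token PUT response cross
        a network hop, e.g. out of a bridged container network.
      * HttpEndpoint == "disabled" is safe but means the instance cannot use
        instance-profile credentials at all; reported as info only.
    """
    data = json.loads(describe_instances_json)
    findings: dict[str, list[str]] = {}
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            issues = []
            if opts.get("HttpEndpoint") == "disabled":
                issues.append("info: IMDS endpoint disabled")
            else:
                if opts.get("HttpTokens") != "required":
                    issues.append("IMDSv1 allowed (HttpTokens != required)")
                hops = opts.get("HttpPutResponseHopLimit", 1)
                if hops > 1:
                    issues.append(f"hop limit {hops} > 1 (containers on a bridged network can reach IMDS)")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_command(instance_id: str) -> str:
    """AWS CLI command that enforces IMDSv2 and a hop limit of 1 on one instance."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} --http-tokens required "
            "--http-put-response-hop-limit 1 --http-endpoint enabled")


if __name__ == "__main__":
    for iid, issues in audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES).items():
        print(iid, issues)
        if not all(i.startswith("info") for i in issues):
            print("  fix:", remediation_command(iid))
```

Run it against `aws ec2 describe-instances --output json` piped to a file and treat every non-info finding as a ticket. Apply the same idea at launch time with a launch template that sets `HttpTokens=required`, so new instances never regress.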
4) Fortify vendor and cross-tenant trust
- Inventory all third-party access into your tenant(s), including MSPs, ISVs, and B2B direct connect relationships.
- Enforce time-bound, approval-based access with PIM for external admin accounts.
- Require vendor MFA and device compliance where supported.
- Contract for logging transparency: vendors should provide audit trails of actions taken in your tenant.
- Periodically review and prune unused or over-privileged service principals and OAuth apps.
Microsoft guidance on cross-tenant access and B2B: Cross-tenant access settings.
5) Detect the cloud identity backdoor moves
Tune alerts and hunting queries for the following:
- New Entra ID app registrations, consent grants with high-privilege scopes, or credential additions to service principals.
- Mailbox access via nonstandard apps or sudden spikes in message read/download activity.
- Creation of temporary or “break-glass” accounts outside change windows.
- Activity from partner tenants conducting administrative operations at unusual hours or from unusual geographies.
Tip: baseline normal partner activity. Alert on deviations rather than raw event types.
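To make the alert list above concrete, here is an added example (not code from the original post or from Microsoft) that triages Entra ID directory audit events for exactly these moves: credentials added to service principals, consent grants carrying high-privilege scopes, and account or role changes made outside the change window or by a partner identity. The records are constructed to mirror the shape of Microsoft Graph `auditLogs/directoryAudits` output; the tenant domains, names, timestamps and the change window are invented, and the activity names used in the rules should be confirmed against your own tenant’s logs before you rely on them.

```python
"""Triage Entra ID directory audit events for cloud identity backdoor moves.

Added example, not from the original post or from Microsoft. SAMPLE_EVENTS
is constructed in the shape of Graph auditLogs/directoryAudits records;
domains, names and the change window are assumptions for the demo.
"""
import re
from datetime import datetime, time

OWN_DOMAINS = {"contoso.example"}          # assumed: domains the tenant owns
CHANGE_WINDOW = (time(9, 0), time(18, 0))  # assumed: approved admin hours, UTC
HIGH_PRIV_SCOPES = {
    "Mail.ReadWrite", "Mail.Read", "Directory.AccessAsUser.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}
# Activity names as they appear in the audit log; verify against your tenant.
CRED_ACTIVITIES = {"Add service principal credentials",
                   "Update application – Certificates and secrets management"}
ACCOUNT_ACTIVITIES = {"Add user", "Add member to role"}
PRIVILEGED = CRED_ACTIVITIES | ACCOUNT_ACTIVITIES | {"Consent to application"}


def _event(ts, name, upn, rtype, target, props=None):
    return {"activityDateTime": ts, "activityDisplayName": name,
            "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"type": rtype, "displayName": target,
                                 "modifiedProperties": props or []}]}

SAMPLE_EVENTS = [  # constructed
    _event("2024-11-14T02:13:00Z", "Add service principal credentials",
           "svc-admin@mspvendor.example", "ServicePrincipal", "AD-Sync-Connector"),
    _event("2024-11-14T11:05:00Z", "Consent to application", "alice@contoso.example",
           "ServicePrincipal", "MailArchiver",
           [{"displayName": "ConsentAction.Permissions",
             "newValue": "Scope: Mail.ReadWrite User.Read"}]),
    _event("2024-11-14T03:40:00Z", "Add user", "svc-admin@mspvendor.example",
           "User", "tmp-support"),
    _event("2024-11-14T14:00:00Z", "Update user", "bob@contoso.example", "User", "carol"),
    _event("2024-11-14T15:00:00Z", "Add member to role", "bob@contoso.example",
           "Role", "Exchange Administrator"),
]


def actor_upn(event: dict) -> str:
    user = (event.get("initiatedBy") or {}).get("user") or {}
    return user.get("userPrincipalName") or ""


def is_external(upn: str) -> bool:
    """Guest accounts carry #EXT#; partner admins sign in with their own domain."""
    if "#EXT#" in upn:
        return True
    domain = upn.rpartition("@")[2].lower()
    return bool(domain) and domain not in OWN_DOMAINS


def in_change_window(timestamp: str) -> bool:
    t = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).time()
    return CHANGE_WINDOW[0] <= t <= CHANGE_WINDOW[1]


def granted_scopes(event: dict) -> set[str]:
    """High-privilege scopes named in any modified property (token match, not substring)."""
    found: set[str] = set()
    for res in event.get("targetResources", []):
        for prop in res.get("modifiedProperties", []):
            tokens = set(re.split(r"[\s,;\[\]\"]+", prop.get("newValue") or ""))
            found |= tokens & HIGH_PRIV_SCOPES
    return found


def triage(events: list[dict]) -> list[dict]:
    alerts = []
    for ev in events:
        name, upn = ev.get("activityDisplayName", ""), actor_upn(ev)
        reasons = []
        if name in CRED_ACTIVITIES:
            reasons.append("credential added to app/service principal")
        if name == "Consent to application" and granted_scopes(ev):
            reasons.append("consent to high-privilege scopes: "
                           + ", ".join(sorted(granted_scopes(ev))))
        if name == "Add member to role":
            reasons.append("directory role membership changed")
        if name in ACCOUNT_ACTIVITIES and not in_change_window(ev["activityDateTime"]):
            reasons.append("account/role change outside change window")
        if name in PRIVILEGED and is_external(upn):
            reasons.append("initiated by external/partner identity")
        if reasons:
            targets = ", ".join(r.get("displayName", "?") for r in ev.get("targetResources", []))
            alerts.append({"time": ev["activityDateTime"], "actor": upn,
                           "activity": name, "target": targets, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The partner-identity rule is what catches the late-2024 Murky Panda pattern: the supplier’s admin account is legitimate, so the signal is not a failed login but a privileged operation from a domain you do not own at 02:13 UTC. Feed the function a rolling window of audit events from Graph or your SIEM export and keep the change window and domain list in configuration rather than code.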
6) Lock down Linux and SSH in telecom and cloud environments
- Patch aggressively for privilege escalation, including Dirty COW (CVE‑2016‑5195) and PwnKit (CVE‑2021‑4034). References: Dirty COW, PwnKit.
- Deploy file integrity monitoring on OpenSSH binaries, configuration files, and PAM modules.
- Verify OpenSSH package provenance and use signed packages from trusted repositories.
- Centralize SSH access with bastions, hardware-backed keys, or short-lived certificates (e.g., SSH CA). Eliminate password-based SSH where possible.
- Alert on:
- Unexpected changes to sshd binaries or configs.
- Acceptance of passwords where keys are required.
- New users with sudo privileges, or changes to PAM stacks.
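A backdoored sshd such as the ShieldSlide components described above looks like a normal daemon from the outside, so the dependable signal is the binary itself: its hash no longer matches the signed package. The following is an added example (not code from the original post) that does two of the checks in this section: verify OpenSSH binaries against a known-good hash baseline, and audit the effective sshd_config for password logins and root login. The baseline, the file contents and the config text are constructed in memory for the demo; on a real host the baseline comes from a freshly built machine or the package manager (`rpm -V openssh-server`, `dpkg --verify openssh-server`) and `read_file` is simply `lambda p: open(p, "rb").read()`.

```python
"""Detect tampered OpenSSH binaries and weak sshd settings.

Added example, not from the original post. GOOD_FILES, BASELINE,
TAMPERED_FILES and SAMPLE_SSHD_CONFIG are constructed for the demo.
"""
import hashlib
import re
from typing import Callable

OPENSSH_PATHS = ["/usr/sbin/sshd", "/usr/bin/ssh", "/usr/lib/openssh/sftp-server"]

# Constructed stand-ins for the real binaries and the baseline taken from a clean host.
GOOD_FILES = {p: f"\x7fELF known-good build of {p}".encode() for p in OPENSSH_PATHS}
BASELINE = {p: hashlib.sha256(b).hexdigest() for p, b in GOOD_FILES.items()}

# Constructed "after compromise" view: sshd replaced, sftp-server removed.
TAMPERED_FILES = dict(GOOD_FILES)
TAMPERED_FILES["/usr/sbin/sshd"] = b"\x7fELF sshd rebuilt with a hardcoded password"
del TAMPERED_FILES["/usr/lib/openssh/sftp-server"]


def reader_for(files: dict) -> Callable[[str], bytes]:
    """In-memory file reader; on a real host use lambda p: open(p, 'rb').read()."""
    def read(path: str) -> bytes:
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]
    return read


def verify_binaries(baseline: dict, read_file: Callable[[str], bytes]) -> list[str]:
    """Return one line per path whose current SHA-256 differs from, or is missing vs, the baseline."""
    drift = []
    for path, expected in baseline.items():
        try:
            actual = hashlib.sha256(read_file(path)).hexdigest()
        except FileNotFoundError:
            drift.append(f"{path}: missing")
            continue
        if actual != expected:
            drift.append(f"{path}: hash mismatch")
    return drift


SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for the demo
Port 22
PermitRootLogin yes
#PasswordAuthentication no   <- commented out, so the default (yes) applies
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# sshd uses the first value it sees for a keyword; absent keywords take these defaults.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}


def effective_settings(config_text: str) -> dict:
    """Global settings as sshd would apply them (first match wins; Match blocks are skipped)."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\S+)\s+(\S.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break  # conditional blocks follow; they do not change the global values
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def audit_sshd_config(config_text: str) -> list[str]:
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: password logins allowed (set no; use keys or an SSH CA)")
    if s["pubkeyauthentication"] == "no":
        findings.append("PubkeyAuthentication no: key-based authentication disabled")
    return findings


if __name__ == "__main__":
    print("clean host:", verify_binaries(BASELINE, reader_for(GOOD_FILES)))
    print("tampered host:", verify_binaries(BASELINE, reader_for(TAMPERED_FILES)))
    print("config findings:", audit_sshd_config(SAMPLE_SSHD_CONFIG))
```

Two caveats worth keeping in mind. First, a hash check only helps if the baseline is trustworthy, so compute it from package contents or a golden image, not from the host you suspect. Second, a trojanized sshd with a hardcoded password ignores `PasswordAuthentication no`, so the config audit is hygiene, not detection; the binary comparison is the control that actually catches ShieldSlide-style tampering.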
7) Web shell and post-exploitation hygiene
- Scan for known web shell patterns and anomalous outbound connections from web servers. Include tunnels like neo‑reGeorg.
- Isolate compromised web servers, rotate credentials, and rebuild from clean images rather than “cleaning” in place.
- Use egress filtering for server workloads. Limit who can talk outbound—and to where.
Neo‑reGeorg reference: GitHub repo.
8) Logging that actually helps
- Cloud control plane:
- AWS: CloudTrail (management and STS events, plus S3 data events where needed), CloudWatch, S3 server access logs, IAM Access Analyzer, and GuardDuty, whose InstanceCredentialExfiltration findings fire when an instance role’s credentials are used from outside AWS or from another account.
- Azure: Entra ID audit and sign-in logs, Azure Activity logs, Microsoft Defender for Cloud alerts.
- Identity analytics:
- Alert on impossible travel, atypical service principal usage, and sudden privilege escalations.
- Data access:
- Monitor email access patterns, download volumes, and anomalous eDiscovery or export actions.
9) Practice the supply chain incident you hope never happens
- Pre-approve a playbook for “compromised vendor admin” scenarios:
- Suspend vendor access, rotate secrets, force token revocation.
- Review all app registrations and service principals created or modified in the last 90 days.
- Re-issue certificates and rotate keys used by vendors.
- Maintain a known-good list of privileged identities and a script to validate them against Entra ID/IAM on demand.
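As an added example (not code from the original post or from Microsoft), here is the “validate on demand” script the last point calls for: it diffs the privileged role assignments in a tenant snapshot against a known-good list, and separately lists app registrations that were created or received a new credential in the last 90 days. The known-good set and both snapshots are constructed; in practice you would build the snapshot from Microsoft Graph role assignments (roleManagement/directory/roleAssignments, expanded to role names and principal identifiers) and from application objects with their passwordCredentials and keyCredentials, and keep the known-good set in version control next to the playbook.

```python
"""Validate privileged identities against a known-good list and flag recent app changes.

Added example, not from the original post or from Microsoft. KNOWN_GOOD,
SNAPSHOT_ASSIGNMENTS, SNAPSHOT_APPS and NOW are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

# Known-good privileged assignments, stored in version control. "sp:" marks a service principal.
KNOWN_GOOD = {
    ("Global Administrator", "breakglass-1@contoso.example"),
    ("Global Administrator", "alice@contoso.example"),
    ("Exchange Administrator", "sp:mailflow-automation"),
}

# Constructed snapshot of current assignments, already expanded to role name + principal.
SNAPSHOT_ASSIGNMENTS = [
    {"role": "Global Administrator", "principal": "alice@contoso.example"},
    {"role": "Global Administrator", "principal": "tmp-support@contoso.example"},
    {"role": "Exchange Administrator", "principal": "sp:mailflow-automation"},
    {"role": "Privileged Role Administrator",
     "principal": "vendor_admin_mspvendor.example#EXT#@contoso.example"},
]

# Constructed snapshot of app registrations with credential start times.
SNAPSHOT_APPS = [
    {"displayName": "AD-Sync-Connector", "createdDateTime": "2022-03-01T00:00:00Z",
     "credentials": [{"startDateTime": "2022-03-01T00:00:00Z"},
                     {"startDateTime": "2024-11-14T02:13:00Z"}]},
    {"displayName": "HR-Portal", "createdDateTime": "2023-06-10T00:00:00Z",
     "credentials": [{"startDateTime": "2023-06-10T00:00:00Z"}]},
    {"displayName": "Support-Tool", "createdDateTime": "2024-10-02T09:00:00Z",
     "credentials": []},
]

NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)  # fixed so the demo is deterministic


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def diff_privileged(known_good: set, assignments: list[dict]) -> dict:
    """Unexpected = present but not approved; missing = approved but gone (break-glass removed?)."""
    current = {(a["role"], a["principal"]) for a in assignments}
    return {"unexpected": sorted(current - known_good),
            "missing": sorted(known_good - current)}


def recent_app_changes(apps: list[dict], now: datetime = NOW, days: int = 90) -> list[dict]:
    """Apps created, or given a credential, within the last `days` days."""
    cutoff = now - timedelta(days=days)
    flagged = []
    for app in apps:
        created_recently = _parse(app["createdDateTime"]) >= cutoff
        new_creds = [c for c in app.get("credentials", []) if _parse(c["startDateTime"]) >= cutoff]
        if created_recently or new_creds:
            flagged.append({"app": app["displayName"], "created_recently": created_recently,
                            "new_credentials": len(new_creds)})
    return flagged


if __name__ == "__main__":
    print(diff_privileged(KNOWN_GOOD, SNAPSHOT_ASSIGNMENTS))
    print(recent_app_changes(SNAPSHOT_APPS))
```

Run it in the first hour of a suspected vendor compromise and again after remediation: the “unexpected” list is your revocation queue, the “missing” list tells you whether the attacker also removed your break-glass account, and the recent-app list is the 90-day review from the playbook in one call.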
10) Reduce SOHO and unmanaged device risk
- For remote locations, segment SOHO gear from corporate networks and restrict admin interfaces.
- Prefer managed, centrally monitored gateways with automatic updates.
- Monitor traffic for signs of proxying or exit node behavior originating from consumer-grade devices.
Indicators and weak signals worth your attention
While every environment differs, defenders consistently report these “tells” before or during cloud-centric intrusions:
- New or modified Entra ID service principals tied to directory and email scopes.
- Credentials added to app registrations without a corresponding change ticket.
- Partner tenant identifiers showing up in audit logs for privileged operations.
- Servers making unusual requests to 169.254.169.254 outside of expected processes.
- Web servers with sudden outbound tunnels to uncommon destinations.
- SSH binaries with mismatched checksums or unsigned provenance.
- Unusual mailbox access patterns (e.g., service accounts reading executive mailboxes).
Treat these as starting points for hunting. The earlier you spot them, the less likely an adversary can entrench.
What this means for the next 12 months
- Expect more cloud control plane attacks. Harvested IMDS credentials, OAuth abuse, and service principal backdoors will remain staples.
- Vendor access will be a top vector. MSPs and SaaS providers make great launch pads.
- Telecom espionage won’t slow down. As 5G and edge networks proliferate, the attack surface widens.
- “Quiet” persistence beats noisy smash-and-grab. Adversaries will choose stealth over speed, and identity over malware when possible.
The countermeasure is clear: strong identity governance, guarded cloud metadata, and surgical control of third‑party access.
FAQs
Q: Who is Murky Panda (Silk Typhoon/Hafnium)? A: A China-nexus cyber espionage group known for exploiting internet-facing systems and cloud trust. It drew global attention during the 2021 Microsoft Exchange zero-days and continues to target government, tech, academic, legal, and professional services—often with a focus on email access. Background: Microsoft on HAFNIUM.
Q: What is Genesis Panda’s hallmark technique? A: Targeting cloud control planes by harvesting credentials from Instance Metadata Services (IMDS) on compromised VMs, then using CSP APIs for enumeration, lateral movement, and persistence. See IMDS references: AWS IMDSv2, Azure IMDS.
Q: What is Glacial Panda’s ShieldSlide? A: A set of trojanized OpenSSH components observed in telecom intrusions. They capture credentials from SSH sessions and provide a backdoor that accepts a hardcoded password—even for root—allowing covert, durable access.
Q: How do attackers abuse “trusted relationships” in cloud environments? A: By compromising a supplier or SaaS provider that has admin access to your tenant, then using that legitimate trust to:
- Create temporary backdoor accounts
- Add credentials to service principals
- Grant high-privilege OAuth scopes
Because actions come from a trusted partner, they blend into normal admin activity unless you monitor closely.
Q: What is CloudedHope? A: A 64-bit Golang remote access tool (RAT) used by Murky Panda for persistence and control. It includes anti-analysis and operational security features to reduce detection, often deployed after web shell access.
Q: What’s neo‑reGeorg, and why do attackers use it? A: A web shell/tunneling tool that turns a compromised web server into a covert proxy for internal network access. It’s popular because it’s simple, flexible, and hides in normal web traffic. Reference: neo-reGeorg.
Q: How can I harden Microsoft Entra ID against these tactics? A: Use PIM for just-in-time admin, enforce admin consent workflows, review and rotate service principal credentials, require strong MFA for all admin portals, and alert on new app registrations, consent grants, and credential additions. Docs: Admin consent best practices.
Q: Why is IMDS a target, and how do I mitigate the risk? A: IMDS can provide time-limited credentials for cloud APIs. If attackers can query it from a compromised VM, they can pivot into the control plane. Mitigate by requiring AWS IMDSv2, restricting access to 169.254.169.254 from untrusted processes, running workloads with least privilege, and monitoring unusual metadata queries.
Q: Are telecom networks uniquely exposed? A: Telecoms run large, heterogeneous fleets including legacy Linux systems and specialized network gear. The mix of internet-facing services, legacy constraints, and high-value data (CDRs, telemetry) makes them highly attractive and sometimes slower to patch.
Q: How do SOHO devices help attackers evade detection? A: Attackers compromise small office/home office routers and devices in the target country, then route traffic through them. That makes malicious traffic look local and legitimate, complicating geolocation-based detections and threat hunting.
Final takeaway
Cloud identity and telecom infrastructure are now core battlefields for state-linked espionage. Murky Panda abuses trusted cloud relationships, Genesis Panda pivots through the cloud control plane, and Glacial Panda burrows into telecom backends with backdoored SSH and old-but-gold privilege escalations.
You don’t need to boil the ocean to respond. Prioritize:
- Patching internet-facing systems and reducing exposure
- Hardening Entra ID and app/service principal governance
- Controlling IMDS access and cloud API permissions
- Tightening vendor access with time-bound, auditable privileges
- Monitoring for the subtle identity and telemetry signals that betray persistence
If this was helpful, consider subscribing for future deep dives on cloud identity defense, telecom security, and practical threat hunting playbooks. Stay vigilant—quiet attackers thrive on quiet defenders.