China-linked Murky Panda exploits cloud trust to move laterally, CrowdStrike finds

Industry researchers say a 136% rise in cloud intrusions, documented in CrowdStrike’s 2025 Threat Hunting Report, is being driven in part by the China-nexus adversary known as Murky Panda or Silk Typhoon. The report highlights the group’s expansion from traditional targets to compromised cloud environments, using trusted cloud relationships to reach downstream victims. CrowdStrike researchers describe Murky Panda as active since at least 2023, targeting government, technology, academia, legal and professional services entities in North America with the aim of stealing sensitive information.

The group’s playbook combines multiple techniques: exploiting n-day and zero-day vulnerabilities in internet-facing appliances for initial access (with CVE-2023-3519 and CVE-2025-3928 among those noted in public advisories), deploying webshells on compromised systems, and using malware such as CloudedHope for remote access. Murky Panda also leverages compromised SOHO devices geolocated in target countries as exit nodes to mask the origin of its activity. While these techniques are well documented, a core emphasis of the campaign is cloud compromise and subsequent abuse of trusted relationships to reach customers.

In at least two cases analyzed by CrowdStrike, Murky Panda exploited zero-day vulnerabilities to breach cloud environments hosted by software-as-a-service providers. Once inside, the group reportedly mapped the provider’s cloud logic to pivot into downstream customer environments, effectively using legitimate cloud access as a springboard for broader intrusion.

One described intrusion involved a SaaS provider that used Entra ID to manage access to downstream data. The adversaries allegedly obtained the provider’s application registration secret and authenticated as the service principals behind that application to log into downstream environments, ultimately accessing emails. While the researchers did not name the provider, the scenario aligns with the February 2025 breach of Commvault’s Microsoft Azure cloud environment and related Microsoft 365 (M365) ecosystems of affected customers.

A separate operation involved a Microsoft cloud solution provider with cross-tenant access to a downstream customer via delegated administrative privileges. Using Global Administrator rights and a compromised high-privileged user, Murky Panda created a new user in the downstream tenant, added the user to several groups, and leveraged this access to read emails and add secrets to application registrations and service principals, enabling persistence. CrowdStrike notes that trusted-relationship compromises in the cloud are relatively rare and less monitored compared with other common initial access vectors, underscoring the need for heightened vigilance and cloud-identity protections.
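The two intrusions described above leave traces in the downstream tenant’s Entra ID audit log: an account created and added to groups by an identity from outside the tenant’s own domains, followed by a new credential on an application registration or service principal. The following detection sketch is an added example (not code from CrowdStrike or the report) that runs over constructed audit records; it assumes a simplified version of the Microsoft Graph directoryAudit field layout and uses the tenant’s own verified domains as the boundary for “external” initiators.

```python
# Flag Entra ID audit events matching the cross-tenant account creation and
# credential-addition persistence patterns described above. The records
# below are CONSTRUCTED; field names (activityDisplayName, initiatedBy,
# targetResources) follow the Graph directoryAudit shape in simplified form.

# Credential additions to service principals / app registrations: the
# persistence step the report attributes to Murky Panda. Add further
# credential-related activity names from your own audit log as needed.
CREDENTIAL_ACTIVITIES = {"Add service principal credentials"}

# Account and group changes that are suspicious when initiated from outside
# the tenant's own domains, e.g. by a CSP's delegated administrator.
ACCOUNT_ACTIVITIES = {"Add user", "Add member to group"}


def initiator_domain(record):
    """Domain of the initiating user's UPN, or '' if no user initiator."""
    upn = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def flag_events(records, own_domains):
    """Return (severity, reason, target) tuples for events worth triage."""
    own = {d.lower() for d in own_domains}
    findings = []
    for r in records:
        activity = r.get("activityDisplayName", "")
        target = (r.get("targetResources") or [{}])[0].get("displayName", "?")
        dom = initiator_domain(r)
        if activity in CREDENTIAL_ACTIVITIES:
            findings.append(("high", f"new credential on {activity!r}", target))
        elif activity in ACCOUNT_ACTIVITIES and dom and dom not in own:
            findings.append(("medium", f"{activity} by external tenant {dom}", target))
    return findings


# Constructed sample: one benign in-tenant change followed by three events
# that mirror the intrusion chain (external 'Add user', group add, new secret).
SAMPLE_RECORDS = [
    {"activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "it.admin@contoso.example"}},
     "targetResources": [{"displayName": "new.hire@contoso.example"}]},
    {"activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "svc@partner-csp.example"}},
     "targetResources": [{"displayName": "backup.svc@contoso.example"}]},
    {"activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "svc@partner-csp.example"}},
     "targetResources": [{"displayName": "Exchange Administrators"}]},
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "backup.svc@contoso.example"}},
     "targetResources": [{"displayName": "Mail Sync Connector"}]},
]

if __name__ == "__main__":
    for sev, reason, target in flag_events(SAMPLE_RECORDS, ["contoso.example"]):
        print(f"[{sev}] {reason} -> {target}")
```

In a real deployment the records would come from the directoryAudit feed or a SIEM export, and the partner tenant’s activity would be correlated against the list of CSPs that are expected to hold delegated admin rights.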

Security researchers urge organizations with heavy reliance on cloud environments to tighten monitoring of trusted relationships, protect application registrations, and enforce least-privilege access controls to limit the impact of compromised service principals. The CrowdStrike findings and defensive guidance are summarized in their advisory linked above.