The MURKY PANDA Case: The Challenge of Advanced Espionage Campaigns
The growing sophistication of cyber threats shows that persistence is no longer an accessory attribute, but an operational paradigm of advanced espionage and digital sabotage campaigns.
APT campaigns are not limited to one-off attacks, but maintain continuous and resilient access to compromised systems, exploiting obfuscation techniques, code modularity, and abuse of cloud infrastructures.
This highlights the inadequacy of defensive models based on signature detection and static rules, and the urgent need for an adaptive paradigm capable of integrating machine learning, GenAI, and agentic systems to ensure behavioral detection, weak signal correlation, and autonomous response.
The MURKY PANDA case, documented by CrowdStrike between 2024 and 2025, is a prime example of this framework. Through the rapid exploitation of vulnerabilities — both zero-day and already known — the deployment of customized malware, and the use of compromised devices to mask traffic, the group has demonstrated that persistence is not only pursued on a technical level but constitutes a real operating model, fully consistent with state intelligence objectives (in this specific case, of Chinese origin).
Institutional research conducted by ENISA, NIST, MITRE, and NATO CCDCOE converges on one fundamental point: traditional defensive models are increasingly insufficient in dealing with persistent and adaptive threats.
Three evolutionary paradigms can be distinguished:
- Reactive, based on signature detection and post-event log analysis, effective against known threats but completely inadequate against zero-day and APT campaigns;
- Proactive, focused on threat hunting and anomaly detection, which allows some adversary tactics to be anticipated but shows limitations against polymorphic malware and attacks enhanced by artificial intelligence;
- Adaptive, an emerging paradigm that integrates AI and dynamic resilience, with self-learning capabilities, weak signal correlation, and real-time response, and which is the only viable way to deal with state-sponsored threats and advanced long-term campaigns.
The most recent APT campaigns, including APT31, Salt Typhoon, and Curly COMrades, have highlighted a constant evolution in the techniques used by state and state-affiliated actors. In particular, there has been an increasingly systematic use of modular loaders capable of dynamically downloading updated payloads, anti-forensic techniques (timestamp manipulation, deletion of indicators of compromise, advanced code obfuscation), and the abuse of legitimate cloud infrastructures, such as AWS and Azure, exploited to ensure the resilience of command and control (C2) channels.
These elements confirm that persistence can no longer be interpreted as an episodic feature of a few particularly sophisticated campaigns, but as a systemic phenomenon that defines the very nature of advanced threats.
In other words, persistence is now an integral part of the operational strategy of APT actors and provides the framework within which to interpret both technical tools and long-term geopolitical choices.
MURKY PANDA is an adversary group linked to the Chinese cyber espionage ecosystem, operationally associated with the cluster known as Silk Typhoon, which includes several units focused on gathering strategic intelligence. The attribution, while not definitive, is supported by the convergence of tactics, techniques, and procedures (TTPs) and of operational objectives consistent with Beijing’s geopolitical interests.
The group focuses its activities primarily on government agencies, technology organizations, law firms, academic institutions, and professional services firms in North America: sectors that have dual strategic value.
On the one hand, the protection of intellectual property and scientific and industrial know-how; on the other, access to sensitive information regarding decision-making processes, public policies, and legal disputes of geopolitical significance.
Specific objectives identified by the analysis include the exfiltration of email communications, the theft of confidential documents, and, above all, the creation of hidden administrative accounts in the victims’ cloud environments. The latter technique particularly highlights the intent to ensure a persistent and stealthy presence, serving long-term campaigns aimed at the systematic collection of data rather than immediate service disruption.
Analysis of the campaigns attributed to MURKY PANDA highlights a set of operational techniques that reflect the ability to quickly exploit vulnerabilities, the use of customized malware, and the adoption of advanced concealment procedures.
First, the group stands out for its ability to exploit significant vulnerabilities within extremely short time frames. Documented cases include CVE-2023-3519, relating to Citrix NetScaler systems, and the more recent CVE-2025-3928, involving Commvault solutions. This approach demonstrates a high level of operational readiness and the ability to quickly integrate zero-day and n-day exploits into its arsenal.
In terms of malicious tools, MURKY PANDA uses the CloudedHope family, a 64-bit ELF executable developed in the Go language, characterized by obfuscation using garble and a wide set of anti-analysis functions (checksum-based environment checks and misdirection actions).
This is complemented by the use of Neo-reGeorg web shells, frequently found in Chinese campaigns, which provide remote access and tunneling for lateral movement. In terms of persistence, the group adopts strategies aimed at hindering attribution and consolidating its presence within compromised environments.
Recurring techniques include timestamp manipulation, deletion of indicators of compromise (IoCs), and abuse of administrative privileges granted by cloud service providers (CSPs), with the creation of hidden accounts to maintain continuous access.
Finally, the infrastructure component appears particularly sophisticated: MURKY PANDA exploits compromised SOHO (small office/home office) devices, preferably located in the same geographies as its targets, using them as exit nodes.
This choice allows malicious traffic to be masked as if it were generated locally, reducing the chances of detection and increasing the level of operational stealth.
In addition to the use of rapid exploits and customized malware, MURKY PANDA stands out for a number of strategic innovations that significantly amplify the impact of its campaigns.
The first concerns the ability to compromise Software-as-a-Service (SaaS) providers by exploiting zero-day vulnerabilities. In several documented cases, this technique has allowed the group to steal application registration secrets, i.e., the credentials that allow authentication as service principals in multi-tenant environments. This method of access greatly expands the campaign’s potential, allowing the adversary to extend the compromise not only to the provider but also to its downstream customer chain.
A second innovative element is the abuse of the trust relationships typical of Microsoft Cloud Solution Providers (CSPs). Through these compromises, MURKY PANDA obtained delegated administrative privileges that allowed it to create backdoor users with Application Administrator rights. This approach ensures not only persistent access, but also the ability to maintain lasting control over compromised environments, while avoiding generating immediately suspicious activity.
The integration of SaaS vendor compromise and CSP privilege exploitation represents a significant evolution in the APT landscape, as it shifts the focus of the attack from the individual target to the entire digital ecosystem surrounding it. This strategy reflects a genuine paradigm shift: no longer the mere infiltration of isolated systems, but the systematic manipulation of the trust relationships that form the foundation of contemporary cloud architectures.
The MURKY PANDA case underscores that persistence should no longer be interpreted as a set of isolated techniques, but as a true operational paradigm.
The group’s modus operandi, from the use of rapid exploits to strategies for compromising SaaS providers, to the abuse of Cloud Solution Provider privileges, demonstrates that the primary objective is not immediate gain, but rather the establishment of a continuous and resilient presence in the victims’ digital ecosystems.
A particularly relevant aspect concerns the use of the cloud as a strategic pivot. The ability to exploit weakly monitored trust relationships in SaaS/CSP contexts reveals a blind spot in most common corporate defenses. Traditional solutions, based on perimeter or network-level controls, are unable to detect lateral movements or privilege manipulations that take place entirely within legitimate infrastructures.
In this scenario, it is clear that reactive approaches (signature-based detection, post-event analysis) and even proactive ones (threat hunting, manual anomaly detection) are no longer sufficient.
A qualitative leap towards an adaptive model is needed, capable of integrating several components.
- The first is discriminative machine learning, which is useful for identifying behavioral anomalies that would be difficult to detect with static rules.
- The second is generative artificial intelligence (GenAI), which allows scenarios to be simulated and the evolution of new malware variants to be predicted, thus anticipating the adversary’s moves.
- Finally, autonomous agent architectures introduce the possibility of implementing real-time responses, isolating suspicious accounts or interrupting malicious connections even in the absence of immediate human intervention.
Comparison with other APT campaigns, such as Salt Typhoon or APT31, confirms that we are facing a structural trend: distributed persistence is now the new normal. This means that adversaries no longer target a single point of compromise, but aim to infiltrate entire digital ecosystems, maintaining redundant and invisible access points that can survive even remediation operations.
The MURKY PANDA case is not an exception, but a structural wake-up call about the future of cyberwarfare.
The emergence of state actors who systematically exploit cloud ecosystems, make persistence the hallmark of their campaigns, and adopt advanced concealment techniques demonstrates that digital espionage is no longer a parallel domain, but an integrated pillar of national power strategies.
The implications for global cybersecurity are clear.
- First, defense must make a qualitative leap, evolving towards an adaptive and cognitive model. This implies the adoption of systems based on reliable and explainable artificial intelligence, capable not only of identifying anomalies and correlating weak signals, but also of supporting strategic decisions by ensuring transparency and accountability.
- Second, security policies must broaden their scope. Protection can no longer be limited to firewalls or intrusion detection: continuous auditing mechanisms are needed for SaaS and CSPs, advanced logging systems such as Microsoft Graph API logs, and structured sharing of threat intelligence between the public and private sectors and the research community, in order to reduce blind spots and anticipate emerging vectors.
- Finally, on the scientific front, research must go beyond the current defensive paradigm, exploring the convergence of forensic AI (attributing and reconstructing intrusions with greater precision), autonomous response (timely and automated responses to incidents), and cognitive deterrence (undermining the effectiveness of adversarial operations not only on a technical level, but also on an informational and perceptual level).
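As an added example (not from the original article or from CrowdStrike), this is the kind of continuous audit check over Microsoft Graph audit data recommended above, applied to the backdoor-user technique described earlier: it walks directoryAudits-style records and flags privileged-role grants performed by identities outside an allowlist of expected administrators (for instance a delegated CSP identity), plus every new application credential. The sample records, tenant names, accounts and app names are constructed, and the field names assume the Graph directoryAudit schema.

```python
import json
# Constructed sample in the shape of Microsoft Graph directoryAudits records (field names assume the directoryAudit schema; tenants, accounts and app names are invented).
SAMPLE_AUDIT_JSON = r"""[
 {"activityDateTime": "2025-06-01T02:14:09Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "admin@partner-csp.example"}},
  "targetResources": [{"userPrincipalName": "svc-backup2@victim.example",
   "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Application Administrator\""}]}]},
 {"activityDateTime": "2025-06-01T02:16:41Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "svc-backup2@victim.example"}},
  "targetResources": [{"displayName": "Finance-Sync-App", "modifiedProperties": []}]},
 {"activityDateTime": "2025-06-01T09:30:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "it-admin@victim.example"}},
  "targetResources": [{"userPrincipalName": "helpdesk@victim.example",
   "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Helpdesk Administrator\""}]}]}
]"""
# Entra ID directory roles whose grant should always be reviewed.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator",
                    "Cloud Application Administrator", "Privileged Role Administrator"}
# Audit activities that add a secret or certificate to an app or service principal.
CREDENTIAL_EVENTS = {"Add service principal credentials",
                     "Update application – Certificates and secrets management"}

def load_sample():
    return json.loads(SAMPLE_AUDIT_JSON)

def initiator(entry):
    """UPN of the user that performed the action ('?' if app-initiated or missing)."""
    return ((entry.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "?")

def role_granted(entry):
    """Role name from Role.DisplayName; newValue is a JSON-encoded string in the log."""
    for res in entry.get("targetResources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop.get("newValue", '""'))
    return None

def find_suspicious(entries, expected_admins):
    """Flag privileged-role grants by anyone outside the expected-admin allowlist
    (for instance a delegated CSP identity) and every new app credential, in time order."""
    findings = []
    for e in sorted(entries, key=lambda x: x.get("activityDateTime", "")):
        who, target = initiator(e), (e.get("targetResources") or [{}])[0]
        if e.get("activityDisplayName") == "Add member to role":
            role = role_granted(e)
            if role in PRIVILEGED_ROLES and who not in expected_admins:
                findings.append(("privileged_role_grant", who, target.get("userPrincipalName"), role))
        elif e.get("activityDisplayName") in CREDENTIAL_EVENTS:
            findings.append(("app_credential_added", who, target.get("displayName"), None))
    return findings
```

In the constructed sample the sequence is visible as an ordered pair of findings: a partner identity grants Application Administrator to a new account, and minutes later that account adds a credential to an existing application.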
Only through this integration will it be possible to build advanced cyber resilience, capable of dealing with state actors with virtually unlimited resources and able to operate over long time horizons.
In conclusion, MURKY PANDA is not an isolated case, but a preview of what will become the norm. Preparing for this ‘new normal’ requires not only more advanced technological tools, but also a comprehensive redefinition of security architectures, governance policies, and research approaches, in a logic of continuous co-evolution with threats.
The future of cybersecurity is already in full revolution, and the horizon of quantum computing represents the next leap that will radically redefine balances and vulnerabilities.
This was published in Italian by PRPChannel on August 28, 2025 and is published with the permission of the author.