Particle.news

China-Linked Murky Panda Accelerates Cloud Supply-Chain Intrusions, CrowdStrike Warns

CrowdStrike details rare provider-trust intrusions that let the hackers pivot into downstream tenants.

Overview

  • In at least two recent cases, the group compromised SaaS or cloud providers via zero‑day exploits, learned the targets’ application logic, and used provider access to reach customer environments and read email.
  • One intrusion involved abuse of an Entra ID application registration secret at a SaaS provider, enabling authentication as service principals to enter multiple customer tenants.
  • Another case saw a compromised Microsoft cloud solution provider with delegated administrative privileges used to create backdoor users, escalate to Global Administrator, and maintain persistence across downstream tenants.
  • Investigators tie the campaign to rapid exploitation of public and zero‑day flaws, including Citrix NetScaler CVE-2023-3519 and Commvault CVE-2025-3928, with the Commvault breach enabling theft of stored credentials and subsequent access to customers’ Microsoft 365 tenants.
  • Murky Panda maintains stealth with web shells such as neo‑reGeorg and a Golang RAT dubbed CloudedHope, leverages compromised SOHO devices as exit nodes, and operates within a broader surge in China‑nexus cloud intrusions tracked by CrowdStrike.
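The three provider-trust paths in the summary above (a new secret on an application registration, a delegated-admin account creating a user and raising it to Global Administrator, one service principal fanning out across customer tenants) each leave a footprint in a tenant's audit and sign-in telemetry. The following is an added detection sketch, not code from CrowdStrike, Particle.news or Microsoft. It runs three rules over a small constructed event list; the flat record schema (fields such as `tenant`, `activity`, `actor_tenant`, `principal`, `ip`) is a simplification assumed for the example, not the real Entra ID log format, and all tenant names, accounts and addresses are made up.

```python
"""Detection sketch for provider-trust abuse (added example, assumed schema).

Rules, each mapped to one bullet of the summary:
  1. a credential was added to an application registration
  2. a user was created and made Global Administrator within a short window
     by an actor homed in another tenant (delegated-admin path)
  3. one service principal signed in to several tenants from one source IP
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in chronological order. Field names are assumptions.
EVENTS = [
    {"ts": "2025-08-01T09:00:00", "tenant": "customer-a", "type": "audit",
     "activity": "Add application credential", "actor": "svc-admin@provider.example",
     "actor_tenant": "provider", "target": "app-sync-connector"},
    {"ts": "2025-08-01T09:05:00", "tenant": "customer-a", "type": "signin",
     "principal": "sp:app-sync-connector", "ip": "203.0.113.7"},
    {"ts": "2025-08-01T09:06:00", "tenant": "customer-b", "type": "signin",
     "principal": "sp:app-sync-connector", "ip": "203.0.113.7"},
    {"ts": "2025-08-01T09:07:00", "tenant": "customer-c", "type": "signin",
     "principal": "sp:app-sync-connector", "ip": "203.0.113.7"},
    {"ts": "2025-08-02T14:00:00", "tenant": "customer-d", "type": "audit",
     "activity": "Add user", "actor": "partner-admin@csp.example",
     "actor_tenant": "csp", "target": "svc-backup@customer-d"},
    {"ts": "2025-08-02T14:03:00", "tenant": "customer-d", "type": "audit",
     "activity": "Add member to role", "actor": "partner-admin@csp.example",
     "actor_tenant": "csp", "target": "svc-backup@customer-d",
     "role": "Global Administrator"},
    # Benign control: same-tenant admin grants a lesser role, must not fire.
    {"ts": "2025-08-03T10:00:00", "tenant": "customer-d", "type": "audit",
     "activity": "Add member to role", "actor": "it-lead@customer-d",
     "actor_tenant": "customer-d", "target": "helpdesk@customer-d",
     "role": "Helpdesk Administrator"},
]


def _t(e):
    return datetime.fromisoformat(e["ts"])


def credential_additions(events):
    """Rule 1: every new secret or certificate on an app registration gets reviewed."""
    return [e for e in events
            if e["type"] == "audit" and e["activity"] == "Add application credential"]


def cross_tenant_global_admin(events, window=timedelta(hours=1)):
    """Rule 2: user created, then Global Administrator within `window`,
    with the acting account homed outside the target tenant."""
    created = {}  # target account -> its creation event
    hits = []
    for e in sorted(events, key=_t):
        if e["type"] != "audit":
            continue
        if e["activity"] == "Add user":
            created[e["target"]] = e
        elif e["activity"] == "Add member to role" and e.get("role") == "Global Administrator":
            c = created.get(e["target"])
            if c and _t(e) - _t(c) <= window and e["actor_tenant"] != e["tenant"]:
                hits.append(e)
    return hits


def multi_tenant_sp_signins(events, min_tenants=2, window=timedelta(minutes=30)):
    """Rule 3: one (service principal, source IP) pair reaching >= min_tenants
    tenants inside `window`. A legitimate provider integration can look like
    this too, so correlate with rule 1 before escalating."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "signin":
            by_key[(e["principal"], e["ip"])].append(e)
    hits = []
    for (principal, ip), lst in by_key.items():
        lst.sort(key=_t)
        for i, first in enumerate(lst):
            tenants = {x["tenant"] for x in lst[i:] if _t(x) - _t(first) <= window}
            if len(tenants) >= min_tenants:
                hits.append({"principal": principal, "ip": ip, "tenants": sorted(tenants)})
                break
    return hits


def run(events=EVENTS):
    """Apply all three rules and return the findings keyed by rule name."""
    return {"credential_additions": credential_additions(events),
            "cross_tenant_global_admin": cross_tenant_global_admin(events),
            "multi_tenant_sp_signins": multi_tenant_sp_signins(events)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

On the constructed input each rule fires exactly once and the same-tenant Helpdesk Administrator grant stays quiet. In a real tenant the useful tuning knobs are the rule-2 window and the list of roles treated as high privilege, and rule 3 should be baselined against the provider integrations you actually expect before alerting on it.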