Particle.news

CrowdStrike Reports Summer Spike in Silk Typhoon Using Cloud Provider Trust to Hit Downstream Targets

New findings describe rapid zero‑day exploitation with supply‑chain entry points that extend espionage into tenant environments.

Overview

  • CrowdStrike says the China‑linked group has stepped up operations since late spring against government, technology, academic, legal, and professional services in North America, working more than a dozen recent cases with two still active.
  • Researchers detail fast exploitation of Citrix NetScaler CVE‑2023‑3519 and Commvault CVE‑2025‑3928, with the Commvault zero‑day used to steal stored credentials and access Microsoft 365 after Microsoft warned of state‑sponsored activity.
  • The actor abuses delegated administrative privileges at cloud solution providers to reach customers, including a case using supplier access to a victim’s Entra ID tenant to add a temporary backdoor account and alter service principals to reach email.
  • Post‑compromise activity includes web shells such as neo‑reGeorg, RDP, and a Golang RAT dubbed CloudedHope that employs anti‑analysis tactics, with SOHO devices leveraged for infrastructure and egress.
  • CrowdStrike also highlights related campaigns by Genesis Panda and Glacial Panda targeting cloud and telecommunications, including ShieldSlide‑trojanized OpenSSH, alongside a 40% rise in China‑sponsored cloud intrusions and a 150% jump in China‑linked intrusions through June.
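The delegated-admin pattern in the third bullet (a supplier identity adding a short-lived account and modifying service principals) is something a tenant can hunt for in its own audit trail. The following is an added example, not code from CrowdStrike or Microsoft; the record layout is loosely modelled on Entra ID audit entries, the activity names, the tenant domain and the sample records are all constructed assumptions for this illustration.

```python
"""Hunt constructed Entra ID audit records for changes made by partner (CSP)
identities and for accounts created and deleted within a short window."""
from datetime import datetime, timedelta

# Domains the tenant itself owns (assumed). An initiator outside these is
# treated as a partner / cloud solution provider identity.
TENANT_DOMAINS = {"victim.example"}

# Activities that create persistence or widen reach into mail (assumed names).
SENSITIVE = {"Add user", "Add service principal credentials",
             "Update service principal",
             "Add app role assignment to service principal"}

# Constructed sample records, not real telemetry.
RECORDS = [
    {"activityDateTime": "2025-06-03T01:12:00Z", "activityDisplayName": "Add user",
     "initiatedBy": "admin@csp-partner.example", "target": "svc-backup@victim.example"},
    {"activityDateTime": "2025-06-03T01:20:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "admin@csp-partner.example", "target": "MailSyncApp"},
    {"activityDateTime": "2025-06-03T04:05:00Z", "activityDisplayName": "Delete user",
     "initiatedBy": "admin@csp-partner.example", "target": "svc-backup@victim.example"},
    {"activityDateTime": "2025-06-03T09:00:00Z", "activityDisplayName": "Add user",
     "initiatedBy": "it-admin@victim.example", "target": "newhire@victim.example"},
]


def _is_external(upn):
    """True when the initiator's domain is not one the tenant owns."""
    return upn.split("@")[-1].lower() not in TENANT_DOMAINS


def find_partner_changes(records):
    """Return sensitive changes initiated by identities outside the tenant."""
    return [r for r in records
            if r["activityDisplayName"] in SENSITIVE and _is_external(r["initiatedBy"])]


def find_short_lived_accounts(records, window=timedelta(hours=24)):
    """Return targets created and then deleted within `window` (temporary backdoor)."""
    created, hits = {}, []
    for r in sorted(records, key=lambda x: x["activityDateTime"]):
        t = datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00"))
        if r["activityDisplayName"] == "Add user":
            created[r["target"]] = t
        elif r["activityDisplayName"] == "Delete user" and r["target"] in created:
            if t - created[r["target"]] <= window:
                hits.append(r["target"])
    return hits


if __name__ == "__main__":
    for hit in find_partner_changes(RECORDS):
        print("partner change:", hit["activityDisplayName"], "->", hit["target"])
    print("short-lived accounts:", find_short_lived_accounts(RECORDS))
```

Real hunts would pull the records from the tenant's audit log export and tune the domain and activity lists to the environment.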