China-linked Silk Typhoon APT targets North America


The China-linked Silk Typhoon APT group is ramping up attacks on North America, exploiting n-day and zero-day flaws for system access, CrowdStrike warns.

The China-linked Silk Typhoon APT group (aka Murky Panda) is targeting organizations in North America, exploiting n-day and zero-day flaws to gain system access, CrowdStrike warns.

This Chinese APT has one of the widest targeting scopes. In March, Microsoft experts observed the group exploiting vulnerabilities opportunistically by swiftly acting on scanning discoveries.

Silk Typhoon targets multiple sectors worldwide, including information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and their affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), and energy. The group has been active since 2020 and relies on web shells for command execution and data theft.

Silk Typhoon demonstrates a deep understanding of cloud environments, enabling the group to move laterally, maintain persistence, and exfiltrate data.

“MURKY PANDA heavily relies on exploiting internet-facing appliances to gain initial access and has frequently deployed web shells — including the Neo-reGeorg web shell frequently used by China-nexus adversaries — to establish persistence. The adversary also has access to the low-prevalence custom malware family CloudedHope.” reads the report published by CrowdStrike. “The adversary has quickly weaponized n-days and zero-days. They have gained initial access to victim systems by exploiting several vulnerabilities, including CVE-2023-3519 — a vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway.”

The APT group routes its traffic through compromised small office/home office (SOHO) devices, using them as exit nodes to mask the true origin of its activity, and leverages RDP, web shells, and CloudedHope to pivot from the initial foothold into cloud environments.

CloudedHope is a Golang-based 64-bit Linux RAT, obfuscated with the open-source tool Garble, supporting anti-analysis checks and decoy actions to evade detection.

Between June and August 2025, CrowdStrike detailed how the Silk Typhoon group exploited trusted cloud relationships for stealthy lateral movement to downstream victims. Unlike common initial access methods, such as stolen cloud credentials or exploitation of public-facing applications, this tactic remains under-monitored, enabling prolonged, covert access. In two cases, the group exploited zero-days against SaaS providers, obtaining Entra ID secrets that let them impersonate service principals to access downstream customers’ emails. In another case, they compromised a Microsoft cloud solution provider and abused its Delegated Administrative Privileges (DAP). With Global Admin rights across customer tenants, they created a backdoor user, escalated privileges via service principals, and accessed emails while adding further persistence. This highlights the group’s focus on intelligence collection through rare, cloud-focused TTPs.
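The persistence chain described above (a freshly created user promptly granted Global Administrator, then new credentials added to a service principal) leaves a footprint in tenant audit logs that can be correlated. The following is an added example and is not code from CrowdStrike, Microsoft or the original article: it runs a simple correlation over constructed, Entra ID-style audit records. The record layout, the activityDisplayName strings, the role names, the 24-hour window and the sample entries are assumptions made for this demonstration, chosen to resemble Entra ID audit-log output rather than to reproduce it exactly.

```python
"""Hunt, in Entra ID audit-log style records, for the cloud persistence pattern
described in the article: a newly created user promoted to a privileged role,
followed by credentials being added to a service principal.

Added example, not CrowdStrike's or Microsoft's code. Field names, activity
names, role names and sample data are assumptions for the demonstration.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample audit entries (not real telemetry). One JSON object per line.
SAMPLE_AUDIT_LOG = """
{"time":"2025-07-02T01:10:05Z","activityDisplayName":"Add user","initiatedBy":"admin@partner.example","target":"svc-backup@victim.example","role":null}
{"time":"2025-07-02T01:12:40Z","activityDisplayName":"Add member to role","initiatedBy":"admin@partner.example","target":"svc-backup@victim.example","role":"Global Administrator"}
{"time":"2025-07-02T01:20:11Z","activityDisplayName":"Add service principal credentials","initiatedBy":"svc-backup@victim.example","target":"MailSyncApp","role":null}
{"time":"2025-07-02T09:00:00Z","activityDisplayName":"Add user","initiatedBy":"it-helpdesk@victim.example","target":"jdoe@victim.example","role":null}
{"time":"2025-07-05T09:30:00Z","activityDisplayName":"Add member to role","initiatedBy":"it-helpdesk@victim.example","target":"jdoe@victim.example","role":"Helpdesk Administrator"}
"""

# Roles whose assignment to a brand-new account is suspicious (assumed list).
PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# How soon after creation a privileged assignment counts as "prompt" (assumed).
WINDOW = timedelta(hours=24)


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON records and sort them by timestamp."""
    rows = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    return sorted(rows, key=lambda r: r["time"])


def find_backdoor_admins(rows: list[dict], window: timedelta = WINDOW) -> list[tuple]:
    """Return (user, created_at, promoted_at, initiator) for every user that
    received a privileged role within `window` of being created."""
    created: dict[str, datetime] = {}
    hits = []
    for r in rows:
        if r["activityDisplayName"] == "Add user":
            created[r["target"]] = r["time"]
        elif r["activityDisplayName"] == "Add member to role" and r["role"] in PRIV_ROLES:
            t0 = created.get(r["target"])
            if t0 is not None and r["time"] - t0 <= window:
                hits.append((r["target"], t0, r["time"], r["initiatedBy"]))
    return hits


def find_sp_credential_adds(rows: list[dict], flagged_actors: set[str]) -> list[tuple]:
    """Service principal credential additions performed by an already-flagged
    actor (the backdoor account or whoever created it): app-level persistence
    that survives the user being disabled."""
    return [
        (r["target"], r["initiatedBy"], r["time"])
        for r in rows
        if r["activityDisplayName"] == "Add service principal credentials"
        and r["initiatedBy"] in flagged_actors
    ]


def hunt(text: str) -> dict:
    """Run both checks and return the findings."""
    rows = parse_log(text)
    admins = find_backdoor_admins(rows)
    # Both the backdoor user and the identity that created it are suspects.
    actors = {h[0] for h in admins} | {h[3] for h in admins}
    return {
        "backdoor_admins": admins,
        "sp_credential_adds": find_sp_credential_adds(rows, actors),
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_AUDIT_LOG)
    for user, t0, t1, who in result["backdoor_admins"]:
        print(f"[!] {user} created {t0:%Y-%m-%d %H:%M}Z, privileged role granted {t1:%H:%M}Z by {who}")
    for app, who, t in result["sp_credential_adds"]:
        print(f"[!] credential added to service principal {app} by {who} at {t:%Y-%m-%d %H:%M}Z")
```

In the sample data only the svc-backup account trips the first check (jdoe receives a non-privileged role days later), and the credential added to MailSyncApp is then attributed to that backdoor account. In a real tenant, feed exported audit logs in the same shape, tune the window, and treat an initiator that belongs to a partner (DAP) tenant rather than your own as an additional signal worth alerting on.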

“MURKY PANDA poses a significant threat to government, technology, legal, and professional services entities in North America and to their suppliers with access to sensitive information.” concludes the report.

“Organizations that rely heavily on cloud environments are innately vulnerable to trusted-relationship compromises in the cloud. China-nexus adversaries such as MURKY PANDA continue to leverage sophisticated tradecraft to facilitate their espionage operations, targeting numerous sectors globally.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT)