China-linked Silk Typhoon APT targets North America
China-linked Silk Typhoon APT group ramps up North America attacks, exploiting n-day and zero-day flaws for system access, CrowdStrike warns.
China-linked Silk Typhoon APT group (aka Murky Panda) is targeting organizations in North America, exploiting n-day and zero-day flaws to gain system access, CrowdStrike warns.
This Chinese APT has one of the widest targeting scopes observed. In March, Microsoft researchers reported that the group exploits vulnerabilities opportunistically, acting swiftly on the results of its scanning.
Silk Typhoon targets multiple sectors worldwide, including information technology (IT) services and infrastructure, remote monitoring and management (RMM) companies, managed service providers (MSPs) and their affiliates, healthcare, legal services, higher education, defense, government, non-governmental organizations (NGOs), and energy. The group has been active since 2020 and uses web shells for command execution and data theft.
Silk Typhoon demonstrates a deep understanding of cloud environments, enabling the group to move laterally, maintain persistence, and exfiltrate data.
“MURKY PANDA heavily relies on exploiting internet-facing appliances to gain initial access and has frequently deployed web shells — including the Neo-reGeorg web shell frequently used by China-nexus adversaries — to establish persistence. The adversary also has access to the low-prevalence custom malware family CloudedHope.” reads the report published by CrowdStrike. “The adversary has quickly weaponized n-days and zero-days. They have gained initial access to victim systems by exploiting several vulnerabilities, including CVE-2023-3519 — a vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway.”
The APT group uses SOHO devices as exit nodes to mask its activity, and relies on RDP, web shells, and CloudedHope to pivot into victims' cloud environments.
CloudedHope is a Golang-based 64-bit Linux RAT obfuscated with the open-source tool Garble; it performs anti-analysis checks and decoy actions to evade detection.
Between June and August 2025, CrowdStrike documented how the Silk Typhoon group abused trusted cloud relationships to move laterally, and stealthily, into downstream victims. Unlike more common initial access methods, such as stolen cloud credentials or exploitation of public-facing applications, this tactic remains under-monitored, which allows prolonged covert access. In two cases, the group exploited zero-days against SaaS providers and obtained Entra ID secrets that let it impersonate those providers' service principals and read downstream customers' email. In another case, it compromised a Microsoft cloud solution provider and abused the provider's Delegated Administrative Privileges (DAP). With Global Administrator rights in the customer tenants, the group created a backdoor user, escalated privileges via service principals, accessed email, and added further persistence. The activity points to a focus on intelligence collection through rarely seen, cloud-focused TTPs.
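The three actions in that paragraph (a new credential added to a service principal, a freshly created user promoted to Global Administrator, and a service principal reading mail from an address it never used before) all leave traces in Entra ID audit and sign-in logs. The triage script below is an added example, not code from CrowdStrike, Microsoft or the report; the record shape is a simplified, hypothetical rendering of the Graph auditLogs fields (activityDisplayName, initiatedBy, targetResources), and every tenant name, principal, IP address and timestamp in it is constructed.

```python
"""Triage constructed Entra ID audit and sign-in records for the
trusted-relationship tradecraft described above.  Example code; the
record layout is a simplified stand-in for the Microsoft Graph audit-log
schema and all events below are constructed for illustration."""

from datetime import datetime, timedelta

# Constructed audit-log records (hypothetical tenant, actors and targets).
AUDIT = [
    {"time": "2025-07-01T09:00:00", "activity": "Add service principal credentials",
     "actor": "svc-saas-integration", "target": "svc-saas-integration"},
    {"time": "2025-07-01T09:05:00", "activity": "Add user",
     "actor": "partner-admin@csp.example", "target": "backup-sync@victim.example"},
    {"time": "2025-07-01T09:07:00", "activity": "Add member to role",
     "actor": "partner-admin@csp.example", "target": "backup-sync@victim.example",
     "role": "Global Administrator"},
    {"time": "2025-07-02T14:00:00", "activity": "Add user",
     "actor": "hr-admin@victim.example", "target": "new.hire@victim.example"},
]

# Constructed service-principal sign-ins (hypothetical IPs from TEST-NET ranges).
SIGNINS = [
    {"time": "2025-06-20T10:00:00", "principal": "svc-saas-integration",
     "ip": "203.0.113.10", "resource": "Microsoft Graph", "scope": "Mail.Read"},
    {"time": "2025-07-01T09:10:00", "principal": "svc-saas-integration",
     "ip": "198.51.100.77", "resource": "Microsoft Graph", "scope": "Mail.Read"},
    {"time": "2025-07-01T11:00:00", "principal": "svc-saas-integration",
     "ip": "203.0.113.10", "resource": "Microsoft Graph", "scope": "User.Read.All"},
]

MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Read.All", "Mail.ReadWrite.All"}


def _t(rec):
    """Parse the ISO-8601 timestamp carried by a record."""
    return datetime.fromisoformat(rec["time"])


def new_sp_credentials(audit):
    """Service principals that gained a new secret or certificate.

    A stolen or quietly added credential is what lets an intruder
    impersonate the principal in downstream tenants, so each event is
    returned for review regardless of who initiated it."""
    return [r["target"] for r in audit
            if r["activity"] == "Add service principal credentials"]


def backdoor_admins(audit, window=timedelta(hours=1)):
    """Users created and then placed in Global Administrator within `window`.

    This is the create-a-backdoor-user-then-escalate pattern; a delegated
    partner account performing both steps is the DAP-abuse case."""
    created = {r["target"]: _t(r) for r in audit if r["activity"] == "Add user"}
    flagged = []
    for r in audit:
        if (r["activity"] == "Add member to role"
                and r.get("role") == "Global Administrator"
                and r["target"] in created
                and timedelta(0) <= _t(r) - created[r["target"]] <= window):
            flagged.append(r["target"])
    return flagged


def sp_mail_access_from_new_ip(signins, baseline_until):
    """Service-principal sign-ins with a mail scope from an IP the principal
    never used before `baseline_until`.

    A service principal that suddenly reads mail from a new address is the
    observable side of an impersonated SaaS integration."""
    seen = {}
    for s in signins:
        if _t(s) < baseline_until:
            seen.setdefault(s["principal"], set()).add(s["ip"])
    return [s for s in signins
            if _t(s) >= baseline_until
            and s["scope"] in MAIL_SCOPES
            and s["ip"] not in seen.get(s["principal"], set())]


if __name__ == "__main__":
    print("new SP credentials :", new_sp_credentials(AUDIT))
    print("backdoor admins    :", backdoor_admins(AUDIT))
    print("SP mail, new IP    :",
          [s["ip"] for s in sp_mail_access_from_new_ip(SIGNINS, datetime(2025, 7, 1))])
```

The baseline cutoff and the one-hour promotion window are tuning knobs, not thresholds from the report: in a real tenant the baseline would come from weeks of sign-in history, and the DAP case would additionally be filtered on initiators whose user principal name belongs to a partner domain rather than the tenant's own.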
“MURKY PANDA poses a significant threat to government, technology, legal, and professional services entities in North America and to their suppliers with access to sensitive information.” concludes the report.
“Organizations that rely heavily on cloud environments are innately vulnerable to trusted-relationship compromises in the cloud. China-nexus adversaries such as MURKY PANDA continue to leverage sophisticated tradecraft to facilitate their espionage operations, targeting numerous sectors globally.”