CrowdStrike: A new era of cyberthreats from sophisticated threat actors is here

In its report, CrowdStrike highlighted the case of Genesis Panda. Since at least March 2024, the group has been able to use cloud services to support software deployment, command and control (C2) communications, and exfiltration, targeting cloud service provider (CSP) accounts to expand access and establish alternate forms of persistence. In October 2024, CrowdStrike identified hands-on-keyboard activity from a Genesis Panda implant running on a cloud compute instance, likely using compromised credentials from cloud VMs to target the organization's cloud account.

In early March 2025, CrowdStrike identified an intrusion in which Genesis Panda obtained credentials to the target organization's cloud provider account by querying the instance metadata service (IMDS) after exploiting a public-facing Jenkins server. The group then added SSH keys and created a backdoor access key on the cloud service account, later reusing it to regain access.
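For defenders, the pattern above (credentials issued to a compute instance being used to add keys to the cloud account) can be hunted in the provider's audit log. The following is an added example, not from CrowdStrike's report: it assumes AWS CloudTrail-style records, although the article names no provider, and the sample events, the `INSTANCE_IPS` inventory and the function name are constructed for illustration.

```python
import re

# Constructed CloudTrail-style records; AWS is an assumption (the article names no provider).
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/ci-role/i-0abc1234def567890"
EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"}},
    {"eventName": "ImportKeyPair", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
]

# Hypothetical inventory: addresses each instance is expected to call the API from.
INSTANCE_IPS = {"i-0abc1234def567890": {"10.0.1.15"}}

# API calls that add long-lived credentials or SSH keys.
PERSISTENCE = {"CreateAccessKey", "UploadSSHPublicKey", "ImportKeyPair"}

# Instance-profile sessions carry the instance ID as the session name.
SESSION = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")


def find_instance_role_persistence(events, instance_ips):
    """Return persistence-type API calls made with instance-role credentials."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        match = SESSION.search(ident.get("arn", ""))
        if ident.get("type") != "AssumedRole" or not match:
            continue  # not a session issued to a compute instance
        if ev.get("eventName") not in PERSISTENCE:
            continue  # ordinary workload activity
        role, instance = match.groups()
        src = ev.get("sourceIPAddress", "")
        findings.append({
            "event": ev["eventName"], "role": role, "instance": instance,
            "source_ip": src,
            # True when the credentials were used from somewhere other than the instance
            "off_instance": src not in instance_ips.get(instance, set()),
        })
    return findings


if __name__ == "__main__":
    for finding in find_instance_role_persistence(EVENTS, INSTANCE_IPS):
        print(finding)
```

A workload role rarely has a legitimate reason to create access keys or register SSH keys, so either finding merits review; `off_instance` marks the stronger signal that the credentials left the host.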

Another China group, Murky Panda, targets cloud environments through trusted relationships between partner organizations and their cloud tenants, particularly in North America.