
CrowdStrike: A new era of cyberthreats from sophisticated threat actors is here




In its report, CrowdStrike highlighted the case of Genesis Panda. Since at least March 2024, the group has used cloud services to support tool deployment, command and control (C2) communications, and exfiltration, targeting cloud service provider (CSP) accounts to expand access and establish alternate forms of persistence. In October 2024, CrowdStrike identified hands-on-keyboard activity from a Genesis Panda implant running on a cloud compute instance, likely using credentials compromised from cloud VMs to target the organization's cloud account.

In early March 2025, CrowdStrike identified an intrusion in which Genesis Panda obtained credentials for the target organization's cloud provider account by querying the instance metadata service (IMDS) after exploiting a public-facing Jenkins server. The group then added SSH keys and created a backdoor access key on the cloud service account, later reusing it to regain access.
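The chain described above (compromised instance, credentials read from IMDS, a new access key minted as a backdoor, the key reused later) leaves a distinctive trail in cloud audit logs. The following is an added example, not CrowdStrike's tooling or anything from its report: a small detector that runs over constructed AWS CloudTrail-style records and flags (a) IAM persistence actions performed by an EC2 instance-profile session and (b) a newly created access key later used from a different source address than the one that created it. The events, IP addresses, role and user names, and key IDs are all made up for the example; only the CloudTrail field names (eventName, userIdentity, sourceIPAddress, responseElements) and the `assumed-role/<role>/<instance-id>` session-name convention are real.

```python
"""Detect persistence actions taken with credentials lifted from a cloud compute instance.

Added example, not CrowdStrike's tooling. Events below are constructed in the AWS
CloudTrail record shape (eventName, userIdentity, sourceIPAddress, responseElements).
"""

# IAM calls that give an intruder a foothold that survives losing the original instance.
PERSISTENCE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "UpdateAssumeRolePolicy", "ImportKeyPair",
}

# Constructed telemetry: an instance-profile session on a Jenkins host uses IMDS
# credentials to create a backdoor IAM access key and import an SSH key pair, and the
# key is later used from an unrelated address. A routine admin key rotation is included
# so the correlation logic has a benign case it must not flag.
SAMPLE_EVENTS = [
    {"eventTime": "2025-03-02T09:10:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMP00001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/jenkins-ec2-role/i-0abc123def456789"}},
    {"eventTime": "2025-03-02T09:12:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMP00001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/jenkins-ec2-role/i-0abc123def456789"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLEBACKDOOR1",
                                        "userName": "backup-svc", "status": "Active"}}},
    {"eventTime": "2025-03-02T09:13:00Z", "eventName": "ImportKeyPair",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMP00001",
                      "arn": "arn:aws:sts::123456789012:assumed-role/jenkins-ec2-role/i-0abc123def456789"}},
    {"eventTime": "2025-03-03T14:00:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEADMIN0001",
                      "arn": "arn:aws:iam::123456789012:user/admin"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLEADMIN0002",
                                        "userName": "admin", "status": "Active"}}},
    {"eventTime": "2025-03-03T14:05:00Z", "eventName": "ListUsers",
     "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEADMIN0002",
                      "arn": "arn:aws:iam::123456789012:user/admin"}},
    {"eventTime": "2025-03-09T22:41:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEBACKDOOR1",
                      "arn": "arn:aws:iam::123456789012:user/backup-svc"}},
]


def is_instance_role_session(event):
    """True when the caller is an EC2 instance-profile session: an AssumedRole whose
    session name (last ARN segment) is the instance ID the credentials were issued to."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")


def find_persistence_from_instance(events):
    """Events where an instance role performs an IAM persistence action. Instance
    workloads rarely need to mint users, keys or key pairs, so each hit merits triage."""
    return [e for e in events
            if is_instance_role_session(e) and e.get("eventName") in PERSISTENCE_ACTIONS]


def find_backdoor_key_reuse(events):
    """Tie each CreateAccessKey to later use of the new key ID from a different source
    address than the one that created it. Returns sorted (key_id, creating_ip, reuse_ip)."""
    created = {}  # new access key ID -> (creation time, creating source IP)
    for e in events:
        if e.get("eventName") == "CreateAccessKey":
            key_id = e.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            if key_id:
                created[key_id] = (e["eventTime"], e["sourceIPAddress"])
    findings = set()
    for e in events:
        key_id = e.get("userIdentity", {}).get("accessKeyId")
        if key_id in created:
            made_at, made_from = created[key_id]
            # ISO-8601 UTC timestamps compare correctly as strings.
            if e["eventTime"] > made_at and e["sourceIPAddress"] != made_from:
                findings.add((key_id, made_from, e["sourceIPAddress"]))
    return sorted(findings)


if __name__ == "__main__":
    for e in find_persistence_from_instance(SAMPLE_EVENTS):
        print(f"[instance-role persistence] {e['eventTime']} {e['eventName']} from {e['sourceIPAddress']}")
    for key_id, made_from, used_from in find_backdoor_key_reuse(SAMPLE_EVENTS):
        print(f"[backdoor key reuse] {key_id} created from {made_from}, later used from {used_from}")
```

Two caveats for anyone adapting this. First, requiring IMDSv2 (session-token requests) defeats SSRF-style credential theft, but not an attacker who already has code execution on the host, as in the Jenkins case: they can issue the token request themselves. The stronger control is a least-privilege instance role that simply cannot call iam:CreateAccessKey, iam:CreateUser or ec2:ImportKeyPair, backed by alerting on the rare occasions an instance role does. Second, the reuse correlation keys on a change of source address; an attacker who proxies back through the compromised instance will not trip it, so treat it as one signal alongside the persistence-action check rather than a complete detector.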

Another China-nexus group, Murky Panda, targets cloud environments through trusted relationships between partner organizations and their cloud tenants, particularly in North America.