CrowdStrike 2025 Threat Hunting Report – Part 6: Cloud Hunting

  • Writer: Katarzyna Celińska
  • Aug 28
  • 2 min read

In 2025, attackers are deeply embedded in cloud ecosystems, abusing infrastructure, services, and identity at scale. The report details how groups like MURKY PANDA and GENESIS PANDA weaponize the cloud control plane to conduct espionage, persistence, and command-and-control operations.

Cloud Intrusions

In the first half of 2025, cloud intrusions increased 136% compared to all of 2024. China-nexus adversaries alone accounted for a 40% YoY increase in cloud-related intrusions. Attackers are mastering cloud exploitation, often blending identity abuse, SaaS persistence, and cloud-native services into their operations.

MITRE ATT&CK

The most common techniques observed across cloud campaigns include:

  • Initial Access – valid accounts, supply chain compromise, public-facing application exploits
  • Execution – cloud instance commands, exploitation of orchestration services
  • Persistence – account manipulation, rogue IAM roles, cloud storage objects
  • Privilege Escalation – abusing misconfigured IAM permissions, bypassing MFA
  • Defense Evasion – indicator removal, modifying firewall rules or cloud logs
  • Command & Control – proxy services, use of cloud storage for staging payloads

Both MURKY PANDA and GENESIS PANDA frequently abuse cloud identity roles and misconfigured storage to remain undetected.

Cloud Operations

From March 2024 to March 2025, GENESIS PANDA ran a year-long campaign weaponizing the cloud control plane:

  • Queried the instance metadata service (IMDS) for credentials
  • Accessed the cloud control plane for lateral movement
  • Used C2 domains and cloud storage for infrastructure
  • Established persistence via rogue identity-based access
  • Hosted payloads directly on cloud infrastructure for exfiltration and C2

What stood out to me in this section is how attackers now weaponize the cloud control plane itself—something defenders once considered a neutral layer. Attackers exploit cloud-native tools, abuse identity roles, and transform SaaS platforms into attack infrastructure. For defenders, this means cloud hunting must evolve beyond configuration checks. It requires correlating identity, storage, and orchestration activity across the entire cloud fabric.
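As an added illustration of the correlation argued for above (not code from the report or from CrowdStrike), the hunt below joins two of the signals from the GENESIS PANDA campaign: instance-role credentials of the kind read from IMDS being used from outside the VPC, and identity-changing API calls that plant a rogue role. The log lines and the trusted network range are constructed and assumed; real telemetry would come from the provider's audit log.

```python
import ipaddress
import json

# Constructed sample events in a CloudTrail-like shape (illustrative, not real telemetry).
SAMPLE_LOG = """
{"eventName":"DescribeInstances","sourceIPAddress":"10.0.1.25","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123"}}
{"eventName":"ListBuckets","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123"}}
{"eventName":"CreateRole","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123"}}
{"eventName":"PutObject","sourceIPAddress":"10.0.1.30","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ci-deploy"}}
"""

# Assumed inputs: the egress ranges an instance role is expected to call from,
# and the identity-changing APIs that commonly mark rogue-role persistence.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/16")]
PERSISTENCE_APIS = {"CreateRole", "AttachRolePolicy", "PutRolePolicy",
                    "CreateAccessKey", "UpdateAssumeRolePolicy"}


def is_instance_role_session(arn):
    """Instance-profile credentials (the kind served by IMDS) appear as an
    assumed-role ARN whose session name is the EC2 instance id."""
    return ":assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-")


def hunt(log_text):
    """Flag instance-role credentials used off-network and persistence API calls,
    then correlate both signals per principal so the combination is escalated."""
    findings, by_principal = [], {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        arn = ev["userIdentity"]["arn"]
        ip = ipaddress.ip_address(ev["sourceIPAddress"])
        signals = by_principal.setdefault(arn, set())
        if is_instance_role_session(arn) and not any(ip in n for n in TRUSTED_NETS):
            findings.append((arn, "instance-role-creds-off-network", ev["eventName"]))
            signals.add("off-network")
        if ev["eventName"] in PERSISTENCE_APIS:
            findings.append((arn, "identity-persistence-api", ev["eventName"]))
            signals.add("persistence")
    # Both signals on one principal: stolen instance credentials planting a rogue role.
    escalate = sorted(a for a, s in by_principal.items() if {"off-network", "persistence"} <= s)
    return findings, escalate


if __name__ == "__main__":
    results, to_escalate = hunt(SAMPLE_LOG)
    for f in results:
        print(*f)
    print("escalate:", to_escalate)
```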

BW ADVISORY sp. z o.o. 