Tags
State-Sponsored
Attribution
🇨🇳
Incidents
GENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access Brokerage
References
https://go.crowdstrike.com/rs/281-OBQ-266/images/Threat-Hunt-Report-2025.pdf
Last edited
Aug 25, 2025 1:26 PM
Status
Finalized
Cloud-fluent
Targeted industries
TelecommunicationFinanceHigh-techTechnological
Since at least March 2024, the threat actor known as GENESIS PANDA has been actively leveraging cloud service provider (CSP) environments for initial access, lateral movement, persistence, and command-and-control operations. Operating across sectors such as finance, telecom, tech, and media in at least 11 countries, GENESIS PANDA is assessed to act as an initial access broker. Their activity is marked by strategic exploitation of web-facing infrastructure, use of cloud-native tools, and the establishment of layered persistence mechanisms in cloud environments.