GENESIS PANDA begins attacks by exploiting exposed services (e.g., Jenkins) and querying Instance Metadata Services (IMDS) on compromised cloud-hosted VMs to harvest credentials. With this access, the actor pivots into the cloud control plane, enabling actions like SSH access to other instances, cloud storage enumeration, and identity-based persistence. The actor regularly deploys malware and creates local users and SSH keys across compute instances. They also use cloud-native command-line tools, custom .NET-based malware, and impersonated cloud service domains for command-and-control (C2) and data exfiltration. Despite operating within compromised environments, GENESIS PANDA tends not to exfiltrate large datasets, reinforcing the assessment that their objective is access brokerage rather than intelligence collection.
Type
Campaign
Actors
Genesis Panda
Pub. date
August 24, 2025
Initial access
Software misconfig
Impact
Data exfiltration
Observed techniques
Exposed resource abuseIMDS abuseCredential theftCreate new cloud user
Targeted technologies
Jenkins
References
http://go.crowdstrike.com/rs/281-OBQ-266/images/Threat-Hunt-Report-2025.pdf
Status
Finalized
Last edited
Aug 25, 2025 1:30 PM