Silk Typhoon (a.k.a. Murky Panda) achieves initial access primarily by exploiting internet-facing appliances (e.g., Citrix NetScaler ADC, CVE-2023-3519) and has also been observed compromising SOHO devices to mask its activity. Once inside, the adversary deploys web shells such as Neo-reGeorg and maintains persistence using a Golang-based malware family called CloudedHope, which provides RAT capabilities and includes anti-analysis and obfuscation measures.
Their most notable technique involves trusted-relationship compromises in the cloud. Silk Typhoon exploited SaaS providers and Microsoft Cloud Solution Providers (CSPs), abusing Entra ID application registrations and delegated administrative privileges (DAP/GDAP). By hijacking service principal secrets or Global Administrator accounts at upstream providers, they were able to pivot into downstream customer environments, escalate privileges, and access sensitive data such as email.
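As an added illustration (not code from the original report) of how a downstream tenant might hunt for the delegated-admin and service-principal abuse described above, the script below scans simplified, constructed Entra-style audit records and flags risky directory changes made under a partner-tenant identity, plus any new service principal credential. The record schema, tenant IDs and account names are assumptions for the example.

```python
"""
Flag service-principal credential changes and partner-tenant admin actions
in simplified Entra ID audit records (the schema is an assumption, not Microsoft's).
"""
import json

# Audit activities that create or widen access to an app or directory role.
RISKY_ACTIVITIES = {
    "Add service principal credentials",
    "Add owner to service principal",
    "Add member to role",
    "Consent to application",
}

# Constructed sample records: a CSP partner tenant ("partner-111")
# holds GDAP over the customer tenant ("customer-999").
SAMPLE_LOG = """
{"time": "2024-05-01T08:00:00Z", "activity": "Update user", "actor": "admin@customer.example", "actor_tenant": "customer-999", "target": "jdoe@customer.example"}
{"time": "2024-05-01T08:05:00Z", "activity": "Add service principal credentials", "actor": "svc@partner.example", "actor_tenant": "partner-111", "target": "mail-sync-app"}
{"time": "2024-05-01T08:06:00Z", "activity": "Add member to role", "actor": "svc@partner.example", "actor_tenant": "partner-111", "target": "Global Administrator"}
{"time": "2024-05-01T09:00:00Z", "activity": "Add service principal credentials", "actor": "admin@customer.example", "actor_tenant": "customer-999", "target": "hr-portal-app"}
{"time": "2024-05-01T09:30:00Z", "activity": "Reset user password", "actor": "helpdesk@partner.example", "actor_tenant": "partner-111", "target": "jdoe@customer.example"}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious(records, home_tenant):
    """Return (severity, reason, record) tuples worth triage.

    high:   a risky activity performed under a non-home (partner) tenant identity,
            i.e. through a DAP/GDAP delegated-admin path into this tenant.
    medium: any new credential on a service principal, whoever added it, since a
            fresh secret is what lets an intruder sign in as the application.
    """
    findings = []
    for rec in records:
        foreign = rec["actor_tenant"] != home_tenant
        if rec["activity"] in RISKY_ACTIVITIES and foreign:
            findings.append(("high", "risky change via delegated admin from " + rec["actor_tenant"], rec))
        elif rec["activity"] == "Add service principal credentials":
            findings.append(("medium", "new service principal credential", rec))
    return findings


if __name__ == "__main__":
    for sev, reason, rec in find_suspicious(parse_records(SAMPLE_LOG), "customer-999"):
        print(f"[{sev}] {rec['time']} {rec['actor']} -> {rec['target']}: {reason}")
```

In a real tenant the same logic applies to the Entra audit log's service principal and role management categories, with the partner check keyed on the initiating identity's home tenant.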