CloudedHope
CloudedHope is a custom malware family used by the China-linked espionage actor Murky Panda, also known as Silk Typhoon and formerly Hafnium. It is described as a Golang-written 64-bit ELF malware for Linux that functions as a basic remote access Trojan (RAT). Reporting states it has been used after initial access alongside web shells such as neo-reGeorg, and in some cases with RDP, to support persistence, lateral movement, and information theft. CloudedHope has been associated with campaigns active since at least 2023 targeting North American organizations, including government, technology, academic, legal, and professional services entities. The actor is reported to gain initial access by exploiting internet-facing appliances and rapidly weaponizing N-day and zero-day vulnerabilities, including cited use of Citrix NetScaler ADC/Gateway CVE-2023-3519; some reporting also references Commvault CVE-2025-3928 in related intrusion chains. CloudedHope is specifically characterized as low-prevalence custom Linux malware with anti-analysis and OPSEC features, including modifying timestamps, deleting indicators of presence, and decoy-action behavior. High-confidence behavioral context in the source ties the malware to trusted-relationship and cloud-focused espionage operations in which Murky Panda abused partner or provider access to downstream victims, with a focus on accessing emails.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
Other infection pathways include exploitation of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928).
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: "abusing trusted relationships between partner organizations and their cloud tenants... breach software-as-a-service (SaaS) providers' cloud environments and conduct lateral movement to downstream victims"
Persistence
1 technique: "The attacks leverage N-day and zero-day vulnerabilities to drop web shells"
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Golang malware used to facilitate remote access in cloud/enterprise intrusions, deployed alongside web shells after exploitation of vulnerabilities.
Custom Linux-focused remote access trojan used for information theft/espionage, written in Go, with anti-analysis measures and decoy actions when it detects analysis.
Custom Linux remote-access malware used to maintain access and execute remote actions on compromised systems.
A custom 64-bit ELF Golang remote access tool (RAT) with anti-analysis/OPSEC features (e.g., timestamp modification and indicator deletion) to maintain covert access.