Security researchers are warning about a recent wave of cyberattacks from the Chinese government-linked hacker group Silk Typhoon, which has targeted government agencies, technology firms and other organizations in North America in recent years.
Silk Typhoon has exploited zero-day flaws in Citrix and Commvault products to gain access to the cloud environments of software-as-a-service providers, CrowdStrike said in a blog post on Thursday.
The group, which CrowdStrike refers to as “Murky Panda,” has exploited flaws in internet-facing appliances and compromised small-office and home-office routers as part of its intrusions, according to the security firm.
The hackers have exploited multiple critical vulnerabilities, including one, tracked as CVE-2023-3519, that affects Citrix NetScaler ADC and Citrix Gateway, and another, tracked as CVE-2025-3928, that affects Commvault devices.
“What makes this group concerning is its ability to compromise trusted cloud and SaaS relationships to move downstream into customer environments,” Adam Meyers, head of counter adversary operations at CrowdStrike, told Cybersecurity Dive. “We’ve seen them abuse weaknesses in Entra ID service principals and delegated access permissions — effectively turning identity infrastructure into a launchpad.”
In one recent case, a SaaS provider was using Entra ID to manage the application’s access to customer data. The hackers gained access to the application registration secret, which allowed them to breach the environments of downstream customers, according to the CrowdStrike blog.
In another case, according to CrowdStrike, the hackers compromised a Microsoft cloud solution provider, which gave them access to a downstream customer through delegated administrative privileges.
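A defender-side check for the application-secret case above, added here and not part of CrowdStrike's report: a Microsoft Graph PowerShell audit that flags long-lived or recently added app registration credentials and lists who changed app credentials in the directory audit log. The cmdlets are from the Microsoft.Graph SDK; the day thresholds are assumptions to tune per tenant.

```powershell
# Added example (not from CrowdStrike's post): audit Entra ID app registrations
# for the abuse pattern above, a stolen or attacker-added application secret.
# Assumes the Microsoft.Graph PowerShell SDK and a reader with the listed scopes.
Connect-MgGraph -Scopes "Application.Read.All", "AuditLog.Read.All" -NoWelcome

$now             = (Get-Date).ToUniversalTime()
$maxLifetimeDays = 365   # assumption: secrets valid longer than a year are flagged
$recentDays      = 30    # assumption: credentials added in the last 30 days are reviewed

# 1. Inventory every app registration's client secrets and certificates.
$apps = Get-MgApplication -All -Property "id,displayName,appId,passwordCredentials,keyCredentials"
$findings = foreach ($app in $apps) {
    $creds  = @($app.PasswordCredentials | ForEach-Object { @{ Type = 'Secret';      Cred = $_ } })
    $creds += @($app.KeyCredentials      | ForEach-Object { @{ Type = 'Certificate'; Cred = $_ } })
    foreach ($entry in $creds) {
        $c = $entry.Cred
        if (-not $c.StartDateTime -or -not $c.EndDateTime) { continue }
        $lifetime = ($c.EndDateTime - $c.StartDateTime).TotalDays
        $ageDays  = ($now - $c.StartDateTime).TotalDays
        $reasons  = @()
        if ($lifetime -gt $maxLifetimeDays) { $reasons += "lifetime $([int]$lifetime)d" }
        if ($ageDays -le $recentDays)       { $reasons += "added $([int]$ageDays)d ago" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                App     = $app.DisplayName
                AppId   = $app.AppId
                Type    = $entry.Type
                KeyId   = $c.KeyId
                Expires = $c.EndDateTime
                Reason  = ($reasons -join '; ')
            }
        }
    }
}
$findings | Sort-Object App | Format-Table -AutoSize

# 2. Directory audit events that touched app credentials recently, with the actor,
#    so an unexpected identity adding a secret to a production app stands out.
$since = $now.AddDays(-$recentDays).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since" |
    Where-Object { $_.Category -eq 'ApplicationManagement' -and
                   $_.ActivityDisplayName -like '*Certificates and secrets*' } |
    Select-Object ActivityDateTime, ActivityDisplayName,
        @{ n = 'Actor';  e = { if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName }
                               else { $_.InitiatedBy.App.DisplayName } } },
        @{ n = 'Target'; e = { ($_.TargetResources | Select-Object -First 1).DisplayName } } |
    Format-Table -AutoSize
```

Review any flagged credential against a change ticket; a secret nobody can account for is the signal this intrusion pattern leaves behind.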
CrowdStrike encouraged users to patch known vulnerabilities, including in the software running in their cloud environments and on their edge devices.