Severity
HIGH
CVSS
7.5
Priority
0.955
Executive Summary
CrowdStrike's 2026 Financial Services Threat Landscape Report documents a 43% rise in hands-on-keyboard intrusions against financial institutions over two years, with DPRK-nexus actors attributed $2.02 billion in cryptocurrency theft and ransomware operators recording a 27% increase in financial-sector leak-site victims. Three structurally distinct threat categories (nation-state theft, eCrime extortion, and China-nexus espionage) are converging on the financial sector simultaneously, compressing the time security teams have to detect and respond. Adversary adoption of AI is accelerating attack tempo across all three categories, so defenses calibrated to historical dwell times are no longer matched to the current threat environment.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
MURKY PANDA, DPRK-nexus actors (unspecified)
TTP Sophistication
HIGH
15 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Financial services organizations broadly; cryptocurrency and fintech platforms; Microsoft 365 environments (MURKY PANDA targeting); insurance entities; legal and financial services firms
Business Context
Financial institutions face simultaneous pressure from three adversary categories operating with distinct objectives and escalating frequency, with the 43% intrusion increase and $2.02 billion in documented cryptocurrency theft representing measurable, not theoretical, sector-wide losses. For organizations operating in digital assets, fintech, or insurance, the DPRK and eCrime tracks directly threaten operational continuity and customer assets, while the MURKY PANDA espionage campaign poses longer-term competitive and regulatory risk through the silent exfiltration of strategic information from Microsoft 365 environments. The convergence of AI-assisted attack acceleration across all three tracks means that organizations that have not recently stress-tested their detection and response timelines may find their incident response plans calibrated to a threat environment that no longer exists.
You Are Affected If
Your organization operates cryptocurrency exchange, custody, or fintech platform infrastructure targeted by DPRK-nexus actors
Your organization uses Microsoft 365 with delegated access granted to managed service providers, legal counsel, or financial advisors (MURKY PANDA trusted-relationship vector)
Your organization exposes external remote access services (VPN, RDP, Citrix) to the internet (eCrime initial access vector)
Your organization operates in financial services, insurance, or legal and financial services sectors documented in CrowdStrike's reporting as actively targeted
Your software development or deployment pipeline consumes third-party packages or dependencies without integrity verification (CWE-494, CWE-506, DPRK supply chain vector)
Board Talking Points
Hands-on attacks against financial institutions increased 43% over two years, with documented losses of $2.02 billion in cryptocurrency theft attributed to North Korean state actors, representing a measurable and escalating threat to sector-wide financial integrity.
The board should authorize an immediate review of Microsoft 365 third-party access permissions, external remote access controls, and software supply chain integrity processes within the next 30 days, prioritizing the attack surfaces documented in the CrowdStrike 2026 Financial Services Threat Landscape Report.
Organizations that do not address the three documented threat tracks separately risk maintaining defensive postures miscalibrated to actual adversary behavior, increasing the probability of undetected intrusion, regulatory exposure, and financial loss.
FFIEC CAT / GLBA Safeguards Rule: Financial institutions subject to GLBA and FFIEC guidance must demonstrate continuous monitoring, access controls, and incident response capabilities directly addressed in this checklist. The 43% increase in hands-on-keyboard intrusions and documented DPRK nation-state targeting of financial institutions elevates regulatory scrutiny risk. Verify that AU-2, AU-3, AU-11, and AU-4 implementations satisfy FFIEC audit log requirements — human verification with compliance counsel is recommended before certifying control adequacy.
FinCEN / BSA SAR obligations: DPRK-attributed cryptocurrency theft of the scale documented ($2.02 billion) may trigger Suspicious Activity Report filing obligations for affected financial institutions under the Bank Secrecy Act. This is a legal determination — escalate to legal counsel and compliance officers before and during any incident involving suspected DPRK-nexus activity.
SEC Cybersecurity Disclosure Rule (17 CFR 229.106): Publicly traded financial institutions experiencing material cybersecurity incidents from any of the three documented threat tracks may have disclosure obligations under SEC rules. Materiality determination is a legal judgment — escalate to legal counsel. Document incident timelines and control responses using AU-11 retained records to support disclosure accuracy.
Technical Analysis
The CrowdStrike 2026 Financial Services Threat Landscape Report identifies three distinct but concurrent threat tracks targeting financial institutions, each with different objectives, tooling, and defensive requirements.
The DPRK-nexus track centers on cryptocurrency and digital asset theft at scale.
Attributed actors are responsible for $2.02 billion in cryptocurrency theft, with targeting focused on cryptocurrency exchanges, fintech platforms, and digital asset custodians.
The techniques documented map to T1657 (Financial Theft), T1486 (Data Encrypted for Impact), T1566 (Phishing), and T1078 (Valid Accounts), consistent with a pattern of social engineering followed by credential compromise and asset liquidation. CWE-494 (Download of Code Without Integrity Check) and CWE-506 (Embedded Malicious Code) appear as recurring vulnerability classes, suggesting supply chain and software integrity vectors remain active in DPRK-linked campaigns. The state-nexus framing matters operationally: these actors do not follow eCrime incentive structures and are unlikely to be deterred by takedowns targeting criminal infrastructure.
The China-nexus track is represented by MURKY PANDA, which CrowdStrike documents conducting trusted-relationship attacks (T1199) against Microsoft 365 cloud environments for economic espionage. Observed techniques include cloud service discovery (T1538), email collection (T1114), spearphishing links (T1566.002), and data archival (T1560). The trusted-relationship vector is particularly significant because it exploits legitimate business relationships (managed service providers, legal counsel, or financial advisors holding cloud tenant access) rather than forcing entry through perimeter controls. CWE-287 (Improper Authentication) is the underlying weakness class, pointing to gaps in conditional access policy, multi-tenant trust boundaries, and third-party access governance in M365 environments. The espionage objective, consistent with CrowdStrike's broader China-nexus attribution methodology, is economic intelligence rather than disruption, so affected organizations may observe no obvious operational impact during the intrusion window.
The eCrime track shows a 27% increase in financial sector victims on ransomware leak sites, with hands-on-keyboard intrusion volume up 43% across the two-year reporting period. Techniques documented include external remote services (T1133), valid account abuse (T1078), scripting interpreter execution (T1059), lateral movement via remote services (T1021), and supply chain compromise (T1195.002). DLL hijacking (T1574.001) appears in the technique set, indicating post-access persistence and defense evasion tradecraft consistent with sophisticated ransomware affiliate operations. The 43% intrusion increase combined with the 27% leak-site increase suggests operators are both gaining access more frequently and converting intrusions to extortion outcomes at an increasing rate.
AI acceleration is assessed as a cross-cutting factor. CrowdStrike's reporting indicates adversaries are using AI to compress the timeline between initial access and mission execution, reducing the detection and response window available to defenders. The compression of dwell time has been documented in recent CrowdStrike reporting, and AI-assisted reconnaissance and lure generation (T1598.003) extend the reach of all three threat categories simultaneously.
The defensive implication is that these three tracks require distinct response postures. DPRK targeting demands software supply chain integrity controls and digital asset platform hardening. MURKY PANDA activity demands M365 conditional access hardening, third-party access audits, and cloud audit log coverage. eCrime operators demand endpoint detection coverage, external access control, and lateral movement detection. A unified 'financial sector' defensive posture that does not account for these distinctions will be miscalibrated for at least two of the three tracks at any given time.
Action Checklist (IR Enriched)
Triage Priority:
URGENT
Escalate immediately to the CISO and legal counsel if the M365 UAL review surfaces any of the following: new delegated admin relationships not authorized through change management, service principal credential additions outside normal provisioning windows, or cross-tenant application consent events. Any of these is an active MURKY PANDA indicator requiring incident declaration under NIST SP 800-61r3 §3 (CSF 2.0 DE.AE-08). Escalate as well if any cryptocurrency hot wallet or signing key access is detected outside authorized operational windows; this may trigger FinCEN SAR filing obligations under 31 U.S.C. § 5318(g) and reporting coordination with CISA.
Step 1: Containment — Enumerate all external-facing remote access services (VPN, RDP) and immediately enforce MFA on each; revoke any delegated admin or third-party tenant access in Microsoft Entra ID that cannot be verified against a documented business purpose. Terminate unverified external system relationships per AC-20 terms and conditions requirements before restoring any access. (Cite: NIST AC-17 Remote Access / NIST AC-20 Use Of External Systems / CIS 6.3 Require MFA for Externally-Exposed Applications / CIS 6.4 Require MFA for Remote Network Access / D3-MFA Multi-factor Authentication)
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: establishing IR capability and identifying organizational attack surface before incidents occur
NIST IR-4 (Incident Handling) — establish handling capability scoped to the three identified threat tracks
NIST IR-8 (Incident Response Plan) — ensure the plan explicitly addresses cryptocurrency infrastructure, M365 delegated access, and external remote access as distinct scenarios
NIST RA-3 (Risk Assessment) — formally document DPRK digital asset targeting, MURKY PANDA third-party trust abuse, and eCrime T1133 exploitation as prioritized risk scenarios
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory) — inventory must tag assets by category: crypto custody nodes, M365 tenants with delegated admin relationships, and internet-facing RDP/VPN endpoints
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — scope the vulnerability management process to explicitly include third-party MSP access reviews and external remote access services
Compensating Control
Enumerate delegated admin relationships from the customer tenant with Microsoft Graph PowerShell: `Connect-MgGraph -Scopes DelegatedAdminRelationship.Read.All` followed by `Get-MgTenantRelationshipDelegatedAdminRelationship` (Microsoft.Graph.Identity.Partner module), and cross-check the list against Entra admin center > Roles & admins > Delegated admin partners. The legacy MSOnline cmdlets (`Get-MsolPartnerInformation`, `Get-MsolCompanyInformation`) are retired and should not be relied on. For external remote access, use Shodan's free tier to search your ASN for exposed RDP (port 3389) and common SSL-VPN ports (4443, 8443, 10443). For crypto infrastructure, manually enumerate all wallet signing services, hot wallet APIs, and exchange connector endpoints in a spreadsheet, tagging each with its internet exposure status.
Preserve Evidence
Before scoping begins, snapshot the current state of your Microsoft 365 Unified Audit Log (UAL) to establish a baseline: export the last 90 days of `Add delegated permission grant` and `Add app role assignment to service principal` operations via the Audit search in the Purview portal (compliance.microsoft.com redirects there) or via `Search-UnifiedAuditLog`. Capture a Shodan/Censys export of your organization's externally exposed services as a point-in-time reference. For crypto platforms, preserve the current inventory of authorized signing keys (key identifiers and public keys, never the private key material), wallet access policies, and API credential identifiers before any changes are made, so post-incident comparison can show exactly what was authorized at the start.
Step 2: Detection — Audit Microsoft 365 Unified Audit Log for mailbox access by service principals or delegated accounts outside business hours or from anomalous geographies (T1114); review audit logs for bulk tenant resource enumeration beyond granted permissions (T1538); verify EDR lateral movement telemetry generates records with actor identity, timestamp, source, and destination per AU-3 content requirements for T1021 activity; confirm DLL load events are captured for T1574.001 detection; apply D3-LAM to analyze local account activity for unauthorized access patterns. (Cite: NIST AU-2 Event Logging / NIST AU-3 Content Of Audit Records / NIST AU-6 Audit Record Review, Analysis, And Reporting / CIS 8.2 Collect Audit Logs / D3-LAM Local Account Monitoring / D3-SFA System File Analysis)
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: acquiring tools, establishing logging, and hardening systems to support detection and response across all three threat tracks
NIST SI-2 (Flaw Remediation) — for DPRK track, apply to software supply chain integrity: verify all code packages deployed to financial platforms are signed and hash-verified against vendor manifests (CWE-494 untrusted code download, CWE-506 embedded malicious code)
NIST SI-7 (Software, Firmware, and Information Integrity) — deploy integrity verification for all executables and libraries on cryptocurrency custody and fintech platform hosts
NIST SI-4 (System Monitoring) — for MURKY PANDA track, confirm Unified Audit Log is enabled at E3/E5 level with 180-day minimum retention; for eCrime track, confirm EDR lateral movement telemetry covers T1021 (SMB, WMI, RDP-based movement)
NIST AC-17 (Remote Access) — enforce MFA on all VPN and RDP endpoints to close the T1133/T1078 initial access vector used by eCrime operators
NIST CM-7 (Least Functionality) — enforce DLL search order hardening via registry key `HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 1` to mitigate T1574.001
CIS 6.3 (Require MFA for Externally-Exposed Applications) — MFA enforcement on all VPN and RDP endpoints is a foundational IG1 control directly closing the eCrime T1133 vector
CIS 6.5 (Require MFA for Administrative Access) — MURKY PANDA leverages delegated admin relationships; MFA on all admin accounts in M365 limits the blast radius of compromised MSP credentials
CIS 8.2 (Collect Audit Logs) — Unified Audit Log enablement for M365 is the minimum required to detect MURKY PANDA tenant enumeration and delegated permission abuse
Compensating Control
DPRK track — with no budget, hash all deployed financial platform binaries against vendor-published manifests using built-in tools (`sha256sum` on Linux, `Get-FileHash` in PowerShell) and run the comparison weekly as a cron job or scheduled task; where the vendor signs releases, verify the Authenticode or GPG signature rather than relying on hashes alone. MURKY PANDA track — use the Microsoft 365 Secure Score portal and export delegated admin relationships from the customer tenant with `Get-MgTenantRelationshipDelegatedAdminRelationship | Export-Csv` (Microsoft Graph PowerShell; `Get-MsolPartnerContract` is a partner-side cmdlet from the retired MSOnline module). Confirm UAL is active in the Purview portal under Audit, which shows a "Start recording user and admin activity" banner when it is not. eCrime track — deploy Sysmon with the SwiftOnSecurity config to capture process creation (Event ID 1), network connections (Event ID 3), and DLL image loads (Event ID 7) on all hosts with RDP/VPN exposure, and centralize them with Windows Event Forwarding (WEF) at no license cost.
Preserve Evidence
DPRK: Capture current file hashes of all executables and libraries on cryptocurrency platform hosts before any patching, to establish a pre-change baseline for comparison if trojanized code (CWE-506) is later suspected. `Get-FileHash` has no `-Recurse` parameter, so enumerate first: `Get-ChildItem -Path C:\AppDir -Recurse -File | Get-FileHash -Algorithm SHA256 | Export-Csv baseline.csv -NoTypeInformation`. MURKY PANDA: Export the full Microsoft 365 Unified Audit Log for the past 90 days, filtering on operations `Add delegated permission grant`, `Consent to application`, `Add service principal credentials`, and `Update application`; these are the artifact classes MURKY PANDA activity generates in M365 audit trails. eCrime: Before hardening RDP/VPN, capture Sysmon Event ID 3 (network connection) logs and Windows Security Event ID 4624 (successful logon, logon type 10 = RemoteInteractive) to document the current remote access baseline.
Step 3: Eradication — For the DPRK track: audit and verify integrity of all software deployed to financial and cryptocurrency platforms against known-good baselines, using D3-FMBV file magic byte verification as a file-type sanity check alongside hash or signature comparison (a trojanized binary keeps a valid header, so magic bytes alone will not catch CWE-506); remove or quarantine unauthorized software per CIS 2.3. For the MURKY PANDA track: terminate all delegated admin relationships with excessive permissions and enforce AC-6 least privilege on remaining third-party application identities; revoke access per CIS 6.2 for any relationship lacking documented business justification. For the eCrime track: rotate credentials on all accounts with confirmed or suspected exposure using D3-CRO, harden DLL search order configurations using D3-CH, and disable dormant accounts per CIS 5.3 after the 45-day inactivity threshold. (Cite: NIST AC-6 Least Privilege / NIST AC-2 Account Management / CIS 2.1 Establish and Maintain a Software Inventory / CIS 2.3 Address Unauthorized Software / CIS 5.3 Disable Dormant Accounts / CIS 6.2 Establish an Access Revoking Process / D3-CRO Credential Rotation / D3-CH Credential Hardening / D3-FMBV File Magic Byte Verification)
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: updating organizational threat models and exercising IR capability against realistic threat scenarios including reduced detection windows
NIST IR-8 (Incident Response Plan) — the IR plan must be updated to include MURKY PANDA trusted-relationship intrusion as a named scenario with M365 delegated access as the attack path, and DPRK cryptocurrency theft as a named scenario with wallet exfiltration as the impact
NIST IR-3 (Incident Response Testing) — tabletop exercises must incorporate AI-accelerated attack tempo as a variable, explicitly compressing the assumed time between initial access and impact to reflect CrowdStrike's documented reduction in dwell time
NIST RA-3 (Risk Assessment) — formally register MURKY PANDA (MITRE ATT&CK T1199 — Trusted Relationship) and DPRK cryptocurrency theft (MITRE ATT&CK T1657 — Financial Theft) as prioritized threat scenarios with likelihood and impact ratings
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — the threat register update must feed the vulnerability management process so MURKY PANDA-relevant M365 misconfigurations and DPRK-relevant software integrity gaps are prioritized in remediation queues
Compensating Control
Use the free MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) to build a layer file annotating MURKY PANDA techniques (T1199 Trusted Relationship, T1078.004 Cloud Accounts, T1114 Email Collection) and DPRK techniques (T1195 Supply Chain Compromise, T1657 Financial Theft, T1553 Subvert Trust Controls) against your current detective controls, producing a visual gap map at no cost. Use this output as the threat register artifact. For tabletop exercises, use CISA's free Tabletop Exercise Package (CTEP) framework and inject an AI-accelerated timeline by halving assumed dwell times in all decision points.
Preserve Evidence
Prior to updating the threat model, collect any existing threat intelligence already held by the organization: previous CrowdStrike or vendor threat intel reports, prior CISA advisories on DPRK cryptocurrency theft (e.g., AA22-108A, AA23-049A), and any historical M365 UAL anomalies involving delegated admin operations. These form the evidential basis for the threat model entries and support risk rating justification during audit or regulatory review.
Step 4: Recovery — Verify conditional access policies enforce device compliance and location restrictions for all third-party and remote access before restoring delegated access per AC-3 and AC-20; confirm AU-4 audit log storage is sized to retain the full intrusion window and AU-11 retention periods are set per organizational records retention policy; validate all restored accounts have MFA re-enrolled per CIS 6.5 and that administrator accounts are separated from general-use accounts per CIS 5.4; confirm account inventory is updated per CIS 5.1 to reflect all changes made during eradication. (Cite: NIST AC-3 Access Enforcement / NIST AC-20 Use Of External Systems / NIST AU-4 Audit Storage Capacity / NIST AU-11 Audit Record Retention / CIS 5.1 Establish and Maintain an Inventory of Accounts / CIS 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts / CIS 6.5 Require MFA for Administrative Access / D3-UAP User Account Permissions)
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: establishing communication structures and ensuring organizational leadership is briefed on threat-specific risk prior to incident declaration
NIST IR-6 (Incident Reporting) — internal reporting structures must be established so CISO and business leaders receive threat-track-specific briefings mapped to organizational exposure, not generic sector alerts
NIST IR-7 (Incident Response Assistance) — identify in advance which external parties (FS-ISAC, a CrowdStrike IR retainer, CISA services) would be engaged per threat track, and communicate those escalation paths to leadership
NIST IR-8 (Incident Response Plan) — the communication plan within the IR plan must specify different notification chains for a DPRK cryptocurrency theft event (likely requiring Treasury/FinCEN notification) versus a MURKY PANDA espionage intrusion versus a ransomware extortion event
CIS 7.2 (Establish and Maintain a Remediation Process) — leadership briefings must result in a prioritized, track-specific remediation commitment with documented timelines, not a generic awareness acknowledgment
Compensating Control
Prepare a one-page executive briefing template with three sections (one per threat track) using the FS-ISAC reporting format at TLP:CLEAR (TLP 2.0 renamed TLP:WHITE to TLP:CLEAR). Populate the DPRK section with the $2.02B theft figure and applicable CISA advisory references. Populate the MURKY PANDA section with M365 UAL findings from the control review step. Populate the eCrime section with current MFA enforcement gaps and EDR coverage percentage from the asset inventory. Deliver as a PDF with a signature line to create a documented acknowledgment record, which matters for regulatory defensibility under DORA, SEC cybersecurity disclosure rules, or OCC examination.
Preserve Evidence
Before the briefing, compile the following as supporting exhibits: (1) output of the M365 delegated admin relationship export showing all active third-party tenant trust configurations, (2) the asset inventory excerpt showing cryptocurrency custody/exchange infrastructure scope, (3) the Shodan/Censys export of externally exposed remote access services with MFA enforcement status annotated. These are the organization-specific data points that differentiate this briefing from a generic sector report and demonstrate due diligence if regulatory inquiry follows.
Step 5: Post-Incident — Update the threat register to include the MURKY PANDA trusted-relationship intrusion pattern (T1199) and DPRK digital asset targeting as documented threat scenarios; incorporate AI-accelerated attack tempo as a factor reducing assumed detection windows in tabletop exercises; brief the CISO on which of the three threat tracks applies based on assessed exposure, citing the CrowdStrike-documented 43% increase in hands-on-keyboard intrusions and 27% ransomware victim increase as sector benchmarks; establish a recurring process per AU-13 to monitor open-source information and CISA advisories for updated DPRK cryptocurrency theft and MURKY PANDA indicators; apply D3-ODM to map operational dependencies that intersect with identified third-party and supply chain risk vectors (T1195.002, T1199). (Cite: NIST AC-1 Policy And Procedures / NIST AU-13 Monitoring For Information Disclosure / CIS 7.1 Establish and Maintain a Vulnerability Management Process / CIS 7.2 Establish and Maintain a Remediation Process / D3-ODM Operational Dependency Mapping)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: using threat intelligence and lessons learned to improve detection capability and update organizational defenses on an ongoing basis
NIST SI-5 (Security Alerts, Advisories, and Directives) — formally subscribe to CISA advisories, FS-ISAC feeds, and CrowdStrike intelligence publications; assign a named owner responsible for triaging and distributing DPRK and MURKY PANDA-specific publications
NIST IR-4 (Incident Handling) — update incident handling procedures whenever new MURKY PANDA technique refinements or DPRK TTPs are published, without waiting for a full annual IR plan review cycle
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — establish a recurring M365 UAL review cadence (minimum monthly) specifically hunting for MURKY PANDA-associated operations: new delegated permissions, service principal credential additions, and cross-tenant application consents
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — integrate CISA KEV (Known Exploited Vulnerabilities) catalog monitoring and DPRK/MURKY PANDA advisory feeds into the vulnerability management process as standing input sources
Compensating Control
Subscribe to CISA's free email alert service (cisa.gov/subscribe-updates-cisa) and FS-ISAC's TLP:CLEAR feed for financial sector threat intelligence. Create a MITRE ATT&CK Navigator saved layer for MURKY PANDA and DPRK techniques and update it each time a new advisory is published, using the delta to identify new detection gaps. For M365 hunting without a SIEM, run a scheduled PowerShell script weekly: after `Connect-ExchangeOnline`, run `Search-UnifiedAuditLog -Operations 'Add delegated permission grant','Add service principal credentials','Consent to application' -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000`. The cmdlet returns only 100 records by default, so set `-ResultSize` (and `-SessionCommand ReturnLargeSet` when more than 5,000 are expected) or results will be silently truncated.
Preserve Evidence
Maintain a running intelligence log documenting each new CISA DPRK advisory (e.g., updates to AA22-108A series), each CrowdStrike MURKY PANDA publication, and each regulatory guidance issuance, with a dated entry recording what was reviewed, what changed in the threat landscape, and what organizational action was taken in response. This log serves as the primary evidence of ongoing due diligence under NIST IR-5 (Incident Monitoring) and supports regulatory examination defense under DORA Article 17 or OCC Heightened Standards if the organization is later subject to inquiry following a sector-level incident.
Recovery Guidance
For any confirmed MURKY PANDA or DPRK intrusion, recovery must include full revocation and re-provisioning of all M365 delegated admin relationships and service principal credentials — not just the compromised ones — because MURKY PANDA's persistence model involves establishing multiple redundant trust relationships that may not all surface during initial investigation (NIST 800-61r3 §3.5 — Recovery). For cryptocurrency theft incidents, coordinate with the blockchain analytics firms (Chainalysis, TRM Labs) used by FBI and Treasury to trace fund movement before any public disclosure, as premature disclosure can accelerate laundering through mixers. Monitor M365 UAL daily for a minimum of 90 days post-remediation, with specific attention to re-appearance of revoked service principal credentials or new delegated admin invitations from previously identified MSP or third-party tenants.
Key Forensic Artifacts
Microsoft 365 Unified Audit Log — filter on operations 'Add delegated permission grant', 'Add service principal credentials', 'Consent to application', 'Update application', and 'Add member to role' for the past 90 days (UAL records these Entra ID operations with a trailing period); these are the specific UAL event types generated by MURKY PANDA's technique of abusing third-party delegated admin relationships to establish persistent M365 access
Azure AD Sign-In Logs and Conditional Access audit logs — specifically entries showing successful authentications from service principal identities or partner tenant identities outside of expected geographic locations or outside business hours, which represent MURKY PANDA operational tradecraft for avoiding detection during tenant enumeration (MITRE T1078.004 — Valid Accounts: Cloud Accounts)
Blockchain transaction records and hot wallet access logs from cryptocurrency custody platforms — specifically any unsigned or anomalously signed transactions, API key usage events outside authorized windows, and wallet drain sequences consistent with DPRK's documented technique of accessing custody platforms via trojanized software updates (CWE-494) and then exfiltrating private keys before initiating bulk transfers
Windows Security Event Log Event ID 4624 (logon type 10, RemoteInteractive) and Event ID 4625 (failed logon) on all internet-facing RDP hosts, together with the authentication logs of VPN gateways (appliance logs or NPS/RADIUS Event IDs 6272 and 6273, since a VPN concentrator does not itself produce 4624 type 10) — these are the primary authentication artifacts for eCrime T1133 (External Remote Services) and T1078 (Valid Accounts) initial access, and a spike in 4625 events followed by a successful 4624 from the same external IP is the canonical brute-force-to-access pattern used by ransomware operators targeting financial sector remote access. With Network Level Authentication enabled, RDP password-guessing failures are recorded with logon type 3 rather than 10, so key the failure side of the correlation on source address, not logon type.
Sysmon Event ID 7 (Image Loaded) logs on financial platform hosts — filter for DLL load events where the loaded DLL path does not match the application's expected installation directory, which is the primary forensic indicator of T1574.001 (DLL Search Order Hijacking) used by eCrime operators for persistence and privilege escalation after initial access via T1133
Detection Guidance
Detection priorities differ by threat track and must be scoped to the log sources and behavioral indicators specific to each.
MURKY PANDA / M365 espionage (T1114, T1538, T1560, T1199): Enable and retain the Microsoft 365 Unified Audit Log per NIST AU-2 Event Logging and CIS 8.2 Collect Audit Logs. Query for mailbox access by service principals or delegated accounts outside normal business hours or from geographies inconsistent with the organization's operating profile. Per NIST AU-3 Content Of Audit Records, each event must capture actor identity, timestamp, source IP, and resource accessed; flag any record missing these fields as an audit gap. Hunt for T1538 cloud service discovery: bulk enumeration of tenant users, groups, or resources by third-party application identities beyond the permissions documented in their business justification. Audit all delegated admin relationships in Microsoft Entra ID against NIST AC-20 Use Of External Systems; any relationship without documented terms and conditions is a detection priority. Apply D3-LAM Local Account Monitoring to analyze service account and delegated identity activity for access patterns inconsistent with their defined scope. Apply D3-SFA System File Analysis to detect unauthorized modification of authentication configurations and M365 service configurations consistent with T1560 collection staging.
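The hunt described above, written out as an added Python example (not code from the original page or from CrowdStrike): it reads an exported UAL as one AuditData JSON object per line, flags the sensitive Entra ID operations named in this page plus mailbox access by application or service principal identities, checks each record for the AU-3 fields, and enriches flagged records with off-hours and unexpected-source markers. The 08:00-18:00 weekday business hours, the fixed UTC-5 office, and the use of documented egress ranges in place of a GeoIP lookup are assumptions for the example; the sample records are constructed.

```python
"""Hunt an exported Microsoft 365 Unified Audit Log (UAL) for MURKY PANDA-style
trusted-relationship abuse: sensitive Entra ID operations, mailbox access by
app/service principal identities, AU-3 completeness, off-hours and unexpected
source enrichment. Input: one AuditData JSON object per line."""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Review-always operations. UAL records Entra ID operations with a trailing
# period ("Consent to application."), so names are normalised before comparison.
SENSITIVE_OPS = {
    "add delegated permission grant", "add service principal credentials",
    "consent to application", "update application", "add member to role",
    "add app role assignment to service principal",
}
APP_USER_TYPES = {5, 6}   # UAL UserType codes: Application (5), ServicePrincipal (6)
# Assumptions for this example: known egress ranges (RFC 5737 documentation
# space) stand in for GeoIP, and business hours are 08:00-18:00 weekdays at UTC-5.
ORG_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_TZ = timezone(timedelta(hours=-5))
BUSINESS_HOURS = range(8, 18)


def normalise_op(op):
    return (op or "").strip().rstrip(".").lower()


def parse_ip(raw):
    """Return an ip_address or None. UAL sometimes appends ':port' to IPv4."""
    if not raw:
        return None
    if raw.count(":") == 1:                 # IPv4 with port, e.g. 203.0.113.77:443
        raw = raw.split(":")[0]
    try:
        return ipaddress.ip_address(raw.strip("[]"))
    except ValueError:
        return None


def off_hours(creation_time):
    """CreationTime is UTC without a suffix; convert to local and test."""
    local = datetime.fromisoformat(creation_time).replace(tzinfo=timezone.utc).astimezone(LOCAL_TZ)
    return local.weekday() >= 5 or local.hour not in BUSINESS_HOURS


def assess(rec):
    """Return the reason codes that make one UAL record worth analyst review."""
    reasons = []
    op = normalise_op(rec.get("Operation"))
    raw_ip = rec.get("ClientIP") or rec.get("ClientIPAddress")
    if op in SENSITIVE_OPS:
        reasons.append("sensitive_operation")
    if op == "mailitemsaccessed" and rec.get("UserType") in APP_USER_TYPES:
        reasons.append("sp_mailbox_access")         # T1114 through an app identity
    # AU-3 content check: actor, timestamp, operation and source must be present.
    missing = [f for f in ("CreationTime", "UserId", "Operation") if not rec.get(f)]
    if not raw_ip:
        missing.append("ClientIP")
    if missing:
        reasons.append("au3_gap:" + ",".join(missing))
    # Enrich only records already of interest, so an ordinary user reading mail
    # on a Sunday is not flagged on its own.
    if reasons and rec.get("CreationTime") and off_hours(rec["CreationTime"]):
        reasons.append("off_hours")
    ip = parse_ip(raw_ip)
    if reasons and ip is not None and not any(ip in net for net in ORG_EGRESS):
        reasons.append("unexpected_source")
    return reasons


def hunt(lines):
    """Return one finding per record that has at least one reason code."""
    findings = []
    for rec in (json.loads(l) for l in lines if l.strip()):
        reasons = assess(rec)
        if reasons:
            findings.append({"time": rec.get("CreationTime"), "operation": rec.get("Operation"),
                             "actor": rec.get("UserId"),
                             "ip": rec.get("ClientIP") or rec.get("ClientIPAddress"),
                             "reasons": reasons})
    return findings


# Constructed sample export (not real tenant data), one AuditData object per line.
SAMPLE_UAL = """
{"CreationTime":"2026-03-12T15:02:11","Operation":"Consent to application.","UserId":"admin@example.com","UserType":2,"ClientIP":"192.0.2.10","Workload":"AzureActiveDirectory","ObjectId":"Contoso Mail Sync"}
{"CreationTime":"2026-03-12T07:13:09","Operation":"Add service principal credentials.","UserId":"ops@partner-msp.example","UserType":2,"ClientIP":"203.0.113.77:443","Workload":"AzureActiveDirectory","ObjectId":"ServicePrincipal_9f1c"}
{"CreationTime":"2026-03-12T08:40:00","Operation":"MailItemsAccessed","UserId":"9f1c0a2e-7c1d-4e8a-b2f3-0d1e2f3a4b5c","UserType":6,"ClientIPAddress":"198.51.100.9","Workload":"Exchange","MailboxOwnerUPN":"cfo@example.com"}
{"CreationTime":"2026-03-12T16:05:00","Operation":"MailItemsAccessed","UserId":"analyst@example.com","UserType":0,"ClientIPAddress":"192.0.2.44","Workload":"Exchange","MailboxOwnerUPN":"analyst@example.com"}
{"CreationTime":"2026-03-12T14:00:00","Operation":"Add member to role.","UserId":"admin@example.com","UserType":2,"Workload":"AzureActiveDirectory","ObjectId":"Global Administrator"}
"""


def run_sample():
    return hunt(SAMPLE_UAL.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f["time"], f["operation"], f["actor"], f["ip"], ",".join(f["reasons"]))
```

On the constructed sample the analyst's own mailbox read is the only record not surfaced; the partner MSP's credential addition at 02:13 local from outside the egress ranges collects all three enrichment codes, and the role change with no ClientIP is reported as an AU-3 gap as well as a sensitive operation. Feed it the JSON column of a real export and tune the CIDRs and hours to the tenant.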
DPRK cryptocurrency theft (T1195.002, T1574.001, T1059, T1566): Enable DLL load event logging on endpoints supporting cryptocurrency and digital asset platforms. Hunt for T1574.001 DLL search order hijacking by monitoring for DLL loads from non-standard paths or by processes without a documented software inventory entry per CIS 2.1. Apply D3-FMBV File Magic Byte Verification to validate integrity of software deployed to exchange and custody platforms — flag any binary whose magic bytes do not match its declared file type. For T1195.002 supply chain compromise, cross-reference all third-party software updates against CIS 2.1 inventory and CIS 2.2 supported software status before deployment. Apply D3-SFA to monitor system executables and configuration files for unauthorized modification consistent with pre-positioned access. Alert on T1059 script interpreter execution from processes associated with financial platform software — this is anomalous and warrants immediate triage. Review AU-6 audit records at increased frequency for these platforms given the documented targeting pattern.
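The Sysmon Event ID 7 path check from the log-source list and the D3-FMBV magic-byte check from the paragraph above, as one added Python example. This is not code from the page, from CrowdStrike, or from any vendor; the Sysmon records, the application name tradedesk.exe and its allow-listed directories are constructed stand-ins for an inventory entry, and the "PE stub" is a handful of header bytes built for the test, not a real binary.

```python
"""Added example: DLL-load path verification (T1574.001 hunting over Sysmon ID 7) and
PE magic-byte verification (D3-FMBV). Not part of the original page."""
import struct
from pathlib import PureWindowsPath

# Assumption: per-application allow-list derived from the software inventory (CIS 2.1).
# tradedesk.exe is a constructed application name.
EXPECTED_DLL_DIRS = {
    "tradedesk.exe": [
        r"C:\Program Files\TradeDesk",
        r"C:\Windows\System32",
        r"C:\Windows\SysWOW64",
    ],
}

# Constructed Sysmon Event ID 7 (Image Loaded) records, reduced to the fields used here.
SAMPLE_SYSMON_ID7 = [
    {"Image": r"C:\Program Files\TradeDesk\tradedesk.exe",
     "ImageLoaded": r"C:\Program Files\TradeDesk\libcrypto.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\TradeDesk\tradedesk.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\TradeDesk\tradedesk.exe",
     "ImageLoaded": r"C:\Users\Public\version.dll", "Signed": "false"},
]


def in_expected_dir(dll_path, allowed_dirs):
    """True when the DLL sits in (or under) one of the allow-listed directories.
    PureWindowsPath compares case-insensitively, matching NTFS semantics."""
    parent = PureWindowsPath(dll_path).parent
    return any(PureWindowsPath(d) == parent or PureWindowsPath(d) in parent.parents
               for d in allowed_dirs)


def find_sideload_candidates(events, expected=EXPECTED_DLL_DIRS):
    """Return ID 7 loads where an inventoried process loaded a DLL from outside its
    expected directories: the primary forensic indicator of search-order hijacking."""
    hits = []
    for ev in events:
        exe = PureWindowsPath(ev["Image"]).name.lower()
        allowed = expected.get(exe)
        if allowed is None:
            continue  # process not in scope of this allow-list; handle under CIS 2.1 separately
        if not in_expected_dir(ev["ImageLoaded"], allowed):
            hits.append({"process": ev["Image"], "dll": ev["ImageLoaded"], "signed": ev["Signed"]})
    return hits


def looks_like_pe(data: bytes) -> bool:
    """D3-FMBV check for a file declared as a Windows executable/DLL: 'MZ' DOS header and
    the 'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_minimal_pe_stub() -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a PE signature.
    Enough for the magic-byte check; not a loadable binary."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00"


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_SYSMON_ID7):
        print("DLL outside expected directory:", hit)
    print("stub passes PE magic check:", looks_like_pe(build_minimal_pe_stub()))
```

The magic-byte check only confirms that a file claiming to be a PE really is one; a signed, correctly formed DLL in an unexpected directory is still a path-check hit, which is why the two checks are reported independently.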
eCrime ransomware and extortion (T1486, T1078, T1021, T1566, T1566.002, T1657, T1133): Monitor AU-2 event logs for T1078 valid account abuse — focus on accounts active outside their established usage pattern, logins from new endpoints, or privilege escalation events. Apply D3-LAM to detect local account creation or modification not initiated through the CIS 6.1 access granting process. For T1133 external remote service abuse, verify all VPN and RDP authentication events generate AU-3 compliant records and alert on authentication from IP ranges not associated with the organization's documented remote access population. Apply D3-CH Credential Hardening detections to identify accounts with weak or reused credentials per CIS 5.2. Hunt T1021 lateral movement by correlating successful authentication events across internal systems — flag any account authenticating to more than a defined threshold of internal hosts within a short window. For T1566 and T1566.002 phishing precursors, monitor email gateway logs per AU-2 for attachment and link delivery patterns consistent with documented eCrime lure techniques targeting financial sector personnel.
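Two of the correlations above in one added Python example: the 4625-burst-then-4624 (logon type 10) pattern from the same external IP named in the log-source list for T1133/T1078, and the T1021 fan-out rule (one account authenticating to more than a threshold of internal hosts in a short window). This is not code from the page or from CrowdStrike; the Security events are constructed samples, the thresholds and windows are assumed tuning values, and the internal-address test is a simplified prefix check standing in for the organization's documented address ranges.

```python
"""Added example: brute-force-to-access and lateral-movement fan-out correlation over
constructed Windows Security 4624/4625 events. Not part of the original page."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: simplified internal-range test; replace with the documented address population.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")

# Constructed events: (timestamp, event_id, logon_type, source_ip, account, target_host)
SAMPLE_EVENTS = [
    # six failures from one external IP, then a RemoteInteractive success three minutes later
    ("2026-03-01T02:00:01", 4625, 10, "203.0.113.7", "svc_backup", "VPN-GW01"),
    ("2026-03-01T02:00:09", 4625, 10, "203.0.113.7", "svc_backup", "VPN-GW01"),
    ("2026-03-01T02:00:18", 4625, 10, "203.0.113.7", "svc_backup", "VPN-GW01"),
    ("2026-03-01T02:00:27", 4625, 10, "203.0.113.7", "svc_backup", "VPN-GW01"),
    ("2026-03-01T02:00:36", 4625, 10, "203.0.113.7", "svc_backup", "VPN-GW01"),
    ("2026-03-01T02:00:45", 4625, 10, "203.0.113.7", "svc_backup", "VPN-GW01"),
    ("2026-03-01T02:03:10", 4624, 10, "203.0.113.7", "svc_backup", "VPN-GW01"),
    # a single typo then success: below threshold, no alert
    ("2026-03-01T09:15:00", 4625, 10, "198.51.100.9", "jdoe", "VPN-GW01"),
    ("2026-03-01T09:16:00", 4624, 10, "198.51.100.9", "jdoe", "VPN-GW01"),
    # the same account then authenticates to seven internal hosts in four minutes
    ("2026-03-01T02:10:00", 4624, 3, "10.0.0.5", "svc_backup", "FS01"),
    ("2026-03-01T02:10:30", 4624, 3, "10.0.0.5", "svc_backup", "FS02"),
    ("2026-03-01T02:11:00", 4624, 3, "10.0.0.5", "svc_backup", "FS03"),
    ("2026-03-01T02:11:30", 4624, 3, "10.0.0.5", "svc_backup", "DB01"),
    ("2026-03-01T02:12:00", 4624, 3, "10.0.0.5", "svc_backup", "DB02"),
    ("2026-03-01T02:13:00", 4624, 3, "10.0.0.5", "svc_backup", "APP01"),
    ("2026-03-01T02:14:00", 4624, 3, "10.0.0.5", "svc_backup", "DC01"),
    # a normal working day for jdoe: two hosts, hours apart
    ("2026-03-01T09:20:00", 4624, 3, "10.0.0.8", "jdoe", "FS01"),
    ("2026-03-01T13:20:00", 4624, 3, "10.0.0.8", "jdoe", "MAIL01"),
]


def _t(ts):
    return datetime.fromisoformat(ts)


def find_bruteforce_to_access(events, failure_threshold=5, window=timedelta(minutes=10)):
    """For each 4624 logon type 10 from an external IP, count 4625 events from the same IP
    in the preceding window; at or above the threshold it is the brute-force-to-access pattern."""
    failures = defaultdict(list)   # source_ip -> failure timestamps (chronological)
    alerts = []
    for ts, eid, ltype, ip, acct, host in sorted(events, key=lambda e: e[0]):
        if ip.startswith(INTERNAL_PREFIXES):
            continue
        t = _t(ts)
        if eid == 4625:
            failures[ip].append(t)
        elif eid == 4624 and ltype == 10:
            recent = [f for f in failures[ip] if t - window <= f <= t]
            if len(recent) >= failure_threshold:
                alerts.append({"source_ip": ip, "account": acct, "gateway": host,
                               "success_at": ts, "failures_in_window": len(recent)})
    return alerts


def find_lateral_fanout(events, max_hosts=5, window=timedelta(minutes=15)):
    """Flag any account with successful logons to more than max_hosts distinct internal
    hosts inside a sliding window (one alert per account, at the first window that trips)."""
    by_acct = defaultdict(list)
    for ts, eid, ltype, ip, acct, host in events:
        if eid == 4624 and ip.startswith(INTERNAL_PREFIXES):
            by_acct[acct].append((_t(ts), host))
    alerts = []
    for acct, logons in by_acct.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                alerts.append({"account": acct, "window_start": t0.isoformat(),
                               "distinct_hosts": len(hosts)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_to_access(SAMPLE_EVENTS) + find_lateral_fanout(SAMPLE_EVENTS):
        print(alert)
```

Both functions key on the success event rather than on the failures alone, which keeps noisy scanners that never authenticate out of the alert queue; the failure burst becomes context attached to a confirmed logon, which is what an analyst needs to triage it.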
Cross-track logging integrity: Confirm AU-4 audit log storage capacity is allocated to accommodate the full intrusion window for each track — hands-on-keyboard intrusions may span days or weeks. Confirm AU-11 retention periods meet organizational records retention policy minimums. Alert on AU-5 audit logging process failures immediately — any gap in log availability during an active investigation is a critical control failure. Apply AU-9 protections to prevent adversary tampering with audit records, which is a documented behavior in long-dwell intrusions.
Indicators of Compromise (1)
1 tool (Type / Value / Enrichment Context / Confidence)
TOOL: Pending — refer to CrowdStrike 2026 Financial Services Threat Landscape Report and MURKY PANDA blog post for published indicators
Context: CrowdStrike's reporting references specific MURKY PANDA indicators, DPRK-linked payload hashes, and eCrime infrastructure; the actual IOC values are not reproduced in the source material provided. Retrieve indicators directly from the CrowdStrike Adversary Intelligence portal or the published blog posts listed in the source URLs.
Confidence: LOW
Platform Playbooks: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security
License tiers and available log sources:
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Query legend: Hard indicator (direct match); Contextual (behavioral query); Shared platform (review required)
IOC Detection Queries (1)
Known attack tool — NOT a legitimate system binary. Any execution is suspicious.
KQL Query Preview
Read-only — detection query only
// Threat: Financial Sector Under Compound Pressure: Nation-State Theft, eCrime Escalation,
// Attack tool: Pending — refer to CrowdStrike 2026 Financial Services Threat Landscape Report and MURKY PANDA blog post for published indicators
// Context: CrowdStrike's reporting references specific MURKY PANDA indicators, DPRK-linked payload hashes, and eCrime infrastructure; the actual IOC values are not reproduced in the source material provided. Ret
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "Pending — refer to CrowdStrike 2026 Financial Services Threat Landscape Report and MURKY PANDA blog post for published indicators"
or ProcessCommandLine has "Pending — refer to CrowdStrike 2026 Financial Services Threat Landscape Report and MURKY PANDA blog post for published indicators"
or InitiatingProcessCommandLine has "Pending — refer to CrowdStrike 2026 Financial Services Threat Landscape Report and MURKY PANDA blog post for published indicators"
| project Timestamp, DeviceName, FileName, FolderPath,
ProcessCommandLine, AccountName, AccountDomain,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (6)
Sentinel rule: Supply chain / cross-tenant access
SigninLogs
| where TimeGenerated > ago(7d)
| where HomeTenantId != ResourceTenantId
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, HomeTenantId, ResourceTenantId
| sort by TimeGenerated desc
Sentinel rule: Ransomware activity
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileRenamed"
| where tolower(FileName) matches regex @"\.(encrypted|locked|crypto|crypt|enc|ransom)$"
| summarize RenamedFiles = count() by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where RenamedFiles > 20
| sort by RenamedFiles desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Lateral movement via RDP / SMB / WinRM
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1199, T1486, T1114, T1598.003, T1059, T1566 (+9 more)
NIST SP 800-53: CP-9, CP-10, CM-7, SI-3, SI-4, SI-7 (+16 more)
HIPAA Security Rule: 164.312(d), 164.308(a)(7)(ii)(A)
MITRE ATT&CK Mapping (technique: name, tactic)
T1199: Trusted Relationship (initial-access)
T1486: Data Encrypted for Impact (impact)
T1114: Email Collection (collection)
T1059: Command and Scripting Interpreter (execution)
T1566: Phishing (initial-access)
T1078: Valid Accounts (defense-evasion)
T1560: Archive Collected Data (collection)
T1021: Remote Services (lateral-movement)
T1657: Financial Theft (impact)
T1538: Cloud Service Dashboard (discovery)
T1195.002: Compromise Software Supply Chain (initial-access)
T1133: External Remote Services (persistence)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.