Mustang Panda targets Indian government using Zoho WorkDrive for cyber espionage

Acronis uncovers Mustang Panda campaign using Zoho WorkDrive to target Indian government networks

The China-linked cyber espionage group Mustang Panda has launched two campaigns targeting Indian government organisations and the hydropower sector, using Zoho WorkDrive as a command-and-control channel. According to the Acronis Threat Research Unit, the attackers deployed new malware while disguising malicious activity as legitimate cloud traffic to avoid detection.

Researchers found active compromises within Indian government networks, including systems used by senior administrative officials, and worked with CERT-In to notify affected organisations and support remediation efforts.

The campaign uses Zoho WorkDrive, a cloud storage platform widely used across India’s government sector, to receive attacker commands and exfiltrate stolen data. By leveraging a trusted cloud service, the malicious traffic blends with normal network activity, making it more difficult to identify.

Acronis identified three new malware tools used in the attacks. SHARDLOADER acts as a loader: it is sideloaded as a malicious DLL into legitimate signed applications, including Solid PDF Creator and Citrix Receiver, and then deploys the next-stage malware. MINIRECON, an updated variant of the ToneShell backdoor, communicates over encrypted WebSocket connections carried on HTTPS. The newly discovered ZOHOMURK malware contains hardcoded Zoho OAuth credentials and uses an attacker-controlled WorkDrive account to receive commands and upload stolen data.

According to the report, both campaigns were delivered through spear-phishing emails containing ZIP archives with hidden malicious DLL files. The phishing lures referenced hydropower cooperation proposals and a memorandum of understanding involving Indian and Taiwanese institutions, suggesting the attackers were seeking intelligence related to India’s hydropower projects and defence ties with Taiwan.

Acronis attributed the activity to Mustang Panda with high confidence based on reused malware techniques, infrastructure overlaps, code similarities and operational mistakes such as hardcoded credentials and reused identifiers. Active malware communications were observed between June 12 and June 22, 2026.

Researchers said there is no software patch for this attack, since it relies on phishing and on sideloading into legitimate signed applications rather than on a software vulnerability. Instead, organisations should focus on detecting phishing attempts, monitoring suspicious cloud API activity, identifying DLL sideloading from signed applications and tracking the indicators of compromise published by Acronis. Government agencies and energy organisations have been advised to remain alert for geopolitically themed phishing campaigns and for unusual endpoint access to cloud services.
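The two detection opportunities named above (DLL sideloading from signed applications, and cloud API traffic from processes that have no business talking to Zoho WorkDrive) can be turned into concrete endpoint logic. The following is an added example written for this article, not code from Acronis or from the report; it runs over a handful of constructed telemetry records shaped like Sysmon image-load (Event ID 7) and network-connection (Event ID 3) events. The Zoho domain suffixes, the list of "expected" Zoho client processes, the file paths and the signer names are all assumptions chosen for illustration, and the sample events are constructed rather than taken from the campaign.

```python
"""Detection heuristics for signed-host DLL sideloading and unexpected Zoho
WorkDrive API clients, correlated per process. Added example; all telemetry
below is constructed, not real campaign data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoad:
    """One DLL load (Sysmon Event ID 7 style): which process loaded which image."""
    process_path: str
    process_signed: bool
    process_signer: str
    image_path: str
    image_signed: bool
    image_signer: str


@dataclass(frozen=True)
class NetConn:
    """One outbound connection (Sysmon Event ID 3 style) with destination hostname."""
    process_path: str
    dest_host: str


# A signed vendor binary normally lives under one of these; sideloading abuse
# usually copies the signed host into a user-writable folder next to the planted DLL.
TRUSTED_INSTALL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumption: processes from which WorkDrive traffic is expected on a typical endpoint.
# Tune to the estate (add the official sync client if it is deployed).
EXPECTED_ZOHO_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Assumption: representative Zoho domain suffixes; the report's exact endpoints are not reproduced.
ZOHO_SUFFIXES = (".zoho.com", ".zoho.in", ".zohoapis.com", ".zohoapis.in")


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() + "\\"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed host process loading a DLL that sits beside it, outside the normal
    install locations, where the DLL is unsigned or signed by a different publisher."""
    if not ev.process_signed:
        return False
    proc_dir = _dirname(ev.process_path)
    if proc_dir != _dirname(ev.image_path):
        return False                      # DLL came from elsewhere (e.g. System32)
    if proc_dir.startswith(TRUSTED_INSTALL_DIRS):
        return False                      # vendor install dir: expected co-location
    if ev.image_signed and ev.image_signer.lower() == ev.process_signer.lower():
        return False                      # same publisher signed both: benign pairing
    return True


def is_unexpected_zoho_client(conn: NetConn) -> bool:
    """Zoho API destination reached by a process not on the expected-client list."""
    host = conn.dest_host.lower()
    if not host.endswith(ZOHO_SUFFIXES):
        return False
    return _basename(conn.process_path) not in EXPECTED_ZOHO_CLIENTS


def triage(image_loads, conns):
    """Return per-signal process lists; a process hitting both is the strongest lead."""
    sideloaders = {ev.process_path.lower() for ev in image_loads if is_sideload_candidate(ev)}
    cloud_talkers = {c.process_path.lower() for c in conns if is_unexpected_zoho_client(c)}
    return {
        "sideload": sorted(sideloaders),
        "unexpected_zoho_client": sorted(cloud_talkers),
        "both": sorted(sideloaders & cloud_talkers),
    }


# Constructed sample telemetry (not from the report).
SAMPLE_IMAGE_LOADS = [
    # Signed PDF tool copied to a Downloads folder, loading an unsigned DLL beside it.
    ImageLoad(r"C:\Users\asha\Downloads\Proposal\SolidPDFCreator.exe", True, "Solid Documents",
              r"C:\Users\asha\Downloads\Proposal\SolidPDFCreator.dll", False, ""),
    # Benign: vendor-signed app in its install dir loading its own vendor-signed DLL.
    ImageLoad(r"C:\Program Files (x86)\Citrix\ICA Client\Receiver.exe", True, "Citrix Systems",
              r"C:\Program Files (x86)\Citrix\ICA Client\CitrixBase.dll", True, "Citrix Systems"),
    # Benign: the same user-dir process loading a Microsoft-signed DLL from System32.
    ImageLoad(r"C:\Users\asha\Downloads\Proposal\SolidPDFCreator.exe", True, "Solid Documents",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
]
SAMPLE_CONNS = [
    NetConn(r"C:\Users\asha\Downloads\Proposal\SolidPDFCreator.exe", "workdrive.zoho.com"),
    NetConn(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "workdrive.zoho.com"),
    NetConn(r"C:\Users\asha\Downloads\Proposal\SolidPDFCreator.exe", "www.example.com"),
]

if __name__ == "__main__":
    for signal, procs in triage(SAMPLE_IMAGE_LOADS, SAMPLE_CONNS).items():
        print(f"{signal}: {procs}")
```

In a real deployment the `process_signed` / `image_signed` fields come from the EDR or Sysmon signature data rather than being hand-filled, and the Zoho traffic check belongs on a proxy or DNS log as well as on the endpoint, since the malware's traffic is by design indistinguishable from a legitimate WorkDrive session at the network layer; the process-to-destination pairing is what makes it stand out.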
