The China-aligned espionage group Mustang Panda has been linked to two active cyber-espionage campaigns targeting Indian government networks and hydropower-related organizations. The attacks involve newly developed malware families and the abuse of a legitimate cloud service to secretly manage command-and-control operations.
Security researchers at Acronis Threat Research Unit report confirmed compromises inside Indian government systems, including devices used by senior administrative personnel. The findings were shared in coordination with CERT-In for mitigation and cleanup efforts.
Cloud Service Abused for Stealthy Command and Control
At the center of the operation is the abuse of Zoho WorkDrive, a cloud storage platform widely used across India’s public sector.
Instead of relying on traditional malicious infrastructure, the attackers use WorkDrive as a covert communication channel. This allows them to issue commands and extract stolen data while blending in with normal enterprise cloud traffic, making detection significantly more difficult.
Three Custom Malware Tools Identified
Researchers identified three previously undocumented malware components used in the campaign:
SHARDLOADER – Malicious DLL Loader
SHARDLOADER is a loader that executes through DLL sideloading, abusing legitimate signed software such as Solid PDF Creator in one campaign variant and Citrix Receiver in another.
Once executed, it deploys additional malicious payloads onto the infected system.
MINIRECON – WebSocket-Based Backdoor
MINIRECON is an updated variant of the previously known Toneshell backdoor. It communicates using encrypted WebSocket connections over HTTPS, enabling persistent remote access and stealthy command execution.
ZOHOMURK – Cloud-Based Command Backdoor
ZOHOMURK is the most notable new component. It contains hardcoded Zoho OAuth credentials and uses them to access a controlled WorkDrive account.
Instead of traditional command-and-control servers, it reads instructions from a designated inbox folder and stores stolen data in an outbox directory, effectively turning the cloud account into a “dead drop” system.
Spear-Phishing Used for Initial Access
Both campaigns were delivered via ZIP archive attachments containing hidden malicious DLL files. The infections are believed to have originated from spear-phishing emails tailored to specific government and infrastructure targets.
The lures were highly targeted and politically themed, including:
- A hydropower cooperation proposal
- A memorandum of understanding between Indian and Taiwanese institutions
These themes align with the group’s known intelligence-gathering interests.
Intelligence Objectives and Targeting Focus
Acronis assesses with high confidence that the primary goal of the campaign is intelligence collection related to:
- India’s hydropower development projects
- Defense and diplomatic relations involving Taiwan
The activity is consistent with broader espionage efforts linked to Mustang Panda’s long-running interest in strategic infrastructure and geopolitical relations.
Evidence Linking the Campaign to Mustang Panda
Researchers attribute the activity to Mustang Panda based on multiple technical indicators, including:
- Reuse of the Solid PDF Creator DLL sideloading technique
- Code similarities with the Toneshell backdoor
- Command-and-control infrastructure overlapping with previously tracked activity
- Repeated unique artifacts, including the “RunOnece” typo seen across multiple malware samples
The campaign was active between June 12 and June 22, 2026.
Operational Security Mistakes Expose Campaign
Despite its sophistication, the operation showed several operational security weaknesses. These included:
- Hardcoded authentication tokens
- Plaintext identifiers in malware code
- Reused infrastructure across campaigns
These flaws helped analysts identify and track the activity with higher confidence.
Previous Activity and Broader Context
This campaign continues a pattern of sustained targeting of Indian institutions.
Earlier in April, related Mustang Panda activity was linked to the LOTUSLITE backdoor, which targeted India’s banking sector and South Korean policy organizations. Those operations also relied on legitimate cloud services for stealth communications.
Historically, similar China-linked activity has targeted India’s critical infrastructure. In 2021, the RedEcho campaign focused on the Indian power grid using the ShadowPad malware framework.
Indicators of Compromise and Defensive Guidance
Researchers emphasize that there is no single patch that can fully prevent this type of intrusion. Instead, defense relies on detection of malicious behavior and cloud abuse.
Key indicators and hunting targets include:
- Registry Run keys used for persistence
- Scheduled task named SolidPDFPcl2Bmp
- Command-and-control domain: couldinstallup[.]com
- Unusual Zoho WorkDrive API activity from non-browser processes
Organizations in government and energy sectors are advised to closely monitor for:
- Spear-phishing emails with geopolitical themes
- DLL sideloading from signed binaries
- Unauthorized access to cloud storage APIs
- Suspicious outbound connections to cloud services
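A minimal hunting script built around the indicators listed above, as an added example that is not part of the original article or of Acronis' published tooling. It runs over constructed sample telemetry (not real logs); the Zoho WorkDrive hostnames, the browser allow-list and the set of processes permitted to write Run keys are assumptions and should be tuned to the environment.

```python
import re
from typing import Iterable

# Constructed sample telemetry, one event per line: "kind|process|detail".
# Task name and C2 domain follow the article's indicators; hostnames are assumed.
SAMPLE_EVENTS = """\
net|chrome.exe|https://workdrive.zoho.com/home
net|SolidPDFCreator.exe|https://www.zohoapis.com/workdrive/api/v1/files
net|svchost.exe|couldinstallup.com
task|SolidPDFCreator.exe|SolidPDFPcl2Bmp
reg|explorer.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive
reg|SolidPDFCreator.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}          # assumed allow-list
WORKDRIVE_HOSTS = re.compile(r"(workdrive\.zoho\.com|zohoapis\.com/workdrive)", re.I)  # assumed
C2_DOMAIN = "couldinstallup.com"                                 # from the article (defanged there)
TASK_NAME = "SolidPDFPcl2Bmp"                                    # from the article
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.I)             # Run / RunOnce persistence keys
RUN_KEY_WRITERS = {"explorer.exe", "svchost.exe"}                # assumed allow-list


def hunt(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (rule, event) pairs for events matching the article's hunting indicators."""
    hits: list[tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        kind, proc, detail = line.split("|", 2)
        proc_l = proc.lower()
        if kind == "net" and C2_DOMAIN in detail.lower():
            hits.append(("c2_domain", line))
        elif kind == "net" and WORKDRIVE_HOSTS.search(detail) and proc_l not in BROWSERS:
            # WorkDrive API traffic from a non-browser process: the ZOHOMURK dead-drop pattern
            hits.append(("workdrive_nonbrowser", line))
        elif kind == "task" and detail == TASK_NAME:
            hits.append(("sideload_task", line))
        elif kind == "reg" and RUN_KEY.search(detail) and proc_l not in RUN_KEY_WRITERS:
            hits.append(("run_key_persistence", line))
    return hits


if __name__ == "__main__":
    for rule, event in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"[{rule}] {event}")
```

The browser-initiated WorkDrive access and the Run-key write by explorer.exe in the sample are deliberately left unflagged, since the point is to surface cloud API use and persistence from unexpected processes rather than every Zoho connection.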
Final Outlook
The Mustang Panda campaign highlights a growing shift in cyber espionage tactics, where attackers increasingly rely on legitimate cloud platforms instead of traditional infrastructure. This approach allows malicious traffic to blend into normal enterprise operations, complicating detection and response efforts.
