What happened
The China-linked threat actor Mustang Panda has been observed running two concurrent espionage campaigns targeting Indian government entities and the country’s hydropower sector.
The campaigns used new malware implants and abused Zoho WorkDrive, a legitimate cloud storage platform commonly used in India’s government sector, for command-and-control activity.
The Acronis Threat Research Unit said the attacks targeted Indian government entities involved in cooperation agreements with Taiwanese government institutions, as well as organizations tied to India’s hydropower initiatives.
The attack chains used hydropower- and government-themed lure documents distributed through compressed archives. When executed, the lures delivered previously undocumented DLL-based loaders tracked as SHARDLOADER.
One SHARDLOADER variant decrypted and launched MINIRECON, a new implant derived from the TONESHELL malware family. Another variant deployed ZOHOMURK, a newly identified implant that uses Zoho WorkDrive for command-and-control, data exfiltration, and remote task execution.
The two campaigns shared tooling and artifacts, with minor variations between targets. Researchers said this suggests a moderate retooling effort while maintaining a consistent focus on Indian victims.
The activity has been attributed to Mustang Panda with high confidence based on targeting patterns, lure themes, operational characteristics, and code overlaps with previously documented tooling.
Researchers assessed that the campaigns are espionage-motivated and aligned with intelligence collection related to India’s hydropower initiatives and defense cooperation with Taiwan.
During the investigation, multiple compromised systems within India’s government sector were identified, and researchers worked with CERT-In to support mitigation and victim notification.
Who is affected
Indian government entities are directly affected, especially those involved in cooperation agreements with Taiwanese government institutions.
Organizations tied to India’s hydropower sector are also affected because the campaign used hydropower-themed lures and appeared aligned with intelligence collection around India’s hydropower initiatives.
The broader risk applies to government, energy, diplomatic, and policy organizations that may be targeted with region-specific lures, cloud-based command-and-control, DLL side-loading, and custom implants.
Organizations using Zoho WorkDrive or other trusted cloud services should also pay attention because the campaign shows how legitimate platforms can be abused to blend malicious traffic with normal business activity.
Why CISOs should care
This campaign shows how state-aligned threat actors continue to abuse trusted cloud services for stealth. By using Zoho WorkDrive for command-and-control, exfiltration, and tasking, attackers can make malicious activity look like normal access to a legitimate collaboration platform.
For CISOs, the targeting of hydropower and government cooperation activity is especially important. It shows how geopolitical, infrastructure, and diplomatic themes can be turned into highly tailored lures for espionage operations.
The use of SHARDLOADER, MINIRECON, and ZOHOMURK also reinforces that Mustang Panda continues to refresh its tooling while maintaining familiar tradecraft, including DLL side-loading and custom implants tied to previous malware families.
The campaign also highlights the limits of blocking by domain reputation alone. Traffic to well-known cloud services may be allowed by default, so defenders need behavioral monitoring, endpoint telemetry, and anomaly detection around how cloud platforms are being used.
3 practical actions
- Monitor trusted cloud services for abnormal use: ZOHOMURK used Zoho WorkDrive for command-and-control, data exfiltration, and remote task execution. CISOs should review cloud service traffic, unusual API usage, unexpected file transfers, and access patterns inconsistent with normal user behavior.
- Hunt for DLL side-loading and custom loader behavior: The campaigns used SHARDLOADER variants to deploy MINIRECON and ZOHOMURK. Security teams should look for the classic side-loading shape (a legitimately signed executable loading an unsigned DLL from the same user-writable directory), unusual parent-child process relationships such as executables launched from an archive utility or an archive-extraction temp folder, and government- or energy-themed lure documents arriving inside compressed archives.
- Prioritize threat modeling for geopolitical and infrastructure lures: The campaign targeted India’s hydropower sector and government entities tied to Taiwan cooperation agreements. Organizations in government, energy, defense, and policy sectors should prepare for highly tailored phishing and document-based intrusion attempts tied to current strategic issues.
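The three actions above can be turned into a first-pass hunt over endpoint telemetry. The script below is an added example written for this page, not code from the article or from Acronis, and it contains no indicators from the campaign: the event shape loosely follows Sysmon process-create, image-load and DNS-query records, and every path, hostname and process name in the sample data is constructed for illustration. The Zoho hostname suffixes, the "expected cloud client" baseline and the archive temp-folder markers are assumptions you would replace with what your own environment actually shows. It scores three of the behaviors the article describes: an executable loading an unsigned DLL from its own user-writable directory (side-loading), a process launched from an archive tool or extraction folder, and a non-browser process resolving a trusted cloud storage domain.

```python
"""Hunt heuristics for cloud-C2 and DLL side-loading tradecraft.

Added example; assumes Sysmon-like events. All sample paths, hosts and
process names below are constructed, not campaign indicators.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directory names a standard user can write into (assumed list).
USER_WRITABLE = {"appdata", "temp", "tmp", "downloads", "public", "programdata"}
# Temp-folder fragments archive tools extract into before a double-click (assumed).
ARCHIVE_TEMP_MARKERS = ("\\temp\\rar$", "\\temp\\7z", "\\temp\\wz")
# Archive utilities whose children deserve a look (assumed).
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
# Trusted cloud storage domains worth watching (assumed suffixes).
WATCHED_CLOUD_SUFFIXES = (".zoho.com", ".zoho.in")
# Processes that legitimately talk to the platform in this org (assumed baseline).
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


@dataclass(frozen=True)
class Event:
    kind: str            # "process_create" | "image_load" | "dns_query"
    image: str           # full path of the acting process
    target: str = ""     # loaded DLL path (image_load) or queried hostname (dns_query)
    parent: str = ""     # parent process path (process_create)
    signed: bool = True  # signature status of `target` for image_load


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_user_writable(path: str) -> bool:
    """True if any directory component is a user-writable location."""
    return any(part.lower() in USER_WRITABLE for part in PureWindowsPath(path).parts)


def dll_sideload_candidates(events: list[Event]) -> list[Finding]:
    """Executable in a user-writable dir loading an unsigned DLL beside itself."""
    out = []
    for e in events:
        if e.kind != "image_load" or not e.target.lower().endswith(".dll"):
            continue
        same_dir = _parent_dir(e.image) == _parent_dir(e.target)
        if same_dir and not e.signed and is_user_writable(e.image):
            out.append(Finding("dll_sideload", e.image,
                               f"loaded unsigned {_basename(e.target)} from its own directory"))
    return out


def archive_execution(events: list[Event]) -> list[Finding]:
    """Process started from an archive temp folder or by an archive utility."""
    out = []
    for e in events:
        if e.kind != "process_create":
            continue
        low = e.image.lower()
        from_temp = any(marker in low for marker in ARCHIVE_TEMP_MARKERS)
        from_tool = bool(e.parent) and _basename(e.parent) in ARCHIVE_TOOLS
        if from_temp or from_tool:
            out.append(Finding("archive_execution", e.image,
                               f"parent={_basename(e.parent) if e.parent else '?'}"))
    return out


def unexpected_cloud_client(events: list[Event]) -> list[Finding]:
    """Watched cloud domain resolved by a process outside the expected baseline."""
    out = []
    for e in events:
        if e.kind != "dns_query":
            continue
        host = e.target.lower()
        if host.endswith(WATCHED_CLOUD_SUFFIXES) and _basename(e.image) not in EXPECTED_CLOUD_CLIENTS:
            out.append(Finding("unexpected_cloud_client", e.image, f"resolved {host}"))
    return out


def hunt(events: list[Event]) -> list[Finding]:
    return dll_sideload_candidates(events) + archive_execution(events) + unexpected_cloud_client(events)


# Constructed sample telemetry: one suspicious chain, one benign browser session.
STAGE_DIR = r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123"
STAGE_EXE = STAGE_DIR + r"\HydroReport.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    Event("process_create", STAGE_EXE, parent=r"C:\Program Files\WinRAR\WinRAR.exe"),
    Event("image_load", STAGE_EXE, target=STAGE_DIR + r"\version.dll", signed=False),
    Event("dns_query", STAGE_EXE, target="workdrive.zoho.com"),
    Event("process_create", CHROME, parent=r"C:\Windows\explorer.exe"),
    Event("image_load", CHROME, target=r"C:\Windows\System32\ntdll.dll", signed=True),
    Event("dns_query", CHROME, target="workdrive.zoho.com"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Each rule on its own is noisy; the value is in correlating them on one process, as the sample does, where a single binary trips all three. The expected-client baseline is the part most worth tuning: build it from a few weeks of your own DNS and proxy logs rather than guessing, and review any process that appears against a watched domain for the first time.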
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

