VYPR Research · Published Jun 29, 2026 · 1 source

Mustang Panda Abuses Zoho WorkDrive for Command and Control in Indian Government Attacks

China-aligned threat group Mustang Panda is targeting Indian government and hydropower entities with new malware, leveraging Zoho WorkDrive as a covert command and control channel.

The persistent espionage group Mustang Panda, believed to be operating on behalf of China, has been observed conducting two distinct campaigns targeting Indian government entities and the nation's hydropower sector. These operations involve the deployment of novel malware and a sophisticated technique of repurposing the legitimate cloud storage service Zoho WorkDrive as a command and control (C2) channel, allowing the attackers to maintain persistence and exfiltrate data undetected.

Acronis Threat Research Unit identified active compromises within Indian government networks, specifically targeting systems used by senior administrative staff. Working in conjunction with India's CERT-In, Acronis has been involved in the notification and cleanup efforts for the affected organizations. The choice of Zoho WorkDrive is strategic, as it is a widely adopted platform within India's government sector, enabling the attackers' malicious traffic to blend seamlessly with legitimate cloud activity, thereby evading network defenses.

Acronis has detailed three new tools employed by Mustang Panda in these campaigns. The first, SHARDLOADER, functions as a loader that utilizes DLL sideloading through a legitimately signed binary. In one campaign, a Solid PDF Creator executable was used, while in another, a Citrix Receiver binary served this purpose. This loader then deploys one of two implants. MINIRECON is an updated version of the Toneshell backdoor, previously documented by IBM X-Force, which now communicates using a WebSocket connection over HTTPS.

The most novel component is ZOHOMURK, an implant that contains hardcoded OAuth credentials for Zoho. It leverages these credentials to access an attacker-controlled WorkDrive account, effectively using it as a dead drop. Commands are received from a designated inbox folder, and stolen data is written to an outbox folder, further obscuring malicious activity within normal cloud operations.

Both identified campaigns begin with ZIP archives containing a malicious DLL marked as hidden, suggesting delivery via spear-phishing. The lures are tailored to the targets: one campaign used a theme related to a hydropower cooperation proposal, while the other centered on a memorandum of understanding between Indian and Taiwanese institutions. Acronis attributes these attacks to Mustang Panda with a high degree of confidence, noting that the primary objectives appear to be gathering intelligence on India's hydropower development plans and its defense relationships with Taiwan.

Several indicators point to Mustang Panda's involvement, including the reuse of the Solid PDF Creator sideloading chain, code overlap with the Toneshell backdoor, command servers located within the same network block as previously identified infrastructure for the group, and a consistent typo, 'RunOnece,' found across multiple implants. The group also exhibited thin operational security: hardcoded tokens, plaintext identifiers, and reused infrastructure all aided analysts in attribution.

This activity represents a continuation of Mustang Panda's sustained focus on Indian targets. In April 2026, Acronis linked the group's LOTUSLITE backdoor to attacks against India's banking sector and South Korean policy circles, also using a legitimate cloud service for C2. The broader interest from China-linked actors in India's energy sector is not new; the 2021 RedEcho campaign, for instance, targeted the country's electricity grid using the ShadowPad backdoor.

There is no specific patch to address this particular threat, as it relies on social engineering and the abuse of legitimate services. Defense strategies should focus on detecting the initial delivery mechanisms, such as spear-phishing emails, and monitoring for anomalous cloud service usage. Acronis has provided indicators of compromise and hunting tips, including persistence mechanisms, scheduled tasks, C2 domains, and specific Zoho user agents associated with non-browser processes. Government and energy organizations, particularly those involved in cross-border dealings that might attract geopolitical interest, should remain vigilant against themed lures and sideloading attacks, and closely monitor endpoint processes interacting with cloud APIs.
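As an added illustration of the hunting approach described above (this is example code, not Acronis's hunting tips or tooling), the script below scans endpoint telemetry for two of the signals the summary names: non-browser processes talking to Zoho WorkDrive from a non-browser user agent, and scheduled tasks that launch a binary from a user-writable directory, where a sideloading host dropped from a ZIP would typically sit. The log format, field names, process names, host list and user-agent strings are all constructed assumptions for the example; the real Zoho user agents and C2 domains come from the vendor's published indicators.

```python
"""Hunt for the Zoho WorkDrive dead-drop pattern in endpoint telemetry.

Added example, not the vendor's code. Telemetry is modelled as JSON lines
with fields 'type', 'process', 'user', 'url'/'user_agent' (network) or
'task_name'/'action' (scheduled_task); that schema is an assumption.
"""
import json
from urllib.parse import urlsplit

# Constructed sample events (not real campaign data). 'SolidPDFCreator.exe'
# and 'Receiver.exe' are placeholder names for the signed sideloading hosts.
SAMPLE_EVENTS = [
    r'{"type":"network","process":"chrome.exe","user":"alice","url":"https://workdrive.zoho.in/home","user_agent":"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"}',
    r'{"type":"network","process":"SolidPDFCreator.exe","user":"alice","url":"https://workdrive.zoho.in/api/v1/files/abc/folders","user_agent":"ZohoClient/1.0"}',
    r'{"type":"network","process":"svchost.exe","user":"SYSTEM","url":"https://accounts.zoho.in/oauth/v2/token","user_agent":"python-requests/2.31"}',
    r'{"type":"network","process":"outlook.exe","user":"bob","url":"https://outlook.office.com/mail","user_agent":"Microsoft Office/16.0"}',
    r'{"type":"scheduled_task","process":"schtasks.exe","user":"alice","task_name":"CitrixUpdater","action":"C:\\Users\\alice\\AppData\\Roaming\\Citrix\\Receiver.exe"}',
    r'{"type":"scheduled_task","process":"schtasks.exe","user":"SYSTEM","task_name":"MicrosoftEdgeUpdateTaskMachineCore","action":"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"}',
]

# Assumption: Zoho's regional parent domains. Refine from your own proxy/DNS logs.
ZOHO_DOMAINS = ("zoho.com", "zoho.in", "zoho.eu")

# Processes expected to reach Zoho interactively; add your sanctioned clients.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}

# Mainstream browsers announce themselves this way; SDKs and scripting
# libraries generally do not.
BROWSER_UA_PREFIX = "Mozilla/5.0"

# Directories a normal user can write to; persistence launching from here is
# suspicious when the binary claims to be commercial software.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\", "\\downloads\\")


def is_zoho_host(host):
    """True for a Zoho domain or any of its subdomains (exact suffix match,
    so 'zoho.com.evil.example' does not qualify)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ZOHO_DOMAINS)


def check_network(event):
    """Return reasons this network event looks like API-style Zoho access
    from something other than a browser; empty list if it looks normal."""
    host = urlsplit(event["url"]).hostname or ""
    if not is_zoho_host(host):
        return []
    reasons = []
    if event["process"].lower() not in BROWSERS:
        reasons.append(f"non-browser process {event['process']} contacting {host}")
    if not event.get("user_agent", "").startswith(BROWSER_UA_PREFIX):
        reasons.append(f"non-browser user agent {event.get('user_agent', '')!r}")
    return reasons


def check_task(event):
    """Flag a scheduled task whose action runs from a user-writable path."""
    action = event.get("action", "").lower()
    if any(marker in action for marker in USER_WRITABLE_MARKERS):
        return [f"task {event['task_name']!r} runs {event['action']} "
                f"from a user-writable directory"]
    return []


def hunt(lines):
    """Parse JSON-line telemetry and return (process, user, reasons) tuples
    for every event that trips a check, in input order."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if event["type"] == "network":
            reasons = check_network(event)
        elif event["type"] == "scheduled_task":
            reasons = check_task(event)
        else:
            reasons = []
        if reasons:
            findings.append((event["process"], event.get("user"), reasons))
    return findings


if __name__ == "__main__":
    for process, user, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{user}] {process}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the constructed sample, the two API-style requests (a PDF tool and svchost.exe hitting Zoho with non-browser user agents) and the task launching from AppData are reported, while the interactive browser session, the Office traffic and the vendor updater task in Program Files pass. In a real deployment the browser and client allowlists, the domain list and the user-writable markers are the tuning points; a sanctioned Zoho desktop client will need to be allowlisted by signed path rather than by name alone.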

Synthesized by Vypr AI