The cyber-espionage group Mustang Panda, known for its ties to China, has launched two distinct cyber campaigns targeting Indian government entities and hydropower sectors. These operations involve the deployment of newly developed malware and the innovative use of a legitimate cloud service as a command-and-control channel.
Targeted Cyber Attacks on Indian Networks
Analysis by the Acronis Threat Research Unit uncovered active infiltrations within Indian governmental networks, including devices used by high-ranking officials. Acronis collaborated with CERT-In to address and mitigate the security breaches. The malware strategically leverages Zoho WorkDrive, a cloud storage service widely used in Indian government operations, to receive commands and extract sensitive data, effectively masking its activities as standard cloud traffic.
Innovative Malware Toolset
Acronis identified three novel tools used in these campaigns. SHARDLOADER is a loader that runs through DLL sideloading: a malicious DLL is loaded by a signed binary, such as a Solid PDF Creator executable or a Citrix Receiver binary, and then deploys one of two implants. MINIRECON, a modified version of the Toneshell backdoor, communicates via a WebSocket over HTTPS. Lastly, ZOHOMURK, the latest addition, employs hardcoded Zoho OAuth credentials to access a compromised WorkDrive account, using designated folders for command execution and data exfiltration.
The attacks are delivered via ZIP files containing concealed malicious DLLs, believed to be distributed through spear-phishing methods. The bait aligns with the targets: documents themed around hydropower cooperation and a memorandum between Indian and Taiwanese organizations. The primary aim appears to be gathering intelligence on India’s hydropower strategies and its defense collaborations with Taiwan.
Security and Strategic Implications
Acronis attributes these activities to Mustang Panda with high confidence, citing evidence such as reused code and infrastructure connections. The group’s operational security flaws, including hardcoded tokens and reused identifiers, facilitated the identification of these cyber threats. The attacks were actively monitored between June 12 and June 22, 2026.
This series of cyber assaults continues a pattern of targeted attacks on Indian entities. In April, Mustang Panda was linked to the LOTUSLITE backdoor used against India’s banking sector and South Korean policy circles, also exploiting legitimate cloud services. Historical context includes the 2021 RedEcho campaign targeting India’s power grid with ShadowPad malware.
Future Outlook and Recommendations
No immediate software patches are available to counter these threats. Instead, organizations are advised to focus on detecting and blocking the delivery methods and the abuse of legitimate cloud services. Acronis has shared indicators and detection strategies, including persistence mechanisms, specific scheduled tasks, and unusual Zoho user agent activity.
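As an added illustration of the "unusual Zoho user agent" signal mentioned above (example code, not from Acronis or the report), the following flags Zoho WorkDrive traffic whose originating process or user agent is not a sanctioned client. The log lines, the Zoho hostnames, the process allowlist and the user-agent patterns are all constructed assumptions for this example and must be tuned to what your own fleet runs.

```python
import re

# Assumed Zoho service hosts worth watching for unsanctioned clients.
ZOHO_DOMAINS = {"workdrive.zoho.com", "accounts.zoho.com"}
# Assumed allowlists for this environment: browsers and the official desktop client.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "ZohoWorkDrive.exe"}
ALLOWED_UA_PATTERNS = [re.compile(r"^Mozilla/5\.0 "), re.compile(r"^ZohoWorkDrive/")]

# Constructed proxy/EDR log format: timestamp, source host, process, destination, 'user agent'.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) '([^']*)'$")

# Constructed sample lines; SolidPDFCreator.exe stands in for a sideload host named in the report.
SAMPLE_LOGS = [
    "2026-06-15T09:12:01Z ws-042 chrome.exe workdrive.zoho.com 'Mozilla/5.0 (Windows NT 10.0) Chrome/125.0'",
    "2026-06-15T09:14:37Z ws-042 SolidPDFCreator.exe workdrive.zoho.com 'Zoho-WorkDrive-Client/1.0'",
    "2026-06-15T09:14:38Z ws-042 SolidPDFCreator.exe accounts.zoho.com 'python-requests/2.31'",
    "2026-06-15T09:20:02Z ws-017 ZohoWorkDrive.exe workdrive.zoho.com 'ZohoWorkDrive/4.2 (Windows)'",
]

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, host, proc, dst, ua = m.groups()
    return {"ts": ts, "host": host, "process": proc, "dst": dst, "ua": ua}

def detect(lines):
    """Return (host, process, destination, reasons) for Zoho traffic from unsanctioned clients."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in ZOHO_DOMAINS:
            continue
        reasons = []
        if rec["process"] not in ALLOWED_PROCESSES:
            reasons.append("unexpected_process")
        if not any(p.match(rec["ua"]) for p in ALLOWED_UA_PATTERNS):
            reasons.append("unexpected_user_agent")
        if reasons:
            findings.append((rec["host"], rec["process"], rec["dst"], tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f)
```

Pair this with alerts on new scheduled tasks created by the same unsanctioned processes, since the report lists those as a persistence indicator.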
Entities within government and energy sectors, particularly those involved in international collaborations potentially of interest to Beijing, should remain vigilant. Monitoring for geopolitical-themed phishing lures and unauthorized cloud API interactions is crucial in fortifying defenses against these sophisticated cyber threats.
