Mustang Panda Deploys New Malware, Abuses Zoho WorkDrive in Attacks on Indian Government and Hydropower Targets
The China-aligned espionage group **Mustang Panda** is actively targeting Indian government entities and hydropower infrastructure. Researchers at **Acronis Threat Research Unit** have uncovered two distinct campaigns leveraging new malware, including a novel tool named **ZOHOMURK**, which abuses **Zoho WorkDrive** for covert command and control.
The **Mustang Panda** threat group has launched sophisticated campaigns against critical Indian sectors, utilizing an innovative approach to evade detection by weaponizing a legitimate cloud service.
**Acronis Threat Research Unit**, in collaboration with **CERT-In**, identified active compromises within Indian government networks, including systems belonging to senior administrative staff. The primary objective appears to be intelligence gathering related to India's hydropower initiatives and defense collaborations with Taiwan.
### Covert C2 via Zoho WorkDrive
A key element of these campaigns is the abuse of **Zoho WorkDrive**, a popular cloud storage platform within the Indian government sector. The malware uses this service to establish a covert command and control (C2) channel, allowing attackers to issue commands and exfiltrate data while blending in with normal cloud traffic.
### New Malware Arsenal
Acronis highlights three new tools employed by **Mustang Panda**:
* **SHARDLOADER**: A loader that achieves execution through DLL sideloading. It abuses legitimate binaries like **Solid PDF Creator** and **Citrix Receiver** to deploy subsequent implants.
* **MINIRECON**: A refined variant of the **Toneshell** backdoor, previously documented by **IBM X-Force**. This updated version now uses WebSocket connections over HTTPS for beaconing.
* **ZOHOMURK**: This is the most novel component. It contains hardcoded **Zoho OAuth** credentials, enabling it to operate an attacker-controlled **WorkDrive** account as a 'dead drop'. Commands are read from an inbox folder, and stolen data is written to an outbox.
### Delivery and Lures
The initial compromise in both campaigns involves ZIP archives containing a malicious, hidden DLL. Researchers believe spear-phishing is the likely delivery mechanism. The lures are meticulously crafted to fit the targets, with themes ranging from hydropower cooperation proposals to memorandums of understanding between Indian and Taiwanese institutions.

### Attribution and Operational Security Lapses
Acronis attributes this activity to **Mustang Panda** with high confidence, citing evidence such as the reused **Solid PDF Creator** sideloading chain, code overlaps with **Toneshell**, C2 servers within network blocks previously linked to the group by **IBM X-Force**, and a recurring typo, 'RunOnece', found across multiple implants.
Despite the sophistication of the C2 mechanism, the group exhibited notable operational security (OpSec) weaknesses, including hardcoded tokens, plaintext identifiers, and reused infrastructure, which aided analysts in their investigation. Active beaconing was observed between June 12 and June 22, 2026.
### A Persistent Threat to India
This series of attacks underscores **Mustang Panda's** sustained interest in Indian targets. In April, Acronis linked the group's **LOTUSLITE** backdoor to attacks on India's banking sector and South Korean policy circles, also utilizing legitimate cloud services. Broader China-linked interest in India's power sector dates back to the 2021 **RedEcho** campaign, which targeted the country's electricity grid with **ShadowPad**.
### Defensive Strategies
Given the nature of these attacks, there is no single patch to apply. Defense hinges on robust detection of the initial delivery and the subsequent abuse of cloud services. Acronis has published indicators of compromise (IoCs) and hunting tips, including specific persistence Run keys, a scheduled task named `SolidPDFPcl2Bmp`, the C2 domain `couldinstallup[.]com`, and anomalous Zoho user agents originating from non-browser processes.
Organizations, particularly those in government and energy sectors involved in cross-border deals of geopolitical interest, must remain vigilant. Key defensive measures include:
* Monitoring for geopolitical spear-phishing lures.
* Detecting DLL sideloading from legitimately signed binaries.
* Flagging any endpoint process attempting to call cloud APIs without a legitimate reason.
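The hunting tips above (the `SolidPDFPcl2Bmp` task, the `couldinstallup[.]com` domain, and Zoho traffic from non-browser processes) can be turned into simple rules run over endpoint telemetry. The following is an added illustration, not code from Acronis or the article; the pipe-delimited log format, the host and process names in the sample, the browser allow-list and the Zoho hostname pattern are all assumptions.

```python
import re
from typing import Iterator

# Indicators named in the article; the Zoho host pattern and browser list are assumptions
C2_DOMAIN = "couldinstallup.com"  # the article defangs this as couldinstallup[.]com
MALICIOUS_TASK = "SolidPDFPcl2Bmp"
ZOHO_HOST_RE = re.compile(r"(^|\.)zoho(apis)?\.com$", re.I)  # assumption: zoho.com / zohoapis.com
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed sample telemetry (not real data), one event per line:
# kind|host|process|detail1|detail2   net: detail1=dest domain, detail2=user agent; task: detail1=task name
SAMPLE_LOG = """\
net|WS-017|chrome.exe|workdrive.zoho.com|Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
net|WS-017|SolidPDFCreator.exe|www.zohoapis.com|ZohoWorkDrive-Client/1.0
net|WS-042|svchost.exe|couldinstallup.com|Mozilla/5.0
task|WS-017|schtasks.exe|SolidPDFPcl2Bmp|
net|WS-099|outlook.exe|outlook.office365.com|Microsoft Office/16.0
"""

def parse(log: str) -> Iterator[dict]:
    """Split each pipe-delimited line into a dict, padding missing trailing fields."""
    for line in log.splitlines():
        kind, host, proc, d1, d2 = (line.split("|") + [""] * 5)[:5]
        yield {"kind": kind, "host": host, "process": proc.lower(), "d1": d1, "d2": d2}

def hunt(log: str) -> list[tuple[str, str, str]]:
    """Return (host, rule, evidence) triples for events matching the article's hunting tips."""
    hits = []
    for ev in parse(log):
        if ev["kind"] == "net":
            domain = ev["d1"].lower().rstrip(".")
            if domain == C2_DOMAIN or domain.endswith("." + C2_DOMAIN):
                hits.append((ev["host"], "known_c2_domain", domain))
            # Zoho traffic from a browser is expected; from any other process it is the anomaly described
            if ZOHO_HOST_RE.search(domain) and ev["process"] not in BROWSERS:
                hits.append((ev["host"], "zoho_api_from_non_browser", f'{ev["process"]} UA={ev["d2"]}'))
        elif ev["kind"] == "task" and ev["d1"] == MALICIOUS_TASK:
            hits.append((ev["host"], "suspicious_scheduled_task", ev["d1"]))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

On the sample, the browser's Zoho session and the Office 365 traffic pass, while the sideloaded process talking to Zoho, the C2 domain lookup, and the scheduled task each produce one hit.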