China-linked cyber espionage group Mustang Panda has launched fresh attacks against Indian government and hydropower organizations using new malware that hides its command-and-control traffic inside Zoho WorkDrive, a cloud storage platform widely used across Indian government networks.
Quick Summary – TLDR:
- Researchers uncovered two active espionage campaigns targeting Indian government entities and the hydropower sector.
- The attacks introduced three new malware tools named SHARDLOADER, MINIRECON, and ZOHOMURK.
- The hackers abused Zoho WorkDrive for command and control and data theft, allowing malicious traffic to blend in with normal cloud activity.
- Acronis worked with CERT-In after finding multiple compromised systems, including devices used by senior administrative personnel.
What Happened?
Cybersecurity researchers at the Acronis Threat Research Unit have uncovered two concurrent cyber espionage campaigns linked to Mustang Panda, a China-aligned threat group known for targeting governments and critical infrastructure. The campaigns focused on India's hydropower sector and on government agencies involved in cooperation agreements with Taiwanese institutions.
The attacks were active between June 12 and June 22, 2026, with researchers observing live beaconing from compromised government systems and operators interacting with the implants.
Acronis has been tracking 2 concurrent campaigns orchestrated by Mustang Panda targeting Indian government entities, delivering new malware implants & abusing Zoho WorkDrive, a legitimate cloud storage platform commonly used in the Indian government sector https://t.co/lxdLtDxVoc pic.twitter.com/AMbLfS7wUX
— Virus Bulletin (@virusbtn) June 30, 2026
New Malware Targets Indian Networks
The latest operation introduced three previously undocumented malware tools.
SHARDLOADER acts as the initial loader and uses DLL sideloading: a legitimate, digitally signed executable, including Solid PDF Creator and Citrix Receiver binaries, is placed next to a malicious DLL that it loads and runs, so the malicious code executes under the identity of trusted software.
Once executed, SHARDLOADER deploys one of two payloads.
The first is MINIRECON, a new backdoor derived from the previously known Toneshell malware family. It communicates with the attackers over WebSocket connections tunnelled inside HTTPS, so its traffic looks like ordinary encrypted web activity and is harder to single out inside enterprise networks.
The second payload is ZOHOMURK, which researchers described as the most significant addition to Mustang Panda’s toolkit.
Zoho WorkDrive Turned Into a Secret Command Channel
Unlike traditional malware that communicates with dedicated command servers, ZOHOMURK uses Zoho WorkDrive as its command and control platform.
The malware contains hardcoded Zoho OAuth credentials that give it access to attacker-controlled WorkDrive accounts. It creates a unique folder for each victim, downloads commands from that cloud storage, executes them locally, and uploads the collected data back through the same account.
Researchers said this approach makes malicious activity appear like normal cloud traffic because many government organizations already use Zoho services.
The malware also includes several stealth features, including:
- Timing-based anti-analysis checks.
- Automatic recreation of command folders if they are deleted.
- Persistence through scheduled tasks.
- Interactive shell access for remote control of infected systems.
After completing commands, the malware automatically deletes evidence from the cloud account to reduce traces of its activity.
Hydropower and Taiwan Related Lures Used
Both campaigns began with spear-phishing emails carrying archive attachments.
One archive was themed around a Hydropower Cooperation Project Proposal, while another referenced a memorandum of understanding between Indian and Taiwanese institutions.
Researchers believe these lures were carefully selected because the attackers were specifically interested in gathering intelligence related to India’s hydropower projects and its growing defense and strategic cooperation with Taiwan.
Researchers Link Campaign to Mustang Panda
Acronis attributed the activity to Mustang Panda with high confidence based on several factors.
The attackers reused infrastructure and malware code linked to earlier Mustang Panda operations. Researchers also identified a recurring typo, RunOnece (for RunOnce), across multiple malware samples, suggesting the tools share the same development lineage.
Another clue came from the domain couldinstallup[.]com, which was hosted within the same network block previously associated with Mustang Panda infrastructure.
The group has a long history of targeting Indian interests. Earlier this year, researchers linked Mustang Panda’s LOTUSLITE backdoor to attacks on India’s banking sector. China linked actors also targeted India’s electricity sector during the RedEcho campaign in 2021.
Detection and Defense
Researchers said there is no software patch that can stop these attacks: the chain abuses legitimately signed applications and a legitimate cloud service rather than exploiting a software vulnerability.
Instead, organizations should monitor for unusual cloud activity, suspicious DLL sideloading (unsigned DLLs loaded from user-writable directories beside signed executables), connections to Zoho APIs from non-browser processes, and persistence mechanisms such as newly created scheduled tasks and abnormal registry entries.
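As a worked illustration of that guidance, and of the DLL sideloading behaviour described under SHARDLOADER above, the following Python script is an added example written for this article; it is not Acronis tooling or any vendor's rule set. It runs three checks over a handful of constructed Sysmon-style events: an unsigned DLL loaded from the same user-writable directory as a signed executable, a Zoho API or WorkDrive host reached by a non-browser process, and a schtasks /create whose action or parent lives in a user-writable path. The event field names, every file path, DLL name, host name and task name in the sample data, and the list of "user-writable" path fragments are all assumptions for the example.

```python
# Added example for this article (not Acronis or vendor code). The event schema,
# paths, DLL/host/task names and USER_WRITABLE fragments are constructed assumptions.
import fnmatch
from pathlib import PureWindowsPath

# Constructed telemetry, loosely modelled on Sysmon image-load (ID 7),
# network-connect (ID 3) and process-create (ID 1) events. Field names are ours.
SAMPLE_EVENTS = [
    {"event": "image_load", "process_signed": True, "image_signed": False,
     "process": r"C:\Users\ravi\AppData\Roaming\SolidDocs\SolidPDFCreator.exe",
     "image": r"C:\Users\ravi\AppData\Roaming\SolidDocs\helper.dll"},
    {"event": "image_load", "process_signed": True, "image_signed": True,
     "process": r"C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe",
     "image": r"C:\Windows\System32\ws2_32.dll"},
    {"event": "net_connect", "dest_host": "www.zohoapis.com", "dest_port": 443,
     "process": r"C:\Users\ravi\AppData\Roaming\SolidDocs\SolidPDFCreator.exe"},
    {"event": "net_connect", "dest_host": "workdrive.zoho.in", "dest_port": 443,
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\ravi\AppData\Roaming\SolidDocs\SolidPDFCreator.exe",
     "cmdline": r'schtasks /create /sc minute /mo 15 /tn "Updater" /tr "C:\Users\ravi\AppData\Roaming\SolidDocs\SolidPDFCreator.exe"'},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'schtasks /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"'},
]

# Path fragments treated as user-writable (assumption; tune for your estate).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Processes expected to talk to Zoho directly (assumption; add sanctioned Zoho clients).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
ZOHO_HOSTS = ("*.zoho.com", "*.zoho.in", "*.zohoapis.com", "*.zohoapis.in")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def detect_sideload(ev):
    """Unsigned DLL loaded from the same user-writable directory as a signed EXE."""
    if ev["event"] != "image_load":
        return None
    exe, dll = PureWindowsPath(ev["process"]), PureWindowsPath(ev["image"])
    if (ev["process_signed"] and not ev["image_signed"]
            and exe.parent == dll.parent and in_user_writable(ev["process"])):
        return ("dll_sideload", f"{exe.name} loaded unsigned {dll.name} from {dll.parent}")
    return None


def detect_zoho_nonbrowser(ev):
    """Zoho API or WorkDrive host contacted by something other than a browser."""
    if ev["event"] != "net_connect":
        return None
    host = ev["dest_host"].lower()
    if not any(fnmatch.fnmatchcase(host, pat) for pat in ZOHO_HOSTS):
        return None
    proc = PureWindowsPath(ev["process"]).name.lower()
    if proc in BROWSERS:
        return None
    return ("zoho_nonbrowser", f"{proc} -> {host}:{ev['dest_port']}")


def detect_schtask_persistence(ev):
    """schtasks /create whose task action or parent process is in a user-writable path."""
    if ev["event"] != "process_create":
        return None
    if PureWindowsPath(ev["image"]).name.lower() != "schtasks.exe":
        return None
    cmd = ev["cmdline"].lower()
    if "/create" not in cmd:
        return None
    action = cmd.split("/tr", 1)[1] if "/tr" in cmd else ""
    if in_user_writable(action) or in_user_writable(ev["parent"]):
        return ("schtasks_persistence", ev["cmdline"])
    return None


RULES = (detect_sideload, detect_zoho_nonbrowser, detect_schtask_persistence)


def run_detections(events):
    """Apply every rule to every event; return (rule_name, detail) hits in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for name, detail in run_detections(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Run against the sample data, the script flags the unsigned DLL beside the signed PDF executable, the PDF executable reaching www.zohoapis.com, and the scheduled task pointing back into the user's profile, while the Citrix client, Chrome's WorkDrive session and the installer-created vendor task pass. The Zoho rule is deliberately an allow-list on process name rather than a block on the hosts, because in an estate that legitimately uses Zoho the question is not whether Zoho is contacted but by what.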
Government agencies and energy organizations involved in cross-border projects have been urged to remain vigilant against geopolitically themed phishing campaigns and abuse of legitimate cloud services.
SQ Magazine Takeaway
I think this campaign shows how quickly cyber espionage groups are adapting. Instead of relying on suspicious servers that are easier to block, attackers are now hiding inside trusted cloud platforms that organizations use every day. That makes detection far more difficult. For Indian government agencies and critical infrastructure operators, monitoring normal looking cloud activity may become just as important as blocking traditional malware.