Mustang Panda Exploits Zoho WorkDrive in Indian Government Attacks

The China-aligned cyber espionage group known as Mustang Panda has been implicated in two distinct campaigns targeting Indian government entities and hydropower organizations. These operations involve the deployment of novel malware and the exploitation of legitimate cloud services to facilitate command-and-control communications.

Investigations by cybersecurity researchers have uncovered active compromises within Indian government networks, notably affecting systems utilized by senior administrative personnel. Collaboration with national cybersecurity authorities has been initiated to address and mitigate these breaches.

A key aspect of these attacks is the misuse of Zoho WorkDrive, a cloud storage platform widely adopted within India’s governmental sector. By leveraging this service, the attackers can discreetly transmit commands and exfiltrate sensitive data, effectively camouflaging their malicious activities within normal network traffic patterns.

Introduction of New Malware Tools

Analysts have identified three new malware tools employed in these campaigns:

  • SHARDLOADER: This loader executes by sideloading a malicious dynamic-link library (DLL) through legitimate, signed executables. In the observed campaigns, attackers utilized binaries from Solid PDF Creator and Citrix Receiver to deploy this loader.
  • MINIRECON: An evolved variant of the previously documented TONESHELL backdoor, MINIRECON establishes communication over WebSocket connections via HTTPS, enhancing its stealth and resilience.
  • ZOHOMURK: This novel implant contains hardcoded Zoho OAuth credentials, enabling it to interact with an attacker-controlled WorkDrive account. It reads commands from a designated inbox folder and uploads exfiltrated data to an outbox, effectively using the cloud service as a covert command-and-control channel.

The attack vector is a ZIP archive in which the malicious DLLs are hidden. These archives are believed to have been delivered through spear-phishing emails with lures tailored to the targets: one campaign used a hydropower cooperation proposal as its theme, while the other centered on a memorandum of understanding between Indian and Taiwanese institutions.

Attribution and Operational Insights

The primary objectives of these campaigns appear to be the acquisition of intelligence regarding India’s hydropower initiatives and its defense collaborations with Taiwan. The activities have been attributed to Mustang Panda with high confidence, based on several factors:

  • Reuse of the Solid PDF Creator sideloading technique.
  • Code similarities with the TONESHELL backdoor.
  • Command-and-control infrastructure residing within the same network block as previously identified Mustang Panda assets.
  • Consistent typographical errors, such as “RunOnece,” observed across multiple implants.

Notably, the attackers exhibited lapses in operational security, including the use of hardcoded tokens, plaintext identifiers, and reused infrastructure, which facilitated the identification and analysis of their activities. Active beaconing from the compromised systems was detected between June 12 and June 22, 2026.

This development underscores a persistent focus on Indian targets by Mustang Panda. In April, similar tactics were observed in attacks involving the LOTUSLITE backdoor, which targeted India’s banking sector and South Korean policy circles, also leveraging legitimate cloud services. Additionally, the broader interest of China-linked groups in India’s power sector dates back to the 2021 RedEcho campaign, which targeted the country’s electricity grid using the ShadowPad malware.

Because no patch addresses these techniques, defensive effort should concentrate on intercepting the delivery mechanism and detecting the misuse of cloud services. Hunting recommendations include monitoring for persistence mechanisms such as Run keys and scheduled tasks named “SolidPDFPcl2Bmp,” connections to the command-and-control domain “couldinstallup[.]com,” and unusual Zoho user-agent strings originating from non-browser processes.

Organizations within the government and energy sectors, particularly those involved in international collaborations that may attract attention from state-sponsored actors, should remain vigilant. It is crucial to be wary of spear-phishing attempts utilizing geopolitical themes and to scrutinize any instances of DLL sideloading involving signed binaries. Additionally, any endpoint processes engaging with cloud APIs without a clear operational necessity should be promptly investigated.
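A starting point for the hunting recommendations above, written as an added example rather than code from the report: it runs the article's indicators (the scheduled task name, the command-and-control domain, Zoho user agents in non-browser processes, Run-key persistence, and DLLs loaded by signed binaries from user-writable paths) over constructed endpoint telemetry. The event schema, field names, browser allow-list and path patterns are assumptions, not something the article specifies.

```python
"""Hunt for the article's indicators in constructed endpoint telemetry.
Added example, not from the original report; event shape, field names,
browser allow-list and user-writable path patterns are assumptions."""
import re

# Indicators quoted in the article (the domain is written there defanged as couldinstallup[.]com).
SUSPICIOUS_TASK_NAME = "SolidPDFPcl2Bmp"
C2_DOMAIN = "couldinstallup.com"
ZOHO_UA = re.compile(r"zoho", re.IGNORECASE)
# Assumptions: processes in which a Zoho user agent is expected, and user-writable
# directories from which a signed host binary should not normally load a DLL.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)

def hunt(events):
    """Return (rule, event) pairs for every event that matches a hunting rule."""
    hits = []
    for ev in events:
        kind, proc = ev.get("type"), ev.get("process", "").lower()
        if kind == "task_created" and ev.get("task_name") == SUSPICIOUS_TASK_NAME:
            hits.append(("scheduled_task_name", ev))
        elif kind == "registry_set" and "\\currentversion\\run" in ev.get("key", "").lower():
            hits.append(("run_key_persistence", ev))  # Run-key write flagged for review
        elif kind == "image_load" and ev.get("signed_host") and USER_WRITABLE.search(ev.get("dll_path", "")):
            hits.append(("signed_binary_sideload", ev))  # signed host loading a DLL from a user path
        elif kind == "http_request":
            host = ev.get("host", "").lower()
            if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
                hits.append(("c2_domain", ev))
            if ZOHO_UA.search(ev.get("user_agent", "")) and proc not in BROWSERS:
                hits.append(("zoho_ua_non_browser", ev))
    return hits

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"type": "task_created", "task_name": "SolidPDFPcl2Bmp"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\u\AppData\Roaming\SolidPDF\SolidPDFCreator.exe"},
    {"type": "image_load", "process": "SolidPDFCreator.exe", "signed_host": True,
     "dll_path": r"C:\Users\u\AppData\Roaming\SolidPDF\version.dll"},
    {"type": "http_request", "process": "SolidPDFCreator.exe",
     "user_agent": "ZohoWorkDrive/1.0", "host": "workdrive.zoho.com"},
    {"type": "http_request", "process": "chrome.exe",
     "user_agent": "Mozilla/5.0 ZohoWorkDrive", "host": "workdrive.zoho.com"},
    {"type": "http_request", "process": "svchost.exe",
     "user_agent": "Mozilla/5.0", "host": "couldinstallup.com"},
]

if __name__ == "__main__":
    print(*hunt(SAMPLE_EVENTS), sep="\n")
```

The browser allow-list keeps the Zoho user-agent rule from firing on ordinary WorkDrive use in a browser, which is why the chrome.exe event above produces no hit.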

As cyber espionage tactics continue to evolve, the exploitation of trusted cloud services for malicious purposes presents a significant challenge. This trend highlights the need for robust monitoring and adaptive security measures to detect and mitigate such sophisticated threats effectively.