Mustang Panda Abuses Zoho WorkDrive for Command Control and Data Exfiltration in India Attacks


Mustang Panda has been linked to two cyber-espionage campaigns targeting Indian government and energy-related organizations, with attackers abusing Zoho WorkDrive as a hidden command channel and data exfiltration path.

The campaigns used new malware tools called SHARDLOADER, MINIRECON, and ZOHOMURK. According to the Acronis Threat Research Unit, the activity targeted India’s hydropower sector and government entities involved in cooperation with Taiwanese institutions.

The key finding is the use of a trusted cloud storage platform for attacker operations. ZOHOMURK used an attacker-controlled Zoho WorkDrive account to receive commands, upload stolen output, and make malicious traffic look like normal cloud activity.

Mustang Panda campaign focused on India

The campaign used political and infrastructure-themed lure files. One lure referenced a hydropower cooperation project, while another referenced a memorandum involving Indian and Taiwanese institutions.

The Hacker News reported that Acronis found active compromises inside Indian government networks, including systems associated with senior administrative staff. Acronis also said it worked with CERT-In to support victim notification and remediation.

The activity was observed between June 12 and June 22, 2026. During that period, attacker infrastructure remained active and was used to task compromised systems.

| Tool | Role in attack | Main behavior |
|---|---|---|
| SHARDLOADER | Loader | Uses DLL sideloading through signed software to launch the next malware stage |
| ZOHOMURK | Cloud-based implant | Uses Zoho WorkDrive for command control, tasking, and data exfiltration |
| MINIRECON | Backdoor implant | Communicates with attacker infrastructure over WebSocket on HTTPS |

Zoho WorkDrive abuse helped the malware blend in

ZOHOMURK is the most unusual part of the operation. It carried OAuth credentials and used cloud folders as an attacker-controlled message system.

The implant checked an inbox folder for commands and wrote results into an outbox folder. Because Zoho WorkDrive is a legitimate business collaboration platform, this traffic could blend into normal enterprise activity if defenders only look for suspicious domains.

This kind of cloud abuse gives attackers two advantages. It reduces the need for obvious malware infrastructure, and it makes blocking harder because the same cloud service may support real business workflows.

How the infection chain worked

Acronis said both campaigns likely arrived through spear-phishing emails. Victims received ZIP archives containing legitimate signed binaries and hidden malicious DLL files.

When the victim launched the file, the signed executable loaded the attacker’s DLL through sideloading. One campaign used a Solid PDF Creator executable, while another used a Citrix Receiver binary.

This method is common in espionage campaigns because the first visible program looks legitimate. The malicious code runs through the trusted application’s loading behavior.

  1. The victim receives a targeted ZIP archive with a geopolitical or infrastructure-themed lure.
  2. The archive contains a signed executable and a hidden malicious DLL.
  3. The signed executable starts and sideloads the attacker’s DLL.
  4. SHARDLOADER prepares and launches the next-stage implant.
  5. ZOHOMURK or MINIRECON establishes command control.
  6. The attacker sends commands and collects results from the compromised system.

ZOHOMURK used cloud folders as attacker mailboxes

ZOHOMURK created a cloud-based command loop. It downloaded a command file from the victim’s inbox folder, decrypted it, processed the instruction, and then moved the command file to trash to reduce evidence.

The malware supported file operations, interactive shell access, and shell teardown. Its command output was uploaded back into the victim’s outbox folder on the attacker-controlled cloud account.

The implant also used heartbeat behavior to check whether the victim folder still existed. If the folder disappeared, it could recreate the structure and continue operating.

MINIRECON is described as a compact backdoor with similarities to Toneshell, a malware family associated with Mustang Panda operations. It used WebSocket communication over HTTPS to reach attacker infrastructure.

Acronis found code and behavior overlaps between MINIRECON and malware described in an IBM X-Force report on Hive0154, another name used in public reporting for Mustang Panda-related activity.

The infrastructure also supported attribution. The MINIRECON implant communicated with couldinstallup[.]com, which resolved to 188.208.141[.]177. Acronis said this infrastructure was in the same broader pattern as previously documented Mustang Panda activity.

| Indicator type | Indicator | Description |
|---|---|---|
| Domain | couldinstallup[.]com | MINIRECON WebSocket C2 domain |
| IP address | 188.208.141[.]177 | Observed infrastructure tied to MINIRECON communication |
| Scheduled task | SolidPDFPcl2Bmp | Persistence task used by SHARDLOADER v1.1 |
| Registry value | MicrosoftEdgeUpdateBrokerTask | ZOHOMURK v2 persistence value under HKCU Run |
| Registry value | ZohoUsingUpdataAnyssAll_RunOnece | ZOHOMURK v1 persistence value with recurring typo |
| User agent | Zoho API Client/1.0 | Possible ZOHOMURK cloud API activity from non-browser processes |
| User agent | Zoho-C-Uploader/2.0 | Possible cloud upload activity linked to the implant |
| File artifact | readata.dat | Temporary command staging file used by ZOHOMURK |

Why Acronis linked the attacks to Mustang Panda

The attribution does not rest on one indicator. Acronis cited the use of familiar sideloading chains, code overlaps with previously reported Toneshell samples, infrastructure similarities, and recurring development mistakes.

The repeated typo RunOnece appeared across multiple related implants. Small development fingerprints like this can help analysts connect separate malware families or campaigns when combined with other technical evidence.

The public MITRE ATT&CK profile for Mustang Panda describes the group as a China-based cyber-espionage actor active since at least 2012. It also notes the group’s use of tailored phishing lures and decoy documents to deliver malware.

Cloud services are now part of the attack surface

This campaign shows why defenders cannot treat all traffic to trusted SaaS platforms as automatically safe. Attackers can use legitimate cloud accounts to move commands and stolen output.

Security teams should pay attention to process context. WorkDrive access from a browser may be normal. WorkDrive API calls from a sideloaded executable, a PDF tool, a Citrix binary, or a process running from an unusual path should trigger investigation.

Payload execution chain for Campaign I (Source – Acronis)

Zoho is not accused of wrongdoing. The issue is abuse of a legitimate platform, which mirrors a wider trend where attackers hide inside services that enterprises already allow through proxies and firewalls.

  • Monitor Zoho WorkDrive API calls from non-browser processes.
  • Flag OAuth token requests from unsigned or unexpected executables.
  • Review DNS and HTTPS activity to couldinstallup[.]com.
  • Search for the SolidPDFPcl2Bmp scheduled task.
  • Check HKCU Run keys for MicrosoftEdgeUpdateBrokerTask and RunOnece values.
  • Look for hidden DLLs delivered inside ZIP archives.
  • Investigate signed binaries loading DLLs from user-writable folders.

Government and energy organizations face higher risk

The lure themes point to intelligence collection around hydropower planning and India-Taiwan cooperation. That makes the campaign relevant to government, energy, policy, diplomatic, and research organizations.

The group’s broader history supports that focus. The Mustang Panda profile lists past targeting of government, diplomatic, research, religious, and non-governmental organizations across Asia, Europe, and the United States.

Payload execution chain for Campaign II (Source – Acronis)

India’s critical infrastructure has also been a recurring area of interest for China-linked threat activity. This latest operation does not prove disruption intent, but it does show continued intelligence interest in sensitive energy and government environments.

What defenders should do now

There is no single patch for this campaign because the attack depends on phishing, sideloading, cloud abuse, and stolen or attacker-created service accounts. Defense requires hunting and containment.

The Acronis report recommends checking registry persistence, scheduled tasks, filesystem artifacts, mutexes, and non-browser Zoho API traffic. These checks can help identify both ZOHOMURK and MINIRECON activity.

Organizations should also review cloud audit logs. Look for new or unusual WorkDrive folders, repeated file uploads from endpoints, suspicious OAuth token use, and API activity tied to machines that do not normally use Zoho automation.

| Defensive step | What to check | Why it matters |
|---|---|---|
| Endpoint hunting | DLL sideloading, hidden DLLs, suspicious Run keys | Finds the loader and persistence mechanisms |
| Cloud monitoring | WorkDrive API activity from unusual processes | Detects ZOHOMURK command control and exfiltration |
| Network review | couldinstallup[.]com and WebSocket traffic on HTTPS | Finds MINIRECON communication |
| Email security | ZIP archives with geopolitical or infrastructure lures | Reduces spear-phishing delivery risk |
| Application control | Signed binaries loading DLLs from writable folders | Blocks common sideloading behavior |
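As an added example (not code from the Acronis report or this article), the hunt list above and the checks in this table expressed as detection logic in Python, run over constructed endpoint telemetry records. The record fields, the browser allow-list, the sample hostnames, paths and extra Run value, and the user-writable-path pattern are assumptions; the indicator values are the ones quoted in the article.

```python
import re

# Indicators quoted in the article (defanged brackets removed so they match raw telemetry).
ZOHO_IMPLANT_USER_AGENTS = {"Zoho API Client/1.0", "Zoho-C-Uploader/2.0"}
MINIRECON_C2_DOMAIN = "couldinstallup.com"
PERSISTENCE_RUN_VALUES = {"MicrosoftEdgeUpdateBrokerTask", "ZohoUsingUpdataAnyssAll_RunOnece"}
PERSISTENCE_TASKS = {"SolidPDFPcl2Bmp"}
# Assumed allow-list of processes expected to talk to WorkDrive; tune per environment.
KNOWN_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed pattern for user-writable folders: a signed binary running from one is the sideloading setup.
USER_WRITABLE = re.compile(r"^c:\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|temp)\\", re.I)


def check_network_record(rec: dict) -> list[str]:
    """Return hunt findings for one record with process, image_path, user_agent and dest_host."""
    findings = []
    proc, host = rec["process"].lower(), rec["dest_host"].lower()
    if rec["user_agent"] in ZOHO_IMPLANT_USER_AGENTS and proc not in KNOWN_BROWSERS:
        findings.append("zoho-api-from-non-browser")  # implant user agent outside a browser
    if "zoho" in host and proc not in KNOWN_BROWSERS and USER_WRITABLE.match(rec["image_path"]):
        findings.append("zoho-traffic-from-writable-path")  # cloud traffic from a sideloading location
    if host == MINIRECON_C2_DOMAIN or host.endswith("." + MINIRECON_C2_DOMAIN):
        findings.append("minirecon-c2-domain")
    return findings


def check_persistence(run_values: set[str], task_names: set[str]) -> list[str]:
    """Match HKCU Run value names and scheduled task names against the published indicators;
    any Run value carrying the recurring RunOnece typo is flagged as well."""
    hits = [f"run:{v}" for v in run_values if v in PERSISTENCE_RUN_VALUES or "RunOnece" in v]
    hits += [f"task:{t}" for t in task_names if t in PERSISTENCE_TASKS]
    return sorted(hits)


# Constructed sample telemetry; hostnames, paths and the extra Run value are illustrative.
SAMPLE_NETWORK = [
    {"process": "msedge.exe", "image_path": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "user_agent": "Mozilla/5.0", "dest_host": "workdrive.zoho.com"},
    {"process": "SolidPDFCreator.exe", "image_path": r"C:\Users\a\Downloads\MoU\SolidPDFCreator.exe",
     "user_agent": "Zoho API Client/1.0", "dest_host": "workdrive.zoho.com"},
    {"process": "CitrixReceiver.exe", "image_path": r"C:\Users\a\AppData\Local\Temp\CitrixReceiver.exe",
     "user_agent": "", "dest_host": "couldinstallup.com"},
]
SAMPLE_RUN_VALUES = {"OneDrive", "MicrosoftEdgeUpdateBrokerTask", "ZohoUpdater_RunOnece"}
SAMPLE_TASKS = {"ExampleVendorUpdateTask", "SolidPDFPcl2Bmp"}


def hunt() -> dict:
    """Run both checks over the samples; network findings are keyed by record index."""
    net = {i: f for i, rec in enumerate(SAMPLE_NETWORK) if (f := check_network_record(rec))}
    return {"network": net, "persistence": check_persistence(SAMPLE_RUN_VALUES, SAMPLE_TASKS)}
```

The browser record produces no finding, while the sideloaded PDF tool trips both Zoho checks and the Citrix binary trips the C2 domain check.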

The attack shows a stronger cloud-abuse playbook

Mustang Panda has repeatedly evolved its tooling while keeping familiar tradecraft, including phishing lures, DLL sideloading, and custom implants. The new element here is the operational use of Zoho WorkDrive for both command control and output collection.

The Hacker News report also connected the activity to the group’s recent expansion of India-focused operations, including earlier Acronis reporting on LOTUSLITE activity against India’s banking sector and South Korean policy circles.

The IBM X-Force analysis of Toneshell and related Mustang Panda tooling helps explain why MINIRECON matters. The malware appears to follow an established pattern of custom backdoors designed for stealth, persistence, and long-term espionage access.

FAQ

What is ZOHOMURK?

ZOHOMURK is a newly reported malware implant linked to Mustang Panda activity. It abuses Zoho WorkDrive folders for command control, remote task execution, and data exfiltration.

Who did the Mustang Panda campaign target?

Acronis reported that the campaigns targeted Indian government entities and India’s hydropower sector, with lures connected to hydropower cooperation and India-Taiwan institutional cooperation.

How did Mustang Panda use Zoho WorkDrive?

The attackers used an attacker-controlled Zoho WorkDrive account as a cloud command channel. ZOHOMURK checked an inbox folder for commands and uploaded results to an outbox folder.

What is SHARDLOADER?

SHARDLOADER is a loader used in the campaign. It relies on DLL sideloading through legitimate signed binaries, including Solid PDF Creator and Citrix Receiver components, to start follow-on malware.

What should defenders monitor?

Defenders should monitor Zoho WorkDrive API traffic from non-browser processes, suspicious OAuth token requests, couldinstallup[.]com activity, hidden DLLs in ZIP archives, unusual scheduled tasks, and HKCU Run key persistence.
