Mustang Panda Abuses Zoho WorkDrive for Command Control and Data Exfiltration in India Attacks
Mustang Panda has been linked to two cyber-espionage campaigns targeting Indian government and energy-related organizations, with attackers abusing Zoho WorkDrive as a hidden command channel and data exfiltration path.
The campaigns used new malware tools called SHARDLOADER, MINIRECON, and ZOHOMURK. According to the Acronis Threat Research Unit, the activity targeted India’s hydropower sector and government entities involved in cooperation with Taiwanese institutions.
The key finding is the use of a trusted cloud storage platform for attacker operations. ZOHOMURK used an attacker-controlled Zoho WorkDrive account to receive commands, upload stolen output, and make malicious traffic look like normal cloud activity.
Mustang Panda campaign focused on India
The campaign used political and infrastructure-themed lure files. One lure referenced a hydropower cooperation project, while another referenced a memorandum involving Indian and Taiwanese institutions.
The Hacker News reported that Acronis found active compromises inside Indian government networks, including systems associated with senior administrative staff. Acronis also said it worked with CERT-In to support victim notification and remediation.
The activity was observed between June 12 and June 22, 2026. During that period, attacker infrastructure remained active and was used to task compromised systems.
| Tool | Role in attack | Main behavior |
|---|---|---|
| SHARDLOADER | Loader | Uses DLL sideloading through signed software to launch the next malware stage |
| ZOHOMURK | Cloud-based implant | Uses Zoho WorkDrive for command control, tasking, and data exfiltration |
| MINIRECON | Backdoor implant | Communicates with attacker infrastructure over WebSocket on HTTPS |
Zoho WorkDrive abuse helped the malware blend in
ZOHOMURK is the most unusual part of the operation. It carried OAuth credentials and used cloud folders as an attacker-controlled message system.
The implant checked an inbox folder for commands and wrote results into an outbox folder. Because Zoho WorkDrive is a legitimate business collaboration platform, this traffic could blend into normal enterprise activity if defenders only look for suspicious domains.
This kind of cloud abuse gives attackers two advantages. It reduces the need for obvious malware infrastructure, and it makes blocking harder because the same cloud service may support real business workflows.
How the infection chain worked
Acronis said both campaigns likely arrived through spear-phishing emails. Victims received ZIP archives containing legitimate signed binaries and hidden malicious DLL files.
When the victim launched the file, the signed executable loaded the attacker’s DLL through sideloading. One campaign used a Solid PDF Creator executable, while another used a Citrix Receiver binary.
This method is common in espionage campaigns because the first visible program looks legitimate. The malicious code runs through the trusted application’s loading behavior.
- The victim receives a targeted ZIP archive with a geopolitical or infrastructure-themed lure.
- The archive contains a signed executable and a hidden malicious DLL.
- The signed executable starts and sideloads the attacker’s DLL.
- SHARDLOADER prepares and launches the next-stage implant.
- ZOHOMURK or MINIRECON establishes command control.
- The attacker sends commands and collects results from the compromised system.
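The chain above starts with a signed executable loading an unsigned DLL that was dropped next to it in a user-writable folder. The following detection logic is an added example written for this article, not code from Acronis or from the campaign itself: it scans constructed image-load records (a simplified form of Sysmon Event ID 7 fields, an assumption rather than the exact schema) and flags loads that match the sideloading pattern. File names such as SolidPDFCreator_placeholder.exe and placeholder_sideload.dll are placeholders, not the real artifacts.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Roots an ordinary user can write to. Anything under C:\Users\ is writable by the
# profile owner; ProgramData and Windows\Temp are commonly writable by everyone.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event. Field names are our own simplification of
    Sysmon Event ID 7 (assumption, not the exact Sysmon schema)."""
    process: str          # executable that performed the load
    process_signed: bool  # Authenticode status of that executable
    dll: str              # module mapped into the process
    dll_signed: bool      # Authenticode status of the module


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a normal user can write to."""
    normalized = str(PureWindowsPath(path)).lower()
    return normalized.startswith(USER_WRITABLE_ROOTS)


def classify(event: ImageLoad) -> Optional[str]:
    """Return a reason if the event matches the sideloading pattern, else None.

    The pattern from the article: a signed, legitimate executable loads an
    unsigned DLL from a location the attacker could write to."""
    if not event.process_signed or event.dll_signed:
        return None  # unsigned parent, or a signed DLL: not this pattern
    if not is_user_writable(event.dll):
        return None
    exe_dir = PureWindowsPath(event.process).parent
    dll_dir = PureWindowsPath(event.dll).parent
    if exe_dir == dll_dir:  # PureWindowsPath compares case-insensitively
        return "signed exe and unsigned dll dropped together in user-writable folder"
    return "signed exe loaded unsigned dll from user-writable folder"


def find_sideload_candidates(events: List[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process, dll, reason) for every event worth an analyst's time."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.process, ev.dll, reason))
    return hits


# Constructed sample telemetry; none of these paths come from the real campaign.
SAMPLE_EVENTS = [
    # ZIP-delivered pair: signed PDF tool plus unsigned DLL in the same Downloads folder
    ImageLoad(r"C:\Users\alice\Downloads\lure_archive\SolidPDFCreator_placeholder.exe", True,
              r"C:\Users\alice\Downloads\lure_archive\placeholder_sideload.dll", False),
    # Normal: signed vendor tool loading a signed system DLL
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    # Unsigned installer loading its own unsigned helper: outside this rule's scope
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\setup.exe", False,
              r"C:\Users\alice\AppData\Local\Temp\helper.dll", False),
    # Signed binary in Program Files pulling an unsigned DLL from a roaming profile
    ImageLoad(r"C:\Program Files\Citrix\Receiver\placeholder.exe", True,
              r"C:\Users\alice\AppData\Roaming\placeholder.dll", False),
]

if __name__ == "__main__":
    for process, dll, reason in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"[sideload?] {process} -> {dll}: {reason}")
```

The rule deliberately ignores unsigned parents: those are caught by ordinary unsigned-binary alerts, whereas the signed-parent case is the one that slips past a naive "trust signed code" policy.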
ZOHOMURK used cloud folders as attacker mailboxes
ZOHOMURK created a cloud-based command loop. It downloaded a command file from the victim’s inbox folder, decrypted it, processed the instruction, and then moved the command file to trash to reduce evidence.
The malware supported file operations, interactive shell access, and shell teardown. Its command output was uploaded back into the victim’s outbox folder on the attacker-controlled cloud account.
The implant also used heartbeat behavior to check whether the victim folder still existed. If the folder disappeared, it could recreate the structure and continue operating.
MINIRECON shows links to earlier Mustang Panda tooling
MINIRECON is described as a compact backdoor with similarities to Toneshell, a malware family associated with Mustang Panda operations. It used WebSocket communication over HTTPS to reach attacker infrastructure.
Acronis found code and behavior overlaps between MINIRECON and malware described in an IBM X-Force report on Hive0154, another name used in public reporting for Mustang Panda-related activity.
The infrastructure also supported attribution. The MINIRECON implant communicated with couldinstallup[.]com, which resolved to 188.208.141[.]177. Acronis said this infrastructure was in the same broader pattern as previously documented Mustang Panda activity.
| Indicator type | Indicator | Description |
|---|---|---|
| Domain | couldinstallup[.]com | MINIRECON WebSocket C2 domain |
| IP address | 188.208.141[.]177 | Observed infrastructure tied to MINIRECON communication |
| Scheduled task | SolidPDFPcl2Bmp | Persistence task used by SHARDLOADER v1.1 |
| Registry value | MicrosoftEdgeUpdateBrokerTask | ZOHOMURK v2 persistence value under HKCU Run |
| Registry value | ZohoUsingUpdataAnyssAll_RunOnece | ZOHOMURK v1 persistence value with recurring typo |
| User agent | Zoho API Client/1.0 | Possible ZOHOMURK cloud API activity from non-browser processes |
| User agent | Zoho-C-Uploader/2.0 | Possible cloud upload activity linked to the implant |
| File artifact | readata.dat | Temporary command staging file used by ZOHOMURK |
Why Acronis linked the attacks to Mustang Panda
The attribution does not rest on one indicator. Acronis cited the use of familiar sideloading chains, code overlaps with previously reported Toneshell samples, infrastructure similarities, and recurring development mistakes.
The repeated typo RunOnece appeared across multiple related implants. Small development fingerprints like this can help analysts connect separate malware families or campaigns when combined with other technical evidence.
The public MITRE ATT&CK profile for Mustang Panda describes the group as a China-based cyber-espionage actor active since at least 2012. It also notes the group’s use of tailored phishing lures and decoy documents to deliver malware.
Cloud services are now part of the attack surface
This campaign shows why defenders cannot treat all traffic to trusted SaaS platforms as automatically safe. Attackers can use legitimate cloud accounts to move commands and stolen output.
Security teams should pay attention to process context. WorkDrive access from a browser may be normal. WorkDrive API calls from a sideloaded executable, a PDF tool, a Citrix binary, or a process running from an unusual path should trigger investigation.

Zoho is not accused of wrongdoing. The issue is abuse of a legitimate platform, which mirrors a wider trend where attackers hide inside services that enterprises already allow through proxies and firewalls.
- Monitor Zoho WorkDrive API calls from non-browser processes.
- Flag OAuth token requests from unsigned or unexpected executables.
- Review DNS and HTTPS activity to couldinstallup[.]com.
- Search for the SolidPDFPcl2Bmp scheduled task.
- Check HKCU Run keys for MicrosoftEdgeUpdateBrokerTask and RunOnece values.
- Look for hidden DLLs delivered inside ZIP archives.
- Investigate signed binaries loading DLLs from user-writable folders.
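The checklist above combines network, registry, scheduled-task and file indicators from the article's table. The script below is an added example, not tooling from Acronis or the article, that applies those published indicators to constructed telemetry records. The record layout (a `type` field plus per-type keys) and the browser process list are assumptions; the indicator values themselves are the ones printed in the article, with the defanging brackets removed so they match real logs.

```python
from typing import Dict, List, Optional, Tuple

# Indicators as published in the article, un-defanged for matching.
C2_DOMAIN = "couldinstallup[.]com".replace("[.]", ".")
C2_IP = "188.208.141[.]177".replace("[.]", ".")
ZOHO_USER_AGENTS = {"Zoho API Client/1.0", "Zoho-C-Uploader/2.0"}
RUN_VALUES = {"MicrosoftEdgeUpdateBrokerTask", "ZohoUsingUpdataAnyssAll_RunOnece"}
TYPO_FINGERPRINT = "runonece"          # recurring developer typo noted by Acronis
SCHEDULED_TASK = "SolidPDFPcl2Bmp"
STAGING_FILE = "readata.dat"
HKCU_RUN = "hkcu\\software\\microsoft\\windows\\currentversion\\run"

# Processes for which Zoho API traffic is expected (assumption: tune per environment).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def evaluate(record: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a single telemetry record matches an indicator."""
    kind = record["type"]
    if kind == "proxy":
        proc = record.get("process", "").lower()
        if record.get("user_agent") in ZOHO_USER_AGENTS and proc not in BROWSERS:
            return ("high", f"Zoho API user agent from non-browser process {proc}")
        if record.get("host", "").lower() == C2_DOMAIN:
            return ("high", "HTTPS session to MINIRECON C2 domain")
    elif kind == "dns":
        query = record.get("query", "").rstrip(".").lower()
        if query == C2_DOMAIN or record.get("answer") == C2_IP:
            return ("high", "DNS resolution of MINIRECON C2 infrastructure")
    elif kind == "registry":
        key = record.get("key", "").lower()
        value = record.get("value_name", "")
        if key.startswith(HKCU_RUN):
            if value in RUN_VALUES:
                return ("high", f"known ZOHOMURK persistence value {value}")
            if TYPO_FINGERPRINT in value.lower():
                return ("medium", f"RunOnece typo fingerprint in Run value {value}")
    elif kind == "task":
        if record.get("name") == SCHEDULED_TASK:
            return ("high", "SHARDLOADER v1.1 persistence task")
    elif kind == "file":
        if record.get("path", "").replace("/", "\\").split("\\")[-1].lower() == STAGING_FILE:
            return ("medium", "ZOHOMURK command staging file name")
    return None


def hunt(records: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Run every record through evaluate(); return (index, severity, reason) hits."""
    hits = []
    for i, rec in enumerate(records):
        verdict = evaluate(rec)
        if verdict:
            hits.append((i, verdict[0], verdict[1]))
    return hits


# Constructed telemetry for the demonstration; hostnames and process names are placeholders.
SAMPLE_RECORDS = [
    {"type": "proxy", "host": "workdrive.example", "user_agent": "Zoho API Client/1.0",
     "process": "SolidPDFCreator_placeholder.exe"},
    {"type": "proxy", "host": "workdrive.example", "user_agent": "Mozilla/5.0 (constructed)",
     "process": "chrome.exe"},
    # Same UA from a browser process: not flagged, because the rule is about process context
    {"type": "proxy", "host": "workdrive.example", "user_agent": "Zoho-C-Uploader/2.0",
     "process": "msedge.exe"},
    {"type": "dns", "query": "couldinstallup.com.", "answer": "188.208.141.177"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "MicrosoftEdgeUpdateBrokerTask"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Constructed_RunOnece"},   # typo fingerprint only, constructed name
    {"type": "task", "name": "SolidPDFPcl2Bmp"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\readata.dat"},
]

if __name__ == "__main__":
    for index, severity, reason in hunt(SAMPLE_RECORDS):
        print(f"[{severity}] record {index}: {reason}")
```

The typo fingerprint is deliberately rated lower than the exact value names: a substring match on "RunOnece" is a lead to pivot on, not a confirmation, which mirrors how the article describes attribution resting on several overlapping signals rather than one.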
Government and energy organizations face higher risk
The lure themes point to intelligence collection around hydropower planning and India-Taiwan cooperation. That makes the campaign relevant to government, energy, policy, diplomatic, and research organizations.
The group’s broader history supports that focus. The Mustang Panda profile lists past targeting of government, diplomatic, research, religious, and non-governmental organizations across Asia, Europe, and the United States.

India’s critical infrastructure has also been a recurring area of interest for China-linked threat activity. This latest operation does not prove disruption intent, but it does show continued intelligence interest in sensitive energy and government environments.
What defenders should do now
There is no single patch for this campaign because the attack depends on phishing, sideloading, cloud abuse, and stolen or attacker-created service accounts. Defense requires hunting and containment.
The Acronis report recommends checking registry persistence, scheduled tasks, filesystem artifacts, mutexes, and non-browser Zoho API traffic. These checks can help identify both ZOHOMURK and MINIRECON activity.
Organizations should also review cloud audit logs. Look for new or unusual WorkDrive folders, repeated file uploads from endpoints, suspicious OAuth token use, and API activity tied to machines that do not normally use Zoho automation.
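Both the ZOHOMURK command loop described earlier (download from inbox, upload to outbox, trash the command file, repeat) and the cloud audit-log review recommended here can be turned into a concrete hunt. The code below is an added example, not Acronis' tooling or a Zoho feature: it runs over constructed audit records in an assumed four-field layout (timestamp, device, action, path), since the real WorkDrive audit schema is not reproduced in the article, and looks for two things: the download/upload/trash cycle repeating on one device, and bursts of uploads from one device into one folder. Device names and folder paths are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

AuditRecord = Tuple[str, str, str, str]  # (ISO timestamp, device, action, path)


def folder(path: str) -> str:
    """Parent folder of a WorkDrive path ('/a/b/c' -> '/a/b')."""
    return path.rsplit("/", 1)[0]


def find_command_loops(records: List[AuditRecord], min_cycles: int = 2) -> Dict[str, int]:
    """Count, per device, cycles of: download X; upload into a different folder;
    trash X. Devices reaching min_cycles are returned with their cycle count."""
    by_device: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for ts, device, action, path in sorted(records):  # ISO timestamps sort lexically
        by_device[device].append((ts, action, path))

    findings = {}
    for device, events in by_device.items():
        cycles = 0
        downloaded = None        # path of the most recent download awaiting trash
        uploaded_since = False   # an upload to another folder happened after it
        for _ts, action, path in events:
            if action == "download":
                downloaded, uploaded_since = path, False
            elif action == "upload" and downloaded is not None:
                if folder(path) != folder(downloaded):
                    uploaded_since = True
            elif action == "trash" and path == downloaded and uploaded_since:
                cycles += 1
                downloaded, uploaded_since = None, False
        if cycles >= min_cycles:
            findings[device] = cycles
    return findings


def upload_bursts(records: List[AuditRecord], window: timedelta = timedelta(hours=1),
                  threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """Per (device, folder), the largest number of uploads inside any sliding window;
    only pairs at or above threshold are returned."""
    stamps: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, device, action, path in records:
        if action == "upload":
            stamps[(device, folder(path))].append(datetime.fromisoformat(ts))

    hits = {}
    for key, times in stamps.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, in_window)
        if best >= threshold:
            hits[key] = best
    return hits


# Constructed audit log: HOST-A shows the implant rhythm, HOST-B shows ordinary use.
SAMPLE_AUDIT: List[AuditRecord] = [
    ("2026-06-15T09:00:00", "HOST-A", "download", "/host-a/inbox/cmd_001"),
    ("2026-06-15T09:00:05", "HOST-A", "upload",   "/host-a/outbox/result_001"),
    ("2026-06-15T09:00:06", "HOST-A", "trash",    "/host-a/inbox/cmd_001"),
    ("2026-06-15T09:20:00", "HOST-A", "download", "/host-a/inbox/cmd_002"),
    ("2026-06-15T09:20:04", "HOST-A", "upload",   "/host-a/outbox/result_002"),
    ("2026-06-15T09:20:05", "HOST-A", "trash",    "/host-a/inbox/cmd_002"),
    ("2026-06-15T09:40:00", "HOST-A", "download", "/host-a/inbox/cmd_003"),
    ("2026-06-15T09:40:07", "HOST-A", "upload",   "/host-a/outbox/result_003"),
    ("2026-06-15T09:40:08", "HOST-A", "trash",    "/host-a/inbox/cmd_003"),
    ("2026-06-15T10:00:00", "HOST-B", "upload",   "/team/reports/q2.xlsx"),
    ("2026-06-15T10:05:00", "HOST-B", "download", "/team/reports/budget.xlsx"),
    ("2026-06-15T10:30:00", "HOST-B", "trash",    "/team/reports/old_draft.docx"),
]

if __name__ == "__main__":
    print("command loops:", find_command_loops(SAMPLE_AUDIT))
    print("upload bursts:", upload_bursts(SAMPLE_AUDIT))
```

The loop detector is intentionally strict (the trashed file must be the one just downloaded, and an upload to another folder must sit in between) so that a user who downloads, edits and deletes a document in one folder does not trip it; the burst detector is the coarser backstop for an implant that uploads results without following the exact sequence.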
| Defensive step | What to check | Why it matters |
|---|---|---|
| Endpoint hunting | DLL sideloading, hidden DLLs, suspicious Run keys | Finds the loader and persistence mechanisms |
| Cloud monitoring | WorkDrive API activity from unusual processes | Detects ZOHOMURK command control and exfiltration |
| Network review | couldinstallup[.]com and WebSocket traffic on HTTPS | Finds MINIRECON communication |
| Email security | ZIP archives with geopolitical or infrastructure lures | Reduces spear-phishing delivery risk |
| Application control | Signed binaries loading DLLs from writable folders | Blocks common sideloading behavior |
The attack shows a stronger cloud-abuse playbook
Mustang Panda has repeatedly evolved its tooling while keeping familiar tradecraft, including phishing lures, DLL sideloading, and custom implants. The new element here is the operational use of Zoho WorkDrive for both command control and output collection.
The Hacker News report also connected the activity to the group’s recent expansion of India-focused operations, including earlier Acronis reporting on LOTUSLITE activity against India’s banking sector and South Korean policy circles.
The IBM X-Force analysis of Toneshell and related Mustang Panda tooling helps explain why MINIRECON matters. The malware appears to follow an established pattern of custom backdoors designed for stealth, persistence, and long-term espionage access.
FAQ
ZOHOMURK is a newly reported malware implant linked to Mustang Panda activity. It abuses Zoho WorkDrive folders for command control, remote task execution, and data exfiltration.
Acronis reported that the campaigns targeted Indian government entities and India’s hydropower sector, with lures connected to hydropower cooperation and India-Taiwan institutional cooperation.
The attackers used an attacker-controlled Zoho WorkDrive account as a cloud command channel. ZOHOMURK checked an inbox folder for commands and uploaded results to an outbox folder.
SHARDLOADER is a loader used in the campaign. It relies on DLL sideloading through legitimate signed binaries, including Solid PDF Creator and Citrix Receiver components, to start follow-on malware.
Defenders should monitor Zoho WorkDrive API traffic from non-browser processes, suspicious OAuth token requests, couldinstallup[.]com activity, hidden DLLs in ZIP archives, unusual scheduled tasks, and HKCU Run key persistence.