Mustang Panda Exploits Zoho WorkDrive in Cyber Espionage

Mustang Panda Zoho WorkDrive malware attack targeting India energy sector

An innocuous cloud-based file collaboration platform recently became the conduit for a sophisticated espionage operation. The notorious Chinese threat actor, Mustang Panda, orchestrated targeted attacks against Indian government agencies and the energy sector, exploiting Zoho WorkDrive to command and control compromised systems.

Targeting Hydroelectric Power and Bilateral Agreements

Cybersecurity experts recently attributed two distinct malicious campaigns to this advanced persistent threat group. These operations deliberately targeted entities associated with India’s hydroelectric power infrastructure and bilateral cooperation agreements with Taiwan. According to a comprehensive analysis by the Acronis Threat Research Unit, the adversaries disseminated deceptive archive files masquerading as official government and industry documents. However, these trojanized archives clandestinely harbored the SHARDLOADER downloader, alongside novel implants designated as MINIRECON and ZOHOMURK.

The Malicious Kill Chain and DLL Hijacking

The intricate attack kill chain relied heavily on DLL hijacking techniques. Unsuspecting victims inadvertently executed legitimate, cryptographically signed executables, such as components of Solid PDF Creator or Citrix Receiver. Consequently, the Windows operating system automatically loaded a malicious dynamic link library placed in the same directory as the signed executable, because that directory is searched before the system paths. Through this deceptive maneuver, SHARDLOADER masqueraded as a trusted application, established robust persistence within the host environment, and seamlessly transferred execution control to subsequent payload modules.

Remote Access via the MINIRECON Implant

The MINIRECON implant subsequently granted the adversaries comprehensive remote access to the compromised machine. This backdoor facilitated arbitrary command execution and bidirectional file transfers. To communicate covertly with its command and control infrastructure, the implant leveraged WebSocket connections encapsulated within encrypted HTTPS traffic. Furthermore, its ability to navigate through local proxies ensured the malicious telemetry blended seamlessly into routine corporate network traffic.

Weaponizing Zoho WorkDrive with ZOHOMURK

Perhaps the most conspicuous element of this campaign was the deployment of ZOHOMURK. This sophisticated malware ingeniously weaponized Zoho WorkDrive, utilizing it as an unconventional channel for both command dissemination and data exfiltration. Upon activation, the implant automatically generated victim-specific directories within an operator-controlled account. It persistently monitored these folders for incoming command files, executed the designated tasks, and exfiltrated the resulting data back into the cloud repository. Ultimately, this mechanism successfully camouflaged malicious data exfiltration as innocuous interactions with a legitimate enterprise service.

Widespread Compromise in the Indian Public Sector

Throughout the comprehensive investigation, security specialists positively identified numerous compromised systems deeply entrenched within the Indian public sector. Alarmingly, this included devices belonging to high-ranking administrative personnel. Threat hunters actively observed this malicious activity spanning from June 12 to June 22, 2026. In a collaborative effort, Acronis promptly transmitted all relevant indicators of compromise, infrastructure intelligence, and technical forensics to the Indian Computer Emergency Response Team (CERT-In). This vital intelligence sharing aims to expedite victim notification and facilitate immediate remediation of the targeted networks.

Critical Recommendations for Network Defenders

Security advisories strongly urge organizations operating within the government and energy sectors to rigorously scrutinize any suspicious archive files featuring geopolitical themes. Furthermore, network defenders must actively hunt for persistence mechanisms nested within the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key and isolate the anomalous SolidPDFPcl2Bmp scheduled task. Security teams should thoroughly inspect the C:\ProgramData\IDM\logs\ and %LOCALAPPDATA%\Microsoft\VaultCache directories for irregular artifacts. Crucially, administrators must monitor their network perimeter for any unauthorized API requests directed toward Zoho WorkDrive and accounts.zoho.com originating from non-browser processes.
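The hunt described above, expressed as an added example (not code from Acronis or the article) that checks the Run key, the scheduled task name, the two staging directories and non-browser connections to Zoho hosts against constructed sample telemetry. The input shapes (value-name/command pairs, task names, process/destination pairs such as Sysmon Event ID 3 would yield), the browser list and the host pattern workdrive.zoho.com are assumptions; the sample file and task names are constructed, not indicators from the campaign.

```python
import re

# Indicators quoted from the advisory text; the host pattern is an assumption
# about how Zoho WorkDrive API traffic appears on the wire.
SUSPECT_TASK = "solidpdfpcl2bmp"
STAGING_DIRS = (r"c:\programdata\idm\logs", r"\microsoft\vaultcache")
ZOHO_HOST = re.compile(r"^(accounts\.zoho\.com|([a-z0-9-]+\.)*workdrive\.zoho\.com)$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumed allow-list

def hunt_run_keys(entries):
    """entries: (value_name, command) pairs read from HKCU\\...\\Run.
    Flags any autostart command that launches from one of the staging directories."""
    hits = []
    for name, cmd in entries:
        if any(d in cmd.lower() for d in STAGING_DIRS):
            hits.append(f"run-key {name!r} launches from staging dir: {cmd}")
    return hits

def hunt_tasks(task_names):
    """Flags scheduled tasks whose name matches the one named in the advisory."""
    return [f"scheduled task {t!r} matches advisory" for t in task_names
            if t.lower() == SUSPECT_TASK]

def hunt_network(conns):
    """conns: (process_image, destination_host) pairs, e.g. from Sysmon EID 3.
    Flags any non-browser process reaching WorkDrive or accounts.zoho.com."""
    hits = []
    for image, host in conns:
        exe = image.rsplit("\\", 1)[-1].lower()
        if ZOHO_HOST.match(host) and exe not in BROWSERS:
            hits.append(f"non-browser {exe} -> {host}")
    return hits

# Constructed sample telemetry (file and task names invented for the demo)
SAMPLE_RUN = [("OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
              ("IDMUpdate", r"C:\ProgramData\IDM\logs\signedhost.exe")]
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineCore", "SolidPDFPcl2Bmp"]
SAMPLE_CONNS = [(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "workdrive.zoho.com"),
                (r"C:\ProgramData\IDM\logs\signedhost.exe", "workdrive.zoho.com"),
                (r"C:\ProgramData\IDM\logs\signedhost.exe", "accounts.zoho.com"),
                (r"C:\Windows\System32\svchost.exe", "update.microsoft.com")]

def run_hunt():
    """Runs all three checks over the sample data and returns the findings."""
    return hunt_run_keys(SAMPLE_RUN) + hunt_tasks(SAMPLE_TASKS) + hunt_network(SAMPLE_CONNS)

if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
```

On a real host the three input lists would come from the registry, schtasks output and EDR or proxy connection logs; the chrome.exe connection is deliberately left unflagged to show the browser allow-list at work.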
