A China-aligned cyber espionage group known as Mustang Panda has been caught running two simultaneous attack campaigns against Indian government and energy targets, using a trusted cloud storage service as its hidden command center.
The group deployed newly developed malware tools to silently steal data while making malicious traffic blend in with normal cloud activity.
The attacks focused on India’s hydropower sector and government institutions involved in bilateral cooperation.
Lure documents themed around a hydropower cooperation proposal and a memorandum between Indian and Taiwanese institutions were used to trick victims into executing the malware.
The goal, according to analysts, was to collect intelligence on India’s hydropower plans and its defense relationships with Taiwan.
Researchers at Acronis Threat Research Unit (TRU) said in a report shared with Cyber Security News (CSN) that they identified the campaigns and found active compromises inside Indian government networks, including machines used by senior administrative staff.
Acronis worked directly with CERT-In on notification and cleanup after uncovering the intrusions. The threat actor introduced three new malware tools across both campaigns.
The first, called SHARDLOADER, is a loader that runs by sideloading a malicious DLL through a legitimately signed binary, either a Solid PDF Creator executable or a Citrix Receiver binary depending on the campaign.
The other two implants, MINIRECON and ZOHOMURK, do the bulk of the work once the loader completes its task.
This fits a clear and escalating pattern of attacks. In April, Acronis also tied Mustang Panda to attacks on India’s banking sector and South Korean policy circles through a campaign using a tool called LOTUSLITE, also staged through a legitimate cloud service.
The 2021 RedEcho campaign had previously targeted India’s electricity grid using ShadowPad malware, showing Beijing’s ongoing interest in India’s critical infrastructure.
Mustang Panda Abuses Zoho WorkDrive
ZOHOMURK is the most unusual piece of this operation. It carries hardcoded Zoho OAuth credentials and uses them to run an attacker-controlled WorkDrive account as a covert command channel.

It reads instructions from an inbox folder and writes stolen output to an outbox folder. Because Zoho WorkDrive is widely used across India’s government sector, this traffic blends almost perfectly with legitimate activity.
MINIRECON is a reworked variant of the Toneshell backdoor, previously documented by IBM X-Force. It communicates with attacker servers over a WebSocket connection carried over HTTPS, making it harder to detect through standard network monitoring.

Both implants were deployed through the same SHARDLOADER chain, with minor variations between the two campaigns in terms of loader structure.
Both campaigns arrived as ZIP archives with the malicious DLL marked as hidden. Acronis believes the files were delivered through spear-phishing emails.
Attribution to Mustang Panda was made with high confidence, backed by the reused sideloading chain, code overlaps with documented Toneshell samples, and command servers in the same network block IBM X-Force had already tied to the group.
A recurring typo, RunOnece, found across multiple implants, also served as a useful fingerprint.
Defense Gaps and What Organizations Should Watch For
Operational security on the attacker’s side was notably weak. Hardcoded tokens, plaintext identifiers, and reused infrastructure all helped analysts track and attribute the activity.
Active beaconing was observed from June 12 to June 22, 2026, giving defenders a window to search for signs of compromise during that period.

There is no patch available. The defense comes down to catching the delivery method and identifying cloud service abuse before data leaves the network.
Acronis published indicators and hunting tips noting persistence Run keys, a scheduled task named SolidPDFPcl2Bmp, and the C2 domain couldinstallup[.]com as key markers to watch. Zoho user agents appearing on non-browser processes are also a reliable red flag.
Government and energy organizations, particularly those involved in cross-border dealings that could attract Beijing’s attention, should stay alert to geopolitical lures and unexpected sideloading from signed binaries.
Security teams should also flag any endpoint process that begins calling cloud APIs it has no legitimate reason to access.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | couldinstallup[.]com | C2 domain used by MINIRECON implant |
| Scheduled Task | SolidPDFPcl2Bmp | Persistence mechanism created by SHARDLOADER |
| File Name | pl2bmpax.dll | Malicious sideloaded DLL (SHARDLOADER) |
| File Name | txMuiApp.dll | Malicious sideloaded DLL (SHARDLOADER variant) |
| File Name | ZOHOMURK implant (txMuiApp / pl2bmpax variant) | Novel implant abusing Zoho WorkDrive for C2 |
| Registry Key | HKCU Run key (RunOnece) | Persistence Run key with recurring typo used across implants |
| IP Address | 199.209.141.166 | C2 server IP, same AS block tied to Mustang Panda by IBM X-Force |
| User Agent | Zoho WorkDrive API user agent on non-browser processes | Behavioral indicator of ZOHOMURK C2 activity |
| Lure File | Hydropower Cooperation Project Proposal (ZIP) | Spear-phishing lure for Campaign I |
| Lure File | MOI ROSINFO DU TAIWAN.zip | Spear-phishing lure for Campaign II |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
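To show how the hunting guidance in the defense section and the IoC table above translate into concrete checks, here is an added example of my own; it is not code from Acronis or from the article. It applies the published indicators (the C2 domain and IP, the SolidPDFPcl2Bmp task, the pl2bmpax.dll and txMuiApp.dll names, the RunOnece typo, and Zoho WorkDrive user agents on non-browser processes) to constructed, Sysmon-like sample events. The event field names, the host executable names, the Zoho hostname and the browser allow-list are assumptions; the "signed host loading an unsigned DLL from its own directory" rule is a generic sideloading heuristic added here, not something the report states.

```python
import re
from ntpath import basename, dirname  # ntpath so Windows paths parse on any OS

# Indicators from the article's IoC table (domain kept defanged as published).
C2_DOMAIN = "couldinstallup[.]com"
C2_IP = "199.209.141.166"
TASK_NAME = "SolidPDFPcl2Bmp"
SIDELOADED_DLLS = {"pl2bmpax.dll", "txmuiapp.dll"}
RUN_KEY_TYPO = "runonece"

# Assumptions: processes expected to carry a Zoho WorkDrive user agent, and
# the substring that identifies that user agent in proxy or EDR telemetry.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
ZOHO_UA_RE = re.compile(r"zoho\s*workdrive", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Reverse the [.] / [:] / hxxp defanging used in published IoC lists."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def check_registry(ev):
    """Run-key persistence carrying the RunOnece typo the report fingerprinted."""
    text = (ev.get("key", "") + "\\" + ev.get("value_name", "")).lower()
    if "\\currentversion\\run" in text and RUN_KEY_TYPO in text:
        return "run_key_typo"
    return None


def check_task(ev):
    """Scheduled task named like the SHARDLOADER persistence task."""
    if ev.get("task_name", "").lower() == TASK_NAME.lower():
        return "shardloader_task"
    return None


def check_image_load(ev):
    """Known sideloaded DLL names, plus a generic heuristic (assumption):
    a signed host process loading an unsigned DLL from its own directory."""
    dll = ev.get("dll", "")
    if basename(dll).lower() in SIDELOADED_DLLS:
        return "known_sideloaded_dll"
    if (ev.get("image_signed") and not ev.get("dll_signed")
            and dirname(dll).lower() == dirname(ev.get("image", "")).lower()):
        return "unsigned_dll_beside_signed_host"
    return None


def check_network(ev):
    """Contact with the published C2 infrastructure, or a Zoho WorkDrive user
    agent sent by a process that is not a browser (the ZOHOMURK indicator)."""
    dest = ev.get("dest", "").lower()
    if dest in (refang(C2_DOMAIN), C2_IP):
        return "c2_contact"
    proc = basename(ev.get("image", "")).lower()
    if ZOHO_UA_RE.search(ev.get("user_agent", "")) and proc not in BROWSERS:
        return "zoho_ua_non_browser"
    return None


CHECKS = {"registry": check_registry, "task": check_task,
          "image_load": check_image_load, "network": check_network}


def hunt(events):
    """Return (event_id, rule) for every event that trips one of the checks."""
    findings = []
    for ev in events:
        rule = CHECKS.get(ev.get("type"), lambda _e: None)(ev)
        if rule:
            findings.append((ev["id"], rule))
    return findings


# Constructed sample telemetry: invented paths, host names and hostnames.
SAMPLE_EVENTS = [
    {"id": 1, "type": "image_load", "image": r"C:\Users\u\Downloads\proposal\signedhost.exe",
     "image_signed": True, "dll": r"C:\Users\u\Downloads\proposal\pl2bmpax.dll", "dll_signed": False},
    {"id": 2, "type": "image_load", "image": r"C:\Users\u\Downloads\memo\signedhost2.exe",
     "image_signed": True, "dll": r"C:\Users\u\Downloads\memo\helper.dll", "dll_signed": False},
    {"id": 3, "type": "image_load", "image": r"C:\Windows\System32\notepad.exe",
     "image_signed": True, "dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"id": 4, "type": "task", "task_name": "SolidPDFPcl2Bmp"},
    {"id": 5, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "RunOnece"},
    {"id": 6, "type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest": "workdrive.zoho.example", "user_agent": "Mozilla/5.0 ... Zoho WorkDrive"},
    {"id": 7, "type": "network", "image": r"C:\Users\u\Downloads\memo\signedhost2.exe",
     "dest": "workdrive.zoho.example", "user_agent": "Zoho WorkDrive/1.0"},
    {"id": 8, "type": "network", "image": r"C:\Users\u\Downloads\proposal\signedhost.exe",
     "dest": "couldinstallup.com", "user_agent": ""},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Run against the sample, events 1, 2, 4, 5, 7 and 8 are flagged while the browser's own Zoho traffic (event 6) and a normal system DLL load (event 3) pass. The user-agent rule is the one worth tuning first: any internal tool that legitimately talks to WorkDrive needs adding to the allow-list, otherwise the rule turns into noise rather than the reliable red flag the report describes.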