Active beaconing ran from June 12 to June 22, 2026, as a China-aligned espionage group covertly used a legitimate cloud service to steal information from Indian government machines.
How Mustang Panda used Zoho WorkDrive as a dead-drop
Acronis Threat Research Unit reports that the intrusions abused Zoho WorkDrive to hide command-and-control and data exfiltration inside routine cloud traffic. A novel implant Acronis calls ZOHOMURK carries hardcoded Zoho OAuth credentials and operates an attacker-controlled WorkDrive account as a dead drop: it reads commands from an inbox folder and writes stolen output to an outbox. Because Zoho is common in the Indian government sector, Acronis warns, that traffic looks like ordinary cloud activity, which makes the destination alone a weak detection signal; what stands out is which process on the endpoint is making the Zoho calls.
The malware toolkit: SHARDLOADER, MINIRECON, ZOHOMURK
Acronis identified three tools used in the campaigns. SHARDLOADER is a loader that sideloads a malicious DLL through legitimately signed binaries — in one campaign via a Solid PDF Creator executable, in the other via a Citrix Receiver binary — and it deploys one of two implants. MINIRECON is a reworked variant of the Toneshell backdoor previously documented by IBM X-Force; Acronis says MINIRECON now beacons over a WebSocket connection on HTTPS. ZOHOMURK, the novel piece, embeds Zoho OAuth tokens and uses WorkDrive as the command channel and data repository.
Targets, lures, and delivery
Acronis found active compromises inside Indian government networks, including machines used by senior administrative staff, and worked with CERT‑In on notification and cleanup. The campaigns used two lure themes tailored to their victims: one focused on a hydropower cooperation proposal, the other on a memorandum of understanding between Indian and Taiwanese institutions. Both arrived as ZIP archives with the malicious DLL marked hidden; Acronis believes the ZIPs were delivered by spear‑phishing.
Operational security failures that enabled attribution
Acronis attributes the activity to Mustang Panda with high confidence and lays out the technical ties it used to reach that conclusion: reuse of the Solid PDF Creator sideloading chain; code overlap with Toneshell; command servers colocated in the same network block as infrastructure IBM X‑Force has tied to the group; and a recurring typo, RunOnece, carried across multiple implants. Analysts also benefited from thin operational security on the attackers’ side — hardcoded tokens, plaintext identifiers, and reused infrastructure — which made linking the pieces straightforward. The report places the active beaconing window at June 12–22, 2026.
What this means for the Indian government, energy organizations, and CERT‑In
- Indian government networks — Hunt for the specific indicators Acronis published: persistence Run keys, a scheduled task named SolidPDFPcl2Bmp, the C2 domain couldinstallup[.]com, and Zoho user agents appearing on non‑browser processes.
- Energy organizations involved in cross‑border deals — Expect geopolitically themed lures (hydropower cooperation proposals, MoUs) and watch for signed‑binary sideloading chains like the Solid PDF Creator and Citrix Receiver abuses described by Acronis.
- CERT‑In — Acronis worked directly with CERT‑In on notification and cleanup; continued rapid information sharing and tracking of cloud‑service abuse will be central because “there is no patch to apply,” meaning defenses must focus on catching delivery and cloud abuse.
The report places this activity in a broader pattern. In April, Acronis tied a Mustang Panda LOTUSLITE backdoor to attacks on India’s banking sector and South Korean policy circles that also used a legitimate cloud service as part of the staging. Acronis also notes that China‑linked interest in India’s power sector predates these campaigns; the 2021 RedEcho campaign targeted the country’s electricity grid using ShadowPad.
For defenders, the lesson Acronis emphasizes is specific: watch for geopolitical lures, sideloading from signed binaries, and any endpoint process calling cloud APIs it has no business touching. With no software patch to push, the immediate work is detection — hunting for the persistence Run keys, the SolidPDFPcl2Bmp scheduled task, the couldinstallup[.]com domain, and Zoho user agents on non‑browser processes — and cleaning active compromises in concert with CERT‑In.
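The hunting items listed above (the SolidPDFPcl2Bmp task, the couldinstallup[.]com domain, Zoho user agents on non-browser processes, Run key persistence) and the signed-binary sideloading pattern can be turned into a small triage script. The following is an added example, not code from Acronis or the report. It runs over constructed Sysmon/EDR-style events whose field names are assumptions; the browser allowlist, the "user-writable path" heuristic applied to Run keys, and the sideloading check (signed process loading a hidden, unsigned DLL from its own directory) are analyst heuristics layered on the report's indicators, not indicators Acronis published. Only the task name and the C2 domain are taken verbatim from the text.

```python
"""Triage endpoint telemetry against the Mustang Panda indicators summarized above.

Added example, not Acronis's code. Event schema, sample data, the browser
allowlist and the path heuristics are assumptions made for illustration.
"""
import re

# Indicators taken from the text. The domain is printed defanged on the page
# (couldinstallup[.]com); refang it so it matches real DNS telemetry.
C2_DOMAIN = "couldinstallup[.]com".replace("[.]", ".")
TASK_NAME = "solidpdfpcl2bmp"

# Assumptions (not from the report): processes allowed to present a Zoho user
# agent, and what counts as a user-writable directory for persistence/staging.
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Downloads|Temp|Desktop|AppData)\\", re.I)


def _name(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _dir(path):
    """Directory part of a Windows path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[0].lower()


def hunt(events):
    """Return a list of (severity, reason, event) for every matching event."""
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "task_create" and e["task"].lower() == TASK_NAME:
            hits.append(("high", "scheduled task SolidPDFPcl2Bmp", e))
        elif kind == "dns":
            q = e["query"].lower().rstrip(".")
            if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
                hits.append(("high", "DNS lookup of C2 domain", e))
        elif kind == "http":
            ua = e.get("user_agent", "").lower()
            if "zoho" in ua and _name(e["process"]) not in BROWSER_ALLOWLIST:
                hits.append(("medium", "Zoho user agent from non-browser process", e))
        elif kind == "registry":
            # Heuristic, not a published IOC: a Run/RunOnce value whose data
            # points into a user-writable path is worth a look.
            if RUN_KEY_RE.search(e["key"]) and USER_WRITABLE_RE.search(e.get("data", "")):
                hits.append(("medium", "Run key persistence into user-writable path", e))
        elif kind == "image_load":
            # Sideloading shape described in the report: a signed binary running
            # from a user-writable directory loads a hidden, unsigned DLL beside it.
            same_dir = _dir(e["image"]) == _dir(e["process"])
            if (e.get("process_signed") and not e.get("image_signed")
                    and e.get("image_hidden") and same_dir
                    and USER_WRITABLE_RE.search(e["process"])):
                hits.append(("high", "signed binary sideloading hidden DLL", e))
    return hits


# Constructed sample telemetry, not real logs. Hosts, paths and names are made up.
SAMPLE_EVENTS = [
    {"type": "task_create", "task": "SolidPDFPcl2Bmp", "host": "ws01"},
    {"type": "dns", "query": "couldinstallup.com.", "host": "ws01"},
    {"type": "dns", "query": "workdrive.zoho.com", "host": "ws01"},  # benign
    {"type": "http", "process": r"C:\Users\u\Downloads\MoU\SolidPDFCreator.exe",
     "user_agent": "ZohoWorkDrive/1.0", "host": "ws01"},
    {"type": "http", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "user_agent": "ZohoWorkDrive/1.0", "host": "ws02"},  # allowlisted browser
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleKey",
     "data": r"C:\Users\u\AppData\Local\Temp\x\SolidPDFCreator.exe", "host": "ws01"},
    {"type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "host": "ws02"},  # benign
    {"type": "image_load",
     "process": r"C:\Users\u\Downloads\MoU\SolidPDFCreator.exe", "process_signed": True,
     "image": r"C:\Users\u\Downloads\MoU\hidden_sample.dll", "image_signed": False,
     "image_hidden": True, "host": "ws01"},
]

if __name__ == "__main__":
    for sev, why, ev in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {ev['host']}: {why}")
```

The two "high" indicators (task name, C2 domain) are exact matches and can be alerted on directly; the Zoho-user-agent and Run-key rules are heuristics that will need tuning to the environment's legitimate Zoho clients and installers before they are promoted from hunt queries to alerts.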
Read the original report: https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html