● Covered by 1 source · 1 report · High impact

Mustang Panda Exploits Zoho WorkDrive in Campaign Against Indian Government

Aggregated by BrevFeed security · updated 1d ago

The Mustang Panda group has launched campaigns targeting the Indian government, utilizing Zoho WorkDrive to transmit commands and steal data. This approach leverages legitimate service traffic to mask malicious activities and is part of broader espionage efforts aimed at India's hydropower initiatives and defense relations with Taiwan.

Key points

Overview of Campaigns

Mustang Panda, a China-aligned espionage group, has initiated two campaigns focusing on the Indian government and hydropower sectors. Acronis Threat Research Unit investigated the incidents, uncovering active compromises within government networks, particularly affecting senior administrative personnel.

Malware and Methods

The campaign utilizes a combination of new malware and exploits of legitimate services. Zoho WorkDrive, a popular cloud storage solution in India, is being abused to pass commands to infected devices and to exfiltrate sensitive data, thereby disguising malicious traffic as normal cloud service activity.

Malware Components Identified

Acronis has identified three new tools associated with the campaigns:

- SHARDLOADER, which sideloads a malicious DLL through legitimate binaries;

- MINIRECON, a modified variant of the existing Toneshell backdoor, which uses WebSocket for communication;

- ZOHOMURK, which employs hardcoded Zoho OAuth credentials to control a compromised WorkDrive account for executing commands and collecting stolen data.

Delivery and Targeting Mechanism

The malicious payloads are likely delivered via spear-phishing attacks, disguised in ZIP archives featuring hidden DLLs. The themes of these lures align with Indian hydropower proposals and MoUs with Taiwan, indicating the targets' relevance to Mustang Panda's intelligence objectives.

Implications for Indian Security

Acronis attributes these attacks with high confidence to Mustang Panda, highlighting how exposed India's defense sector is to espionage efforts. This incident reflects a continuing trend of targeting critical infrastructure, aiming to gather intelligence on India's strategic plans and global partnerships.

This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors — check the original sources.
