The Mustang Panda group has launched campaigns targeting the Indian government, utilizing Zoho WorkDrive to transmit commands and steal data. This approach leverages legitimate service traffic to mask malicious activities and is part of broader espionage efforts aimed at India's hydropower initiatives and defense relations with Taiwan.
Mustang Panda, a China-aligned espionage group, has initiated two campaigns focusing on the Indian government and hydropower sectors. Acronis Threat Research Unit investigated the incidents, uncovering active compromises within government networks, particularly affecting senior administrative personnel.
The campaign utilizes a combination of new malware and exploits of legitimate services. Zoho WorkDrive, a popular cloud storage solution in India, is being abused to pass commands to infected devices and to exfiltrate sensitive data, thereby disguising malicious traffic as normal cloud service activity.
Acronis has identified three new tools associated with the campaigns:
- SHARDLOADER, which sideloads a malicious DLL through legitimate binaries;
- MINIRECON, a modified variant of the existing Toneshell backdoor that uses WebSocket for communication;
- ZOHOMURK, which employs hardcoded Zoho OAuth credentials to control a compromised WorkDrive account for executing commands and collecting stolen data.
The malicious payloads are likely delivered via spear-phishing attacks, disguised in ZIP archives featuring hidden DLLs. The themes of these lures align with Indian hydropower proposals and MoUs with Taiwan, indicating the targets' relevance to Mustang Panda's intelligence objectives.
Acronis attributes these attacks with high confidence to Mustang Panda and highlights how exposed India's defense sector is to espionage. The incident reflects a continuing trend of targeting critical infrastructure in order to gather intelligence on India's strategic plans and international partnerships.
This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.