How the Attack Works
A China-aligned threat group known as Mustang Panda is conducting two parallel espionage campaigns targeting Indian government networks and hydropower facilities. The operation leverages Zoho WorkDrive, a legitimate cloud storage platform widely used in India's government sector, as a command-and-control channel. By blending malicious traffic with normal cloud storage activity, the attackers conceal their data exfiltration and command relay within routine network traffic.
New Malware Tools Deployed
Acronis Threat Research Unit identified three new malware variants used in the operation. SHARDLOADER is a loader that achieves execution through DLL sideloading, using signed binaries from Solid PDF Creator or Citrix Receiver. It delivers two payloads: MINIRECON, an updated version of the Toneshell backdoor that uses WebSocket over HTTPS for beaconing, and ZOHOMURK, a custom tool with hardcoded Zoho OAuth credentials. ZOHOMURK uses an attacker-controlled WorkDrive account as a dead drop, reading commands from an inbox folder and writing stolen data to an outbox folder.
Impact and Scope
Active compromises were discovered inside Indian government networks, including machines used by senior administrative staff. The lures for initial access are tailored ZIP archives themed around a hydropower cooperation proposal and a memorandum of understanding between Indian and Taiwanese institutions. Acronis worked with CERT-In on notification and remediation. Beaconing activity was observed from June 12 to June 22, 2026. Defenders should monitor for persistence mechanisms such as Run keys, the scheduled task SolidPDFPcl2Bmp, the C2 domain couldinstallup[.]com, and any endpoint process calling cloud storage APIs without a legitimate reason.
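The detection guidance above can be turned into a small triage pass over endpoint telemetry. The script below is an added example, not code from the article or from Acronis: it checks constructed sample events (DNS lookups, registry writes, scheduled-task creation, outbound connections) against the indicators the article names, namely the C2 domain, the scheduled task name, Run-key persistence pointing into user-writable directories, and non-allowlisted processes talking to a cloud storage API host. The Zoho WorkDrive hostname, the process allowlist and the process name `sideload_host.exe` are assumptions or constructed stand-ins, not values from the article.

```python
import re
from typing import Dict, List

# Indicators named in the article.
C2_DOMAIN = "couldinstallup.com"
SCHEDULED_TASK = "SolidPDFPcl2Bmp"

# Run / RunOnce autostart keys under either hive.
RUN_KEY_RE = re.compile(
    r"^HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I
)
# Directories an unprivileged user can write to; autostart entries pointing
# there deserve review, while entries under Program Files are usually benign.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.I)

# Assumed cloud-storage API host (Zoho WorkDrive is what the article names;
# take the exact hostnames from your own proxy logs).
CLOUD_API_HOSTS = {"workdrive.zoho.com"}
# Constructed allowlist: processes expected to reach cloud storage on this host.
CLOUD_ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe"}

# Constructed sample telemetry. "sideload_host.exe" stands in for a signed
# vendor binary abused for DLL sideloading; it is not a real indicator.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "updates.microsoft.com", "process": "svchost.exe"},
    {"type": "dns", "host": "couldinstallup.com", "process": "sideload_host.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\u\AppData\Roaming\Vendor\sideload_host.exe"},
    {"type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Agent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "task", "name": "SolidPDFPcl2Bmp",
     "action": r"C:\Users\u\AppData\Roaming\Vendor\sideload_host.exe"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"type": "network", "host": "workdrive.zoho.com", "process": "chrome.exe"},
    {"type": "network", "host": "workdrive.zoho.com", "process": "sideload_host.exe"},
]


def defang(domain: str) -> str:
    """Render a domain the way the article does (couldinstallup[.]com)."""
    return domain.replace(".", "[.]")


def matches_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain, not for look-alike suffixes."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single telemetry event matches."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "dns" and matches_domain(event.get("host", ""), C2_DOMAIN):
        hits.append("c2_domain")
    if (kind == "registry" and RUN_KEY_RE.match(event.get("key", ""))
            and USER_WRITABLE_RE.search(event.get("value", ""))):
        hits.append("run_key_persistence")
    if kind == "task" and event.get("name", "").lower() == SCHEDULED_TASK.lower():
        hits.append("scheduled_task")
    if (kind == "network" and event.get("host", "").lower() in CLOUD_API_HOSTS
            and event.get("process", "").lower() not in CLOUD_ALLOWED_PROCESSES):
        hits.append("cloud_api_unexpected_process")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through the rules and collect (rule, event) findings."""
    findings: List[Dict[str, object]] = []
    for event in events:
        for rule in check_event(event):
            findings.append({"rule": rule, "event": event})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        ev = finding["event"]
        summary = {k: (defang(v) if k == "host" else v) for k, v in ev.items()}
        print(f"[{finding['rule']}] {summary}")
```

The cloud-API rule is deliberately an allowlist rather than a blocklist: the article's point is that WorkDrive traffic looks normal, so the useful signal is which process originates it, not the destination on its own. Feed real telemetry in the same shape (one dict per event) and tune the allowlist to the software actually deployed on the host.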
Source: The Hacker News
