Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks
The China-aligned espionage groupĀ Mustang Panda Ā is running two campaigns against the Indian government and hydropower targets, deploying new malware and turning a legitimate cloud service into its command channel. Acronis Threat Research Unit Ā found active compromises inside Indian government networks, including machines used by senior administrative staff, and worked withĀ CERT-In Ā on notification and cleanup. The malware abusesĀ Zoho WorkDrive , a cloud storage platform common in India's government sector, to pass commands and exfiltrate data. That is the whole idea: the traffic looks like ordinary cloud activity, so it hides inside the network it is stealing from. Acronis names three new tools. SHARDLOADER is a loader that runs by sideloading a malicious DLL through a legitimately signed binary, a Solid PDF Creator executable in one campaign, and a Citrix Receiver binary in the other. It deploys one of two implants. MINIRECON is a rewor...
ī Jun 29, 2026