The Mustang Panda APT group conducted two active espionage campaigns in June 2026 against the Indian government and hydroelectric targets. Acronis Threat Research Unit detected compromises inside Indian government networks, including devices belonging to senior administrative staff, and worked with CERT-In on notification and remediation. The tactical core is the abuse of Zoho WorkDrive, a cloud storage platform widely used in the Indian government sector, repurposed as command-and-control infrastructure that masks malicious traffic as ordinary cloud activity.
- Mustang Panda ran two distinct campaigns in June 2026 against the Indian government and hydroelectric infrastructure, with active beaconing from June 12 to 22.
- The ZOHOMURK malware contains hardcoded Zoho OAuth credentials and uses an attacker-controlled WorkDrive account as a dead drop: it reads commands from the inbox folder and writes stolen output to the outbox folder.
- SHARDLOADER operates via DLL sideloading: in one campaign it uses the signed Solid PDF Creator executable, in the other the Citrix Receiver binary, to load a malicious DLL.
- Acronis attributes the activity to Mustang Panda with high confidence based on code overlaps with Toneshell, reuse of the sideloading chain, and C2 servers in the same block of network infrastructure that IBM X-Force documented for the group.
How Zoho WorkDrive Became an Invisible C2 Channel
The choice of Zoho WorkDrive is deliberate. The platform is common in the Indian government sector, making its traffic legitimate and expected inside target networks. The ZOHOMURK component — revealed for the first time in this campaign — contains hardcoded Zoho OAuth credentials. These credentials allow authenticated access to a WorkDrive account controlled by the threat actor.
The communication mechanism is a classic dead drop executed on enterprise cloud infrastructure. ZOHOMURK reads commands from the account's inbox folder and writes exfiltrated data to the outbox folder. The resulting traffic appears as normal cloud storage activity, evading network controls based on suspicious domains or protocol anomalies. According to Acronis, as reported by The Hacker News, "the traffic looks like ordinary cloud activity, so it hides inside the very network it's stealing from."
The source does not specify whether the hardcoded OAuth credentials have been revoked by Zoho or remain active at the time of publication. This gap leaves the operational lifespan of the threat an open question.
The Infection Chain: Signed Sideloading and WebSocket Beaconing
Initial delivery occurs through ZIP archives concealing malicious DLLs. Acronis assesses spear-phishing as the likely vector, although the source does not document specific email samples. The thematic lures involve a hydroelectric cooperation proposal and a memorandum of understanding between Indian and Taiwanese institutions, indicating targeted intelligence collection on Indian hydroelectric plans and defense ties with Taiwan.
SHARDLOADER is the loader that kicks off the chain. In one of the two identified campaigns, it uses the legitimate, signed Solid PDF Creator executable to sideload a malicious DLL. In the other campaign, the signed binary is Citrix Receiver. This technique exploits the trust that operating systems and security tools place in binaries signed by known publishers, reducing visibility of malicious execution.
MINIRECON is a reworked variant of the Toneshell backdoor, previously documented by IBM X-Force. The novelty compared to the original version is WebSocket beaconing over HTTPS, a channel that blends into ordinary encrypted web traffic and complicates detection based on network signatures.
The Evidence for Attribution to Mustang Panda
Acronis assigns high-confidence attribution through a combination of technical indicators. The sideloading chain involving Solid PDF Creator has been reused in previous operations by the group. MINIRECON's code overlaps with Toneshell, a backdoor historically associated with Mustang Panda. Command-and-control servers reside in the same block of network infrastructure that IBM X-Force documented in connection with the group. Finally, a recurring typo, "RunOnece" instead of "RunOnce", appears across multiple implants and constitutes a recognizable behavioral pattern.
The attribution remains scoped to the APT group. The dossier does not document direct involvement of Chinese state entities in this specific operation. In April 2026, Acronis had already linked Mustang Panda's LOTUSLITE backdoor to attacks on the Indian banking sector and South Korean political circles, also involving abuse of a legitimate cloud service. This continuity reinforces the tactical pattern but does not extend attribution beyond the group.
"There's no patch to apply. The defense lies in intercepting delivery and cloud abuse." — Acronis Threat Research Unit
Timeline and Indicators of Compromise
Active beaconing was detected from June 12 to June 22, 2026. This interval represents the confirmed observation window, not necessarily the full extent of the campaign, which the source does not quantify. Acronis published specific indicators of compromise: Run registry keys, a scheduled task named SolidPDFPcl2Bmp, the C2 domain couldinstallup[.]com, and the Zoho-associated user-agent anomaly tied to non-browser processes.
The source does not specify the exact number of victims or compromised organizations. No additional malware or persistence tools beyond those identified appear in the dossier, but the lack of confirmation does not equal exclusion.
What to Do Now
The campaign reveals a tactical evolution that shifts the security problem from the network perimeter to endpoint behavior. When the command-and-control channel is a legitimate SaaS service with authenticated, encrypted traffic, blocking suspicious domains becomes ineffective. Detection must move to behavioral correlation: non-browser endpoint processes interacting with cloud APIs in anomalous patterns.
Specific actions derived from the documented case include: monitoring processes that make Zoho WorkDrive API calls without an associated browser; checking for the SolidPDFPcl2Bmp scheduled task on Windows systems; inspecting HTTPS connections to couldinstallup[.]com; analyzing the registry for Run keys containing the "RunOnece" typo; and inspecting inbound ZIP archives containing hidden DLLs, especially with hydroelectric or India-Taiwan themes.
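The checks listed above can be turned into a small hunt over endpoint and proxy telemetry. The script below is an added example for this article, not code from Acronis, The Hacker News, or the report; it uses the indicators the dossier names (the couldinstallup[.]com domain, the SolidPDFPcl2Bmp task, the "RunOnece" typo) and treats the telemetry field names, the sample records, the process names (such as solidpdfcreator.exe), the Zoho host pattern, and the allow-list of processes expected to reach Zoho WorkDrive as assumptions to be tuned to your own environment.

```python
"""
Hunt for the behaviours described in the Mustang Panda / Zoho WorkDrive report:
 - any process contacting the reported C2 domain
 - non-browser processes talking to Zoho WorkDrive (cloud dead-drop C2)
 - the SolidPDFPcl2Bmp scheduled task
 - Run-style persistence entries carrying the implant's "RunOnece" typo
All telemetry below is constructed sample data, not real victim records.
"""
import re
from dataclasses import dataclass

C2_DOMAIN = "couldinstallup.com"         # reported C2, written defanged in the article
SCHEDULED_TASK_IOC = "SolidPDFPcl2Bmp"   # scheduled task name from the report
RUNKEY_TYPO = "RunOnece"                 # implant typo for "RunOnce" noted by Acronis

# WorkDrive is served from Zoho domains. The exact API hosts are an assumption,
# so any zoho.com / zohoapis.com destination is considered and the process
# allow-list decides whether the connection is expected.
ZOHO_HOST_RE = re.compile(r"(^|\.)zoho(apis)?\.com$", re.IGNORECASE)

# Processes expected to reach Zoho WorkDrive from a workstation (assumption;
# tune to the browsers and sync clients actually deployed in your fleet).
EXPECTED_ZOHO_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "zohoworkdrive.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def check_network(events):
    """Flag C2 contact and non-browser processes calling Zoho endpoints."""
    findings = []
    for ev in events:
        dest = ev["dest"].lower()
        proc = ev["process"].lower()
        if dest == C2_DOMAIN or dest.endswith("." + C2_DOMAIN):
            findings.append(Finding(ev["host"], "c2-domain", f"{proc} -> {dest}"))
        elif ZOHO_HOST_RE.search(dest) and proc not in EXPECTED_ZOHO_CLIENTS:
            ua = ev.get("user_agent", "")
            findings.append(Finding(ev["host"], "nonbrowser-zoho-api",
                                    f"{proc} -> {dest} UA={ua!r}"))
    return findings


def check_scheduled_tasks(tasks):
    """Flag the scheduled task name published as an indicator."""
    return [Finding(t["host"], "scheduled-task-ioc", t["name"])
            for t in tasks if t["name"].lower() == SCHEDULED_TASK_IOC.lower()]


def check_registry(entries):
    """Flag autorun entries whose key path, value name or data carries the typo."""
    findings = []
    for e in entries:
        blob = " ".join((e["key"], e["value_name"], e["data"])).lower()
        if RUNKEY_TYPO.lower() in blob:
            findings.append(Finding(e["host"], "runonece-typo",
                                    f"{e['key']}\\{e['value_name']} = {e['data']}"))
    return findings


def hunt(telemetry):
    """Run every check and return the combined list of findings."""
    return (check_network(telemetry.get("network", []))
            + check_scheduled_tasks(telemetry.get("tasks", []))
            + check_registry(telemetry.get("registry", [])))


# Constructed sample telemetry: one clean workstation, one matching the report.
SAMPLE_TELEMETRY = {
    "network": [
        {"host": "ws-101", "process": "msedge.exe", "dest": "workdrive.zoho.com",
         "user_agent": "Mozilla/5.0"},
        {"host": "ws-102", "process": "solidpdfcreator.exe", "dest": "workdrive.zoho.com",
         "user_agent": "ZohoWorkDrive-sync"},          # constructed non-browser UA
        {"host": "ws-103", "process": "receiver.exe", "dest": "couldinstallup.com",
         "user_agent": ""},
        {"host": "ws-104", "process": "outlook.exe", "dest": "mail.example.com",
         "user_agent": "Microsoft Office"},
    ],
    "tasks": [
        {"host": "ws-102", "name": "SolidPDFPcl2Bmp"},
        {"host": "ws-104", "name": "GoogleUpdateTaskMachine"},
    ],
    "registry": [
        {"host": "ws-102", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnece",
         "value_name": "SolidPDF", "data": r"C:\Users\Public\solidpdfcreator.exe"},
        {"host": "ws-104", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "value_name": "OneDrive", "data": r"C:\Program Files\OneDrive.exe"},
    ],
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_TELEMETRY):
        print(f"{f.host}\t{f.rule}\t{f.detail}")
```

On the sample data the hunt returns four findings, all on ws-102 and ws-103; the browser session on ws-101 to the same Zoho host is not flagged, which is the point of correlating destination with the originating process rather than blocking the domain.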
The "living off the land" technique applied to enterprise cloud services reduces infrastructure cost for the attacker and increases operational resilience, since compromise of a single cloud account does not expose the C2 infrastructure to traditional takedown. The dossier does not document specific remedial measures or detailed operational recommendations. The source does not specify the exact nature of exfiltrated data, nor whether other critical Indian sectors beyond government and hydroelectric were involved.
Frequently Asked Questions
Did Mustang Panda exploit a vulnerability in Zoho WorkDrive?
No. The abuse occurs via hardcoded OAuth credentials that authenticate access to an attacker-controlled WorkDrive account. No vulnerability in the Zoho service emerges in the dossier.
Is the campaign still active?
Confirmed beaconing ended on June 22, 2026. The source does not document activity after that date, nor does it state that the campaign has definitively concluded.
What makes ZOHOMURK technically distinct from other cloud-based C2 tools?
The specificity lies in the use of a single enterprise cloud service as a bidirectional dead drop, reading commands from the inbox folder and writing output to the outbox folder, rather than the generic messaging or storage channels often used by other groups.
Information is based on the cited source and current as of publication.
Sources
- https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html