Threat Actors Abuse Legitimate Cloud Platform to Conduct Espionage Against Indian Government, Zoho - Drive
Mustang Panda Turns Cloud Storage Into a Spy Tool in Dual Campaign Against India
A Chinese state-aligned hacking group known as Mustang Panda has launched two simultaneous operations targeting Indian government agencies and energy infrastructure, introducing a fresh set of malware tools and weaponizing a widely used cloud platform to blend its malicious traffic into normal network activity.
Researchers at Acronis Threat Research Unit uncovered active intrusions within Indian government networks — including systems operated by senior administrative personnel — and coordinated with India's national cybersecurity agency, CERT-In, to contain and remediate the damage.
At the center of both campaigns is an abuse of Zoho WorkDrive, a cloud storage platform with a significant footprint in India's public sector. Rather than relying on traditional command infrastructure, attackers routed instructions and stolen data through a WorkDrive account they controlled, effectively camouflaging espionage traffic as routine cloud usage.
Three New Tools, One Familiar Playbook
Acronis identified three previously undocumented malware components powering the operation.
The first, dubbed SHARDLOADER, serves as the initial-stage loader. It relies on DLL sideloading: the malicious library is placed where a legitimately signed application will load it, so the implant's code runs inside a trusted, signed process. Depending on the campaign, that application was either a Solid PDF Creator executable or a Citrix Receiver binary. Once executed, SHARDLOADER delivers one of two follow-on implants.
The second tool, MINIRECON, is a retooled version of the Toneshell backdoor previously analyzed by IBM X-Force. The updated variant communicates with its operators over a WebSocket connection wrapped in HTTPS, giving it a more modern and harder-to-detect beaconing mechanism.
The third and most novel component is ZOHOMURK. It arrives with Zoho OAuth credentials hardcoded directly into the binary, which it uses to authenticate against an attacker-controlled WorkDrive account. Commands are deposited into an inbox folder; harvested data is written back to an outbox. The entire exchange looks, to a network monitor, like an employee syncing files.
Delivery and Intent
Both campaigns are believed to have been launched via spear-phishing, with victims receiving ZIP archives containing the malicious DLL concealed as a hidden file. The lures were tailored to their targets: one posed as a hydropower cooperation proposal, the other mimicked a memorandum of understanding between Indian and Taiwanese institutions — a topic with obvious geopolitical sensitivity.
Acronis assesses with high confidence that Mustang Panda is behind the activity, pointing to several technical overlaps: a recycled Solid PDF Creator sideloading chain, shared code with known Toneshell samples, command servers hosted on network infrastructure previously attributed to the group by IBM X-Force, and an identical typo — "RunOnece" — embedded across multiple implants.
The group's operational security left much to be desired. Hardcoded tokens, plaintext identifiers, and reused network infrastructure gave analysts multiple threads to pull. Beaconing activity was observed between June 12 and June 22, 2026.
A Sustained Focus on India
This is not an isolated effort. In April, Acronis linked Mustang Panda to a separate campaign deploying its LOTUSLITE backdoor against India's banking sector and South Korean policy institutions — again using a legitimate cloud service as cover. Chinese-linked interest in Indian critical infrastructure stretches back even further: the 2021 RedEcho campaign targeted India's power grid using ShadowPad malware.
What Defenders Should Do
There is no software patch that stops this. The attack relies on abuse of legitimate tools and trusted binaries, so defenders need to focus on catching early delivery and identifying unusual cloud API activity.
Acronis has released a set of indicators and detection guidance. Key markers include persistence entries in Windows Run registry keys, a scheduled task named SolidPDFPcl2Bmp, the command-and-control domain couldinstallup[.]com, and Zoho user agent strings appearing in processes that have no legitimate reason to call cloud services.
Organizations in government and energy — particularly those engaged in cross-border agreements likely to attract Beijing's attention — should treat geopolitically themed email lures with heightened suspicion, scrutinize any signed binary that loads unexpected DLLs, and monitor endpoints for unusual outbound calls to cloud storage platforms.
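The recommendations above (signed binaries loading unexpected DLLs, Run-key and scheduled-task persistence, the listed C2 domain, and cloud user-agent strings from processes that should not be calling cloud services) can be expressed as a small set of rules over endpoint telemetry. The script below is an added illustration, not Acronis's detection content or any vendor's product logic. It runs over constructed events; the process names (SolidPDFCreator.exe, ZohoWorkDrive.exe), the user-agent string, the file paths and the allowlist of processes permitted to talk to Zoho are assumptions made for the example. Only the task name SolidPDFPcl2Bmp and the domain couldinstallup[.]com come from the article's indicators.

```python
"""Rule-based triage of constructed endpoint events for the indicators in the article.

All events, paths and process names below are constructed for illustration.
The allowlist of processes expected to contact Zoho is an assumption; tune it
to the clients actually deployed in your environment.
"""
from dataclasses import dataclass

# Indicators quoted in the article (domain appears there defanged as couldinstallup[.]com)
C2_DOMAINS = {"couldinstallup.com"}
SUSPICIOUS_TASK_NAMES = {"solidpdfpcl2bmp"}

# Persistence location and "trusted" directories (lower-cased for comparison)
RUN_KEY_MARKER = r"\software\microsoft\windows\currentversion\run"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Assumption: the only processes in this environment with a reason to speak to Zoho.
ZOHO_CLIENT_ALLOWLIST = {"zohoworkdrive.exe", "chrome.exe", "msedge.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str  # process that triggered the rule


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def check_network(ev: dict) -> list:
    """Known C2 domain, or a Zoho user agent from a process that should not use cloud storage."""
    out = []
    if ev.get("dest_domain", "").lower() in C2_DOMAINS:
        out.append(Alert("known_c2_domain", ev["image"]))
    ua = ev.get("user_agent", "").lower()
    if "zoho" in ua and _basename(ev["image"]) not in ZOHO_CLIENT_ALLOWLIST:
        out.append(Alert("zoho_ua_unexpected_process", ev["image"]))
    return out


def check_image_load(ev: dict) -> list:
    """Signed host process loading an unsigned DLL from outside system/program directories."""
    if ev["image_signed"] and not ev["dll_signed"] and not _dirname(ev["dll"]).startswith(SYSTEM_DIRS):
        return [Alert("dll_sideload_candidate", ev["image"])]
    return []


def check_task(ev: dict) -> list:
    if ev["task_name"].lower() in SUSPICIOUS_TASK_NAMES:
        return [Alert("suspicious_task_name", ev["image"])]
    return []


def check_registry(ev: dict) -> list:
    """Run/RunOnce value pointing at a binary outside trusted directories."""
    if RUN_KEY_MARKER in ev["key"].lower() and not ev["value"].lower().startswith(SYSTEM_DIRS):
        return [Alert("run_key_persistence", ev["image"])]
    return []


CHECKS = {
    "network": check_network,
    "image_load": check_image_load,
    "scheduled_task": check_task,
    "registry_set": check_registry,
}


def analyze(events: list) -> list:
    alerts = []
    for ev in events:
        alerts.extend(CHECKS.get(ev["type"], lambda e: [])(ev))
    return alerts


# Constructed telemetry: one benign sync client, one benign DLL load, five suspicious events.
TEMP = r"C:\Users\asha\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "network", "image": TEMP + r"\SolidPDFCreator.exe", "user_agent": "ZohoWorkDrive/1.0 (constructed)",
     "dest_domain": "workdrive.zoho.com"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe", "user_agent": "Mozilla/5.0",
     "dest_domain": "couldinstallup.com"},
    {"type": "image_load", "image": TEMP + r"\SolidPDFCreator.exe", "image_signed": True,
     "dll": TEMP + r"\hypothetical_sideloaded.dll", "dll_signed": False},
    {"type": "image_load", "image": r"C:\Windows\System32\notepad.exe", "image_signed": True,
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"type": "scheduled_task", "image": TEMP + r"\SolidPDFCreator.exe", "task_name": "SolidPDFPcl2Bmp"},
    {"type": "registry_set", "image": TEMP + r"\SolidPDFCreator.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": TEMP + r"\SolidPDFCreator.exe"},
    {"type": "network", "image": r"C:\Program Files\Zoho\ZohoWorkDrive.exe", "user_agent": "ZohoWorkDrive/1.0 (constructed)",
     "dest_domain": "workdrive.zoho.com"},
]


def run_demo() -> list:
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.rule:32s} {a.image}")
```

The user-agent rule is the one most likely to need tuning: browsers and the real sync client legitimately present Zoho strings, so the value of the rule lies in the allowlist, not the string match. The sideload rule deliberately ignores the DLL's name, since the article's point is that the host process is a signed, trusted binary; what stands out is an unsigned library loaded from a user-writable directory.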