logo

Mustang Panda Abuses Zoho WorkDrive in Espionage Attacks on India’s Government

ID: cd372fcd-f8d0-5cbb-928c-6b25a40a170d

STIX ID: report--cd372fcd-f8d0-5cbb-928c-6b25a40a170d

Feed Name: securityonline.info

Threat Score
90/100

Date Published: 2026-07-02

Date Updated: 2026-07-02

Author: Do Son

...
...

Mustang Panda (China‑aligned APT) conducted two spear‑phishing campaigns against Indian government and hydropower targets, delivering ZIP attachments that sideloaded malicious DLLs (via signed binaries) to deploy SHARDLOADER, MINIRECON and ZOHOMURK. ZOHOMURK abused Zoho WorkDrive with hardcoded OAuth tokens to use cloud folders as a dead‑drop C2, while implants exhibited persistence, anti‑analysis checks, and active beaconing to senior officials’ machines between June 12–22, 2026; Acronis TRU coordinated remediation with CERT‑In and published indicators and hunting guidance.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.