Mustang Panda Abuses Zoho WorkDrive in Espionage Attacks on India’s Government
ID: cd372fcd-f8d0-5cbb-928c-6b25a40a170d
STIX ID: report--cd372fcd-f8d0-5cbb-928c-6b25a40a170d
Feed Name: securityonline.info
Mustang Panda (China‑aligned APT) conducted two spear‑phishing campaigns against Indian government and hydropower targets, delivering ZIP attachments that sideloaded malicious DLLs (via signed binaries) to deploy SHARDLOADER, MINIRECON and ZOHOMURK. ZOHOMURK abused Zoho WorkDrive with hardcoded OAuth tokens to use cloud folders as a dead‑drop C2, while implants exhibited persistence, anti‑analysis checks, and active beaconing to senior officials’ machines between June 12–22, 2026; Acronis TRU coordinated remediation with CERT‑In and published indicators and hunting guidance.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
