Mustang Panda Uses Zoho WorkDrive To Target Indian Government And Hydropower Networks

Acronis Threat Research Unit has uncovered two active cyber-espionage campaigns conducted by the China-aligned threat group Mustang Panda, targeting Indian government organizations and the country’s hydropower sector. According to the company’s latest findings, the attackers deployed newly identified malware and used Zoho WorkDrive, a legitimate cloud storage platform widely used across India’s government sector, as a covert command-and-control channel. Acronis said the investigation revealed active compromises within Indian government networks, including systems used by senior administrative personnel. The company worked with CERT-In to notify affected organizations and assist with response and cleanup. Researchers explained that by abusing a trusted cloud service already present in many government environments, the attackers could disguise malicious communications as legitimate cloud traffic, making the activity significantly harder to spot during routine network monitoring.

The investigation identified three previously undocumented malware components used across the campaigns. The first, SHARDLOADER, is a loader that runs by sideloading a malicious dynamic-link library (DLL) through legitimately signed software: one campaign abused a Solid PDF Creator executable, the other a Citrix Receiver binary, to launch the malicious code. SHARDLOADER then deploys one of two payloads. The second tool, MINIRECON, is described as a modified version of the Toneshell backdoor previously documented by IBM X-Force. Unlike earlier variants, MINIRECON communicates through encrypted WebSocket connections over HTTPS, which lets the malware blend its traffic to attacker infrastructure in with ordinary web activity. The third and most significant tool, ZOHOMURK, contains hardcoded Zoho OAuth credentials that give it access to an attacker-controlled Zoho WorkDrive account. The malware polls a designated inbox folder for commands and uploads stolen information to a corresponding outbox folder, effectively turning the cloud storage service into a hidden communication channel for espionage operations. Both campaigns were delivered as ZIP archives containing hidden malicious DLL files, with Acronis assessing that spear-phishing emails served as the initial infection vector. The lures were tailored to the intended victims, including documents referencing a hydropower cooperation proposal and a memorandum of understanding involving Indian and Taiwanese institutions.

Acronis stated that the primary objective of the campaigns was to collect intelligence related to India’s hydropower development plans and defense cooperation with Taiwan. The company attributed the activity to Mustang Panda with high confidence based on multiple technical indicators and infrastructure overlaps. Researchers identified reuse of the Solid PDF Creator sideloading chain, code similarities with the Toneshell malware family, and command infrastructure located within the same network ranges previously associated by IBM X-Force with Mustang Panda operations. Analysts also observed a recurring programming typo, “RunOnece,” which appeared consistently across several malware samples and further strengthened the attribution. Operational security mistakes by the attackers also assisted investigators during the analysis: hardcoded authentication tokens, plaintext identifiers, and reused infrastructure enabled researchers to map the campaign more effectively. According to the report, active beaconing linked to the malware occurred between June 12 and June 22, 2026, allowing investigators to observe communications between compromised systems and attacker-controlled infrastructure during the active phase of the operation.

The newly identified campaigns continue a pattern of cyber-espionage activity attributed to Mustang Panda against Indian organizations. Earlier in April, Acronis linked the group’s LOTUSLITE backdoor to attacks targeting India’s banking sector and policy organizations in South Korea, with those operations also relying on legitimate cloud services to conceal malicious activity. Researchers also noted that China-linked interest in India’s energy infrastructure extends back several years, including the RedEcho campaign in 2021, during which ShadowPad malware targeted the country’s electricity grid. Acronis emphasized that no software patch can prevent this type of attack, because the campaigns rely primarily on social engineering, trusted applications, and legitimate cloud platforms. Instead, organizations are advised to strengthen detection by monitoring for spear-phishing attempts, suspicious sideloading activity involving signed software, unusual persistence mechanisms such as scheduled tasks named SolidPDFPcl2Bmp and Run registry keys used for persistence, communications with the command-and-control domain couldinstallup[.]com, and Zoho-related user agents appearing in non-browser processes. Government agencies and energy-sector organizations, particularly those involved in international cooperation projects, are also encouraged to remain alert to geopolitically themed phishing lures and to unexpected endpoint processes attempting to communicate with cloud APIs that are unrelated to normal business operations.
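The hunting checks listed above can be turned into rules run over endpoint telemetry. The script below is an added example written for this page, not Acronis tooling, and it runs five such rules over constructed Sysmon-style events: an unsigned DLL loaded from a signed program's own directory under a user-writable path (the sideload pattern), creation of the SolidPDFPcl2Bmp scheduled task, a Run-key value pointing into a user profile, a DNS lookup of the C2 domain (refanged only for matching), and a Zoho user agent sent by a process that is not a browser. Assumptions: field names follow Sysmon (Image, ImageLoaded, Signed, TargetObject, Details, QueryName); the user name, the lure folder, the executable and DLL filenames and the Zoho user-agent string are made up; and the "http" records assume an EDR sensor that attaches the originating process to each outbound request.

```python
import ntpath
import re

# Indicators named in the report. The domain appears defanged in the article
# (couldinstallup[.]com) and is refanged here only so the rule can match it.
C2_DOMAIN = "couldinstallup.com"
TASK_NAME = "SolidPDFPcl2Bmp"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumption: locations an unprivileged user can write to, where a phished ZIP
# would typically be unpacked. Tune for the estate being hunted.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
ZOHO_UA_RE = re.compile(r"zoho", re.IGNORECASE)  # assumed UA substring


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def check_sideload(ev):
    """Sysmon EID 7: unsigned DLL loaded from the loading process's own
    directory, and that directory is user-writable."""
    if ev.get("kind") != "image_load" or ev.get("Signed", "").lower() != "false":
        return None
    if _dir(ev["ImageLoaded"]) != _dir(ev["Image"]):
        return None
    if not USER_WRITABLE_RE.search(ev["Image"]):
        return None
    return f"{_base(ev['Image'])} loaded unsigned {_base(ev['ImageLoaded'])} from its own directory"


def check_scheduled_task(ev):
    """Sysmon EID 1: schtasks.exe creating the task name from the report."""
    if ev.get("kind") != "process_create" or _base(ev.get("Image", "")) != "schtasks.exe":
        return None
    m = re.search(r'/tn\s+"?([^\s"]+)', ev.get("CommandLine", ""), re.IGNORECASE)
    if m and m.group(1).lower() == TASK_NAME.lower():
        return f"scheduled task {m.group(1)} created"
    return None


def check_run_key(ev):
    """Sysmon EID 13: Run/RunOnce value whose target lives in a user profile."""
    if ev.get("kind") != "registry_set" or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    if USER_WRITABLE_RE.search(ev.get("Details", "")):
        return f"Run key {ev['TargetObject']} -> {ev['Details']}"
    return None


def check_c2_dns(ev):
    """Sysmon EID 22: resolution of the C2 domain or any subdomain of it."""
    q = ev.get("QueryName", "").lower().rstrip(".")
    if ev.get("kind") == "dns" and (q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)):
        return f"{_base(ev['Image'])} resolved {q}"
    return None


def check_zoho_ua(ev):
    """EDR HTTP telemetry (assumed to carry the originating process): a Zoho
    user agent is expected from a browser, not from a PDF tool in %TEMP%."""
    if ev.get("kind") != "http" or not ZOHO_UA_RE.search(ev.get("UserAgent", "")):
        return None
    proc = _base(ev.get("Image", ""))
    if proc not in BROWSERS:
        return f"{proc} sent Zoho user agent {ev['UserAgent']!r}"
    return None


RULES = [check_sideload, check_scheduled_task, check_run_key, check_c2_dns, check_zoho_ua]


def hunt(events):
    """Return (rule name, summary) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


# Constructed telemetry: user "amit", lure folder "Hydropower_MoU" and the
# file names are invented; the benign records show what the rules ignore.
LURE_DIR = r"C:\Users\amit\AppData\Local\Temp\Hydropower_MoU"
SAMPLE_EVENTS = [
    {"kind": "image_load", "Image": LURE_DIR + r"\SolidPDFCreator.exe",
     "ImageLoaded": LURE_DIR + r"\SolidPDFCreator.dll", "Signed": "false"},
    {"kind": "image_load", "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\SciLexer.dll", "Signed": "false"},
    {"kind": "process_create", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks /create /sc minute /mo 5 /tn SolidPDFPcl2Bmp /tr "{LURE_DIR}\\SolidPDFCreator.exe"'},
    {"kind": "registry_set",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SolidPDF",
     "Details": LURE_DIR + r"\SolidPDFCreator.exe"},
    {"kind": "registry_set",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"kind": "dns", "Image": LURE_DIR + r"\SolidPDFCreator.exe", "QueryName": "couldinstallup.com"},
    {"kind": "http", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Host": "workdrive.zoho.com", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"kind": "http", "Image": LURE_DIR + r"\SolidPDFCreator.exe",
     "Host": "workdrive.zoho.com", "UserAgent": "ZohoWorkDrive/1.0"},
]

if __name__ == "__main__":
    for name, msg in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

Against the constructed events the script reports exactly one hit per rule and stays silent on the unsigned DLL under Program Files, the HKLM Run value pointing into System32, and Chrome talking to Zoho with a normal browser user agent. The sideload rule is deliberately narrow (same directory plus user-writable path) so that a signed binary carrying its own unsigned helper DLL in its install folder does not page anyone; widen it only if your estate blocks execution from user profiles anyway.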
