DEV Community

Mark0

Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks

The China-aligned espionage group Mustang Panda is currently conducting campaigns against Indian government networks and hydropower infrastructure. The group leverages Zoho WorkDrive, a legitimate cloud storage service, to camouflage its command-and-control traffic and data exfiltration as ordinary cloud activity. The attack chain involves spear-phishing ZIP archives that utilize DLL sideloading through signed binaries like Citrix and Solid PDF Creator to deploy specialized implants.

Researchers identified three primary tools in this campaign: SHARDLOADER, MINIRECON, and ZOHOMURK. ZOHOMURK is particularly notable for using hardcoded OAuth credentials to turn Zoho WorkDrive accounts into dead drops for commands and stolen data. While the group's operational security was relatively weak—revealed by hardcoded tokens and recurring typos—the campaign remains a significant threat to India's energy sector and geopolitical interests.
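The two traits the summary describes, a signed host binary sideloading a staged DLL and the same process then talking to Zoho WorkDrive, can be correlated in endpoint telemetry. The detector below is an added example, not code from the researchers or the article; it assumes Sysmon-style JSON events, a hostname containing `workdrive.zoho`, a short list of user-writable staging folders and browser names, and runs over constructed sample events.

```python
import json
from collections import defaultdict

# Heuristics below are assumptions for this example, not indicators from the report:
# a WorkDrive hostname fragment, folders where a sideloaded DLL is typically staged,
# and browsers whose WorkDrive traffic is expected.
WORKDRIVE_HINT = "workdrive.zoho"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed Sysmon-like events (JSON lines). pid 4120 plays the sideloaded host
# binary: it loads an unsigned DLL from Temp, then connects to WorkDrive.
# pid 2200 is a browser using WorkDrive normally; pid 3300 is benign system activity.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\SolidPDFCreator.exe", "type": "image_load", "module": "C:\\Users\\u\\AppData\\Local\\Temp\\SolidPDF.dll", "signed": false}
{"pid": 4120, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\SolidPDFCreator.exe", "type": "network", "dest_host": "workdrive.zoho.com", "dest_port": 443}
{"pid": 2200, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "type": "network", "dest_host": "workdrive.zoho.com", "dest_port": 443}
{"pid": 3300, "image": "C:\\Windows\\System32\\svchost.exe", "type": "image_load", "module": "C:\\Windows\\System32\\wininet.dll", "signed": true}
"""

def is_user_writable(path: str) -> bool:
    """True when the path sits in a folder an unprivileged user can write to."""
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)

def find_suspicious(events_text: str) -> list[dict]:
    """Correlate per pid: unsigned DLL from a staging folder + WorkDrive egress."""
    sideload = defaultdict(list)   # pid -> unsigned modules loaded from staging dirs
    egress = defaultdict(set)      # pid -> WorkDrive hosts contacted
    image = {}                     # pid -> process image path
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        pid = ev["pid"]
        image[pid] = ev["image"]
        if ev["type"] == "image_load" and not ev["signed"] and is_user_writable(ev["module"]):
            sideload[pid].append(ev["module"])
        elif ev["type"] == "network" and WORKDRIVE_HINT in ev["dest_host"].lower():
            egress[pid].add(ev["dest_host"])
    hits = []
    for pid, hosts in egress.items():
        exe = image[pid].rsplit("\\", 1)[-1].lower()
        if exe in BROWSERS:
            continue   # interactive WorkDrive use from a browser is expected, skip it
        # Non-browser WorkDrive egress alone is worth a look; combined with a
        # sideloaded DLL in the same process it matches the described chain.
        hits.append({"pid": pid, "image": image[pid], "hosts": sorted(hosts),
                     "sideloaded": sideload.get(pid, []),
                     "severity": "high" if sideload.get(pid) else "medium"})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

On the sample input only pid 4120 is reported, at high severity, because it both loaded an unsigned DLL from Temp and reached WorkDrive.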
