| At a glance | |
|---|---|
| Group | Mustang Panda (China-aligned APT; also tracked as Hive0154) |
| Activity | Cyberespionage, spear-phishing, cloud-service C2 abuse |
| Targets | Indian government entities and the hydropower/energy sector |
| Scale | Active compromises in government networks, including senior staff; beaconing June 12–22, 2026 |
| Status | State-aligned espionage; no arrests; coordinated with CERT-In |
| Source | Acronis Threat Research Unit (TRU) |
TL;DR
Mustang Panda is running two espionage campaigns against India’s government and hydropower sector. Acronis researchers found the group abusing Zoho WorkDrive, a trusted cloud service, as its command-and-control channel. The operators deployed three new malware tools and reached senior officials’ machines.
What happened
Acronis Threat Research Unit (TRU) uncovered two linked campaigns aimed at Indian targets. Both arrived as spear-phishing ZIP archives that carried a malicious DLL. One lure posed as a hydropower cooperation proposal. The other posed as an India-Taiwan memorandum of understanding.
The motive looks clear. According to Acronis, the operators sought intelligence on India’s hydropower plans and its defense ties with Taiwan.
How the attack works

The chain starts with DLL sideloading: a legitimately signed Solid PDF Creator executable loads an attacker-supplied DLL placed alongside it, which Acronis tracks as SHARDLOADER. In the second campaign, a signed Citrix Receiver binary plays the same role. The signed host binary is clean, so the malicious code runs under a trusted name.
SHARDLOADER then drops two implants. MINIRECON, built on the older Toneshell family, talks to its server over a WebSocket channel and does not validate the server’s TLS certificate. ZOHOMURK is the standout. It carries hardcoded Zoho OAuth tokens and turns a WorkDrive account into a dead drop: the implant polls an inbox folder for commands and writes stolen data to an outbox folder, so no attacker-owned server ever appears in the victim’s traffic.
Each implant also resists analysis and sets up persistence. ZOHOMURK runs a timing check to spot debuggers before it writes anything to disk. For persistence, the loaders plant registry Run keys, while one variant registers a scheduled task that fires every five minutes. A heartbeat thread even rebuilds the cloud folders if an operator wipes them.
Why the cloud abuse matters
The trick hides the theft in plain sight. Zoho WorkDrive is common across India’s government sector, so malicious traffic to it blends with normal cloud activity. Reputation- or domain-based blocking does not help, because the destination is a legitimate service; the useful signal is which process is talking to it and what it sends. That makes detection harder for teams watching only for odd outbound connections.
Who is behind the Mustang Panda campaigns
Acronis attributes both campaigns to Mustang Panda with high confidence. The call rests on shared tradecraft, code overlaps with Toneshell, and reused infrastructure. As the researchers state, “TRU assesses with high confidence that the activity is espionage-motivated.”
Several clues line up. One command server sat in the same network block that IBM X-Force tied to the group. A misspelled string, “RunOnece,” appears across multiple implants. The signed Solid PDF Creator sideloading trick also matches earlier operations. Public reporting has long linked Mustang Panda to China and to activity that serves its strategic interests. Notably, the operators slipped up in ways that helped analysts: hardcoded tokens, plaintext identifiers, and reused servers all aided attribution.
Impact and scale
The damage is real, not theoretical. TRU found active beaconing from several compromised Indian government systems. Some belonged to senior administrative staff. The infrastructure stayed live and tasked between June 12 and June 22, 2026.
TRU worked with CERT-In, India’s national cyber agency, on victim notification and cleanup. The team redacted victim details before sharing data. This fits a wider pattern. In April, Acronis tied the group’s LOTUSLITE backdoor to attacks on India’s banking sector and South Korean policy circles. China-aligned interest in India’s power grid stretches back further still, to the 2021 ShadowPad campaign.
How to stay protected
There is no single patch here. Instead, the defense lies in catching the delivery and the cloud abuse. Treat geopolitically themed attachments with caution, especially in government and energy roles. Because the sideloaded host binary is legitimately signed, code-signing checks alone will not stop it; enforce application controls that flag signed executables running from, and DLLs loaded from, user-writable folders such as Temp or Downloads.
Acronis also published indicators and hunting tips. Watch for the persistence Run keys, the scheduled task named SolidPDFPcl2Bmp, and the domain couldinstallup[.]com. Also flag Zoho user agents that show up on non-browser processes. Acronis warns that attackers increasingly hide command-and-control inside trusted cloud platforms, so visibility into that activity now matters more than ever.
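The hunting tips above reduce to a few checks that can be run over endpoint telemetry. The following is an added example, not Acronis TRU code, showing how to apply them: it flags the published domain and task-name indicators, Zoho traffic from processes that are neither browsers nor approved Zoho clients, and Run-key commands that live in user-writable folders. The telemetry is constructed, and the Zoho host pattern, browser list, and log layout are assumptions that would need adapting to a real EDR export.

```python
"""Hunting logic for the cloud dead-drop C2 and the persistence artefacts described
above. This is an added example, not Acronis TRU code; the telemetry below is
constructed, and the Zoho host pattern and browser list are assumptions."""
import re
from dataclasses import dataclass

# Constructed per-process network telemetry (what an EDR or Sysmon Event ID 3
# joined with proxy logs would give you): image path | destination host | user agent.
SAMPLE_NET = """\
C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|workdrive.zoho.com|Mozilla/5.0 Chrome/124
C:\\Users\\asha\\AppData\\Local\\Temp\\SolidPDFCreator.exe|workdrive.zoho.com|ZohoWorkDrive/1.0
C:\\Users\\asha\\AppData\\Local\\Temp\\SolidPDFCreator.exe|couldinstallup.com|Mozilla/5.0
C:\\Windows\\System32\\svchost.exe|update.microsoft.com|Microsoft-Delivery-Optimization/10.0
"""

# Constructed scheduled-task and Run-key inventories: task path | trigger, and
# hive\key | value name | command.
SAMPLE_TASKS = """\
\\Microsoft\\Windows\\Defrag\\ScheduledDefrag|weekly
\\SolidPDFPcl2Bmp|every 5 minutes
"""
SAMPLE_RUNKEYS = """\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|OneDrive|C:\\Users\\asha\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|SolidPDF|C:\\Users\\asha\\AppData\\Local\\Temp\\SolidPDFCreator.exe
"""

IOC_DOMAINS = {"couldinstallup.com"}     # named in the Acronis report
IOC_TASK_NAMES = {"solidpdfpcl2bmp"}     # named in the Acronis report
# Assumptions: Zoho API/WorkDrive hosts end in zoho.com or zohoapis.com, and only
# browsers or approved Zoho desktop clients should talk to them. Populate
# APPROVED_ZOHO_CLIENTS with your sanctioned sync client, or every legitimate
# install becomes a finding.
ZOHO_HOST_RE = re.compile(r"(?:^|\.)zoho(?:apis)?\.com$", re.I)
KNOWN_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
APPROVED_ZOHO_CLIENTS: set[str] = set()
# Run-key commands launched from these user-writable locations are suspicious
# regardless of who signed the binary, which is the whole point of sideloading.
USER_WRITABLE_RE = re.compile(r"\\(Temp|Downloads|Public)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _records(blob: str, fields: int):
    for line in blob.splitlines():
        if line.strip():
            yield line.split("|", fields - 1)


def hunt_network(telemetry: str) -> list[Finding]:
    """Flag IOC domains, and any Zoho traffic (by host or user agent) from a
    process that is neither a browser nor an approved Zoho client."""
    findings = []
    for image, host, ua in _records(telemetry, 3):
        proc, host = _basename(image), host.strip().lower()
        if host in IOC_DOMAINS:
            findings.append(Finding("ioc_domain", f"{proc} -> {host}"))
        unexpected = proc not in KNOWN_BROWSERS and proc not in APPROVED_ZOHO_CLIENTS
        if unexpected and ZOHO_HOST_RE.search(host):
            findings.append(Finding("zoho_host_non_browser", f"{proc} -> {host}"))
        if unexpected and "zoho" in ua.lower():
            findings.append(Finding("zoho_ua_non_browser", f"{proc} UA={ua.strip()}"))
    return findings


def hunt_tasks(inventory: str) -> list[Finding]:
    """Flag the scheduled-task name the report lists as an indicator."""
    return [Finding("ioc_task", path) for path, _trigger in _records(inventory, 2)
            if _basename(path) in IOC_TASK_NAMES]


def hunt_runkeys(inventory: str) -> list[Finding]:
    """Flag Run-key entries whose command lives in a user-writable folder."""
    return [Finding("runkey_user_writable", f"{name}: {cmd}")
            for _key, name, cmd in _records(inventory, 3) if USER_WRITABLE_RE.search(cmd)]


if __name__ == "__main__":
    for f in hunt_network(SAMPLE_NET) + hunt_tasks(SAMPLE_TASKS) + hunt_runkeys(SAMPLE_RUNKEYS):
        print(f"[{f.rule}] {f.detail}")
```

On the constructed sample the browser’s WorkDrive session is left alone, while the sideloaded PDF executable is flagged three times: once for the published domain, once for reaching a Zoho host, and once for presenting a Zoho user agent. The user-agent and host checks deliberately overlap, because an implant can change one without the other. The Run-key rule is a heuristic rather than an indicator, so expect to tune the path list per environment.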