A new security advisory has highlighted two targeted cyber campaigns linked to the China-aligned threat group known as Mustang Panda. The activity reportedly focused on Indian government organisations and entities connected to the hydropower sector, with attackers using phishing emails, malware implants, and legitimate cloud services to maintain access and move stolen information.
What makes this campaign particularly notable is its use of Zoho WorkDrive. Rather than relying only on obviously suspicious infrastructure, the attackers allegedly used a well-known cloud storage platform as part of their operation. This approach can make malicious activity harder to spot because the traffic may resemble normal business use of cloud services.
A Campaign Built Around Trust and Familiar Services
According to the advisory, the attacks were aimed at Indian government networks, including systems used by senior administrative personnel. The report also links the campaign themes to India's hydropower initiatives and its defence cooperation with Taiwan, suggesting that the activity was primarily espionage-driven rather than financially motivated.
The attackers reportedly began with spear-phishing emails that delivered ZIP archives disguised as legitimate-looking documents. These files used topics related to hydropower projects and official cooperation agreements, which could make them appear credible to a recipient who regularly handles government, infrastructure, or cross-border collaboration material.
This is a familiar reminder that phishing does not always arrive as an obvious scam. In highly targeted attacks, the subject matter is tailored to the victim's work, industry, or current projects.
Hidden Files and DLL Sideloading Formed Part of the Attack Chain
The report identifies a malware loader called SHARDLOADER as part of the attack process. It allegedly uses DLL sideloading, a technique where a legitimate signed application is tricked into loading a malicious file placed alongside it.
In these cases, the attackers reportedly abused trusted software components associated with applications such as Solid PDF Creator and Citrix Receiver. Because the executable itself may appear legitimate, this technique can be more difficult for basic security tools to detect than a plainly malicious program.
The attack diagrams in the advisory show a sequence beginning with a phishing email and compressed archive, before leading to a malicious executable and DLL sideloading activity. From there, the malware deploys further implants designed to communicate with the attackers or collect information from the compromised environment.
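The sideloading pattern described above (a signed, trusted host executable loading a DLL placed next to it) is something image-load telemetry can surface. The following is an added example, not code from the advisory or from any vendor product: it scores constructed image-load events, with fields modelled loosely on a Sysmon Event ID 7 record, and returns the reasons an event looks like sideloading. The dataclass fields, the sample paths and publisher names, and the trusted-directory list are all assumptions.

```python
"""Heuristics for spotting DLL sideloading in image-load telemetry (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where legitimately installed software normally lives (assumed list).
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows\System32"),
)
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event; field names are hypothetical, not a real schema."""
    process_image: str     # full path of the process that loaded the DLL
    process_signed: bool   # Authenticode signature on the process image is valid
    process_signer: str    # publisher named in that signature
    dll_image: str         # full path of the DLL that was loaded
    dll_signed: bool
    dll_signer: str


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True when `path` sits anywhere below `root` (case-insensitive on Windows paths)."""
    return root in path.parents


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the reasons an event resembles sideloading; an empty list means none fired."""
    proc = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.dll_image)
    # The technique relies on a trusted host binary, and loads of OS DLLs are routine.
    if not ev.process_signed or _under(dll, SYSTEM32):
        return []
    reasons: list[str] = []
    same_dir = proc.parent == dll.parent
    if same_dir and not ev.dll_signed:
        reasons.append("signed host loaded an unsigned DLL from its own directory")
    if same_dir and ev.dll_signed and ev.dll_signer != ev.process_signer:
        reasons.append("co-located DLL is signed by a different publisher than the host")
    if not any(_under(proc, root) for root in TRUSTED_ROOTS):
        reasons.append("signed host is running outside the standard program directories")
    return reasons


def triage(events: list[ImageLoad]) -> list[tuple[str, list[str]]]:
    """Keep only the events that fired at least one heuristic, keyed by the DLL path."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            hits.append((ev.dll_image, reasons))
    return hits


# Constructed telemetry for demonstration; none of these paths or publishers is from the advisory.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\Downloads\Hydropower_MoU\viewer.exe", True, "Example PDF Vendor",
              r"C:\Users\alice\Downloads\Hydropower_MoU\helper.dll", False, ""),
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", True, "Example Corp",
              r"C:\Program Files\ExampleApp\app.dll", True, "Example Corp"),
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", True, "Example Corp",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
]

if __name__ == "__main__":
    for dll_path, reasons in triage(SAMPLE_EVENTS):
        print(dll_path)
        for r in reasons:
            print("  -", r)
```

The first sample event, a signed viewer in a download folder loading an unsigned co-located DLL, fires two indicators; the installed application and the System32 load fire none. In production the same logic would run over EDR or Sysmon image-load events, with the trusted-directory list and publisher comparisons tuned to the organisation's own software inventory.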
Zoho WorkDrive Allegedly Used as a Command Channel
One of the newly identified components, called ZOHOMURK, is described as a malware tool designed to use Zoho WorkDrive for command-and-control activity and data exfiltration.
Instead of communicating only with a suspicious server, the malware reportedly uses hardcoded Zoho OAuth credentials to access an attacker-controlled WorkDrive account. It can then check a cloud folder for instructions and upload collected data to another folder.
This method effectively turns a legitimate cloud storage service into a hidden communications channel. For defenders, that creates an added challenge because blocking all cloud-storage traffic may not be practical in an organisation where employees rely on those platforms for daily work.
The advisory also identifies MINIRECON, which is described as a reworked version of the Toneshell backdoor. It reportedly communicates over encrypted HTTPS-based WebSocket connections, helping the traffic blend into ordinary web activity.
Why This Campaign Matters
The campaign shows how modern threat actors increasingly mix malicious tools with legitimate services. Instead of hosting everything on a clearly suspicious server, attackers can take advantage of trusted applications, cloud platforms, signed executables, and encrypted web connections.
For organisations, this means cybersecurity monitoring cannot focus only on known malicious domains or blocked file types. Security teams also need to understand what normal use of cloud platforms looks like inside their environment. A sudden increase in uploads, unusual access outside office hours, or a workstation connecting to an unfamiliar cloud tenant could all be warning signs.
This is especially relevant for government agencies, energy providers, healthcare organisations, financial institutions, and other sectors that handle sensitive information or critical services.
Recommended Defensive Measures
The advisory recommends several practical measures to reduce the risk of similar attacks:
• Monitor outbound cloud traffic for unusual upload volumes, off-hours connections, suspicious API activity, or unexpected destinations.
• Use EDR tools to detect unusual DLL sideloading behaviour, especially trusted applications loading unverified DLL files.
• Apply application whitelisting on sensitive endpoints so only authorised programs can run.
• Limit local administrator privileges to reduce the impact of an initial compromise.
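The first recommendation, together with the warning signs listed earlier (upload spikes, off-hours access, a workstation talking to an unfamiliar cloud tenant), can be expressed as a small baseline-and-alert routine over proxy logs. What follows is an added example, not code from the advisory: it parses constructed proxy log lines, builds a per-workstation daily upload baseline, and emits one alert per warning sign. The log format, hostnames, tenant identifiers, thresholds and business-hours window are all assumptions chosen for the demonstration.

```python
"""Baseline-and-alert logic for outbound cloud-storage traffic (added example)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Assumed environment knowledge: which destinations are cloud storage, which tenants are ours.
CLOUD_STORAGE_HOSTS = {"workdrive.example-cloud.test", "drive.example-cloud.test"}
KNOWN_TENANTS = {"org-corp-001"}
UPLOAD_METHODS = {"PUT", "POST"}
BUSINESS_HOURS = range(8, 19)     # 08:00 to 18:59 local time
MIN_BASELINE_DAYS = 3             # need this many other days before judging a spike
SPIKE_FACTOR = 4.0                # flag a day whose uploads exceed 4x the prior daily maximum


@dataclass(frozen=True)
class Record:
    ts: datetime
    host: str        # workstation name
    dest: str        # destination hostname
    tenant: str      # cloud tenant id the proxy extracted, "-" when not applicable
    method: str
    bytes_out: int


def parse_log(text: str) -> list[Record]:
    """Parse whitespace-separated lines: timestamp host dest tenant method bytes_out."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, tenant, method, size = line.split()
        records.append(Record(datetime.fromisoformat(ts), host, dest, tenant, method, int(size)))
    return records


def detect(records: list[Record],
           known_tenants: set[str] = KNOWN_TENANTS,
           cloud_hosts: set[str] = CLOUD_STORAGE_HOSTS) -> list[tuple[str, str, str]]:
    """Return de-duplicated (host, day, message) alerts for the three warning signs."""
    alerts: set[tuple[str, str, str]] = set()
    daily: dict[str, dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.dest not in cloud_hosts:
            continue
        day = r.ts.date()
        if r.tenant not in known_tenants:
            alerts.add((r.host, day.isoformat(), f"unfamiliar tenant {r.tenant} at {r.dest}"))
        if r.ts.hour not in BUSINESS_HOURS:
            alerts.add((r.host, day.isoformat(), "off-hours cloud-storage access"))
        if r.method in UPLOAD_METHODS:
            daily[r.host][day] += r.bytes_out
    # Compare each day's uploads against that workstation's other observed days.
    for host, days in daily.items():
        for day, total in days.items():
            baseline = [v for d, v in days.items() if d != day]
            if len(baseline) < MIN_BASELINE_DAYS:
                continue
            prior_max = max(baseline)
            if total > SPIKE_FACTOR * prior_max:
                alerts.add((host, day.isoformat(),
                            f"upload volume {total} B vs prior daily max {prior_max} B"))
    return sorted(alerts)


# Constructed proxy log lines; four normal working days for ws-17, then a 02:00 bulk upload
# to a tenant the organisation does not use.
SAMPLE_LOG = """\
2025-03-03T09:15:00 ws-17 workdrive.example-cloud.test org-corp-001 PUT 1200000
2025-03-04T10:02:00 ws-17 workdrive.example-cloud.test org-corp-001 PUT 900000
2025-03-05T11:40:00 ws-17 workdrive.example-cloud.test org-corp-001 PUT 1500000
2025-03-06T09:50:00 ws-17 workdrive.example-cloud.test org-corp-001 PUT 1100000
2025-03-07T02:13:00 ws-17 workdrive.example-cloud.test org-ext-9f3a PUT 48000000
2025-03-07T02:15:00 ws-17 workdrive.example-cloud.test org-ext-9f3a GET 2000
2025-03-07T14:00:00 ws-22 workdrive.example-cloud.test org-corp-001 PUT 800000
2025-03-07T14:05:00 ws-22 news.example.test - GET 50000
"""

if __name__ == "__main__":
    for host, day, message in detect(parse_log(SAMPLE_LOG)):
        print(f"{day} {host}: {message}")
```

On the sample data all three alerts land on ws-17 for the same day, which is the kind of convergence worth escalating: a single off-hours connection or a lone unfamiliar tenant may be benign, but the combination with a 40x upload spike is not. The baseline here is deliberately simple (a multiple of the prior daily maximum); a production version would use a longer history and the organisation's own notion of a cloud tenant, which for a service like WorkDrive would be whatever account or organisation identifier the proxy or CASB can extract from the request.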
Final Thoughts
The Mustang Panda campaign is another example of why phishing awareness, endpoint monitoring, and cloud-security visibility all need to work together. The use of Zoho WorkDrive does not mean the service itself is unsafe; rather, it shows how attackers can misuse legitimate platforms when organisations do not have sufficient controls around external tenants, cloud access, and abnormal data movement.
For security teams, the key lesson is clear: trusted tools and encrypted traffic should not automatically be treated as harmless. Context matters, and unusual behaviour around otherwise legitimate services can be just as important as detecting known malware.