Mustang Panda is targeting Indian government and hydropower-related organizations with spear-phishing, sideloading malware, and abuse of Zoho WorkDrive as a covert command channel. Acronis linked the activity to three tools—SHARDLOADER, MINIRECON, and ZOHOMURK—and published indicators to help defenders detect the campaign.
Key points
- Mustang Panda ran two campaigns against Indian government and hydropower targets.
- The group abused Zoho WorkDrive to hide command-and-control traffic inside normal cloud activity.
- SHARDLOADER used signed binaries to sideload a malicious DLL and deploy implants.
- ZOHOMURK used hardcoded Zoho OAuth credentials to read commands and exfiltrate data.
- Acronis and CERT-In found active compromises and shared hunting indicators for defenders.
Read More: https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html