Mustang Panda targets India’s government and energy sectors with ZOHOMURK and MINIRECON

Acronis TRU tracked two Mustang Panda espionage campaigns against Indian government and hydropower targets, using spear-phishing archives, DLL sideloading, and newly identified implants SHARDLOADER, MINIRECON, and ZOHOMURK. The operators abused Zoho WorkDrive for command-and-control and data theft, while TRU found active compromises, shared findings with CERT-In, and linked the activity to Mustang Panda’s China-aligned operations.

Key points

  • Two concurrent Mustang Panda campaigns targeted Indian government entities and hydropower-related victims.
  • The campaigns used spear-phishing ZIP archives with hidden malicious DLLs and legitimate signed launchers for DLL sideloading.
  • TRU identified a new loader family, SHARDLOADER, which staged and launched the next-stage implants.
  • MINIRECON is a Toneshell-derived implant that uses WebSocket over HTTPS for command-and-control and supports reverse shell and file transfer features.
  • ZOHOMURK uses Zoho WorkDrive for C2, victim registration, tasking, and exfiltration, while also using persistence and anti-analysis checks.
  • TRU observed active beaconing from compromised Indian government systems and collaborated with CERT-In for mitigation and victim notification.
  • Attribution to Mustang Panda is supported by overlapping tooling, infrastructure patterns, code reuse, and recurring tradecraft.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Lure ZIP archives were likely delivered via spear-phishing to entice execution (‘Hydropower Cooperation Project Proposal.zip’, ‘MOU USI-INDSR TAIWAN.zip’).
  • [T1574.002] DLL Side-Loading – Legitimate signed executables loaded malicious DLLs to execute attacker code (‘Windows automatically loads the attacker-controlled DLL during startup’).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence was achieved by creating Run keys in HKCU (‘creates a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run’).
  • [T1055] Process Injection – The malicious DLL executed under the context of a trusted application through sideloading (‘allowing SHARDLOADER v1.0 to execute under the context of a trusted application’).
  • [T1059.003] Windows Command Shell – ZOHOMURK created and wrote commands to an interactive shell pipe (‘creates one’, ‘writes it to the stdin pipe’).
  • [T1105] Ingress Tool Transfer – Payloads and command files were downloaded, staged, and uploaded via cloud storage (‘downloads it to a temporary file named readata.dat’, ‘uploads the result’).
  • [T1027] Obfuscated Files or Information – Shellcode and blobs were stored in obfuscated/encoded form and decrypted at runtime (‘stores its shellcode in an obfuscated form within the .rdata section’).
  • [T1140] Deobfuscate/Decode Files or Information – Shellcode and payloads were decrypted using XOR and RC4 (‘applies a rolling XOR’, ‘uses RC4 to decrypt an encrypted blob’).
  • [T1106] Native API – Native Windows APIs were used for execution and communication (‘EnumSystemLocalesA’, ‘WinHTTP API’).
  • [T1053.005] Scheduled Task – Task Scheduler COM was used for persistence (‘register for a scheduled task named SolidPDFPcl2Bmp’).
  • [T1497.003] Time Based Evasion – Timing checks were used to detect analysis and debugging (‘measuring the execution time of a 64-iteration dummy loop’).
  • [T1090.001] Internal Proxy – The implant attempted proxy fallback by enumerating local proxy settings (‘attempts to route traffic through them’).
  • [T1071.001] Web Protocols – MINIRECON used WebSocket over HTTPS for C2 (‘establishes a WebSocket connection over HTTPS’).
  • [T1102.001] Web Service – ZOHOMURK abused Zoho WorkDrive and Zoho OAuth services for C2 and exfiltration (‘leverages Zoho WorkDrive for command-and-control’).
  • [T1016] System Network Configuration Discovery – The implant retrieved public IP/hostname details and enumerated proxy settings (‘retrieved from IPInfo’, ‘enumerates locally configured proxy settings’).
  • [T1082] System Information Discovery – Victim enumeration included hostname and public IP collection (‘combining the hostname… with the system’s public IP address’).

Indicators of Compromise

  • [SHA256] Archive and malware sample hashes – cd9397797216fd4c08df324937509124e57258328c8e4c6d795c6a2cd25b69b0, 5f22ec5c14dfd47c92850a5fb3bd8e3754d538b8021b6238238e4020336cfb5c
  • [SHA256] Additional sample hashes – f53fd0626404a129dcddb8ee7589387dd7bda7999814e0df46c670af6b3da5f5, f2bed071676feb831ed460489643fd57f6c6c1e0d024a1ea447820276fb13828
  • [Domain] C2 and infrastructure – couldinstallup[.]com
  • [IP address] C2 hosting infrastructure – 188.208.141.177 and the related address 188.208.141.196
  • [File names] Lure and payload files – Hydropower Cooperation Project Proposal.zip, MOU USI-INDSR TAIWAN.zip
  • [File names] Dropped or loaded binaries – Project Proposal.exe, MediumInstStart.exe, SolidPDFCreator.dll, pcl2bmp.exe, ctxmui.dll, readata.dat
  • [Registry keys] Persistence locations – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MediumNetMonIt, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdateBrokerTask, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ZohoUsingUpdataAnyssAll_RunOnece
  • [Scheduled task] Persistence task – SolidPDFPcl2Bmp, trigger Pcl2BmpDailyTrigger, repetition PT5M
  • [Mutex / named event] Anti-analysis and coordination artifacts – uydgcfteionxcfd, Local\MS_Edge_Update_Task_Service_Sync, ZohoUsingUpdataAnyssAll_event
  • [Paths] Staging and execution directories – C:\ProgramData\IDM\logs, C:\ProgramData\Citrix, C:\Users\Public\Documents, %LOCALAPPDATA%\Microsoft\Vault\Cache, %LOCALAPPDATA%\ZohoUsing
  • [URLs / API endpoints] Zoho and IP lookup services – accounts[.]zoho[.]com/oauth/v2/token, workdrive[.]zoho[.]com/api/v1/files/{folder_id}/files, www[.]zohoapis[.]com/workdrive/api/v1/files, http[:]//ipinfo[.]io/ip
  • [User-Agent strings] Network fingerprinting – Zoho Client/1.0, Zoho API C-Client/1.0, Zoho API Client/1.0, Zoho-C-Uploader/2.0, IPFetcher/1.0
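The indicators above are only useful once they are turned into a hunt. The script below is an added example, not code from Acronis TRU or from the report, that loads the page's network, registry, scheduled-task and file-name indicators and runs them over a handful of constructed log lines in an assumed key=value format (proxy, DNS, Sysmon registry events, Windows Security 4698 task creation). Backslashes in the registry and mutex indicators are restored on the assumption that extraction stripped them; the sample log lines and their field names are constructed for the example.

```python
"""Match the report's IoCs against sample log lines (constructed example, not the report's own tooling)."""
import re
from collections import Counter
from dataclasses import dataclass


def refang(ioc: str) -> str:
    """Turn a defanged indicator from the report ('couldinstallup[.]com') back into matchable form."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


# Indicators copied from the report above. Registry value names live under the HKCU Run key.
IOC_DOMAINS = {refang("couldinstallup[.]com")}
IOC_IPS = {"188.208.141.177", "188.208.141.196"}
IOC_USER_AGENTS = {"Zoho Client/1.0", "Zoho API C-Client/1.0", "Zoho API Client/1.0",
                   "Zoho-C-Uploader/2.0", "IPFetcher/1.0"}
IOC_RUN_VALUES = {"MediumNetMonIt", "MicrosoftEdgeUpdateBrokerTask", "ZohoUsingUpdataAnyssAll_RunOnece"}
IOC_TASK_NAMES = {"SolidPDFPcl2Bmp"}
IOC_MUTEXES = {"uydgcfteionxcfd", "Local\\MS_Edge_Update_Task_Service_Sync", "ZohoUsingUpdataAnyssAll_event"}
IOC_FILE_NAMES = {"MediumInstStart.exe", "SolidPDFCreator.dll", "pcl2bmp.exe", "ctxmui.dll", "readata.dat"}

# Sysmon writes HKCU keys as HKU\<SID>\..., so accept both spellings of the Run key.
RUN_KEY_RE = re.compile(
    r'(?:HKCU|HKU\\[^\\\s]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\s"]+)', re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
UA_RE = re.compile(r'UA="([^"]+)"')  # assumed field name in the constructed proxy log format


@dataclass(frozen=True)
class Hit:
    kind: str
    value: str
    line: str


def scan_line(line: str) -> list[Hit]:
    """Return every indicator match in one log line, tagged by indicator type."""
    hits: list[Hit] = []
    lower = line.lower()
    for domain in sorted(IOC_DOMAINS):
        if domain in lower:
            hits.append(Hit("domain", domain, line))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(Hit("ip", ip, line))
    ua = UA_RE.search(line)
    if ua and ua.group(1) in IOC_USER_AGENTS:
        hits.append(Hit("user_agent", ua.group(1), line))
    run = RUN_KEY_RE.search(line)
    if run and run.group(1) in IOC_RUN_VALUES:
        hits.append(Hit("run_key", run.group(1), line))
    for name in sorted(IOC_TASK_NAMES):
        if name.lower() in lower:
            hits.append(Hit("scheduled_task", name, line))
    for name in sorted(IOC_MUTEXES):
        if name.lower() in lower:
            hits.append(Hit("mutex", name, line))
    for name in sorted(IOC_FILE_NAMES):
        if name.lower() in lower:
            hits.append(Hit("file", name, line))
    return hits


def summarize(lines: list[str]) -> dict[str, int]:
    """Count hits per indicator type across a batch of log lines."""
    counts: Counter[str] = Counter()
    for line in lines:
        for hit in scan_line(line):
            counts[hit.kind] += 1
    return dict(counts)


# Constructed sample log lines (not real telemetry). Line 1 uses the report's uploader User-Agent
# against the legitimate WorkDrive API host, the only network signal ZOHOMURK's cloud C2 leaves.
SAMPLE_LOGS = [
    'proxy src=10.0.0.5 dst=workdrive.zoho.com UA="Zoho-C-Uploader/2.0" method=POST uri=/api/v1/files/upload',
    'dns src=10.0.0.5 query=couldinstallup.com answer=188.208.141.177',
    'sysmon event=13 image=C:\\ProgramData\\IDM\\logs\\MediumInstStart.exe '
    'target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MediumNetMonIt',
    'security event=4698 task=\\SolidPDFPcl2Bmp trigger=Pcl2BmpDailyTrigger repetition=PT5M',
    'proxy src=10.0.0.7 dst=www.example.org UA="Mozilla/5.0" method=GET uri=/',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        for hit in scan_line(line):
            print(f"[{hit.kind}] {hit.value}  <-  {hit.line}")
    print(summarize(SAMPLE_LOGS))
```

The User-Agent strings alone are a weak signal because the destination is Zoho's real API, so treat a user-agent hit as something to correlate with the host-side artifacts (the Run value names, the SolidPDFPcl2Bmp task with its five-minute repetition, the named events) rather than as a standalone alert.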

Read more: https://www.acronis.com/en/tru/posts/mustang-panda-targets-indias-government-and-energy-sectors/