Acronis TRU tracked two Mustang Panda espionage campaigns against Indian government and hydropower targets, using spear-phishing archives, DLL sideloading, and newly identified implants SHARDLOADER, MINIRECON, and ZOHOMURK. The operators abused Zoho WorkDrive for command-and-control and data theft, while TRU found active compromises, shared findings with CERT-In, and linked the activity to Mustang Panda’s China-aligned operations. #MustangPanda #ZohoWorkDrive #SHARDLOADER #MINIRECON #ZOHOMURK #CERT-In
Keypoints
- Two concurrent Mustang Panda campaigns targeted Indian government entities and hydropower-related victims.
- The campaigns used spear-phishing ZIP archives with hidden malicious DLLs and legitimate signed launchers for DLL sideloading.
- TRU identified a new loader family, SHARDLOADER, which staged and launched the next-stage implants.
- MINIRECON is a Toneshell-derived implant that uses WebSocket over HTTPS for command-and-control and supports reverse shell and file transfer features.
- ZOHOMURK uses Zoho WorkDrive for C2, victim registration, tasking and exfiltration, and adds its own persistence and anti-analysis checks.
- TRU observed active beaconing from compromised Indian government systems and collaborated with CERT-In for mitigation and victim notification.
- Attribution to Mustang Panda is supported by overlapping tooling, infrastructure patterns, code reuse, and recurring tradecraft.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Lure ZIP archives were likely delivered via spear-phishing to entice execution (‘Hydropower Cooperation Project Proposal.zip’, ‘MOU USI-INDSR TAIWAN.zip’).
- [T1574.002] DLL Side-Loading – Legitimate signed executables loaded malicious DLLs, so the loader ran inside a trusted, signed process (‘Windows automatically loads the attacker-controlled DLL during startup’, ‘allowing SHARDLOADER v1.0 to execute under the context of a trusted application’).
- [T1547.001] Registry Run Keys / Startup Folder – Persistence was achieved by creating values under the HKCU Run key (‘creates a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run’).
- [T1059.003] Windows Command Shell – ZOHOMURK spawned an interactive command shell and wrote tasked commands to its stdin pipe (‘creates one’, ‘writes it to the stdin pipe’).
- [T1105] Ingress Tool Transfer – Payloads and command files were downloaded and staged via cloud storage (‘downloads it to a temporary file named readata.dat’).
- [T1027] Obfuscated Files or Information – Shellcode and blobs were stored in obfuscated/encoded form and decoded at runtime (‘stores its shellcode in an obfuscated form within the .rdata section’).
- [T1140] Deobfuscate/Decode Files or Information – Shellcode and payloads were decrypted with a rolling XOR and RC4 (‘applies a rolling XOR’, ‘uses RC4 to decrypt an encrypted blob’).
- [T1106] Native API – Native Windows APIs were used for execution and communication (‘EnumSystemLocalesA’, ‘WinHTTP API’).
- [T1053.005] Scheduled Task – The Task Scheduler COM interface was used for persistence (‘register for a scheduled task named SolidPDFPcl2Bmp’).
- [T1497.003] Time Based Evasion – Timing checks were used to detect analysis and debugging (‘measuring the execution time of a 64-iteration dummy loop’).
- [T1090] Proxy – The implant fell back to the victim’s configured proxy when direct connections failed (‘enumerates locally configured proxy settings’, ‘attempts to route traffic through them’).
- [T1071.001] Web Protocols – MINIRECON used WebSocket over HTTPS for C2 (‘establishes a WebSocket connection over HTTPS’).
- [T1102.002] Web Service: Bidirectional Communication – ZOHOMURK abused Zoho WorkDrive and Zoho OAuth for victim registration, tasking and result upload (‘leverages Zoho WorkDrive for command-and-control’, ‘uploads the result’).
- [T1567.002] Exfiltration to Cloud Storage – Collected data was uploaded to Zoho WorkDrive rather than to attacker-owned infrastructure.
- [T1016] System Network Configuration Discovery – The implant retrieved its public IP address and enumerated proxy settings (‘retrieved from IPInfo’, ‘enumerates locally configured proxy settings’).
- [T1082] System Information Discovery – Victim identification combined the hostname with the public IP address (‘combining the hostname… with the system’s public IP address’).
Indicators of Compromise
- [SHA256] Lure archives and malware samples – cd9397797216fd4c08df324937509124e57258328c8e4c6d795c6a2cd25b69b0, 5f22ec5c14dfd47c92850a5fb3bd8e3754d538b8021b6238238e4020336cfb5c, f53fd0626404a129dcddb8ee7589387dd7bda7999814e0df46c670af6b3da5f5, f2bed071676feb831ed460489643fd57f6c6c1e0d024a1ea447820276fb13828
- [Domain] C2 infrastructure – couldinstallup[.]com
- [IP address] C2 hosting infrastructure – 188.208.141[.]177; a second address in the same range, 188.208.141[.]196, is also referenced
- [File names] Lure archives – Hydropower Cooperation Project Proposal.zip, MOU USI-INDSR TAIWAN.zip
- [File names] Dropped or sideloaded binaries and staging files – Project Proposal.exe, MediumInstStart.exe, SolidPDFCreator.dll, pcl2bmp.exe, ctxmui.dll, readata.dat
- [Registry values] Persistence entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run – MediumNetMonIt, MicrosoftEdgeUpdateBrokerTask, ZohoUsingUpdataAnyssAll_RunOnece
- [Scheduled task] Persistence task – SolidPDFPcl2Bmp, trigger Pcl2BmpDailyTrigger, repetition interval PT5M (every five minutes)
- [Mutex / named event] Anti-analysis and single-instance artifacts – uydgcfteionxcfd, Local\MS_Edge_Update_Task_Service_Sync, ZohoUsingUpdataAnyssAll_event
- [Paths] Staging and execution directories – C:\ProgramData\IDMlogs, C:\ProgramData\Citrix, C:\Users\Public\Documents, %LOCALAPPDATA%\MicrosoftVaultCache, %LOCALAPPDATA%\ZohoUsing (inner path separators in IDMlogs and MicrosoftVaultCache were lost in extraction; verify against the source post before writing detections)
- [URLs / API endpoints] Zoho and IP lookup services – accounts[.]zoho[.]com/oauth/v2/token, workdrive[.]zoho[.]com/api/v1/files/{folder_id}/files, www[.]zohoapis[.]com/workdrive/api/v1/files, http[:]//ipinfo[.]io/ip
- [User-Agent strings] Network fingerprinting – Zoho Client/1.0, Zoho API C-Client/1.0, Zoho API Client/1.0, Zoho-C-Uploader/2.0, IPFetcher/1.0
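Because ZOHOMURK hides in legitimate Zoho traffic, a URL match alone will flag real WorkDrive users; the hard-coded User-Agent strings and the dedicated C2 domain are what separate the implant. The script below is an added example, not code from the Acronis TRU post: it runs the network indicators listed above over web-proxy log lines. The log line format and the sample log are constructed for this demonstration, as is the `ZohoWorkDrive/2.4` browser-style User-Agent used for the benign host; the indicator values are the ones in the IOC list.

```python
"""Hunt web-proxy logs for the ZOHOMURK / Mustang Panda network indicators.

Added example, not code from the Acronis TRU post. The log line format and
the sample log below are constructed for this demonstration; the indicator
values (User-Agents, URLs, domain, IPs) are the ones listed in the summary.
"""
import re
from dataclasses import dataclass
from typing import Optional

# User-Agent strings attributed to the implants (verbatim from the IOC list).
IMPLANT_USER_AGENTS = {
    "Zoho Client/1.0",
    "Zoho API C-Client/1.0",
    "Zoho API Client/1.0",
    "Zoho-C-Uploader/2.0",
    "IPFetcher/1.0",
}

# Endpoints from the IOC list with defanging removed. {folder_id} is a
# placeholder in the post, so it is matched here as one path segment.
IOC_URL_PATTERNS = [
    re.compile(r"^https?://accounts\.zoho\.com/oauth/v2/token"),
    re.compile(r"^https?://workdrive\.zoho\.com/api/v1/files/[^/]+/files"),
    re.compile(r"^https?://www\.zohoapis\.com/workdrive/api/v1/files"),
    re.compile(r"^http://ipinfo\.io/ip$"),
]

C2_DOMAIN = "couldinstallup.com"
C2_IPS = {"188.208.141.177", "188.208.141.196"}

# Constructed log format (adapt the regex to your proxy):
#   <timestamp> <client_ip> <dest_host> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    reasons: tuple


def score_line(line: str) -> Optional[Hit]:
    """Return a Hit when the line touches any indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, _method, url, ua = m.groups()
    reasons = []
    if ua in IMPLANT_USER_AGENTS:
        reasons.append("ua:" + ua)
    if any(p.match(url) for p in IOC_URL_PATTERNS):
        # Real Zoho desktop clients hit the same APIs, so a URL match on its
        # own is weak evidence; the implant's User-Agent is what separates it.
        reasons.append("ioc-url")
    if dst == C2_DOMAIN or dst.endswith("." + C2_DOMAIN) or dst in C2_IPS:
        reasons.append("c2-infra:" + dst)
    return Hit(ts, src, tuple(reasons)) if reasons else None


def hunt(lines):
    """All lines that touch an indicator, weak matches included."""
    return [h for h in map(score_line, lines) if h is not None]


def high_confidence_sources(lines):
    """Client IPs worth immediate triage: an implant User-Agent combined with
    a Zoho/ipinfo endpoint, or any contact with the dedicated C2 domain/IPs."""
    flagged = set()
    for h in hunt(lines):
        has_ua = any(r.startswith("ua:") for r in h.reasons)
        has_c2 = any(r.startswith("c2-infra:") for r in h.reasons)
        if has_c2 or (has_ua and "ioc-url" in h.reasons):
            flagged.add(h.src)
    return flagged


# Constructed sample log: one infected host (10.20.30.41), one host talking to
# the C2 domain (10.20.30.88), one legitimate WorkDrive user (10.20.30.77).
SAMPLE_LOG = """\
2025-01-10T09:12:01Z 10.20.30.41 accounts.zoho.com POST https://accounts.zoho.com/oauth/v2/token "Zoho API C-Client/1.0"
2025-01-10T09:12:03Z 10.20.30.41 ipinfo.io GET http://ipinfo.io/ip "IPFetcher/1.0"
2025-01-10T09:12:05Z 10.20.30.41 www.zohoapis.com POST https://www.zohoapis.com/workdrive/api/v1/files "Zoho-C-Uploader/2.0"
2025-01-10T09:15:00Z 10.20.30.77 workdrive.zoho.com GET https://workdrive.zoho.com/api/v1/files/abc123/files "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ZohoWorkDrive/2.4"
2025-01-10T09:16:10Z 10.20.30.88 couldinstallup.com GET https://couldinstallup.com/ "Mozilla/5.0"
2025-01-10T09:17:00Z 10.20.30.99 example.org GET https://example.org/index.html "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit.ts, hit.src, ", ".join(hit.reasons))
    print("triage first:", sorted(high_confidence_sources(SAMPLE_LOG.splitlines())))
```

Run against the sample, the legitimate WorkDrive user surfaces only as a weak `ioc-url` match and is left out of the triage set, while the host pairing the implant User-Agents with the OAuth token and WorkDrive endpoints, and the host that contacted couldinstallup.com, are returned for immediate investigation. Once a host is flagged, confirm with the host-side artifacts above (the Run values, the SolidPDFPcl2Bmp task and the named events) before declaring it compromised.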
Read more: https://www.acronis.com/en/tru/posts/mustang-panda-targets-indias-government-and-energy-sectors/