The Acronis Threat Research Unit uncovered two espionage campaigns by Mustang Panda that targeted India's government and hydropower sectors and used Zoho WorkDrive for command and control (C2). The campaigns relied on spear-phishing with ZIP archives containing malicious DLLs and aimed to extract intelligence on India's hydropower initiatives and its defense ties with Taiwan.
The malware, including SHARDLOADER and ZOHOMURK, used DLL sideloading and disguised its malicious behavior within normal cloud traffic, making detection difficult. Active compromises were detected in government networks from June 12-22, 2026, and the activity was linked to previous campaigns attributed to the group.