
Mustang Panda has been observed using Zoho WorkDrive as a covert command and control channel to spy on Indian government and hydropower sectors, according to the Acronis Threat Research Unit report. The campaign relies on spear‑phishing emails that carry ZIP archives containing SHARDLOADER and ZOHOMURK malware, which abuse legitimate cloud traffic to hide their activity. This shift highlights how threat actors are increasingly abusing trusted SaaS platforms for espionage.
The infection chain begins when a target opens the malicious ZIP, which drops a legitimate‑looking executable that performs DLL sideloading to launch SHARDLOADER. SHARDLOADER then decrypts and executes ZOHOMURK, establishing an encrypted channel that blends with normal HTTPS requests to Zoho WorkDrive endpoints. This technique makes the malicious traffic appear indistinguishable from regular cloud‑service use, complicating detection by network‑based tools.
Acronis noted that the intrusions were active between 12 and 22 June 2026, with compromised hosts identified in several Indian government networks and at least one hydropower facility, according to securityonline.info. The malware exfiltrates collected data via innocuous‑looking file uploads and download requests to the same WorkDrive domains used by legitimate users. Infrastructure analysis shows that the domains reused in this effort have been linked to earlier Mustang Panda operations.
This activity fits a broader pattern in which China‑linked espionage groups adopt legitimate SaaS services to evade traditional security controls, a tactic Mustang Panda has previously employed with Google Drive and OneDrive, as reported by thehackernews.com. By targeting India’s hydropower sector, the attackers appear interested in energy infrastructure and possible geopolitical leverage, reflecting a tactical shift toward cloud‑native command and control.
Defenders should inspect outbound HTTPS traffic to known Zoho WorkDrive domains for abnormal patterns such as frequent small uploads or irregular user‑agent strings, and enforce application control policies that block unsigned DLLs from loading. Employee training on spear‑phishing awareness and disabling automatic execution of archives from unknown senders can reduce the likelihood of initial compromise. Regularly reviewing signed binary inventories helps ensure only trusted executables are permitted to run.
Deploying behavioural analytics that flag deviations from normal cloud‑service usage, such as atypical timing or volume of WorkDrive API calls, can provide an additional layer of detection. Sharing indicators of compromise with trusted ISACs and updating threat‑intelligence feeds with the observed domains and file hashes will help prevent reuse of this infrastructure in future operations.
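The two preceding paragraphs recommend looking for frequent small uploads, irregular user‑agent strings and atypical timing or volume of WorkDrive traffic. The script below is an added example, written for this page and not code from Acronis or from the report, that applies those three heuristics to proxy log lines. The log format, the WorkDrive host names, the user‑agent allow‑list, the working‑hours baseline and the threshold values are all assumptions chosen for the example; the log lines themselves are constructed and are not indicators from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Zoho WorkDrive hosts to watch. Assumed for the example; the report's actual
# domains are not reproduced here.
WORKDRIVE_DOMAINS = {"workdrive.zoho.com", "workdrive.zoho.in"}
# User-agent prefixes expected from browsers and the desktop client (assumed allow-list).
EXPECTED_AGENT_PREFIXES = ("Mozilla/", "ZohoWorkDrive/")
SMALL_UPLOAD_BYTES = 4096          # uploads below this size count as "small"
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5                # this many small uploads inside one window is a burst
WORK_HOURS = range(8, 19)          # 08:00-18:59 local time, assumed baseline

# Constructed proxy log lines in a simplified, made-up format:
#   <ISO timestamp> <source ip> <method> <host> <bytes out> "<user agent>"
# 10.1.7.40 is a normal user; 10.1.5.23 shows the beaconing pattern the article
# describes; 10.1.9.12 talks to a non-WorkDrive host and is ignored.
SAMPLE_LOG = """\
2026-06-15T10:02:11 10.1.7.40 GET workdrive.zoho.com 0 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
2026-06-15T10:05:48 10.1.7.40 POST workdrive.zoho.com 2410000 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
2026-06-15T02:10:03 10.1.5.23 POST workdrive.zoho.com 812 "custom-client/1.0"
2026-06-15T02:11:19 10.1.5.23 POST workdrive.zoho.com 790 "custom-client/1.0"
2026-06-15T02:12:40 10.1.5.23 POST workdrive.zoho.com 805 "custom-client/1.0"
2026-06-15T02:13:55 10.1.5.23 POST workdrive.zoho.com 777 "custom-client/1.0"
2026-06-15T02:14:02 10.1.5.23 GET workdrive.zoho.com 0 "custom-client/1.0"
2026-06-15T02:15:07 10.1.5.23 POST workdrive.zoho.com 820 "custom-client/1.0"
2026-06-15T02:16:30 10.1.5.23 POST workdrive.zoho.com 799 "custom-client/1.0"
2026-06-15T11:30:00 10.1.9.12 POST mail.example.com 5000 "custom-client/1.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, size, agent = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "bytes": int(size), "agent": agent}


def analyze(log_text):
    """Return {source_ip: [finding, ...]} for hosts whose WorkDrive traffic looks abnormal."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in WORKDRIVE_DOMAINS:
            per_host[rec["src"]].append(rec)

    findings = {}
    for src, recs in per_host.items():
        flags = set()
        # Heuristic 1: a user agent outside the allow-list.
        if any(not r["agent"].startswith(EXPECTED_AGENT_PREFIXES) for r in recs):
            flags.add("unusual_user_agent")
        # Heuristic 2: activity outside the working-hours baseline.
        if any(r["ts"].hour not in WORK_HOURS for r in recs):
            flags.add("off_hours_activity")
        # Heuristic 3: a burst of small uploads inside a sliding window.
        uploads = sorted(r["ts"] for r in recs
                         if r["method"] in ("POST", "PUT") and r["bytes"] < SMALL_UPLOAD_BYTES)
        for i, start in enumerate(uploads):
            in_window = sum(1 for t in uploads[i:] if t - start <= BURST_WINDOW)
            if in_window >= BURST_THRESHOLD:
                flags.add("small_upload_burst")
                break
        if flags:
            findings[src] = sorted(flags)
    return findings


if __name__ == "__main__":
    for src, flags in analyze(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(flags)}")
```

Each heuristic on its own produces false positives (a script-driven backup job trips the user-agent and off-hours checks), so in practice the flags are better treated as scores that are summed per host and compared against a baseline learned from that host's own history, rather than as individual alerts.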