Full Report
The China-aligned espionage group Mustang Panda is running two campaigns against the Indian government and hydropower targets, deploying new malware and turning a legitimate cloud service into its command channel. Acronis Threat Research Unit found active compromises inside Indian government networks, including machines used by senior administrative staff, and worked with
Analysis Summary
# Threat Actor: Mustang Panda
## Attribution & Identity
* **Name:** Mustang Panda
* **Aliases:** Hive0154 (referenced via IBM X-Force linkage)
* **Associated Groups:** RedEcho (historical overlap in targeting patterns)
* **Origin:** China-aligned espionage group
## Activity Summary
Acronis Threat Research Unit identified active compromises in 2026 involving two distinct campaigns targeting the Indian government and energy sectors. The operations involved the use of new malware variants and the abuse of Zoho WorkDrive as a command-and-control (C2) channel to blend in with legitimate cloud traffic.
## Tactics, Techniques & Procedures
* **Phishing:** Spear-phishing using ZIP archives and geopolitical lures (Hydropower proposals, India-Taiwan relations).
* **DLL Sideloading (T1574.002):** Using legitimately signed binaries (Solid PDF Creator, Citrix Receiver) to load malicious DLLs.
* **Web Service: Bidirectional Communication (T1102.002):** Using Zoho WorkDrive itself as the command channel, both for pulling tasking and for pushing exfiltrated data. This is not a dead-drop resolver (T1102.001), which would only host a pointer to the real C2; here the cloud service is the C2.
* **Persistence:** Use of Windows Run keys and Scheduled Tasks.
* **Evasion:** Setting the hidden file attribute on the malicious DLL inside the ZIP so that, once extracted, the victim sees only the signed executable and the decoy; beaconing over HTTPS and WebSockets so the traffic resembles ordinary web use.
* **Developer artifact:** Recurring misspelling "RunOnece" (for the RunOnce registry key name) in the implants. This is a clerical error in the tooling, not typosquatting, and it doubles as a stable hunting string across samples.
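The hidden-attribute trick above (and the attachment-filtering mitigation later on this page) comes down to one check on the ZIP metadata: the low byte of each entry's external attributes carries the MS-DOS attribute bits when the archive was built on Windows, so a DLL with the hidden bit set next to an EXE in the same folder is the sideloading kit in its shipping form. The following Python is an added example written for this page, not code from the report or from Acronis; it builds a constructed lure archive inline (the file names such as `SolidPDFCreator.exe` and `SolidPDF.dll` are placeholders, not names from the report) and inspects it:

```python
import io
import posixpath
import zipfile

# Low byte of ZipInfo.external_attr holds the MS-DOS attributes when the
# archive was built on Windows; 0x02 is FILE_ATTRIBUTE_HIDDEN.
FILE_ATTRIBUTE_HIDDEN = 0x02


def is_hidden(info: zipfile.ZipInfo) -> bool:
    """True if the entry carries the MS-DOS hidden attribute."""
    return bool(info.external_attr & 0xFF & FILE_ATTRIBUTE_HIDDEN)


def inspect_archive(data: bytes) -> dict:
    """Inspect one ZIP for hidden DLLs and EXE+DLL sideloading layouts.

    Returns a dict with the hidden DLL names, the (exe, dll) pairs that sit in
    the same directory, and a verdict: "block" if any DLL is hidden,
    "review" if an EXE ships beside a DLL, otherwise "clean".
    """
    findings = {"hidden_dlls": [], "sideload_pairs": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [zi for zi in zf.infolist() if not zi.is_dir()]
    exes = [zi for zi in entries if zi.filename.lower().endswith(".exe")]
    dlls = [zi for zi in entries if zi.filename.lower().endswith(".dll")]

    findings["hidden_dlls"] = [zi.filename for zi in dlls if is_hidden(zi)]

    # A signed EXE next to a DLL in the same folder is the sideloading
    # layout: the loader searches the EXE's own directory first.
    for exe in exes:
        exe_dir = posixpath.dirname(exe.filename)
        for dll in dlls:
            if posixpath.dirname(dll.filename) == exe_dir:
                findings["sideload_pairs"].append((exe.filename, dll.filename))

    if findings["hidden_dlls"]:
        findings["verdict"] = "block"
    elif findings["sideload_pairs"]:
        findings["verdict"] = "review"
    return findings


def build_sample_archive(hidden: bool = True) -> bytes:
    """Constructed lure ZIP (not a real sample): decoy document, an EXE, a DLL.

    File names are placeholders chosen for this example, not names from
    the report.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Hydropower Proposal/Proposal.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Hydropower Proposal/SolidPDFCreator.exe", b"MZ signed host")
        if hidden:
            dll = zipfile.ZipInfo("Hydropower Proposal/SolidPDF.dll")
            dll.external_attr = FILE_ATTRIBUTE_HIDDEN  # DOS hidden bit set
            zf.writestr(dll, b"MZ payload")
        else:
            zf.writestr("Hydropower Proposal/SolidPDF.dll", b"MZ payload")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign ZIP with only a document inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/Proposal.pdf", b"%PDF-1.4 benign")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_archive(build_sample_archive()))
```

The verdict logic is deliberately two-tiered: a hidden DLL is enough to block on its own, while a plain EXE+DLL pair is only escalated for review, since legitimate software bundles also ship that way. Archives built on Unix leave the DOS attribute byte at zero, so the hidden check never fires on them; that is expected, because the attribute only matters once the file lands on a Windows host.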
## Targeting
* **Sectors:** Government (senior administrative staff), Hydropower, Energy, and Banking.
* **Geography:** Primarily India; secondary mentions of South Korea and Taiwan-related interests.
* **Victims:** Indian government central networks, hydropower sector entities.
## Tools & Infrastructure
* **Malware Families:**
* **SHARDLOADER:** A loader for deploying secondary implants via sideloading.
* **MINIRECON:** A reworked variant of the Toneshell backdoor using WebSockets.
* **ZOHOMURK:** A novel implant that uses hardcoded Zoho OAuth credentials for C2 operations.
* **LOTUSLITE:** A backdoor previously used in banking sector attacks.
* **Infrastructure:**
* **Domains:** couldinstallup[.]com
* **Persistence Mechanisms:** Scheduled task named `SolidPDFPcl2Bmp`.
* **C2 Channel:** Abuse of Zoho WorkDrive API.
## Implications
The campaigns demonstrate a focused effort by China-aligned actors to monitor India's critical infrastructure and its evolving diplomatic and defense relationships, specifically with Taiwan. The move to a legitimate, regionally popular cloud service (Zoho) as the C2 channel is a deliberate step toward evading traditional network traffic analysis: beacons and exfiltration now look like authorized administrative use of a SaaS product rather than connections to attacker-owned infrastructure.
## Mitigations
* **Endpoint Monitoring:** Monitor for signed binaries (like Citrix or PDF tools) spawning unexpected child processes or making network connections.
* **Cloud API Auditing:** Flag non-browser processes (system utilities, unexpected executables, or the sideloading hosts above) reaching Zoho WorkDrive or other cloud storage APIs. Because ZOHOMURK authenticates with hardcoded OAuth credentials rather than an interactive login, OAuth token traffic from a process that is not a browser or a sanctioned sync client is itself a signal.
* **Threat Hunting:** Scan for the "RunOnece" registry key string and the `SolidPDFPcl2Bmp` scheduled task.
* **Email Security:** Implement advanced attachment filtering to inspect ZIP files for hidden DLLs.
* **Network Layer:** Block or alert on traffic to known malicious infrastructure such as `couldinstallup[.]com`.
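The five mitigations above are really one hunt over endpoint and network telemetry. As an added example that is not part of the report, here is that hunt in Python, run over a handful of constructed events in the shape a typical EDR export takes (process creation, network connection, scheduled task creation, registry write). The process image names used to recognise the sideloading hosts (`solidpdfcreator.exe`, `receiver.exe`) and the Zoho host pattern are assumptions made for the example; the report names the products and the service, not file names or API hosts. The domain `couldinstallup.com`, the task name `SolidPDFPcl2Bmp` and the `RunOnece` string are taken from the report as written.

```python
import re

# Rule inputs. The two regexes are assumptions for this example: the report
# names Solid PDF Creator and Citrix Receiver, not their image file names,
# and names Zoho WorkDrive, not a specific API host.
SIDELOAD_HOST_RE = re.compile(r"(solid.*pdf|citrix|receiver)", re.I)
CLOUD_API_RE = re.compile(r"(^|\.)zoho(apis)?\.com$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe"}
KNOWN_BAD_DOMAINS = {"couldinstallup.com"}   # report IOC, defanged there
KNOWN_BAD_TASKS = {"solidpdfpcl2bmp"}        # scheduled task from the report
RUN_KEY_TYPO = "runonece"                    # misspelled RunOnce key string


def match_event(ev: dict) -> list:
    """Return the names of every hunting rule that fires on one event."""
    hits = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    if kind == "network":
        host = ev.get("dest_host", "").lower()
        if host in KNOWN_BAD_DOMAINS:
            hits.append("ioc_domain")
        # Cloud storage API reached by something other than a browser.
        if CLOUD_API_RE.search(host) and image not in BROWSERS:
            hits.append("cloud_api_nonbrowser")
        # A signed sideloading host making its own network connections.
        if SIDELOAD_HOST_RE.search(image):
            hits.append("sideload_host_network")
    elif kind == "process":
        parent = ev.get("parent_image", "").lower()
        # The sideloading host spawning a shell or script interpreter.
        if SIDELOAD_HOST_RE.search(parent) and image in SUSPICIOUS_CHILDREN:
            hits.append("sideload_host_child")
    elif kind == "scheduled_task":
        if ev.get("task_name", "").lower() in KNOWN_BAD_TASKS:
            hits.append("known_task_name")
    elif kind == "registry":
        if RUN_KEY_TYPO in ev.get("key", "").lower():
            hits.append("runonece_key")
    return hits


def hunt(events) -> list:
    """Run every rule over every event; returns (event_id, rule) pairs."""
    return [(ev["id"], rule) for ev in events for rule in match_event(ev)]


# Constructed sample telemetry for this example; not real victim data.
SAMPLE_EVENTS = [
    {"id": 1, "type": "network", "image": "solidpdfcreator.exe",
     "dest_host": "couldinstallup.com"},
    {"id": 2, "type": "network", "image": "chrome.exe",
     "dest_host": "workdrive.zoho.com"},
    {"id": 3, "type": "network", "image": "receiver.exe",
     "dest_host": "workdrive.zoho.com"},
    {"id": 4, "type": "process", "parent_image": "receiver.exe",
     "image": "cmd.exe"},
    {"id": 5, "type": "scheduled_task", "image": "schtasks.exe",
     "task_name": "SolidPDFPcl2Bmp"},
    {"id": 6, "type": "registry", "image": "receiver.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnece"},
    {"id": 7, "type": "process", "parent_image": "explorer.exe",
     "image": "cmd.exe"},
    {"id": 8, "type": "network", "image": "msedge.exe",
     "dest_host": "accounts.zoho.com"},
]


if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 2 and 8 show why the browser allow-list matters: a user opening WorkDrive in Chrome or Edge looks identical on the wire to ZOHOMURK, and only the originating process tells them apart. Event 3 fires twice, once because a non-browser reached the cloud API and once because that process is a sideloading host, which is the combination worth paging on; either signal alone is noisy in an environment where Zoho is sanctioned.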