India's government and energy sectors targeted with ZOHOMURK and MINIRECON
Mustang Panda orchestrated two concurrent espionage campaigns targeting Indian government entities and hydropower infrastructure between May and June 2026. The campaigns leveraged DLL sideloading via legitimate executables to deploy newly identified malware including SHARDLOADER, MINIRECON, and ZOHOMURK. MINIRECON represents an evolution of Toneshell with WebSocket-based command-and-control capabilities, while ZOHOMURK abuses Zoho WorkDrive cloud services for C2 communications and data exfiltration. Distribution occurred through spear-phishing with lures themed around India-Taiwan cooperation agreements and hydropower projects. The activity demonstrates code overlaps with previous tooling, infrastructure proximity to known operations, and targeting patterns aligned with Chinese strategic intelligence collection priorities. Multiple compromised government systems were identified, with coordination conducted through CERT-In for victim notification and remediation.
AI Analysis
Technical Summary
Mustang Panda orchestrated two concurrent espionage campaigns targeting Indian government and energy sectors in mid-2026. The campaigns leveraged DLL sideloading through legitimate executables to deploy newly identified malware including SHARDLOADER, MINIRECON (an evolution of Toneshell with WebSocket C2), and ZOHOMURK (which abuses Zoho WorkDrive cloud services for command-and-control and data exfiltration). Spear-phishing emails themed around India-Taiwan cooperation agreements and hydropower projects were used for initial access. The activity shows code overlaps with previous Mustang Panda tooling and infrastructure, aligning with Chinese strategic intelligence priorities. Multiple compromised government systems were identified, and CERT-In coordinated victim notification and remediation efforts.
Potential Impact
The campaigns resulted in the compromise of multiple Indian government systems and hydropower infrastructure, enabling espionage through data exfiltration and persistent command-and-control channels. The use of cloud services for C2 and advanced DLL sideloading techniques increases stealth and complicates detection. The targeting aligns with strategic intelligence collection priorities, potentially exposing sensitive government and critical infrastructure information.
Mitigation Recommendations
No official patch or fix is available as this is an espionage campaign using malware rather than a software vulnerability. Remediation efforts are coordinated through CERT-In for affected Indian government entities. Organizations should focus on detecting and blocking spear-phishing attempts, monitoring for DLL sideloading behaviors, and identifying suspicious use of Zoho WorkDrive and WebSocket communications. Review and apply guidance from CERT-In and relevant security advisories for incident response and recovery.
Affected Countries
British Indian Ocean Territory, India
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.acronis.com/en/tru/posts/mustang-panda-targets-indias-government-and-energy-sectors/
- Adversary: MUSTANG PANDA
- Pulse Id: 6a42d4a95543681c96ad0e57
- Threat Score: null
Threat ID: 6a43cd7127e9c79719e71897
Added to database: 06/30/2026, 14:06:41 UTC
Last enriched: 06/30/2026, 14:22:17 UTC
Last updated: 07/01/2026, 00:45:17 UTC