
India's government and energy sectors targeted with ZOHOMURK and MINIRECON

Medium
Published: 06/29/2026 (06/29/2026, 20:25:13 UTC)
Source: AlienVault OTX General

Description

Mustang Panda orchestrated two concurrent espionage campaigns targeting Indian government entities and hydropower infrastructure between May and June 2026. The campaigns leveraged DLL sideloading via legitimate executables to deploy newly identified malware including SHARDLOADER, MINIRECON, and ZOHOMURK. MINIRECON represents an evolution of Toneshell with WebSocket-based command-and-control capabilities, while ZOHOMURK abuses Zoho WorkDrive cloud services for C2 communications and data exfiltration. Distribution occurred through spear-phishing with lures themed around India-Taiwan cooperation agreements and hydropower projects. The activity demonstrates code overlaps with previous tooling, infrastructure proximity to known operations, and targeting patterns aligned with Chinese strategic intelligence collection priorities. Multiple compromised government systems were identified, with coordination conducted through CERT-In for victim notification and remediation.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/30/2026, 14:22:17 UTC

Technical Analysis

Mustang Panda orchestrated two concurrent espionage campaigns targeting Indian government and energy sectors in mid-2026. The campaigns leveraged DLL sideloading through legitimate executables to deploy newly identified malware including SHARDLOADER, MINIRECON (an evolution of Toneshell with WebSocket C2), and ZOHOMURK (which abuses Zoho WorkDrive cloud services for command-and-control and data exfiltration). Spear-phishing emails themed around India-Taiwan cooperation agreements and hydropower projects were used for initial access. The activity shows code overlaps with previous Mustang Panda tooling and infrastructure, aligning with Chinese strategic intelligence priorities. Multiple compromised government systems were identified, and CERT-In coordinated victim notification and remediation efforts.

Potential Impact

The campaigns resulted in the compromise of multiple Indian government systems and hydropower infrastructure, enabling espionage through data exfiltration and persistent command-and-control channels. The use of cloud services for C2 and advanced DLL sideloading techniques increases stealth and complicates detection. The targeting aligns with strategic intelligence collection priorities, potentially exposing sensitive government and critical infrastructure information.

Mitigation Recommendations

No official patch or fix applies, because this is an espionage campaign delivered by malware rather than the exploitation of a software vulnerability. Remediation for affected Indian government entities is coordinated through CERT-In. Organizations should focus on detecting and blocking spear-phishing attempts, monitoring for DLL sideloading behaviors (legitimate signed executables loading DLLs from unexpected paths), and identifying suspicious use of Zoho WorkDrive and WebSocket communications. Since Zoho WorkDrive is a legitimate cloud service, its API domain in the indicators below is best treated as hunting context rather than as a block-on-sight indicator. Review and apply guidance from CERT-In and relevant security advisories for incident response and recovery.


Technical Details

Author
AlienVault
Tlp
white
References
https://www.acronis.com/en/tru/posts/mustang-panda-targets-indias-government-and-energy-sectors/
Adversary
MUSTANG PANDA
Pulse Id
6a42d4a95543681c96ad0e57
Threat Score
null

Indicators of Compromise

Domain

Value
couldinstallup.com
www.zohoapis.com

Url

Value
http://www.zohoapis.com/workdrive/api/v1/files

Threat ID: 6a43cd7127e9c79719e71897

Added to database: 06/30/2026, 14:06:41 UTC

Last enriched: 06/30/2026, 14:22:17 UTC

Last updated: 07/01/2026, 00:45:17 UTC

