The China-aligned espionage group Mustang Panda is running two campaigns targeting the Indian government and hydropower sectors, deploying new malware that leverages legitimate cloud services for command and control. Acronis Threat Research Unit identified active compromises within Indian government networks, including machines used by senior administrative staff.
These attacks represent an ongoing threat to critical infrastructure and government operations. The use of Zoho WorkDrive as a command channel allows the group to blend malicious traffic with legitimate cloud activity, making detection more difficult for network defenders. The ongoing compromises show the group remains persistent and operationally active.
Technical analysis reveals that the malware communicates with attacker-controlled directories on Zoho WorkDrive, using the service's API to receive commands and exfiltrate data. This approach bypasses traditional network security controls that often allow traffic to trusted cloud providers. Indicators of compromise include unusual API calls to WorkDrive from internal hosts and anomalous file upload patterns.
Organizations using Zoho WorkDrive should monitor for unexpected API activity and review file access logs for signs of compromise. Network segmentation and endpoint detection controls should be reinforced. No official patch is applicable as this is an abuse of a legitimate service, but enhanced monitoring and access restrictions can mitigate risk.
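As an added illustration of the indicators and monitoring described in the two paragraphs above (this is not code from the Acronis report), the following Python sketch scans constructed proxy log lines for the two signals the text names: WorkDrive API calls from hosts not approved to use the service, and high cumulative upload volume per host. The log format, the hostnames and the API host `workdrive.zoho.com` are assumptions; adapt them to your proxy's schema.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original report). Assumed format:
# "<timestamp> <src_host> <method> <url> <bytes_out>"
SAMPLE_LOG = """\
2024-05-02T09:00:01 ws-hr-12 GET https://workdrive.zoho.com/api/v1/files/abc 220
2024-05-02T09:00:03 ws-hr-12 POST https://workdrive.zoho.com/api/v1/upload 1800000
2024-05-02T09:05:03 ws-hr-12 POST https://workdrive.zoho.com/api/v1/upload 2100000
2024-05-02T09:10:03 ws-hr-12 POST https://workdrive.zoho.com/api/v1/upload 1950000
2024-05-02T09:02:10 ws-fin-07 GET https://workdrive.zoho.com/api/v1/files/def 310
2024-05-02T09:03:00 srv-app-01 GET https://www.example.org/index.html 500
"""

WORKDRIVE_HOST = "workdrive.zoho.com"  # assumed API host; use what your own logs show
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src_host, method, url, bytes_out); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, method, url, size = m.groups()
            yield ts, host, method, url, int(size)


def flag_workdrive_activity(text, approved_hosts, upload_threshold=1_000_000):
    """Return findings: WorkDrive API use from hosts outside the approved set, and
    hosts whose cumulative upload volume to WorkDrive exceeds upload_threshold bytes."""
    findings = []
    uploads = defaultdict(int)
    seen_unapproved = set()
    for ts, host, method, url, size in parse_log(text):
        # Exact host match on the parsed URL, so look-alike domains are not matched.
        if urlparse(url).netloc != WORKDRIVE_HOST:
            continue
        if host not in approved_hosts and host not in seen_unapproved:
            seen_unapproved.add(host)
            findings.append({"host": host, "reason": "workdrive_from_unapproved_host", "first_seen": ts})
        if method in ("POST", "PUT"):
            uploads[host] += size
    for host, total in uploads.items():
        if total > upload_threshold:
            findings.append({"host": host, "reason": "upload_volume", "bytes": total})
    return findings
```

Both checks are starting points: the approved-host set should come from the accounts actually licensed for WorkDrive, and the upload threshold from a baseline of normal daily volume per host.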
Mustang Panda, also tracked as TA416 and Bronze President, has historically targeted government and diplomatic entities across Southeast Asia and Europe. This campaign underscores the group's continued focus on Indian interests and its adaptability in adopting cloud services for espionage.