Ethical Hacking News
Mustang Panda, a China-aligned espionage group, has been found using Zoho WorkDrive as a command channel in Indian government attacks. The attackers are deploying new malware and exfiltrating sensitive information from Indian networks, highlighting the evolving nature of cyber espionage campaigns.
Mustang Panda has deployed new malware in Indian government networks, using Zoho WorkDrive as a command channel. The group is after sensitive information related to India's hydropower plans and its defense ties with Taiwan. Experts warn of geopolitical lures and DLL sideloading from signed binaries, and advise flagging any endpoint process that calls cloud APIs without a reason to do so. The discovery highlights the evolving nature of cyber espionage campaigns and the need for robust security measures.
In a disturbing turn of events, threat intelligence experts have uncovered evidence of a sophisticated cyber espionage campaign orchestrated by the China-aligned group known as Mustang Panda. The group has been spotted deploying new malware and leveraging legitimate cloud services to exfiltrate sensitive information from Indian government networks.
According to a report published by the Acronis Threat Research Unit, Mustang Panda's operations use Zoho WorkDrive, a cloud storage platform popular in India's government sector, as a command channel. Because commands and stolen data travel over a service the victims already use, the traffic is nearly impossible to distinguish from legitimate use of the platform.
The malware used by Mustang Panda is highly sophisticated, utilizing techniques such as DLL sideloading and WebSocket connections to establish communication with its command and control servers. The group has also been known to reuse infrastructure and code snippets from previous campaigns, indicating a level of operational security that makes it difficult for analysts to track their activities.
One of the most concerning aspects of this campaign is the targeting of Indian government networks, including machines used by senior administrative staff. This suggests that Mustang Panda's ultimate goal is to obtain sensitive information related to India's hydropower plans and defense ties with Taiwan.
Experts warn that government and energy organizations in India should be vigilant for geopolitical lures and sideloading from signed binaries. They also advise flagging any endpoint process calling cloud APIs that has no reason to do so, as this could indicate the presence of malicious activity.
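A concrete form of that advice, as an added example that is not from the report or from Acronis: a small Python triage over constructed endpoint telemetry that flags processes reaching cloud-storage API hosts outside an allowlist, and signed binaries that load a DLL from their own non-system directory. The Zoho hostnames, the client allowlist, the trusted directories and the sample paths are all assumptions to be tuned per estate.

```python
"""Triage constructed endpoint telemetry for the two behaviours the report names:
an unexpected cloud-API caller, and a signed EXE loading a DLL from its own directory."""
import ntpath

# Assumption: cloud-storage API hosts to watch (Zoho WorkDrive per the report).
CLOUD_API_SUFFIXES = ("workdrive.zoho.com", "zohoapis.com")
# Assumption: the only processes expected to reach those hosts on this estate.
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "workdrive.exe"}
# Assumption: directories from which a signed binary normally resolves its DLLs.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

def is_cloud_api(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_API_SUFFIXES)

def flag_cloud_call(ev):
    """ev: {'process': exe path, 'dest': hostname}. Returns a finding or None."""
    exe = ntpath.basename(ev["process"]).lower()
    if is_cloud_api(ev["dest"]) and exe not in EXPECTED_CLOUD_CLIENTS:
        return f"{exe} -> {ev['dest']}: process with no reason to call a cloud API"
    return None

def flag_sideload(ev):
    """ev: {'process': exe path, 'signed': bool, 'dll': loaded DLL path}."""
    dll_dir = ntpath.dirname(ev["dll"]).lower()
    exe_dir = ntpath.dirname(ev["process"]).lower()
    if not ev["signed"] or dll_dir.startswith(TRUSTED_DLL_DIRS):
        return None
    if dll_dir == exe_dir:  # DLL sits beside the signed EXE, outside trusted dirs
        return f"{ntpath.basename(ev['process'])} sideloaded {ev['dll']}"
    return None

def triage(events):
    checks = {"net": flag_cloud_call, "load": flag_sideload}
    return [f for f in (checks[ev["type"]](ev) for ev in events) if f]

# Constructed sample telemetry; paths and names are placeholders, not real IoCs.
TOOL = r"C:\Users\staff\AppData\Local\Temp\update\signed_vendor_tool.exe"
SAMPLE = [
    {"type": "net", "process": r"C:\Program Files\Google\Chrome\chrome.exe", "dest": "workdrive.zoho.com"},
    {"type": "net", "process": TOOL, "dest": "workdrive.zoho.com"},
    {"type": "load", "process": TOOL, "signed": True, "dll": ntpath.join(ntpath.dirname(TOOL), "helper.dll")},
    {"type": "load", "process": r"C:\Windows\System32\svchost.exe", "signed": True, "dll": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Running it prints two findings: the unsigned-purpose tool calling WorkDrive and the same tool loading a DLL from its own temp directory, while Chrome's WorkDrive traffic and svchost's System32 load are left alone.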
The discovery of Mustang Panda's command channel exploitation highlights the evolving nature of cyber espionage campaigns. As threat actors become increasingly sophisticated, it is essential for organizations to stay ahead of the curve and implement robust security measures to protect their networks and sensitive information.
In light of this report, we will continue to monitor the situation and provide updates as more information becomes available.
Related Information:
https://www.ethicalhackingnews.com/articles/Unveiling-the-Dark-Art-of-Cyber-Espionage-Mustang-Pandas-Command-Channel-Exploitation-ehn.shtml
https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html
Published: Wed Jul 1 13:36:31 2026 by llama3.2 3B Q4_K_M