Mustang Panda, a China-aligned espionage group, launched targeted attacks against Indian government agencies and hydropower infrastructure using novel malware and cloud-based command channels. Acronis Threat Research Unit identified active compromises within Indian government networks, including systems belonging to senior administrative staff.
The group exploited Zoho WorkDrive, a legitimate cloud collaboration platform, as a command and control channel. This technique allows attackers to hide malicious traffic within normal cloud service communications, making detection significantly harder for network defenders. By leveraging trusted services, Mustang Panda evaded traditional security monitoring tools focused on suspicious external connections.
The campaign demonstrates escalating sophistication in targeting critical Indian infrastructure. Hydropower facilities represent strategic assets controlling water resources and electricity generation across regions. Compromise of administrative systems suggests the group sought access to policy documents, communications, and operational intelligence related to India's energy sector and governance.
Mustang Panda's use of newly developed malware indicates the group prepared specifically for these operations rather than recycling old tools. Custom malware deployment reduces the risk of detection through signature-based antivirus systems and suggests resources dedicated to long-term intelligence collection.
The attacks underscore a persistent threat pattern. State-aligned groups routinely compromise government networks to gather strategic intelligence, map critical infrastructure vulnerabilities, and maintain persistent access for future operations. India faces particular targeting pressure given its strategic position in Asian geopolitics and energy security importance.
Organizations defending against similar campaigns should monitor cloud service usage patterns, particularly anomalous file access or sharing activities from administrative accounts. Implementing conditional access policies restricting authentication from unusual locations and enforcing multi-factor authentication on sensitive accounts reduces compromise risk. Network segmentation isolates critical systems from general administrative infrastructure.
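One way to turn the first recommendation above (watching cloud service usage from administrative accounts) into a concrete check, as an added example that is not part of the Acronis report or any Mustang Panda tooling. It parses constructed proxy log lines and flags sessions to a watched cloud-collaboration domain that look automated rather than human: an account with no baseline use of the service, and requests arriving at a near-constant interval with small payloads. The domain name, user names, hosts and timestamps are all constructed placeholders, and the `WATCHED_DOMAINS` and `EXPECTED_USERS` sets are assumptions a defender would populate from their own environment.

```python
"""
Added example: flag hosts whose traffic to a trusted cloud-collaboration
domain looks like beaconing rather than human use. Two signals are drawn
from the constructed proxy log below:
  1. a user/host pair with no baseline history of using the service, and
  2. requests at a near-constant interval (low jitter) with small payloads.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the defender configures the cloud domains to watch and the
# accounts expected to use them. The domain below is a constructed placeholder.
WATCHED_DOMAINS = {"workdrive.cloud-collab.example"}
EXPECTED_USERS = {"alice"}

# Constructed proxy log: timestamp, user, source host, destination host, bytes sent.
# "alice" uploads a few files of varying size (human use); "secretary" sends a
# tiny request every five minutes (automated use).
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice ws-01 workdrive.cloud-collab.example 524288
2024-05-01T09:07:13 alice ws-01 workdrive.cloud-collab.example 31200
2024-05-01T10:42:55 alice ws-01 workdrive.cloud-collab.example 1048576
2024-05-01T09:00:00 secretary ws-07 workdrive.cloud-collab.example 1312
2024-05-01T09:05:01 secretary ws-07 workdrive.cloud-collab.example 1298
2024-05-01T09:10:00 secretary ws-07 workdrive.cloud-collab.example 1305
2024-05-01T09:15:02 secretary ws-07 workdrive.cloud-collab.example 1310
2024-05-01T09:20:00 secretary ws-07 workdrive.cloud-collab.example 1301
2024-05-01T09:03:00 bob ws-03 intranet.example 8800
"""


def parse_log(text):
    """Parse whitespace-separated proxy lines into (ts, user, host, dest, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, host, dest, int(nbytes)))
    return events


def find_suspicious(events, min_requests=4, max_jitter_ratio=0.05, max_bytes=4096):
    """Return {(user, host): [reasons]} for sessions to watched domains that look
    automated: an unexpected user, and/or regular small requests."""
    sessions = defaultdict(list)
    for ts, user, host, dest, nbytes in events:
        if dest in WATCHED_DOMAINS:
            sessions[(user, host)].append((ts, nbytes))

    findings = {}
    for (user, host), reqs in sessions.items():
        reasons = []
        if user not in EXPECTED_USERS:
            reasons.append("no baseline use of cloud service")
        reqs.sort()
        if len(reqs) >= min_requests:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
            avg = mean(gaps)
            regular = avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio
            small = max(n for _, n in reqs) <= max_bytes
            if regular and small:
                reasons.append(f"beacon-like: {len(reqs)} small requests every ~{avg:.0f}s")
        if reasons:
            findings[(user, host)] = reasons
    return findings


if __name__ == "__main__":
    for (user, host), reasons in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(f"{user}@{host}: " + "; ".join(reasons))
```

The thresholds (four or more requests, jitter under 5% of the mean interval, payloads under 4 KiB) are starting points, not tuned values; real collaboration traffic is bursty and varies in size, so the baseline check on who is expected to use the service usually carries more weight than the timing check on its own.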
Indicators of compromise from Acronis analysis enable defenders to hunt for Mustang Panda artifacts within their environments. Tracking malware
