The China-aligned advanced persistent threat (APT) group Mustang Panda has launched a new cyber espionage campaign targeting Indian government organizations and the country’s hydropower sector.

The latest operation demonstrates the group’s continued evolution, introducing a novel command-and-control (C2) technique that leverages Zoho WorkDrive, a legitimate cloud storage platform, to evade detection and maintain persistent access. The campaign appears to be focused on intelligence gathering, particularly around India’s strategic hydropower initiatives and its growing defense cooperation with Taiwan.
Attack Highlights
The attackers begin the intrusion by distributing malicious ZIP archives crafted to appear legitimate. These archives contain hidden malicious DLL files that are executed through DLL sideloading techniques, allowing the malware to run under the guise of trusted applications.
Once executed, the malware establishes communication with attacker-controlled infrastructure hosted through Zoho WorkDrive. By abusing a legitimate cloud service for C2 communications, the threat actors reduce the likelihood of their network traffic being flagged by traditional security controls.
The campaign has reportedly targeted systems used by senior government officials and organizations involved in India’s critical infrastructure, indicating a highly selective and intelligence-driven operation.
Why Zoho WorkDrive?
Threat actors are increasingly abusing trusted cloud services to blend malicious activity with normal enterprise traffic. Since Zoho WorkDrive is commonly used for business collaboration and file sharing, security teams may overlook outbound communications associated with the platform.
Using cloud services as C2 infrastructure offers several advantages to attackers:
- Encrypted communication that blends into legitimate traffic.
- Reduced reliance on dedicated attacker-controlled servers.
- Greater resilience against infrastructure takedowns.
- Increased difficulty for defenders attempting to distinguish malicious from legitimate cloud activity.
This trend reflects the broader shift toward “living off trusted services,” where attackers exploit widely used enterprise platforms instead of building their own infrastructure.
Strategic Objectives
The campaign appears to be driven by geopolitical intelligence collection rather than financial gain. Researchers believe the attackers are interested in:
- India’s hydropower development projects.
- Government policy and planning related to critical infrastructure.
- Strategic defense cooperation between India and Taiwan.
- Sensitive information held by senior government officials.
These objectives align with Mustang Panda’s long-standing history of cyber espionage targeting governments, diplomatic entities, and organizations involved in regional security matters.
Detection Opportunities
Organizations should remain alert for indicators commonly associated with this campaign, including:
- ZIP archives received through phishing or spear-phishing emails containing hidden DLL files.
- Execution of signed binaries loading unexpected DLLs from local directories.
- Endpoint processes communicating unexpectedly with Zoho WorkDrive APIs or cloud endpoints.
- Suspicious outbound connections originating from trusted applications.
- Unusual DLL sideloading behavior involving legitimate executables.
Monitoring process ancestry, command-line arguments, and cloud API interactions can significantly improve visibility into these attacks.
Mitigation Recommendations
To reduce the risk posed by campaigns like this, organizations should:
- Monitor for phishing emails using geopolitical or government-themed lures.
- Detect and investigate DLL sideloading involving signed executables.
- Inspect endpoint processes interacting with cloud storage APIs, particularly when access patterns deviate from normal behavior.
- Implement application allowlisting where feasible.
- Strengthen endpoint detection and response (EDR) capabilities to identify anomalous process behavior.
- Conduct regular threat hunting focused on cloud service abuse and living-off-the-land techniques.
- Ensure systems and third-party applications remain fully patched and updated.
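As an added illustration of the Detection Opportunities and the hunting recommendations above (example code, not from the original report or from NPAV), the hunt below runs over constructed Sysmon-style ImageLoad and NetworkConnect records and flags the two behaviours described: a signed executable loading an unsigned DLL from its own, non-standard directory, and a process other than an expected cloud client reaching a Zoho WorkDrive endpoint. Field names, the trusted directories, the host list and the process allowlist are assumptions to be adapted to local telemetry.

```python
import ntpath
from collections import defaultdict

# Directories from which a signed executable is expected to load DLLs (assumption).
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# WorkDrive hostnames to watch (illustrative; adjust to the tenant's region/domains).
WORKDRIVE_HOSTS = ("workdrive.zoho.com", "workdrive.zohoapi.com")
# Processes for which WorkDrive traffic is normal (assumed allowlist: browsers only;
# add the organisation's sanctioned WorkDrive sync client here).
EXPECTED_CLOUD_CLIENTS = ("chrome.exe", "firefox.exe", "msedge.exe")

def is_sideload(ev):
    """ImageLoad: a signed executable loads an unsigned DLL that sits in the
    executable's own directory, outside the trusted locations."""
    if ev["event"] != "ImageLoad" or not ev["image_signed"] or ev["dll_signed"]:
        return False
    dll, image = ev["dll"].lower(), ev["image"].lower()
    if dll.startswith(TRUSTED_DLL_DIRS):
        return False
    return ntpath.dirname(dll) == ntpath.dirname(image)

def is_unexpected_cloud_conn(ev):
    """NetworkConnect: a WorkDrive endpoint contacted by a process that is not
    one of the expected cloud clients."""
    if ev["event"] != "NetworkConnect" or ev["dest_host"].lower() not in WORKDRIVE_HOSTS:
        return False
    return ntpath.basename(ev["image"].lower()) not in EXPECTED_CLOUD_CLIENTS

def hunt(events):
    """Return {pid: set of finding labels} across the event stream."""
    findings = defaultdict(set)
    for ev in events:
        if is_sideload(ev):
            findings[ev["pid"]].add("dll_sideload")
        if is_unexpected_cloud_conn(ev):
            findings[ev["pid"]].add("workdrive_conn")
    return dict(findings)

def high_confidence(events):
    """PIDs showing the full chain (sideload followed by cloud C2 traffic)."""
    return sorted(pid for pid, f in hunt(events).items()
                  if {"dll_sideload", "workdrive_conn"} <= f)

# Constructed sample telemetry (not real campaign data).
EVENTS = [
    {"event": "ImageLoad", "pid": 4321, "image": "C:\\Users\\alice\\Downloads\\Report\\viewer.exe",
     "dll": "C:\\Users\\alice\\Downloads\\Report\\helper.dll", "image_signed": True, "dll_signed": False},
    {"event": "ImageLoad", "pid": 4321, "image": "C:\\Users\\alice\\Downloads\\Report\\viewer.exe",
     "dll": "C:\\Windows\\System32\\kernel32.dll", "image_signed": True, "dll_signed": True},
    {"event": "NetworkConnect", "pid": 4321, "image": "C:\\Users\\alice\\Downloads\\Report\\viewer.exe",
     "dest_host": "workdrive.zoho.com", "dest_port": 443},
    {"event": "NetworkConnect", "pid": 880, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest_host": "workdrive.zoho.com", "dest_port": 443},
]

if __name__ == "__main__":
    print(hunt(EVENTS), high_confidence(EVENTS))
```

Only the process that both sideloaded a DLL and talked to WorkDrive is reported as high confidence; the browser's WorkDrive traffic produces no finding.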
Related IOCs:
Conclusion
Mustang Panda continues to refine its operational tradecraft by combining trusted cloud services with stealthy malware delivery techniques. The abuse of Zoho WorkDrive as a command-and-control channel illustrates how modern espionage groups are increasingly leveraging legitimate enterprise platforms to conceal malicious activity.
As cyber espionage campaigns become more sophisticated, organizations—particularly those operating within government and critical infrastructure sectors—must enhance visibility into cloud service usage, strengthen behavioral detection capabilities, and proactively hunt for signs of DLL sideloading and cloud-based command-and-control activity.
Staying ahead of these evolving tactics requires a layered security approach that combines endpoint monitoring, threat intelligence, and continuous detection engineering to identify malicious behavior before sensitive information is compromised.
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.