Overview
The China-aligned advanced persistent threat (APT) group Mustang Panda has launched a new cyber espionage campaign targeting Indian government organizations and the country’s hydropower sector. The latest operation demonstrates the group’s continued evolution, introducing a novel command-and-control (C2) technique that leverages Zoho WorkDrive, a legitimate cloud storage platform, to evade detection and maintain persistent access.
The campaign appears to be focused on intelligence gathering, particularly around India’s strategic hydropower initiatives and its growing defense cooperation with Taiwan.

Attack Highlights
The attackers begin the intrusion by distributing malicious ZIP archives crafted to appear legitimate. Alongside the lure content, each archive carries a legitimate, signed executable and a malicious DLL, typically marked hidden so that a casual look at the extracted folder does not reveal it. When the victim runs the executable, it picks up the attacker's DLL from its own directory in place of the library it expects (DLL sideloading), so the malicious code runs inside a trusted, signed process.
Once running, the malware establishes its command-and-control channel over Zoho WorkDrive, exchanging tasking and results through attacker-controlled storage on the service. Because that traffic is encrypted and goes to a well-known cloud domain rather than to a bespoke attacker server, it is far less likely to be flagged by reputation-based or signature-based network controls.
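A quick triage of the delivery artefact is often the cheapest place to catch this. The script below is an added example, not code from the original post or from any sample of the campaign: it builds a constructed archive in memory (the names Project_Brief, Viewer.exe and helper.dll are invented) and then inspects it the way a mail-gateway or SOC triage step would, flagging entries that carry the MS-DOS hidden attribute, PE files whose header type disagrees with their extension, and a folder that holds an executable and a DLL side by side. The header check goes slightly beyond the text, since it identifies a DLL from the PE Characteristics flag regardless of extension.

```python
"""Triage a ZIP attachment for the sideloading layout described above.
Added example with a constructed archive; the PE bytes are header-only
stubs, not loadable binaries."""
import io
import struct
import zipfile

FILE_ATTRIBUTE_HIDDEN = 0x02    # MS-DOS attribute bits sit in the low byte of external_attr
FILE_ATTRIBUTE_ARCHIVE = 0x20
IMAGE_FILE_DLL = 0x2000         # COFF Characteristics flag for a DLL image


def fake_pe(is_dll: bool) -> bytes:
    """MZ stub + e_lfanew -> 'PE\\0\\0' + 20-byte COFF header; enough for header checks."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)             # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, chars)
    return bytes(hdr) + b"PE\0\0" + coff


def pe_is_dll(data: bytes):
    """True for a DLL, False for an EXE, None when the bytes are not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < off + 24 or data[off:off + 4] != b"PE\0\0":
        return None
    chars = struct.unpack_from("<H", data, off + 22)[0]            # Characteristics
    return bool(chars & IMAGE_FILE_DLL)


def build_sample_archive() -> bytes:
    """Constructed lure: decoy document, signed-looking viewer, hidden DLL beside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name, data, attrs):
            zi = zipfile.ZipInfo(name)
            zi.create_system = 0            # archive made on Windows, so DOS attrs are meaningful
            zi.external_attr = attrs
            zf.writestr(zi, data)
        add("Project_Brief/Project_Brief.pdf", b"%PDF-1.4 decoy", FILE_ATTRIBUTE_ARCHIVE)
        add("Project_Brief/Viewer.exe", fake_pe(False), FILE_ATTRIBUTE_ARCHIVE)
        add("Project_Brief/helper.dll", fake_pe(True), FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_HIDDEN)
    return buf.getvalue()


def triage_zip(data: bytes):
    """Return a list of (path, reason) findings for the archive."""
    findings = []
    by_dir = {}                              # dir -> {True: [dlls], False: [exes]}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            content = zf.read(zi)
            kind = pe_is_dll(content)
            ext = zi.filename.rsplit(".", 1)[-1].lower() if "." in zi.filename else ""
            if zi.external_attr & FILE_ATTRIBUTE_HIDDEN:
                findings.append((zi.filename, "hidden attribute set"))
            if kind is True and ext != "dll":
                findings.append((zi.filename, "PE DLL with non-.dll extension"))
            if kind is False and ext != "exe":
                findings.append((zi.filename, "PE executable with non-.exe extension"))
            if kind is not None:
                folder = zi.filename.rsplit("/", 1)[0] if "/" in zi.filename else ""
                by_dir.setdefault(folder, {True: [], False: []})[kind].append(zi.filename)
    for folder, group in by_dir.items():
        if group[True] and group[False]:
            findings.append((folder or "<root>", "executable and DLL side by side: sideloading layout"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_zip(build_sample_archive()):
        print(f"{path}: {reason}")
```

The hidden bit only carries meaning when the archive's creator system is MS-DOS/Windows (ZipInfo.create_system == 0); archives built on Unix store a mode in the high bits instead, so treat the attribute check as one signal among the three rather than on its own.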
The campaign has reportedly targeted systems used by senior government officials and organizations involved in India’s critical infrastructure, indicating a highly selective and intelligence-driven operation.
Why Zoho WorkDrive?
Threat actors are increasingly abusing trusted cloud services to blend malicious activity with normal enterprise traffic. Since Zoho WorkDrive is commonly used for business collaboration and file sharing, security teams may overlook outbound communications associated with the platform.
Using cloud services as C2 infrastructure offers several advantages to attackers:
- Encrypted (TLS) traffic to a well-known domain that blends into legitimate activity.
- Reduced reliance on dedicated attacker-controlled servers.
- Greater resilience against infrastructure takedowns.
- Increased difficulty for defenders attempting to distinguish malicious from legitimate cloud activity.
This trend reflects the broader shift toward “living off trusted services,” where attackers exploit widely used enterprise platforms instead of building their own infrastructure.
Strategic Objectives
The campaign appears to be driven by geopolitical intelligence collection rather than financial gain. Researchers believe the attackers are interested in:
- India’s hydropower development projects.
- Government policy and planning related to critical infrastructure.
- Strategic defense cooperation between India and Taiwan.
- Sensitive information held by senior government officials.
These objectives align with Mustang Panda’s long-standing history of cyber espionage targeting governments, diplomatic entities, and organizations involved in regional security matters.
Detection Opportunities
Organizations should remain alert for the behaviours associated with this campaign, including:
- ZIP archives delivered by phishing or spear-phishing email that contain an executable alongside a hidden DLL.
- Signed binaries loading unsigned or unexpected DLLs from the directory they were launched from, especially user-writable paths such as Downloads, Temp or AppData.
- Endpoint processes other than browsers and the sanctioned Zoho client communicating with Zoho WorkDrive web or API endpoints.
- Outbound connections to cloud storage services from applications that have no business reason to use them.
Monitoring process ancestry, command-line arguments, image loads and cloud API interactions can significantly improve visibility into these attacks; a sideloading event followed by a cloud connection from the same process is the strongest signal to alert on.
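The detection ideas above reduce to two predicates and a join on process identity. The script below is an added example, not part of the original post: it runs those predicates over a handful of simplified endpoint telemetry records constructed inline (not real Sysmon output and not data from the campaign), flagging a signed process that loads an unsigned DLL from its own user-writable directory, flagging WorkDrive connections from processes that are not browsers, and raising the severity when both come from the same process GUID. The path prefixes, the WorkDrive hostnames and the browser allowlist are assumptions to be tuned per estate.

```python
"""Sideloading + cloud C2 detection over constructed telemetry. Added example;
the event schema is simplified and the sample records are invented."""
import ntpath

# Directories a standard user can write to. Assumed starter list.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Hostnames serving the WorkDrive web UI and API. Assumed starter list;
# confirm against proxy logs for your Zoho data-centre region.
WORKDRIVE_HOSTS = ("workdrive.zoho.com", "www.zohoapis.com")

# Processes expected to reach WorkDrive. Assumption: add the sanctioned Zoho
# desktop client if your organisation deploys one.
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

VIEWER = "C:\\Users\\ravi\\Downloads\\Project_Brief\\Viewer.exe"

# Constructed sample telemetry: "load" = image load, "net" = outbound connection.
SAMPLE_EVENTS = [
    # benign: a browser session to WorkDrive
    {"type": "net", "guid": "{B1}", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "workdrive.zoho.com", "dest_port": 443},
    # benign: the viewer loads a signed system DLL
    {"type": "load", "guid": "{A1}", "image": VIEWER, "image_signed": True,
     "loaded": "C:\\Windows\\System32\\kernel32.dll", "loaded_signed": True},
    # suspicious: the signed viewer loads an unsigned DLL from its own folder
    {"type": "load", "guid": "{A1}", "image": VIEWER, "image_signed": True,
     "loaded": "C:\\Users\\ravi\\Downloads\\Project_Brief\\helper.dll", "loaded_signed": False},
    # suspicious: that same process then talks to WorkDrive
    {"type": "net", "guid": "{A1}", "image": VIEWER, "dest_host": "workdrive.zoho.com", "dest_port": 443},
    # worth a look on its own: an unknown tool in Temp reaching the API host
    {"type": "net", "guid": "{C1}", "image": "C:\\Users\\ravi\\AppData\\Local\\Temp\\tool.exe",
     "dest_host": "www.zohoapis.com", "dest_port": 443},
]


def is_user_writable(directory: str) -> bool:
    return directory.lower().startswith(USER_WRITABLE_PREFIXES)


def is_workdrive_host(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in WORKDRIVE_HOSTS)


def sideload_candidates(events):
    """(guid, process, dll) for signed processes loading an unsigned DLL from
    their own directory when that directory is user-writable."""
    hits = []
    for e in events:
        if e["type"] != "load" or not e["image_signed"] or e["loaded_signed"]:
            continue
        proc_dir = ntpath.dirname(e["image"]).lower()
        if proc_dir == ntpath.dirname(e["loaded"]).lower() and is_user_writable(proc_dir):
            hits.append((e["guid"], e["image"], e["loaded"]))
    return hits


def workdrive_from_unexpected_process(events):
    """(guid, process, host) for WorkDrive connections from processes that are
    neither a browser nor the sanctioned client."""
    hits = []
    for e in events:
        if e["type"] != "net" or not is_workdrive_host(e["dest_host"]):
            continue
        if ntpath.basename(e["image"]).lower() in EXPECTED_CLOUD_CLIENTS:
            continue
        hits.append((e["guid"], e["image"], e["dest_host"].lower()))
    return hits


def correlate(events):
    """Severity per process GUID: 'high' when a sideload and an unexpected
    WorkDrive connection share a process, otherwise 'medium'."""
    side = {h[0] for h in sideload_candidates(events)}
    cloud = {h[0] for h in workdrive_from_unexpected_process(events)}
    return {g: ("high" if g in side and g in cloud else "medium") for g in side | cloud}


if __name__ == "__main__":
    for guid, severity in sorted(correlate(SAMPLE_EVENTS).items()):
        print(guid, severity)
```

In production the same logic maps onto Sysmon event 7 (image load, which carries the loaded image's signature status) joined to event 3 (network connection) on ProcessGuid, or onto the equivalent EDR tables; the allowlist of expected cloud clients is what keeps the WorkDrive rule from paging on every browser session.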
Mitigation Recommendations
To reduce the risk posed by campaigns like this, organizations should:
- Monitor for phishing emails using geopolitical or government-themed lures.
- Detect and investigate DLL sideloading involving signed executables.
- Inspect endpoint processes interacting with cloud storage APIs, particularly when access patterns deviate from normal behavior.
- Implement application allowlisting where feasible, and block execution from user-writable locations such as Downloads and Temp so that a side-loaded pair dropped by an archive cannot run at all.
- Strengthen endpoint detection and response (EDR) capabilities to identify anomalous process behavior.
- Conduct regular threat hunting focused on cloud service abuse and living-off-the-land techniques.
- Ensure systems and third-party applications remain fully patched and updated.
Conclusion
Mustang Panda continues to refine its operational tradecraft by combining trusted cloud services with stealthy malware delivery techniques. The abuse of Zoho WorkDrive as a command-and-control channel illustrates how modern espionage groups are increasingly leveraging legitimate enterprise platforms to conceal malicious activity.
As cyber espionage campaigns become more sophisticated, organizations—particularly those operating within government and critical infrastructure sectors—must enhance visibility into cloud service usage, strengthen behavioral detection capabilities, and proactively hunt for signs of DLL sideloading and cloud-based command-and-control activity.
Staying ahead of these evolving tactics requires a layered security approach that combines endpoint monitoring, threat intelligence, and continuous detection engineering to identify malicious behavior before sensitive information is compromised.
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.