The Hacker News · 3 min read

Mustang Panda Exploits Zoho WorkDrive for Indian Government Attacks

The China-aligned espionage group Mustang Panda is currently conducting two distinct campaigns targeting Indian government entities and hydropower infrastructure, employing novel malware and repurposing a legitimate cloud service for command and control operations. Acronis Threat Research Unit identified active compromises within Indian government networks, affecting systems utilized by senior administrative personnel. The threat actors are leveraging Zoho WorkDrive, a legitimate cloud storage and collaboration platform, to exfiltrate data and issue commands to compromised systems. This tactic allows Mustang Panda to blend in with normal network traffic, making detection more challenging for security teams.

One of the newly identified malware strains, dubbed "PupyRAT," is a remote access trojan that enables attackers to gain extensive control over infected machines. This malware facilitates data theft, keylogging, and the execution of arbitrary commands. The group's operational sophistication is further highlighted by its ability to establish persistence and maintain covert communication channels. The use of Zoho WorkDrive as command and control (C2) infrastructure is a significant development, as it represents a shift towards utilizing Software-as-a-Service (SaaS) platforms for malicious purposes, a trend observed across various advanced persistent threat (APT) groups.
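The two paragraphs above make the defender's problem concrete: when C2 and exfiltration ride on a SaaS platform that staff legitimately use, a domain blocklist is useless, and detection has to lean on behaviour instead. The script below is an added example, not code from the Acronis report or from The Hacker News, showing three behavioural checks a hunt team can run over web-proxy logs: a host touching WorkDrive that has no baseline of doing so, request timing that is too regular to be human, and an upload volume out of proportion to normal use. The log format, the hostnames and the baseline set are constructed for the example; the WorkDrive domain suffixes are an assumption to be verified against your own proxy and DNS telemetry before relying on them.

```python
"""Behavioural hunt for SaaS-cloud C2 abuse in web-proxy logs.

Added example (not from the Acronis report or The Hacker News article).
Assumptions, all labelled below: the log line format is constructed,
the domain suffixes are assumed to cover Zoho WorkDrive traffic, and
the baseline of hosts that legitimately use WorkDrive is something each
organisation derives from its own historical telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# ASSUMED domain suffixes for Zoho WorkDrive; confirm against your own data.
WORKDRIVE_SUFFIXES = ("workdrive.zoho.com", "workdrive.zohoapis.com")

# Constructed baseline: hosts whose users are known to use WorkDrive for work.
BASELINE_HOSTS = {"WS-FIN-07"}

# Constructed proxy log: "<iso-time> <host> <method> <domain> <bytes_out>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 WS-FIN-07 POST workdrive.zoho.com 51200
2024-05-01T09:45:12 WS-FIN-07 GET workdrive.zoho.com 410
2024-05-01T10:00:00 WS-ADMIN-02 GET workdrive.zohoapis.com 300
2024-05-01T10:02:33 WS-HR-11 GET mail.example.com 1200
2024-05-01T10:05:00 WS-ADMIN-02 GET workdrive.zohoapis.com 300
2024-05-01T10:10:00 WS-ADMIN-02 GET workdrive.zohoapis.com 310
2024-05-01T10:15:00 WS-ADMIN-02 POST workdrive.zohoapis.com 2097152
2024-05-01T10:20:00 WS-ADMIN-02 GET workdrive.zohoapis.com 300
"""


def parse_log(text):
    """Parse the constructed log format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, host, method, domain, bytes_out = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "method": method,
            "domain": domain.lower(),
            "bytes_out": int(bytes_out),
        })
    return events


def is_workdrive(domain):
    """Exact match or true subdomain of a WorkDrive suffix (no substring tricks)."""
    return any(domain == s or domain.endswith("." + s) for s in WORKDRIVE_SUFFIXES)


def hunt(events, baseline_hosts, max_jitter_s=60.0, min_beacons=4,
         exfil_bytes=1_000_000):
    """Return [(host, [reasons])] for hosts whose WorkDrive use looks like C2.

    Checks, per host:
      1. host is not in the baseline of known WorkDrive users;
      2. >= min_beacons requests whose inter-arrival times vary by at most
         max_jitter_s (humans click irregularly, implants poll on a timer);
      3. cumulative upload bytes (POST/PUT) at or above exfil_bytes.
    """
    per_host = defaultdict(list)
    for e in events:
        if is_workdrive(e["domain"]):
            per_host[e["host"]].append(e)

    findings = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        if host not in baseline_hosts:
            reasons.append("host has no baseline of WorkDrive use")
        if len(evs) >= min_beacons:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
            if pstdev(gaps) <= max_jitter_s:
                reasons.append(f"regular polling every ~{mean(gaps):.0f}s "
                               f"over {len(evs)} requests")
        uploaded = sum(e["bytes_out"] for e in evs if e["method"] in ("POST", "PUT"))
        if uploaded >= exfil_bytes:
            reasons.append(f"{uploaded} bytes uploaded to WorkDrive")
        if reasons:
            findings.append((host, reasons))
    return findings


def hunt_sample():
    """Run the hunt over the constructed sample data."""
    return hunt(parse_log(SAMPLE_LOG), BASELINE_HOSTS)


if __name__ == "__main__":
    for host, reasons in hunt_sample():
        print(host)
        for r in reasons:
            print("  -", r)
```

The three checks are deliberately independent so a finding carries its own evidence: in the sample, the finance workstation's normal upload goes unflagged while the unbaselined admin host trips all three rules. Thresholds are starting points, not truth; tune `max_jitter_s` and `exfil_bytes` against a week of your own proxy data, and treat the baseline set as something to rebuild regularly rather than a static list.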

Acronis Threat Research Unit's analysis indicates that Mustang Panda's objectives likely include espionage and intelligence gathering, given the nature of the targeted organizations. The group's consistent targeting of South Asian regions, particularly India, underscores their strategic focus. The researchers also observed the deployment of another custom malware tool, which appears to be designed for reconnaissance and initial access. The ongoing nature of these attacks necessitates heightened vigilance and robust security measures from Indian government agencies and organizations within the energy sector. The findings were shared with relevant authorities to aid in mitigation efforts.
