Acronis Threat Research Unit (TRU) discovered two cyber espionage campaigns believed to have been orchestrated by the China-linked hacking group known as Mustang Panda. The attacks targeted India's government and hydropower sector with phishing emails carrying ZIP archives that concealed the malicious software.
The campaigns leveraged a new malware toolkit consisting of SHARDLOADER, MINIRECON, and ZOHOMURK. SHARDLOADER acts as the first-stage loader and installs one of two payloads: the MINIRECON backdoor, which is based on the TONESHELL malware family, or a new tool called ZOHOMURK, which uses Zoho WorkDrive as its command-and-control server.
ZOHOMURK hides its activity inside Zoho WorkDrive, allowing the attackers to send commands, exfiltrate data, and retrieve results through a legitimate cloud service. Because Zoho WorkDrive is widely used by government organizations in India, the malicious traffic blends in with normal network activity.
Researchers believe the campaigns were aimed at gathering intelligence on India's hydropower projects and government organizations involved in cooperation agreements with Taiwan.
“The campaigns examined in this report demonstrate Mustang Panda's continued investment in expanding its malware arsenal and operational infrastructure while targeting sectors aligned with China's strategic interests. The introduction of ZOHOMURK, which leverages Zoho WorkDrive for command-and-control and data exfiltration, alongside the WebSocket-enabled MINIRECON implant, reflects an effort to blend malicious activity with legitimate services commonly used across enterprise environments,” the report concludes.