China-aligned espionage group Mustang Panda carried out two concurrent intrusion campaigns against Indian government entities and hydropower organizations, compromising systems used by senior administrative staff and seeking intelligence on India’s hydropower planning and defense ties with Taiwan. Researchers said the attacks relied on ZIP-based spear-phishing lures, DLL sideloading through legitimate signed binaries, and a malware chain involving SHARDLOADER, MINIRECON, and ZOHOMURK, with active beaconing observed in mid-June.
The most notable tradecraft involved ZOHOMURK abusing Zoho WorkDrive as a covert command-and-control and data exfiltration channel using hardcoded OAuth credentials. Acronis attributed the activity to Mustang Panda with high confidence based on malware and code overlap, reused infrastructure, sideloading patterns, and the recurring typo RunOnece, and said it coordinated notification and remediation with CERT-In. Defenders were urged to hunt for indicators including couldinstallup[.]com, the scheduled task SolidPDFPcl2Bmp, suspicious Zoho user agents in non-browser processes, and persistence through HKCU Run keys.
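As an added example (not code from Acronis, Mallory, or the original report), the following Python hunt checks constructed telemetry for the indicators named above: the C2 domain, the scheduled task name, HKCU Run-key persistence, and Zoho user agents from non-browser processes. The event field names, the browser allowlist and the Zoho user-agent string are assumptions; only the domain and task name come from the report.

```python
import re

# Indicators named in the report (domain refanged from couldinstallup[.]com).
IOC_DOMAIN = "couldinstallup.com"
IOC_TASK = "SolidPDFPcl2Bmp"
# HKCU Run-key persistence as stated in the report; RunOnce is included as the
# sibling autostart key (a generalisation, not something the report lists).
RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumed browser allowlist: Zoho traffic from these images is expected.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}

def matches_domain(query):
    """True when the queried name is the IOC domain or one of its subdomains."""
    q = query.lower().replace("[.]", ".").rstrip(".")
    return q == IOC_DOMAIN or q.endswith("." + IOC_DOMAIN)

def hunt(events):
    """Return (rule_name, event) pairs for events matching the report's indicators."""
    hits = []
    for e in events:
        t, image = e.get("type"), e.get("image", "").lower()
        if t == "dns" and matches_domain(e.get("query", "")):
            hits.append(("c2_domain", e))
        elif t == "task_create" and e.get("task_name", "").lower() == IOC_TASK.lower():
            hits.append(("sched_task", e))
        elif t == "registry_set" and RUN_KEY_RE.match(e.get("key", "")):
            hits.append(("hkcu_run_persistence", e))
        elif t == "http" and "zoho" in e.get("user_agent", "").lower() and image not in BROWSERS:
            hits.append(("zoho_ua_nonbrowser", e))
    return hits

# Constructed sample telemetry (not real logs): the first four fire, the last three do not.
SAMPLE_EVENTS = [
    {"type": "dns", "image": "sideloaded_host.exe", "query": "api.couldinstallup[.]com"},
    {"type": "task_create", "image": "schtasks.exe", "task_name": "SolidPDFPcl2Bmp"},
    {"type": "registry_set", "image": "sideloaded_host.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "http", "image": "sideloaded_host.exe", "user_agent": "ZohoWorkDrive-Client/1.0 (constructed)"},
    {"type": "http", "image": "chrome.exe", "user_agent": "Mozilla/5.0 ... ZohoWorkDrive (constructed)"},
    {"type": "dns", "image": "svchost.exe", "query": "update.microsoft.com"},
    {"type": "registry_set", "image": "msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        detail = ev.get("query") or ev.get("task_name") or ev.get("key") or ev.get("user_agent")
        print(f"{rule:22} {ev['image']:22} {detail}")
```

The browser allowlist is the weak point of the last rule: any legitimate Zoho desktop client in the environment would need to be added to it before deployment.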

After identifying active compromises in Indian government networks, Acronis Threat Research Unit coordinated notification and remediation efforts with India's CERT-In. The response followed discovery of affected systems used by senior administrative staff.
Acronis Threat Research Unit identified two concurrent cyber-espionage campaigns by Mustang Panda targeting Indian government entities and hydropower organizations. The activity used spear-phishing, DLL sideloading, and the malware families SHARDLOADER, MINIRECON, and ZOHOMURK to collect intelligence related to hydropower planning and India-Taiwan defense ties.
Researchers observed active beaconing from compromised systems during the Mustang Panda operation. The reporting explicitly notes a beaconing window of June 12 to June 22, 2026.
Sources: cybersecuritynews.com, thehackernews.com, acronis.com