Mustang Panda uses ZOHOMURK & MINIRECON malware to threaten India’s critical infrastructure

09 Jul 2026
Mustang Panda uses ZOHOMURK & MINIRECON malware to threaten India’s critical infrastructure

SharkStriker’s Threat Intelligence team is monitoring a sophisticated cyber espionage campaign conducted by the China-aligned threat actor Mustang Panda, targeting Indian government organizations and critical infrastructure entities.

 

The campaign introduces two newly identified malware families—ZOHOMURK and MINIRECON—delivered through a custom loader named SHARDLOADER.

 

Through our blog, we will examine them along with threats they pose, and what organizations can do to defend against them.

About the threat 

Threat actor 

About the threat actor 

Campaign type 

Malware families 

Targeted sectors 

Discovery date 

Mustang Panda  

China aligned Advanced Persistent Threat 

Advanced Cyber Espionage Campaign 

  • SHARDLOADER 
  • ZOHOMURK (New) 
  • MINIRECON (New TONESHELL variant) 

 

  • Government Organizations 
  • Critical Infrastructure 
  • Hydropower Sector 
  • Defense & International Cooperation Entities 

 

28 June 2026 

 

 

This campaign demonstrates the growing trend of threat actors abusing legitimate cloud services instead of traditional malware infrastructure.

 

Unlike traditional malware campaigns that rely on dedicated command-and-control (C2) infrastructure, this operation abuses Zoho WorkDrive, a legitimate cloud collaboration platform, to conduct covert command-and-control communications, remote task execution, and data exfiltration. By leveraging trusted cloud services, the attackers significantly reduce the likelihood of detection while blending malicious traffic with normal enterprise activity.

 

The campaign primarily targets organizations associated with India’s hydropower initiatives and government agencies engaged in strategic cooperation with Taiwanese institutions. Based on malware characteristics, infrastructure overlaps, and operational tradecraft, researchers attribute this activity to Mustang Panda with high confidence.

How is the attack orchestrated?

Stage 1: Malware delivery via spear phishing

Attack initiation using highly-targeted spear phishing emails with ZIP archives

 

(Typically, government or infrastructure themed lure documents.)

 

Stage 2: Malware loader deployment

Once executed the malware abuses DLL sideloading via legitimate signed apps to load malicious SHARDLOADER component

 

Stage 3: Malware deployment

SHARDLOADER subsequently decrypts and deploys either the MINIRECON*1 implant or the newly discovered ZOHOMURK*2 malware, depending on the targeted campaign.

 

*1 – MINIRECON establishes encrypted WebSocket-based command-and-control communications over HTTPS while supporting interactive shells, file transfers, and remote command execution.

 

*2 – ZOHOMURK takes a different approach by authenticating to attacker-controlled Zoho WorkDrive accounts using embedded OAuth credentials. It creates dedicated folders for each infected system, periodically polls for commands, uploads stolen data, and maintains persistence using Windows Run Registry Keys and scheduled tasks.

 

If successfully executed, attackers may achieve:

  • Unauthorized access to government and enterprise environments
  • Long-term cyber espionage operations
  • Theft of confidential government documents
  • Data exfiltration through trusted cloud services
  • Remote command execution
  • Credential theft
  • Lateral movement across enterprise networks
  • Persistent access using stealthy techniques
  • Evasion of conventional security monitoring
  • Intelligence collection against critical infrastructure
  • Industries at Highest Risk

SharkStriker’s recommendations

Organizations operating within the following sectors should remain particularly vigilant:

 

  • Government agencies
  • Critical infrastructure
  • Energy and utilities
  • Hydropower organizations
  • Defense contractors
  • Public sector institutions
  • Organizations involved in international strategic partnerships
  • Research organizations handling sensitive government information
  • Indicators of Suspicious Activity

 

Monitor for:

  • Endpoint Indicators
  • Execution of legitimate applications loading unexpected DLLs
  • DLL sideloading involving SolidPDFCreator.dll or ctxmui.dll
  • Creation of unusual scheduled tasks
  • Registry Run Key persistence
  • Hidden staging directories within ProgramData
  • Unexpected execution from Public or AppData directories
  • Abuse of EnumSystemLocalesA for shellcode execution
  • Network Indicators
  • Unexpected communication with Zoho WorkDrive APIs from non-browser processes
  • OAuth authentication requests to Zoho services initiated by unknown executables
  • HTTPS WebSocket traffic originating from suspicious processes

 

Traffic using uncommon User-Agents such as:

  • Zoho Client/1.0
  • Zoho API Client/1.0
  • Zoho API C-Client/1.0
  • Zoho-C-Uploader/2.0
  • IPFetcher/1.0

 

Connections to known attacker-controlled infrastructure including:

  • couldinstallup[.]com
  • Educate users about spear-phishing campaigns using government-themed documents
  • Monitor for DLL sideloading involving turseted signed applications
  • Restrict execution from temporary, public, and user-writable directories.
  • Inspect outbound communications to cloud collaboration platforms originating from non-browser processes.
  • Enable Endpoint Detection and Response (EDR) telemetry capable of detecting in-memory execution techniques.
  • Monitor Windows Scheduled Tasks and Registry Run Keys for unauthorized persistence.
    Apply application allowlisting where feasible.
  • Continuously review authentication logs and privileged account activity.
  • Conduct proactive threat hunting for indicators associated with Mustang Panda campaigns.
  • Strengthen phishing protection through email filtering and user awareness training.

SharkStriker’s actions

Our Threat Intelligence team has:

  • Validated the threat research and campaign details.
  • Assessed the potential impact on customer environments.
  • Reviewed attacker tactics, techniques, and procedures (TTPs).
  • Initiated proactive threat hunting for relevant indicators across monitored environments.
  • Shared intelligence with internal security teams for detection engineering.
  • Prepared this advisory to help customers strengthen their defensive posture against this evolving espionage campaign.

Get in Touch With us

We have explored what risk tolerance and risk appetite are and how important they are together in helping businesses align cybersecurity with their business goals. It can help CISOs, and C-suite make informed investment decisions for cybersecurity.

LEARN MORE