Tags: saas, mustang-panda, dll-sideloading, zohomurk, zoho-workdrive, apt-espionage, cloud-c2-channel, india-government-cyberattack

When Your Cloud Storage Becomes the Spy's Mailbox: Mustang Panda's Zoho WorkDrive Trick

Mustang Panda used Zoho WorkDrive as a C2 dead drop against Indian government targets. Learn how ZOHOMURK evades perimeter defenses via trusted SaaS APIs.

Zyfolks Team

Espionage crews stopped building exotic C2 infrastructure years ago. The newer playbook, on display this week in India, is simpler and meaner: open an account on a SaaS service your target already trusts, and use a folder in it as a dead drop. Mustang Panda just did exactly that with Zoho WorkDrive, and it worked long enough to sit on machines belonging to senior Indian government administrators.

How Mustang Panda Turned Zoho WorkDrive Into a C2 Channel

According to the Acronis Threat Research Unit, the China-aligned group is running two parallel campaigns against the Indian government and hydropower sector, with active beaconing observed from June 12 to June 22, 2026. The novel piece of the kit, ZOHOMURK, carries hardcoded Zoho OAuth credentials and drives an attacker-controlled WorkDrive account as a dead drop: it reads tasking from an inbox folder and writes exfiltrated data to an outbox folder.

Why this matters: there is no rogue domain to block and no exotic protocol to flag on the perimeter. Zoho WorkDrive is, per Acronis, common in India’s government sector, so the implant’s traffic goes to the same Zoho API endpoints, inside the same kind of TLS sessions, that employees generate all day. Network defenders who rely on domain reputation or geolocation get nothing to chew on.

If you’re running a SOC for a ministry, a utility, or any regulated org that has standardized on a single cloud suite, your detection model has to shift. A successful authentication to a sanctioned SaaS is no longer a green light; it is part of the attack surface. Expect more crews to follow Mustang Panda into Google Drive, Microsoft Graph, Dropbox, and Box for the same reason: cloud API traffic looks like business as usual.

Why Sideloading Through Signed Binaries Still Works in 2026

The initial foothold is depressingly familiar. Both campaigns arrive as ZIP archives containing a hidden malicious DLL paired with a legitimately signed binary: a Solid PDF Creator executable in one campaign, a Citrix Receiver binary in the other. The loader Acronis calls SHARDLOADER uses classic DLL sideloading (the signed executable resolves a DLL name from its own directory before System32, so the attacker’s copy wins) to bring up one of two implants: MINIRECON, a reworked Toneshell variant that beacons over WebSocket on HTTPS, or ZOHOMURK itself.

The lures are tailored: a hydropower cooperation proposal for the energy targets, a memorandum of understanding between Indian and Taiwanese institutions for the diplomatic ones. Acronis assesses with high confidence that the goal is intelligence on India’s hydropower plans and its defense ties with Taiwan.

The practical lesson for engineering teams: a code signature is a trust signal about the publisher, not about how the binary is being used. If your EDR allowlists processes by signature alone, a signed Solid PDF Creator executable launched from a user’s Downloads folder next to an unsigned sibling DLL is exactly the path attackers will keep choosing. Application allowlisting in any regulated environment, healthcare records platforms and supply chain traceability systems included, needs to consider the parent process, the load path, and the provenance of every DLL the process maps, not just the signing certificate on the EXE.
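One way to turn that lesson into a hunt rule, as an added example that is not code from Acronis or from this page’s author: score image-load events on the four signals the paragraph names (sibling DLL, signed host with unsigned DLL, user-writable load path, interactive parent). The event fields are an assumption modelled on Sysmon Event ID 7 plus the parent image of the loading process; the sample events, file names and the list of shadowed System32 DLL names are constructed placeholders, not artifacts from the campaign.

```python
"""Flag DLL-sideloading candidates in image-load telemetry (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Lower-cased path fragments an ordinary user can write to. The surrounding
# backslashes keep "\downloads\" from matching an unrelated "\downloadsvc\".
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Parents that hand a user a freshly extracted archive or mail attachment (assumed list).
INTERACTIVE_PARENTS = {"explorer.exe", "7zfm.exe", "winrar.exe", "outlook.exe", "chrome.exe", "msedge.exe"}

# DLL names that belong in System32; a copy loaded from the EXE's own folder
# shadows the real one, which is the classic sideloading trick (assumed list).
SYSTEM_DLL_NAMES = {"version.dll", "wininet.dll", "userenv.dll", "dwmapi.dll", "cryptbase.dll", "profapi.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process_image: str      # full path of the EXE that performed the load
    process_signed: bool    # Authenticode signature on the EXE verified
    image_loaded: str       # full path of the DLL that was mapped
    dll_signed: bool        # Authenticode signature on the DLL verified
    parent_image: str       # full path of the process that started the EXE


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the reasons this load looks like sideloading (empty list = benign)."""
    exe = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.image_loaded)
    # Only sibling loads are in scope; PureWindowsPath compares case-insensitively.
    if exe.parent != dll.parent:
        return []
    reasons = []
    if ev.process_signed and not ev.dll_signed:
        reasons.append("signed EXE loaded an unsigned sibling DLL")
    if any(m in str(exe).lower() for m in USER_WRITABLE):
        reasons.append("EXE runs from a user-writable directory")
    if dll.name.lower() in SYSTEM_DLL_NAMES:
        reasons.append(f"{dll.name} shadows a System32 DLL")
    if PureWindowsPath(ev.parent_image).name.lower() in INTERACTIVE_PARENTS:
        reasons.append("launched by an interactive parent (explorer/archiver/mail/browser)")
    return reasons


def verdict(ev: ImageLoad) -> str:
    """Collapse the reasons into a triage level a SOC queue can sort on."""
    n = len(sideload_reasons(ev))
    return "high" if n >= 3 else "medium" if n == 2 else "low" if n == 1 else "none"


# Constructed sample telemetry (placeholder paths and names, not campaign IOCs).
SAMPLE_EVENTS = [
    # Lure scenario: signed PDF tool extracted from a ZIP in Downloads, loading an
    # unsigned version.dll that sits next to it, launched from Explorer.
    ImageLoad(r"C:\Users\alice\Downloads\Hydropower_MoU\SolidPDFCreator.exe", True,
              r"C:\Users\alice\Downloads\Hydropower_MoU\version.dll", False,
              r"C:\Windows\explorer.exe"),
    # The same product installed normally: signed EXE, signed vendor DLL, Program Files.
    ImageLoad(r"C:\Program Files\Solid Documents\SolidPDFCreator.exe", True,
              r"C:\Program Files\Solid Documents\SolidPdfCore.dll", True,
              r"C:\Windows\explorer.exe"),
    # Browser loading the real version.dll from System32: not a sibling load at all.
    ImageLoad(r"C:\Program Files\Mozilla Firefox\firefox.exe", True,
              r"C:\Windows\System32\version.dll", True,
              r"C:\Windows\explorer.exe"),
]


def hunt(events: list[ImageLoad] = SAMPLE_EVENTS) -> list[tuple[str, str]]:
    """Return (exe name, verdict) for every event scoring at least 'medium'."""
    hits = []
    for ev in events:
        v = verdict(ev)
        if v in ("high", "medium"):
            hits.append((PureWindowsPath(ev.process_image).name, v))
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(PureWindowsPath(ev.process_image).name, verdict(ev), sideload_reasons(ev))
```

The legitimate install launched from Explorer still scores "low" on the parent-process signal alone; that is deliberate, since no single signal here is an alert on its own, and only combinations reach the queue.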

What the OPSEC Failures Reveal About the Operator

Acronis attributes the activity to Mustang Panda based on a stack of overlaps: the reused Solid PDF Creator sideloading chain, code overlap with Toneshell (previously documented by IBM X-Force), command servers in the same network block as known group infrastructure, and a recurring typo, RunOnece, carried across multiple implants. Add hardcoded OAuth tokens, plaintext identifiers, and reused infrastructure, and the picture is of an operator under pressure to ship, not to hide.

That sloppiness is good news for hunters and bad news for the future. Hardcoded Zoho credentials mean a defender can pull the token out of one sample, identify the attacker-controlled account, and get it suspended, which cuts off every implant that shares the token at once. But it also tells you the group is moving fast enough that polish is optional, and the next iteration will almost certainly rotate to per-victim OAuth tokens fetched at runtime, removing that single point of failure.

If you’re building detections today, the artifacts Acronis published are concrete: persistence via Run keys, a scheduled task named SolidPDFPcl2Bmp, the C2 domain couldinstallup[.]com, and Zoho user agents appearing on non-browser processes. That last one is the durable signal, because it survives a rotated domain or a renamed task. A Solid PDF Creator process making calls to zohoapis.com endpoints has no business reason to exist, ever.
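The artifacts above as a triage rule over endpoint telemetry, as an added example that is not code from Acronis or from this page’s author. The IOCs come from the page (the SolidPDFPcl2Bmp task, Run-key persistence, couldinstallup[.]com, Zoho API traffic from non-browser processes); the event shape, the allowlist of processes expected to talk to Zoho, the Zoho host suffixes, the user-agent string and the sample events are assumptions constructed for the example. The Run-key check is narrower than the page’s wording on purpose: Run-key writes are routine, so it alerts only when the entry points into a user-writable path.

```python
"""Triage endpoint telemetry for the published ZOHOMURK artifacts (added example)."""
from __future__ import annotations

# Zoho API/service hosts (assumed list; regional data centres use their own TLDs).
ZOHO_HOST_SUFFIXES = ("zohoapis.com", "zohoapis.in", "zohoapis.eu", "zoho.com", "zoho.in")
# Processes with a documented reason to reach Zoho: browsers and Zoho's own client (assumed names).
EXPECTED_ZOHO_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "zohoworkdrive.exe"}
C2_DOMAINS = {"couldinstallup.com"}            # defanged on the page as couldinstallup[.]com
SUSPECT_TASK_NAMES = {"solidpdfpcl2bmp"}
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def is_zoho_host(host: str) -> bool:
    """True for a Zoho API host or any subdomain of one."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in ZOHO_HOST_SUFFIXES)


def triage(ev: dict) -> str | None:
    """Return an alert string for one event, or None when it is benign."""
    kind = ev["kind"]
    if kind == "http":
        proc, host = ev["process"].lower(), ev["host"].lower()
        if host in C2_DOMAINS:
            return f"{ev['process']} contacted known C2 domain {host}"
        # The durable signal: Zoho-flavoured traffic from a process that is not a browser
        # or a Zoho client, whether spotted by destination host or by user agent.
        zoho_flavoured = is_zoho_host(host) or "zoho" in ev.get("user_agent", "").lower()
        if zoho_flavoured and proc not in EXPECTED_ZOHO_CLIENTS:
            return f"Zoho API traffic from non-browser process {ev['process']} (UA: {ev.get('user_agent', '-')})"
    elif kind == "dns":
        if ev["query"].lower() in C2_DOMAINS:
            return f"{ev['process']} resolved known C2 domain {ev['query']}"
    elif kind == "task_create":
        if ev["task_name"].lower() in SUSPECT_TASK_NAMES:
            return f"scheduled task {ev['task_name']} matches published IOC"
    elif kind == "registry_set":
        key, value = ev["key"].lower(), ev["value"].lower()
        if key.endswith(RUN_KEY_SUFFIXES) and any(m in value for m in USER_WRITABLE):
            return f"Run-key persistence pointing at user-writable path: {ev['value']}"
    return None


# Constructed sample events (field names, paths and the user agent are assumptions).
SAMPLE_EVENTS = [
    {"kind": "http", "process": "firefox.exe", "host": "www.zohoapis.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/126.0"},
    {"kind": "http", "process": "SolidPDFCreator.exe", "host": "www.zohoapis.com",
     "user_agent": "ZohoWorkDrive-Client/1.0"},
    {"kind": "dns", "process": "SolidPDFCreator.exe", "query": "couldinstallup.com"},
    {"kind": "task_create", "process": "schtasks.exe", "task_name": "SolidPDFPcl2Bmp"},
    {"kind": "registry_set", "process": "SolidPDFCreator.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\alice\AppData\Local\Temp\SolidPDFCreator.exe"},
    {"kind": "registry_set", "process": "msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]


def run(events: list[dict] = SAMPLE_EVENTS) -> list[str]:
    """Return the alerts raised over a batch of events, in input order."""
    return [alert for alert in map(triage, events) if alert is not None]


if __name__ == "__main__":
    for line in run():
        print("ALERT:", line)
```

The first sample event (a browser reaching the same Zoho host) stays silent, which is the point: destination alone is not the signal, the process-to-destination pairing is.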

The Broader Pattern of Cloud-Native Espionage Against India

This is not a one-off. In April, Acronis tied the same group’s LOTUSLITE backdoor to attacks on India’s banking sector and South Korean policy circles, also staged through a legitimate cloud service. The China-linked interest in India’s power grid goes back to the 2021 RedEcho campaign, which Recorded Future documented as targeting the country’s electricity grid with ShadowPad.

Hydropower is contested territory along disputed borders, and Taiwan-India defense conversations are exactly the kind of signal Beijing wants ground truth on. Acronis worked with CERT-In on notification and cleanup, which suggests the compromises were not narrow.

Critical infrastructure operators outside India face the same exposure. Any organization handling cross-border deals likely to interest a major state actor should treat geopolitically themed attachments as a primary threat vector, and treat endpoint and SaaS telemetry as a primary detection surface. One caveat: because the dead-drop account belongs to the attacker, your own Zoho tenant’s audit log will not record the implant’s reads and writes; the evidence lives in process and egress telemetry on the endpoint. And where an attacker does hold privileged tokens for your tenant, an activity log that only exists inside that tenant may be editable or purgeable by them, so forward it to an append-only store outside the tenant. That is where the distinction between an immutable audit trail and a mutable database becomes operationally meaningful.

Prediction: SaaS OAuth Abuse Becomes the Default C2 by 2027

Here is the call: within 18 months, OAuth-token-driven C2 over sanctioned SaaS will be the dominant tradecraft for state-aligned espionage groups targeting government and enterprise networks. Custom C2 domains will become the exception, reserved for stages where the attacker needs bandwidth or low latency. The economics are too good: every blue team that has spent a decade building DNS and network detection has to start over on identity and SaaS telemetry.

FAQ

Q: What is Mustang Panda? A: Mustang Panda is a China-aligned cyber espionage group tracked by MITRE ATT&CK as G0129. It has a long history of targeting government, NGO, and critical infrastructure organizations across Asia, and is known for spear-phishing with geopolitically themed lures and DLL sideloading through legitimately signed binaries.

Q: How does ZOHOMURK use Zoho WorkDrive for command and control? A: ZOHOMURK ships with hardcoded Zoho OAuth credentials that authenticate it to an attacker-controlled WorkDrive account. The implant polls a designated inbox folder for commands the operator drops there, executes them on the victim host, and writes the output back to an outbox folder for retrieval, using only standard Zoho API traffic that blends with legitimate cloud activity.

Q: What should defenders look for? A: Per Acronis, hunt for the scheduled task SolidPDFPcl2Bmp, persistence under Run keys, beacons to couldinstallup[.]com, and, most importantly, Zoho-flavored user agents originating from non-browser processes such as Solid PDF Creator or Citrix Receiver binaries. Any signed-application process initiating cloud API calls outside its documented behavior should trigger an alert.

Key Takeaways

  • Treat sanctioned SaaS API traffic as a detection surface, not a trust zone; domain-based blocking won’t catch OAuth-driven dead drops
  • Audit which signed binaries on your fleet are vulnerable to DLL sideloading from their own directory, and tighten parent-process and load-path expectations in your EDR rules
  • Organizations operating in sectors of geopolitical interest should hunt for geopolitically themed ZIP attachments and unusual SaaS authentications during diplomatic news cycles
  • Build SaaS-native detections: alert when non-browser processes reach Zoho, Google, or Microsoft Graph API endpoints or carry those services’ client user agents, regardless of how legitimate the destination looks
  • Expect copycats; the Mustang Panda playbook of hardcoded OAuth tokens against a target’s preferred cloud suite will be reused by other state-aligned crews within the next year
