A cyber espionage campaign linked to the China-aligned hacking group Mustang Panda has been found targeting Indian government organizations. Security researchers discovered that the attackers used Zoho WorkDrive, a trusted cloud storage service, as part of their command-and-control infrastructure. By relying on a legitimate cloud platform instead of suspicious servers, the attackers attempted to make their malicious activity blend in with normal network traffic and reduce the chances of being detected by security tools.

According to the researchers, the attack was carefully planned and focused on espionage rather than financial gain. The campaign mainly targeted government-related entities in India that could provide access to valuable information. Mustang Panda, also tracked under names such as Earth Preta, TA416, and RedDelta, has a long history of conducting cyber espionage operations against governments, diplomatic organizations, and strategic sectors across the Asia-Pacific region.
The infection chain started with phishing lures designed to trick victims into opening malicious files. These files contained components that eventually installed a backdoor on the targeted system. The attackers also relied on DLL sideloading, a technique in which a legitimate, typically digitally signed, executable is dropped alongside an attacker-supplied DLL so that the trusted program loads the malicious library through the normal DLL search order. Because the code runs inside a trusted, signed process, the malware could operate with a lower chance of raising suspicion from both users and security tools that trust the host binary.
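A simple way to hunt for the sideloading layout described above is to look at image-load telemetry for a signed executable running from a user-writable directory that loads an unsigned DLL, bearing the name of a Windows system library, from its own directory. The following is an added example, not code from the article or from the researchers it cites; the event layout loosely follows Sysmon Event ID 7 (Image, ImageLoaded, Signed) but is simplified, the DLL and directory lists are constructed and deliberately short, and the sample events are made up for illustration.

```python
"""Hunt for DLL sideloading in image-load events (added example, constructed data)."""
import ntpath
from dataclasses import dataclass

# DLLs that legitimately live in a Windows system directory. A copy of one of
# these sitting next to a relocated signed executable is the classic
# sideloading layout. Constructed, deliberately short list (assumption).
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "msimg32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directories an ordinary user can write to; legitimate installs rarely run from here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


@dataclass
class ImageLoad:
    image: str          # loading executable, full path (Sysmon: Image)
    image_signed: bool  # signature status of the executable (simplified)
    loaded: str         # loaded module, full path (Sysmon: ImageLoaded)
    loaded_signed: bool  # signature status of the module (Sysmon: Signed)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed exe in a user-writable dir loads an unsigned copy of a system DLL from that same dir."""
    exe_dir = ntpath.dirname(ev.image.lower()) + "\\"
    dll_dir = ntpath.dirname(ev.loaded.lower()) + "\\"
    dll_name = ntpath.basename(ev.loaded.lower())
    if dll_name not in SYSTEM_DLLS:
        return False
    if dll_dir.startswith(SYSTEM_DIRS):
        return False                      # loaded from the real system dir: normal
    return (dll_dir == exe_dir            # search-order hijack: DLL beside the exe
            and exe_dir.startswith(USER_WRITABLE)
            and ev.image_signed           # trusted host binary...
            and not ev.loaded_signed)     # ...pulling in an unsigned DLL


# Constructed sample events: one benign system load, one sideload, one vendor app.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\notepad.exe", True,
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Roaming\Updater\legit.exe", True,
              r"C:\Users\alice\AppData\Roaming\Updater\version.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\helper.dll", True),
]


def hunt(events):
    """Return the events that match the sideloading pattern."""
    return [e for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(f"possible sideload: {e.image} loaded {e.loaded}")
```

The signature check is the weak point of this rule: some campaigns ship a DLL that is itself signed with a stolen or expired certificate, so in production the `loaded_signed` test should be widened to "signed by a publisher other than the one that signed the executable", and the list of candidate DLL names should be generated from the real contents of System32 rather than hand-picked.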

Researchers observed that once the malware was active, it communicated with Zoho WorkDrive instead of connecting directly to attacker-controlled servers. The cloud service acted as a relay between the operators and the implant: tasking was passed to the backdoor through the service and what it collected travelled back the same way. Using a well-known business platform let the attackers hide their traffic among normal cloud activity, since the destination domain is one many organisations already allow through their proxies and TLS-encrypted traffic to it looks like any other SaaS session.
The malware was designed with features that gave the attackers long-term access to compromised systems. It could execute commands, manage files, collect information from infected devices, and maintain communication with the operators. These capabilities are commonly associated with cyber espionage campaigns where attackers aim to quietly monitor victims and steal sensitive information over an extended period.

Security analysts also noted that this campaign reflects Mustang Panda’s continuous effort to improve its attack methods. Instead of depending only on traditional command-and-control servers, the group is increasingly abusing trusted online services to disguise its operations. This shift makes detection harder because organizations often allow traffic to legitimate cloud platforms as part of their daily business activities.
The researchers believe the campaign is consistent with Mustang Panda’s previous operations targeting government institutions and organizations of strategic importance. Technical analysis, malware behavior, delivery methods, and operational patterns showed similarities with earlier activity linked to the group. While the tools and techniques continue to evolve, the overall objective remains focused on gathering intelligence through stealthy and persistent cyber intrusions.

Experts recommend that organizations strengthen their defenses against phishing, monitor cloud storage traffic for signs of abuse (connections to an allowed SaaS domain from a process that is not a browser or the vendor's own client, or at machine-like regular intervals), and deploy behavior-based threat detection instead of relying only on signature-based tools, since the domain itself is legitimate and will never appear on a blocklist. Regular software updates, employee security awareness training, and continuous monitoring of endpoint activity, including which processes load which DLLs, can also help reduce the risk of similar espionage campaigns targeting government agencies and other high-value organizations.
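The cloud-service monitoring recommended above, and the dead-drop style of command and control described earlier, can be turned into a concrete detection: group proxy events by host, process and destination, keep only the watched cloud-storage domains, and flag series that come from an unexpected process at near-constant intervals. This is an added example, not the article's or the researchers' code; the log format (timestamp, host, process, destination) is an assumed simplification, the allow-list of expected processes is constructed, and the log lines are made up. The only real identifier used is the workdrive.zoho.com domain.

```python
"""Beaconing detection for cloud-storage C2 over proxy logs (added example, constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Services an organisation allows but still wants watched for C2 abuse.
WATCHED_DOMAINS = {"workdrive.zoho.com"}
# Processes expected to talk to those domains. Constructed list (assumption).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "zohoworkdrive.exe"}

# Constructed log lines: timestamp host process destination
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws01 chrome.exe workdrive.zoho.com
2024-03-01T09:00:05 ws02 updater.exe workdrive.zoho.com
2024-03-01T09:01:05 ws02 updater.exe workdrive.zoho.com
2024-03-01T09:02:04 ws02 updater.exe workdrive.zoho.com
2024-03-01T09:03:06 ws02 updater.exe workdrive.zoho.com
2024-03-01T09:04:05 ws02 updater.exe workdrive.zoho.com
2024-03-01T09:07:30 ws01 chrome.exe workdrive.zoho.com
2024-03-01T09:40:12 ws01 chrome.exe workdrive.zoho.com
2024-03-01T09:10:00 ws03 outlook.exe workdrive.zoho.com
"""


def parse(log: str):
    """Yield (timestamp, host, process, destination) from the simplified log format."""
    for line in log.splitlines():
        ts, host, proc, dest = line.split()
        yield datetime.fromisoformat(ts), host, proc.lower(), dest.lower()


def find_beacons(log: str, min_events: int = 4, max_jitter: float = 0.2):
    """Return (host, process, destination, mean_gap_s, cv) for series of connections
    to a watched domain that come from an unexpected process at regular intervals."""
    series = defaultdict(list)
    for ts, host, proc, dest in parse(log):
        if dest in WATCHED_DOMAINS:
            series[(host, proc, dest)].append(ts)

    hits = []
    for (host, proc, dest), times in series.items():
        if proc in EXPECTED_PROCESSES or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation of the inter-arrival times: a fixed sleep with
        # little jitter gives a small value; human browsing gives a large one.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            hits.append((host, proc, dest, round(mean), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for host, proc, dest, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{host}: {proc} -> {dest} every ~{gap}s (cv={cv})")
```

Two caveats apply. A process allow-list is bypassed by an implant that injects into the browser, so the process name should come from endpoint telemetry that records the true origin of the connection rather than from the proxy alone; and genuine sync clients also poll on a fixed timer, which is why they are allow-listed by name rather than by interval. Raising `max_jitter` catches implants that add random sleep, at the cost of more false positives.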
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news