Mustang Panda Turns Zoho WorkDrive Into C2 in Twin Campaigns Against Indian Government
The China-aligned crew is running parallel operations against New Delhi ministries and hydropower operators, abusing a legitimate cloud collaboration service to move commands past network defenses.

Mustang Panda is back inside Indian government networks, and this time the command channel is hiding in plain sight.
Researchers at Acronis Threat Research Unit identified two active campaigns by the China-aligned espionage group, one targeting Indian government offices and a second aimed at hydropower operators. The intrusions reached machines belonging to senior administrative staff. Acronis says coordinated remediation work is underway with affected entities.
Mustang Panda — also tracked as Earth Preta, Bronze President, and TA416 — has been operating since at least 2017. The group's brief is straightforward: long-running intelligence collection against governments, NGOs, and infrastructure operators across South and Southeast Asia, Europe, and increasingly the wider Indo-Pacific. PlugX and Korplug have been its signature tools for years. The new activity shows the operators continuing to iterate.
The twist in the current campaign is the command-and-control plumbing.
Instead of standing up attacker-controlled infrastructure that defenders can blocklist, Mustang Panda is using Zoho WorkDrive — a legitimate enterprise file-sharing service — as the relay between implants and operators. Tasking and exfiltration ride over traffic that looks like routine SaaS usage. For an environment where Zoho services are already in widespread Indian government use, that's not a small detail.
The targeting fits the group's pattern. Hydropower is a sensitive sector for Beijing's regional posture, particularly along contested river systems shared with India. Government administrative staff offer access to internal correspondence, policy drafts, and credentials that pivot deeper.
The campaigns deploy new malware variants alongside refreshed loaders. Acronis describes active compromises rather than residual artifacts, meaning at least some of the access was live at the point of discovery. Initial access vectors observed in prior Mustang Panda operations have leaned on spear-phishing with lure documents themed to diplomatic or regional affairs, and DLL sideloading via signed binaries. The current wave appears consistent with that tradecraft.
No ransom is involved. This is espionage, not extortion — there is no leak site, no payment demand, no public claim. The operational goal is dwell time and quiet collection.
For defenders, the WorkDrive abuse raises a familiar problem. Blocking the service wholesale is rarely viable when it is sanctioned for business use. Detection has to shift toward behavioral signals: anomalous API access patterns from endpoints that have no business reason to talk to WorkDrive programmatically, unusual child processes spawned by office applications, and sideloading of DLLs from non-standard paths.
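The three behavioral signals above, turned into a small triage routine as an added example (not Acronis's detection logic, and not tied to their indicators). It runs over constructed endpoint telemetry; the sanctioned-client list, the WorkDrive host names, the office and script-host process names, and the event field names are all assumptions for the example.

```python
from typing import Dict, List

# Assumed for this example: browsers and the official sync client are the only
# processes expected to reach WorkDrive from these endpoints.
SANCTIONED_WORKDRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "zohoworkdrive.exe"}
WORKDRIVE_HOSTS = ("workdrive.zoho.com", "workdrive.zoho.in")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
# A signed binary loading a DLL from outside these trees is the sideloading signal.
STANDARD_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict]) -> List[str]:
    """Return one alert string per telemetry event that matches a behavioral rule."""
    alerts = []
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "network":
            host = ev["dest_host"].lower()
            if host.endswith(WORKDRIVE_HOSTS) and image not in SANCTIONED_WORKDRIVE_CLIENTS:
                alerts.append(f"workdrive-from-unexpected-process: {image} -> {host}")
        elif ev["type"] == "process":
            parent = basename(ev["parent_image"])
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                alerts.append(f"office-spawned-script-host: {parent} -> {image}")
        elif ev["type"] == "image_load":
            dll = ev["loaded"].lower()
            if dll.endswith(".dll") and ev.get("image_signed") and not dll.startswith(STANDARD_DLL_DIRS):
                alerts.append(f"dll-sideload-candidate: {image} loaded {dll}")
    return alerts


# Constructed telemetry shaped loosely like Sysmon network, process-create and
# image-load events; every path and host below is invented for the example.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "workdrive.zoho.com"},
    {"type": "network", "image": r"C:\Users\Public\Libraries\updater.exe",
     "dest_host": "workdrive.zoho.com"},
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "image_load", "image": r"C:\Users\Public\Libraries\updater.exe", "image_signed": True,
     "loaded": r"C:\Users\Public\Libraries\plugin.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\svchost.exe", "image_signed": True,
     "loaded": r"C:\Windows\System32\ntdll.dll"},
]
```

On the sample, the browser connection and the System32 DLL load pass quietly while the other three events each raise one alert; in production the sanctioned-client set and DLL directory allowlist need tuning per estate.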
India's CERT-In has not, at time of writing, published a public advisory tied to the activity. Acronis says indicators of compromise will accompany its technical writeup.
Mustang Panda's pivot to trusted-SaaS C2 is not novel in the wider threat-intel picture — Dropbox, Google Drive, and OneDrive have all been abused similarly. What it confirms is which targets the group considers worth the effort right now. New Delhi is firmly on that list.