Mustang Panda Exploits Zoho WorkDrive in Indian Gov Attacks


Mustang Panda, a China-linked espionage group, is attacking Indian government and hydropower targets using Zoho WorkDrive as a hidden command channel. Active compromises found in senior admin networks.

A China-linked hacking group known as Mustang Panda has been running two separate campaigns targeting the Indian government and hydropower facilities. They are deploying new malware and turning a legitimate cloud service, Zoho WorkDrive, into their own command channel. This isn't your typical cyberattack. Instead of building infrastructure from scratch, they're using a tool that thousands of businesses trust every day. It's clever, it's sneaky, and it's already working.

### What's Happening Right Now?

The Acronis Threat Research Unit found active compromises inside Indian government networks. Some of the machines hit belong to senior administrative staff, which means the attackers have direct access to sensitive data and internal communications.

Mustang Panda is known for espionage, not ransomware. Their goal is to steal information, not lock systems. And they're getting better at hiding their tracks by using legitimate services that security tools often trust by default.

### How Does Zoho WorkDrive Fit In?

Most security systems are tuned to flag unusual traffic. But when an attacker uses a real cloud service like Zoho WorkDrive, that traffic looks normal and blends in with everyday business activity. Here's how it works:

- The malware communicates with Zoho WorkDrive's servers instead of a shady command-and-control server
- Security tools see encrypted traffic to a trusted domain and let it through
- Attackers can upload stolen data, download new instructions, or update the malware without raising red flags

This technique is called "living off the land" because attackers use what's already there. It's harder to detect and easier to maintain.

### Why Indian Government and Hydropower?

India is a major geopolitical player, and its government networks hold valuable intelligence. Hydropower is critical infrastructure: disrupting it could cause blackouts or even physical damage. Mustang Panda has been active for years, but these latest campaigns show they're evolving. They're not just targeting military or diplomatic offices anymore. They're going after energy and infrastructure, which can have real-world consequences.

### What Can You Do About It?

If you're in cybersecurity or managing networks, here's what matters:

- Monitor traffic to legitimate cloud services for unusual patterns
- Use behavior-based detection instead of just signature-based tools
- Train staff to recognize phishing, which is often the first step in these attacks
- Keep an eye on Zoho WorkDrive and similar services for unexpected activity

### The Bigger Picture

This attack is a reminder that trust is a vulnerability. Just because a service is legitimate doesn't mean it's safe. Attackers are getting smarter about using tools we already rely on.

For professionals in the antidetect browser space, this matters because it shows how attackers hide in plain sight. The same techniques that make antidetect browsers useful for privacy can be twisted for espionage.

Stay sharp. Stay skeptical. And don't assume that trusted tools are always safe.

---

*This article was written by Michael Miller, Lead Antidetect Browser Strategist & Architect. It is based on findings from the Acronis Threat Research Unit.*
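The "unusual patterns" that the mitigation list above asks you to monitor need a concrete form. As an added example (not from the article or from Acronis), this Python script scores each host's connection timing to a trusted cloud domain over constructed proxy log lines: a host that contacts the domain at near-constant intervals looks like a polling implant rather than a person. The domain name and the log format are assumptions; a real detection would also weigh upload sizes and the originating process.

```python
"""Beacon detector for traffic to a trusted cloud domain (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <source host> <dest host> <bytes>".
# ws-admin-07 polls the domain every ~5 min; ws-finance-02 uses it irregularly.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ws-admin-07 workdrive.zoho.com 1320
2024-05-01T09:02:13 ws-finance-02 workdrive.zoho.com 84210
2024-05-01T09:03:00 ws-admin-07 mail.example.gov 900
2024-05-01T09:05:01 ws-admin-07 workdrive.zoho.com 1298
2024-05-01T09:10:00 ws-admin-07 workdrive.zoho.com 1311
2024-05-01T09:15:02 ws-admin-07 workdrive.zoho.com 1305
2024-05-01T09:20:01 ws-admin-07 workdrive.zoho.com 1330
2024-05-01T09:41:55 ws-finance-02 workdrive.zoho.com 1203
2024-05-01T11:17:30 ws-finance-02 workdrive.zoho.com 45990
2024-05-01T14:05:00 ws-finance-02 workdrive.zoho.com 7720
"""

def parse_log(text):
    """Parse log text into (timestamp, src, dst, bytes) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            ts, src, dst, size = parts
            events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events

def beacon_scores(events, watched_domain, min_events=4):
    """Per host: coefficient of variation of the gaps between its connections
    to watched_domain. Near zero means a fixed-interval poller, not a person."""
    times_by_src = defaultdict(list)
    for ts, src, dst, _ in events:
        if dst == watched_domain:
            times_by_src[src].append(ts)
    scores = {}
    for src, times in times_by_src.items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        scores[src] = statistics.pstdev(gaps) / mean if mean else 0.0
    return scores

def flag_beacons(events, watched_domain, max_cv=0.1):
    """Hosts whose polling of watched_domain is regular enough to deserve review."""
    return sorted(s for s, cv in beacon_scores(events, watched_domain).items() if cv <= max_cv)
```

Legitimate sync clients also poll on a timer, so tune `max_cv` to your environment and treat a hit as a lead for triage, not a verdict.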