Mustang Panda Abuses Zoho WorkDrive to Evade Detection in Espionage Campaign

Researchers have uncovered new cyber espionage campaigns conducted by the China-aligned threat group Mustang Panda, targeting Indian government agencies and the hydropower sector. The attackers abused Zoho WorkDrive as a command-and-control (C2) channel, allowing malicious communications to blend with legitimate cloud storage traffic and making network-based detection significantly more difficult. The campaign also introduced new malware components, including reconnaissance and persistence tools designed to support long-term intelligence collection against government and critical infrastructure targets.

The attack chain relies on spear-phishing emails delivering malicious ZIP archives that execute malware through DLL sideloading techniques. Once initial access is established, the malware communicates with attacker-controlled Zoho WorkDrive accounts to download additional payloads, exfiltrate information, and receive commands while masquerading as legitimate enterprise cloud traffic. The use of trusted cloud services reflects a growing trend among advanced persistent threat (APT) groups seeking to bypass traditional perimeter security controls.

Organizations should monitor for unusual access to cloud storage platforms, inspect outbound traffic for anomalous WorkDrive activity, restrict execution of unsigned DLLs, and implement application allowlisting where possible. As threat actors increasingly abuse legitimate SaaS platforms for command-and-control operations, behavioural monitoring and threat hunting become essential for detecting sophisticated espionage campaigns.
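A hunt for the two signals the recommendations above describe (a host that is not expected to use WorkDrive contacting it, and request timing too regular for a human), as an added example that is not from the original post or the researchers. The proxy log lines are constructed, and the WorkDrive hostnames and the approved-host set are assumptions to be checked against your own proxy data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed WorkDrive hostnames; confirm against what your proxy actually logs.
WORKDRIVE_DOMAINS = {"workdrive.zoho.com", "workdrive.zohoapis.com"}

# Constructed sample proxy log: "<iso timestamp> <host> <destination> <bytes>".
SAMPLE_LOG = """\
2024-03-04T09:00:00 WS-FIN-07 workdrive.zoho.com 612
2024-03-04T09:05:00 WS-FIN-07 workdrive.zohoapis.com 598
2024-03-04T09:10:00 WS-FIN-07 workdrive.zoho.com 604
2024-03-04T09:15:00 WS-FIN-07 workdrive.zoho.com 611
2024-03-04T09:02:13 WS-HR-02 workdrive.zoho.com 48211
2024-03-04T09:41:50 WS-HR-02 workdrive.zoho.com 1203
2024-03-04T11:17:02 WS-HR-02 workdrive.zoho.com 77310
2024-03-04T13:03:45 WS-HR-02 workdrive.zoho.com 5120
2024-03-04T08:00:00 WS-ENG-11 workdrive.zoho.com 300
2024-03-04T08:10:01 WS-ENG-11 workdrive.zoho.com 301
2024-03-04T08:19:59 WS-ENG-11 workdrive.zoho.com 299
2024-03-04T08:30:00 WS-ENG-11 workdrive.zoho.com 300
"""

def parse_log(text):
    """Return (timestamp, host) pairs for requests to WorkDrive hostnames only."""
    hits = []
    for line in text.splitlines():
        ts, host, dest, _size = line.split()
        if dest in WORKDRIVE_DOMAINS:
            hits.append((datetime.fromisoformat(ts), host))
    return hits

def hunt(text, approved_hosts, min_events=4, max_cv=0.15):
    """Map host -> reasons: unapproved host, and/or beacon-like regular gaps
    (coefficient of variation of inter-request intervals below max_cv)."""
    per_host = defaultdict(list)
    for ts, host in parse_log(text):
        per_host[host].append(ts)
    findings = {}
    for host, stamps in per_host.items():
        reasons = []
        if host not in approved_hosts:
            reasons.append("unapproved host contacting WorkDrive")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_events and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
            if cv < max_cv:
                reasons.append(f"beacon-like interval ~{mean(gaps):.0f}s (cv={cv:.2f})")
        if reasons:
            findings[host] = reasons
    return findings
```

Tune `min_events` and `max_cv` against a baseline of your own legitimate WorkDrive users before alerting, since sync clients can also poll on a schedule.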
