Deep Dive: Mustang Panda’s Multi-Stage Espionage Campaigns Against Indian Infrastructure

Recent intelligence from Acronis Threat Response Unit (TRU) has uncovered two highly sophisticated, concurrent espionage campaigns attributed to the threat actor Mustang Panda. These operations specifically target the Indian government and energy sectors, with a surgical focus on hydropower entities and government offices involved in Memorandums of Understanding (MOUs) with Taiwanese institutions. The campaigns utilize geopolitically charged lures and advanced DLL sideloading techniques to deploy a new suite of specialized malware: SHARDLOADER, MINIRECON, and ZOHOMURK.

Payload execution chain for Campaign (Source : TRU).
Payload execution chain for the campaign (Source: TRU).

Technical Analysis of the Infection Vector

The initial access phase relies on spear-phishing archives. These archives contain a combination of a legitimate, digitally signed binary and a hidden, malicious DLL. When a user executes the signed host, it performs a DLL sideloading attack, loading the attacker-controlled library into its memory space. This allows the malware to bypass traditional security perimeter defenses by masquerading as trusted software.

SHARDLOADER: The Deployment Engine

The threat actors are utilizing two distinct versions of the SHARDLOADER stager:

Version 1.0: This variant establishes a hidden staging environment at C:\ProgramData\IDM\logs. It migrates both the host executable and the malicious DLL to this location. The payload itself is highly obfuscated; it is reconstructed at runtime from fragmented constants stored within the .rdata section. Once assembled, the shellcode is decrypted using a rolling XOR and byte-reordering routine. To evade detection, SHARDLOADER executes the payload by abusing the EnumSystemLocalesA callback mechanism, allocating the decrypted code into executable memory.

Version 1.1: This iteration shifts the sideloading target to a signed Citrix binary (pcl2bmp.exe) paired with a malicious DLL named ctxmui.dll, which serves as the ZOHOMURK implant.

Signature details related to the launcher executable (Source : TRU).
Signature details of the launcher executable (Source: TRU).

MINIRECON: Advanced Command and Control

SHARDLOADER v1.0 serves as the delivery vehicle for MINIRECON, an evolution of the known Toneshell malware family. While it retains classic Toneshell behaviors—such as using PEB-walking for API resolution and a specific 13131313 hashing multiplier—it introduces significant upgrades to its communication capabilities.

MINIRECON utilizes WebSocket-over-HTTPS via the WinHTTP library for its Command and Control (C2) traffic. This allows the malware to maintain a persistent, stealthy connection that mimics legitimate web traffic. To ensure robust connectivity in enterprise environments, the implant supports proxy fallback logic and can be configured to ignore certificate validation, allowing it to communicate with self-signed certificates. The implant provides operators with a full suite of capabilities, including dual reverse shells, file transfers, and live remote reconnaissance.

Shellcode decrypting via XOR-Key (Source : TRU).
The shellcode decryption process via XOR-Key (Source: TRU).

ZOHOMURK: Cloud-Native Exfiltration via Zoho WorkDrive

The second campaign introduces ZOHOMURK, a highly innovative implant that leverages legitimate cloud services to bypass network monitoring. Instead of communicating with a traditional C2 server, ZOHOMURK abuses the Zoho WorkDrive API for both command reception and data exfiltration.

The reconstruction of the ZOHOMURK payload is remarkably complex: 69 distinct functions work in tandem to gather 32 hardcoded 16-byte XMM constants from various memory locations, assembling them into a heap region. The implant authenticates to Zoho’s OAuth API using hardcoded credentials, creating dedicated folders (a “main” folder and an “outbox”) for each victim. It polls the WorkDrive environment for new command files, executes them locally, and uploads the results back to the operator’s outbox. To minimize forensic footprints, command files are deleted immediately after consumption.

Attribution and Defensive Strategy

Acronis TRU has attributed these campaigns to Mustang Panda with high confidence. This attribution is based on shared tradecraft, the reuse of Solid PDF Creator as a sideloading host, code overlaps with Toneshell, and recurring infrastructure patterns, including the C2 domain couldinstallup[.]com. Acronis has collaborated with CERT-In to share these findings and mitigate the impact on affected organizations.

Recommended Hunting Queries and Mitigations

  • Process Monitoring: Hunt for unusual processes (like legitimate signed binaries) that invoke EnumSystemLocalesA immediately following RWX memory allocations.
  • Persistence Identification: Monitor for new Run keys or scheduled tasks, specifically those named SolidPDFPcl2Bmp.
  • DLL Sideloading Detection: Watch for suspicious file pairings, such as Project Proposal.exe + SolidPDFCreator.dll or pcl2bmp.exe + ctxmui.dll.
  • Network Behavior: Audit HTTPS traffic directed toward Zoho WorkDrive originating from non-browser processes, and monitor for WebSocket connections to suspicious/unrecognized domains.

Indicators of Compromise (IoCs)

Filename / Description SHA256 Hash
Hydropower Cooperation Project Proposal.zip cd9397797216fd4c08df324937509124e57258328c8e4c6d795c6a2cd25b69b0
SolidPDFCreator.dll Ebd533de7ca16daa70093b0b1084fb6136b6ba091d6ee0e4199762581e1b2e5a
Hydropower Cooperation Project Proposal.exe Fcf4efa82d477c924d42cc6b71aa672ab2381ca256769925ae34dabe2e77e025
test.doc 390148f5157c0f6b337ff19d162c3c2ee3e6d782fdfbe11fb1e411c0684fd33b
ctxmui.dll – ZOHOMURK Variant 1 5f22ec5c14dfd47c92850a5fb3bd8e3754d538b8021b6238238e4020336cfb5c
MOU USI-INDSR TAIWAN.zip F53fd0626404a129dcddb8ee7589387dd7bda7999814e0df46c670af6b3da5f5
SolidPDFCreator.dll (duplicate name) A43084f5af861f44c75c5273c779cb26d506cab6b51c33746626da504148a4ec
ctxmui.dll – ZOHOMURK Variant 2 F2bed071676feb831ed460489643fd57f6c6c1e0d024a1ea447820276fb13828

 

Related Articles

Back to top button