Deep Dive: Mustang Panda’s Multi-Stage Espionage Campaigns Against Indian Infrastructure
Recent intelligence from Acronis Threat Response Unit (TRU) has uncovered two highly sophisticated, concurrent espionage campaigns attributed to the threat actor Mustang Panda. These operations specifically target the Indian government and energy sectors, with a surgical focus on hydropower entities and government offices involved in Memorandums of Understanding (MOUs) with Taiwanese institutions. The campaigns utilize geopolitically charged lures and advanced DLL sideloading techniques to deploy a new suite of specialized malware: SHARDLOADER, MINIRECON, and ZOHOMURK.

Technical Analysis of the Infection Vector
The initial access phase relies on spear-phishing archives. These archives contain a combination of a legitimate, digitally signed binary and a hidden, malicious DLL. When a user executes the signed host, it performs a DLL sideloading attack, loading the attacker-controlled library into its memory space. This allows the malware to bypass traditional security perimeter defenses by masquerading as trusted software.
SHARDLOADER: The Deployment Engine
The threat actors are utilizing two distinct versions of the SHARDLOADER stager:
Version 1.0: This variant establishes a hidden staging environment at C:\ProgramData\IDM\logs. It migrates both the host executable and the malicious DLL to this location. The payload itself is highly obfuscated; it is reconstructed at runtime from fragmented constants stored within the .rdata section. Once assembled, the shellcode is decrypted using a rolling XOR and byte-reordering routine. To evade detection, SHARDLOADER executes the payload by abusing the EnumSystemLocalesA callback mechanism, allocating the decrypted code into executable memory.
Version 1.1: This iteration shifts the sideloading target to a signed Citrix binary (pcl2bmp.exe) paired with a malicious DLL named ctxmui.dll, which serves as the ZOHOMURK implant.

MINIRECON: Advanced Command and Control
SHARDLOADER v1.0 serves as the delivery vehicle for MINIRECON, an evolution of the known Toneshell malware family. While it retains classic Toneshell behaviors—such as using PEB-walking for API resolution and a specific 13131313 hashing multiplier—it introduces significant upgrades to its communication capabilities.
MINIRECON utilizes WebSocket-over-HTTPS via the WinHTTP library for its Command and Control (C2) traffic. This allows the malware to maintain a persistent, stealthy connection that mimics legitimate web traffic. To ensure robust connectivity in enterprise environments, the implant supports proxy fallback logic and can be configured to ignore certificate validation, allowing it to communicate with self-signed certificates. The implant provides operators with a full suite of capabilities, including dual reverse shells, file transfers, and live remote reconnaissance.

ZOHOMURK: Cloud-Native Exfiltration via Zoho WorkDrive
The second campaign introduces ZOHOMURK, a highly innovative implant that leverages legitimate cloud services to bypass network monitoring. Instead of communicating with a traditional C2 server, ZOHOMURK abuses the Zoho WorkDrive API for both command reception and data exfiltration.
The reconstruction of the ZOHOMURK payload is remarkably complex: 69 distinct functions work in tandem to gather 32 hardcoded 16-byte XMM constants from various memory locations, assembling them into a heap region. The implant authenticates to Zoho’s OAuth API using hardcoded credentials, creating dedicated folders (a “main” folder and an “outbox”) for each victim. It polls the WorkDrive environment for new command files, executes them locally, and uploads the results back to the operator’s outbox. To minimize forensic footprints, command files are deleted immediately after consumption.
Attribution and Defensive Strategy
Acronis TRU has attributed these campaigns to Mustang Panda with high confidence. This attribution is based on shared tradecraft, the reuse of Solid PDF Creator as a sideloading host, code overlaps with Toneshell, and recurring infrastructure patterns, including the C2 domain couldinstallup[.]com. Acronis has collaborated with CERT-In to share these findings and mitigate the impact on affected organizations.
Recommended Hunting Queries and Mitigations
- Process Monitoring: Hunt for unusual processes (like legitimate signed binaries) that invoke
EnumSystemLocalesAimmediately following RWX memory allocations. - Persistence Identification: Monitor for new Run keys or scheduled tasks, specifically those named
SolidPDFPcl2Bmp. - DLL Sideloading Detection: Watch for suspicious file pairings, such as
Project Proposal.exe+SolidPDFCreator.dllorpcl2bmp.exe+ctxmui.dll. - Network Behavior: Audit HTTPS traffic directed toward Zoho WorkDrive originating from non-browser processes, and monitor for WebSocket connections to suspicious/unrecognized domains.
Indicators of Compromise (IoCs)
| Filename / Description | SHA256 Hash |
|---|---|
| Hydropower Cooperation Project Proposal.zip | cd9397797216fd4c08df324937509124e57258328c8e4c6d795c6a2cd25b69b0 |
| SolidPDFCreator.dll | Ebd533de7ca16daa70093b0b1084fb6136b6ba091d6ee0e4199762581e1b2e5a |
| Hydropower Cooperation Project Proposal.exe | Fcf4efa82d477c924d42cc6b71aa672ab2381ca256769925ae34dabe2e77e025 |
| test.doc | 390148f5157c0f6b337ff19d162c3c2ee3e6d782fdfbe11fb1e411c0684fd33b |
| ctxmui.dll – ZOHOMURK Variant 1 | 5f22ec5c14dfd47c92850a5fb3bd8e3754d538b8021b6238238e4020336cfb5c |
| MOU USI-INDSR TAIWAN.zip | F53fd0626404a129dcddb8ee7589387dd7bda7999814e0df46c670af6b3da5f5 |
| SolidPDFCreator.dll (duplicate name) | A43084f5af861f44c75c5273c779cb26d506cab6b51c33746626da504148a4ec |
| ctxmui.dll – ZOHOMURK Variant 2 | F2bed071676feb831ed460489643fd57f6c6c1e0d024a1ea447820276fb13828 |