India's government and energy sectors targeted with ZOHOMURK and MINIRECON
Essential information
- Published
- 29/06/2026 22:25
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- cloud c2 dll sideloading espionage government targeting hydropower india minirecon pubload shadowpad shardloader toneshell websocket zoho workdrive zohomurk
- Related entities
- 11 indicators, 3 observables, 1 intrusion sets (apt), 20 techniques (mitre), 7 malware
Description
Mustang Panda orchestrated two concurrent espionage campaigns targeting Indian government entities and hydropower infrastructure between May and June 2026. The campaigns leveraged DLL sideloading via legitimate executables to deploy newly identified malware including SHARDLOADER, MINIRECON, and ZOHOMURK. MINIRECON represents an evolution of Toneshell with WebSocket-based command-and-control capabilities, while ZOHOMURK abuses Zoho WorkDrive cloud services for C2 communications and data exfiltration. Distribution occurred through spear-phishing with lures themed around India-Taiwan cooperation agreements and hydropower projects. The activity demonstrates code overlaps with previous tooling, infrastructure proximity to known operations, and targeting patterns aligned with Chinese strategic intelligence collection priorities. Multiple compromised government systems were identified, with coordination conducted through CERT-In for victim notification and remediation.