216.73.216.86

India's government and energy sectors targeted with ZOHOMURK and MINIRECON

· Published 29/06/2026 22:25

Export JSON

Essential information

Published
29/06/2026 22:25
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
cloud c2 dll sideloading espionage government targeting hydropower india minirecon pubload shadowpad shardloader toneshell websocket zoho workdrive zohomurk
Related entities
11 indicators, 3 observables, 1 intrusion sets (apt), 20 techniques (mitre), 7 malware

Description

Mustang Panda orchestrated two concurrent campaigns targeting Indian government entities and hydropower infrastructure between May and June 2026. The campaigns leveraged via legitimate executables to deploy newly identified malware including SHARDLOADER, MINIRECON, and ZOHOMURK. MINIRECON represents an evolution of with -based command-and-control capabilities, while ZOHOMURK abuses Zoho WorkDrive cloud services for C2 communications and data exfiltration. Distribution occurred through spear-phishing with lures themed around -Taiwan cooperation agreements and hydropower projects. The activity demonstrates code overlaps with previous tooling, infrastructure proximity to known operations, and targeting patterns aligned with Chinese strategic intelligence collection priorities. Multiple compromised government systems were identified, with coordination conducted through CERT-In for victim notification and remediation.

External references