Mustang Panda’s New Campaigns Target India’s Government and Energy Nerve Centers
Researchers say the Mustang Panda hacking group is running concurrent campaigns against Indian government and energy entities, using new malware and abusing Zoho WorkDrive as a covert channel. The operations put sensitive state data and energy infrastructure in play — and show how familiar tools can be turned into quiet weapons.
India’s bureaucracy and energy sector have become the latest proving ground for a persistent cyber adversary that has long blended political espionage with technical experimentation.
The Acronis Threat Research Unit reported on 30 June that it has been tracking two concurrent cyber campaigns attributed to the Mustang Panda group, which it says are targeting Indian government entities and energy‑sector organizations. The campaigns reportedly deliver new malware implants dubbed ZOHOMURK and MINIRECON and exploit Zoho WorkDrive, a widely used legitimate cloud storage platform, as part of their infrastructure.
In the observed operations, Mustang Panda is said to be leveraging Zoho WorkDrive instances to host or relay malicious payloads, effectively hiding in plain sight by riding on a service deeply embedded in Indian government workflows. The new malware families are designed to establish footholds on compromised systems, perform reconnaissance, and exfiltrate data, giving attackers a window into sensitive networks if successful.
For Indian officials and corporate security teams, the target set is worrying. Government ministries and agencies hold diplomatic cables, policy drafts, and citizen data; energy companies manage information about grid operations, fuel logistics, and critical infrastructure layouts. Even if these campaigns are focused on espionage rather than disruption, the information they could yield would be highly valuable in any future crisis or negotiation involving India.
Operationally, the choice to abuse Zoho WorkDrive is significant. The platform is widely used across Indian public and private sectors, and blocking it outright would be costly and impractical. That gives attackers a durable channel that defenders are reluctant to shut down, forcing security teams into the more delicate task of detecting malicious use inside otherwise legitimate traffic. It also raises the stakes for cloud service providers, who are under pressure to spot and act on abuse without undermining the trust of their core customers.
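The detection problem described above, separating abusive WorkDrive use from the legitimate traffic that surrounds it, is easiest to reason about with a concrete heuristic. The following script is an added illustration, not code from the article or from Acronis: it scores each client's Zoho WorkDrive requests in a constructed proxy log against several weak signals (non-browser user agent, off-hours access, unusually large downloads, a download followed shortly by an upload) and only reports clients that trip more than one signal, so ordinary browser sessions are not flagged. The log format, the `workdrive.zoho.` hostname prefix, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Added example: corroborated-signal detection of anomalous Zoho WorkDrive
traffic in a web-proxy log. Log format, hostnames, thresholds and sample
lines are constructed for illustration; they are not from the article."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed proxy log format: timestamp client "user-agent" method host path bytes
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\S+) (\d+)$')

# Constructed sample lines (hostnames and IPs are placeholders, not real IoCs).
SAMPLE_LOG = """\
2025-07-01T09:12:03Z 10.20.1.15 "Mozilla/5.0 (Windows NT 10.0) Chrome/125" GET workdrive.zoho.in /files/abc123/download 40211
2025-07-01T09:14:10Z 10.20.1.15 "Mozilla/5.0 (Windows NT 10.0) Chrome/125" PUT workdrive.zoho.in /upload 8192
2025-07-01T02:31:44Z 10.20.7.88 "python-requests/2.31" GET workdrive.zoho.in /files/zz999/download 1835008
2025-07-01T02:32:01Z 10.20.7.88 "python-requests/2.31" PUT workdrive.zoho.in /upload 524288
2025-07-01T11:00:00Z 10.20.3.42 "Mozilla/5.0 (Windows NT 10.0) Edge/125" GET mail.example.in /inbox 2048
"""


@dataclass
class Event:
    ts: datetime
    client: str
    user_agent: str
    method: str
    host: str
    path: str
    size: int


@dataclass
class Finding:
    client: str
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, ua, method, host, path, size = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            client, ua, method, host, path, int(size)))
    return events


def is_workdrive(host):
    # Assumed hostname convention for WorkDrive endpoints (illustrative only).
    return host.startswith("workdrive.zoho.")


def analyze(log_text, business_hours=(7, 20), large_bytes=1_000_000,
            window=timedelta(minutes=10), min_signals=2):
    """Return one Finding per client whose WorkDrive traffic trips at least
    `min_signals` independent heuristics. Requiring corroboration keeps a
    single benign oddity (one late-night login, say) from raising an alert."""
    events = [e for e in parse_log(log_text) if is_workdrive(e.host)]
    by_client = defaultdict(list)
    for e in events:
        by_client[e.client].append(e)

    findings = []
    for client, evs in by_client.items():
        reasons = set()
        for e in evs:
            if not e.user_agent.startswith("Mozilla/"):
                reasons.add("non-browser user agent")      # scripted client, not a person
            if not (business_hours[0] <= e.ts.hour < business_hours[1]):
                reasons.add("off-hours access")
            if e.method == "GET" and e.size >= large_bytes:
                reasons.add("large download")
        downloads = [e for e in evs if e.method == "GET"]
        uploads = [e for e in evs if e.method in ("PUT", "POST")]
        # A fetch quickly followed by a push looks like staged relay rather than
        # ordinary file editing; weak on its own, so it only counts as one signal.
        if any(timedelta(0) <= (u.ts - d.ts) <= window
               for d in downloads for u in uploads):
            reasons.add("download followed by upload")
        if len(reasons) >= min_signals:
            findings.append(Finding(client, sorted(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.client, "->", ", ".join(f.reasons))
```

In a real deployment the user-agent and hour checks would be replaced by a baseline learned per user and device, and the hostname list would come from the proxy's own categorisation; the structure (several weak, independent signals, alert only on corroboration) is the part worth keeping, because it is what lets a team monitor a service it cannot afford to block.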
Strategically, the campaigns underscore how state‑linked or state‑tolerated hacking groups are probing not just foreign ministries and defense contractors, but the broader digital infrastructure of governance and energy. Mustang Panda, which has been linked in previous public reporting to China‑aligned interests, has a track record of targeting governments and NGOs across Asia and Europe. Its focus on India’s energy and government space fits a pattern of collecting information that could be leveraged in broader strategic competition.
For ordinary Indians, the threat is largely invisible but not abstract. Compromised government systems can translate into leaked identity data, exposed legal files, or insight into how authorities plan to manage everything from blackouts to border tensions. In the energy sector, detailed knowledge of operational networks does not automatically mean power cuts — but it lowers the barrier to more aggressive cyber operations if relations ever sour.
The memorable lesson here is that in modern geopolitics, the same cloud drive that stores cabinet minutes or power‑plant schematics can overnight become the enemy’s tunnel into the system.
What to watch next are indicators of official response: advisories or technical alerts from India’s national cyber agencies, any public guidance from Zoho about securing WorkDrive against abuse, and whether other security firms corroborate or expand on the reported campaigns. If similar attack patterns are spotted in other countries using the same tools, it will suggest Mustang Panda is refining a playbook that could extend well beyond India’s borders.
Sources
- OSINT