Listen to this Post

Introduction
In June 2026, the Acronis Threat Research Unit (TRU) uncovered two concurrent espionage campaigns orchestrated by the China‑aligned threat actor Mustang Panda (aka TA416, BASIN, BRONZE PRESIDENT, Earth Preta, Twill Typhoon). The campaigns targeted Indian government entities and hydropower‑related organizations—particularly those involved in cooperation agreements with Taiwanese institutions—with a novel malware suite comprising SHARDLOADER, MINIRECON, and ZOHOMURK. What makes this operation exceptionally dangerous is the adversary’s abuse of Zoho WorkDrive, a legitimate cloud storage platform commonly deployed in Indian government environments, to conceal command‑and‑control (C2) traffic and exfiltrate sensitive data. This article dissects the technical mechanics of each malware component, provides actionable detection and hardening guidance, and equips security professionals with the knowledge to hunt for and mitigate this evolving threat.
Learning Objectives
- Understand the end‑to‑end attack chain of Mustang Panda’s SHARDLOADER campaigns, from spear‑phishing to payload execution.
- Analyze the technical capabilities of MINIRECON (WebSocket‑based reconnaissance implant) and ZOHOMURK (Zoho WorkDrive‑abusing C2 implant).
- Learn how to detect DLL sideloading, cloud service abuse, and persistence mechanisms using Windows/Linux commands, EDR telemetry, and network monitoring.
- Implement practical hardening measures to defend against similar espionage‑motivated attacks leveraging trusted applications and legitimate cloud platforms.
You Should Know
- The Attack Chain: From Spear‑Phishing to SHARDLOADER Execution
Mustang Panda’s campaigns begin with highly targeted spear‑phishing emails containing malicious ZIP archives. The lures are geopolitically and sector‑relevant—hydropower project proposals, memoranda of understanding (MOUs), and other official‑looking documents. Upon extraction and execution, the victim triggers a DLL sideloading chain:
- Campaign I (SHARDLOADER v1.0): A legitimate signed binary—Solid PDF Creator—is abused to load a malicious DLL that stages and executes MINIRECON.
- Campaign II (SHARDLOADER v1.1): A signed Citrix Receiver binary is used in the same sideloading technique to deliver ZOHOMURK.
This technique allows the malware to run under trusted‑looking processes, bypassing application whitelisting and basic endpoint protections.
Step‑by‑Step Analysis of the Sideloading Attack
- Delivery: Victim receives a spear‑phishing email with a malicious ZIP attachment.
- Extraction: The ZIP contains a legitimate signed executable (e.g.,
SolidPDFCreator.exe) and a malicious DLL with a name the executable expects to load (e.g., `version.dll` orwinmm.dll). - Execution: When the user launches the signed binary, Windows loads the adjacent malicious DLL via standard DLL search order.
- Payload Decryption & Launch: The malicious DLL decrypts and injects either MINIRECON or ZOHOMURK into memory.
- Persistence: The implant establishes persistence via registry Run keys or scheduled tasks.
Detection Commands (Windows)
To hunt for DLL sideloading activity, focus on process creation events where a signed binary loads unsigned DLLs from non‑system paths:
PowerShell: Find processes loading DLLs from user-writable directories
Get-Process | ForEach-Object {
$<em>.Modules | Where-Object {
$</em>.FileName -like "C:\Users\" -or
$<em>.FileName -like "C:\ProgramData\"
} | Select-Object @{N="Process";E={$</em>.Process.ProcessName}}, FileName
}
Sysinternals Sigcheck: Verify digital signatures of all DLLs loaded by a suspicious process
sigcheck -accepteula -c -1obanner -v <path_to_suspicious_executable>
Detection Commands (Linux – for cross‑platform reconnaissance)
While this specific campaign targets Windows, security analysts should be aware of similar sideloading techniques on Linux via LD_PRELOAD:
Check for LD_PRELOAD hijacking echo $LD_PRELOAD grep -r "LD_PRELOAD" /etc/ld.so.preload /etc/profile.d/ 2>/dev/null Monitor for suspicious library loads using auditd auditctl -w /usr/lib -p wa -k library_load ausearch -k library_load --format text | tail -50
2. MINIRECON: The WebSocket‑Based Reconnaissance Implant
MINIRECON is a newly identified implant belonging to the TONESHELL malware family. It is a lightweight remote‑access backdoor that communicates with its C2 server over WebSocket on port 443, intentionally skipping certificate validation to evade inspection.
Key Capabilities
- Reconnaissance: Enumerates system information, running processes, network configurations, and user credentials.
- Remote Control: Executes arbitrary commands received via the WebSocket channel.
- Stealth: By using port 443 and WebSocket protocols, traffic resembles legitimate HTTPS/web applications, making it difficult to differentiate from normal enterprise activity.
Network Detection (Zeek/Suricata)
Monitor for WebSocket handshakes (Upgrade: websocket) to unusual domains or IPs:
Zeek: Look for WebSocket connections to suspicious domains echo 'websocket $orig_h $orig_p $resp_h $resp_p' >> /opt/zeek/share/zeek/site/local.zeek Then run: zeek -r capture.pcap local.zeek Suricata rule example alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible MINIRECON WebSocket C2"; http.request_header; content:"Upgrade"; http_header; content:"websocket"; http_header; flow:to_server,established; sid:1000001; rev:1;)
Endpoint Investigation (Windows)
Check for processes initiating outbound WebSocket connections:
PowerShell: Find processes with active TCP connections on port 443 to suspicious IPs
Get-1etTCPConnection -State Established | Where-Object {
$<em>.RemotePort -eq 443 -and
$</em>.RemoteAddress -1otin @("13.107.246.0/24", "20.70.0.0/16") exclude known CDNs
} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
Map PIDs to process names
Get-Process -Id (Get-1etTCPConnection -State Established | Where-Object RemotePort -eq 443).OwningProcess
- ZOHOMURK: Abusing Zoho WorkDrive for C2 and Exfiltration
ZOHOMURK is a C/C++ DLL implant that represents a paradigm shift in C2 concealment. Instead of using custom domains or IPs, it abuses Zoho WorkDrive—a legitimate cloud storage platform widely adopted in Indian government sectors—for command‑and‑control, data exfiltration, and remote task execution.
How ZOHOMURK Operates
- Authentication: The implant uses hardcoded OAuth credentials to authenticate with Zoho WorkDrive APIs.
- Tasking: The C2 operator places commands in specific files or folders within the compromised Zoho WorkDrive account.
- Polling: ZOHOMURK periodically polls the WorkDrive folder for new instructions.
- Exfiltration: Stolen data is uploaded to WorkDrive as innocuous‑looking files, blending with legitimate cloud storage traffic.
Why This Is Dangerous
Because Zoho WorkDrive is a trusted enterprise application, traditional security tools (firewalls, proxies, DLP) often whitelist its traffic. Malicious requests are indistinguishable from legitimate cloud synchronization activities.
Detection Strategies
Network‑Level Detection
Monitor for anomalous Zoho WorkDrive API usage:
Zeek: Detect excessive file uploads to Zoho WorkDrive echo 'http $orig_h $orig_p $resp_h $resp_p $uri $method' >> /opt/zeek/site/local.zeek Look for patterns like: /api/v1/upload, /api/v1/files, etc. Suricata: Alert on unusual Zoho WorkDrive API calls alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ZOHOMURK - Suspicious Zoho WorkDrive API"; http.uri; content:"/api/v1/"; http.uri; content:"upload"; http.uri; flow:to_server,established; sid:1000002; rev:1;)
Endpoint Detection (Windows)
Monitor for processes accessing Zoho WorkDrive APIs outside of expected patterns:
PowerShell: Check for processes with network connections to Zoho WorkDrive domains
$zohoDomains = @("workdrive.zoho.com", "workdrive.zohoexternal.com", ".zoho.com")
Get-1etTCPConnection -State Established | Where-Object {
$remote = $<em>.RemoteAddress -as [bash]
$zohoDomains | ForEach-Object { if ($remote -like $</em>) { return $true } }
} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
Event Logs: Look for unusual file creations/modifications in Zoho WorkDrive sync folders
Get-WinEvent -LogName "Security" | Where-Object {
$<em>.Id -eq 4663 -and $</em>.Message -like "ZohoWorkDrive"
} | Select-Object TimeCreated, Message
API Monitoring (Cloud / CASB)
If your organization uses Zoho WorkDrive, implement Cloud Access Security Broker (CASB) policies to:
- Alert on API calls originating from non‑corporate IP ranges.
- Detect bulk file downloads or uploads outside business hours.
- Flag authentication attempts using hardcoded credentials (OAuth tokens with unusual user agents).
- Persistence Mechanisms: Registry Run Keys and Scheduled Tasks
Mustang Panda employs redundant persistence strategies to maintain long‑term access even after reboots or cleanup attempts.
Registry Run Keys
The malware adds entries under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Common key names observed in Mustang Panda campaigns include ChromePDFBrowser, AdobeLicensingHelper, and FreePDF.
Scheduled Tasks
Scheduled tasks are created to execute the loader at regular intervals (e.g., every 5 minutes):
schtasks /Create /TN "ChromeBrowser-chromiumim" /SC MINUTE /MO 5 /TR "C:\ProgramData\malware.exe"
Detection Commands (Windows)
Enumerate all Run keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object
Enumerate all scheduled tasks with suspicious names
schtasks /query /fo CSV | Where-Object { $_ -match "Chrome|Adobe|PDF|Update" }
Use Sysinternals Autoruns for comprehensive persistence analysis
autoruns -accepteula -a -c -1obanner
Removal Commands
Remove malicious Run key Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -1ame "ChromePDFBrowser" Delete malicious scheduled task schtasks /Delete /TN "ChromeBrowser-chromiumim" /F
5. Operational Mistakes: Attribution and Investigation Leverage
Despite the sophistication of the campaign, Acronis researchers noted several operational mistakes that aided attribution:
- Hardcoded OAuth credentials embedded in the malware binaries.
- Recurring development artifacts (e.g., debug strings, PDB paths).
- Plaintext identifiers and mutex/named event names.
- Reused infrastructure (domains, IPs, SSL certificates) from previous Mustang Panda operations.
How to Leverage This for Threat Hunting
- YARA Rules: Create signatures to detect the specific hardcoded credentials or mutex names.
- Memory Forensics: Dump process memory and search for plaintext OAuth tokens.
- Network Logs: Correlate C2 domains (e.g.,
couldinstallup[.]com) with known Mustang Panda infrastructure.
Sample YARA Rule (Conceptual)
rule ZOHOMURK_OAUTH_CREDENTIALS {
meta:
description = "Detects hardcoded OAuth credentials in ZOHOMURK"
author = "Threat Hunter"
strings:
$oauth = /client_id=[A-Za-z0-9]+/ nocase
$secret = /client_secret=[A-Za-z0-9]+/ nocase
$zoho = "zoho" nocase
condition:
$oauth and $secret and $zoho
}
6. Hardening and Mitigation Strategies
Application Control
- Implement application whitelisting (e.g., Windows AppLocker or WDAC) to prevent execution of unsigned binaries in user‑writable directories.
- Restrict DLL loading to trusted paths only. Use `SetDllDirectory` or `LOAD_LIBRARY_SEARCH_DEFAULT_DIRS` to prevent sideloading.
Cloud Service Governance
- Adopt a CASB to monitor and restrict Zoho WorkDrive API usage.
- Implement Zero Trust Network Access (ZTNA) for cloud applications.
- Rotate OAuth tokens regularly and use conditional access policies.
Endpoint Detection and Response (EDR)
- Deploy EDR solutions capable of detecting DLL sideloading (e.g., process lineage analysis, anomalous library loads).
- Enable memory scanning to detect in‑memory shellcode execution.
- Configure network detection rules for WebSocket C2 and anomalous cloud API calls.
User Awareness
- Conduct spear‑phishing simulations with geopolitically themed lures.
- Train users to verify email senders and avoid opening unsolicited ZIP attachments.
7. Incident Response Checklist
If you suspect SHARDLOADER, MINIRECON, or ZOHOMURK activity:
1. Isolate affected hosts immediately.
2. Collect forensic artifacts:
- Memory dumps (for shellcode and injected implants).
- Registry hives (Run keys, scheduled tasks).
- Network captures (WebSocket handshakes, Zoho WorkDrive API calls).
3. Analyze the malicious DLLs and decrypted payloads.
4. Revoke any compromised OAuth credentials.
- Review Zoho WorkDrive audit logs for unauthorized file access.
- Deploy YARA rules and IoC sweeps across the enterprise.
7. Report to relevant CERT/CSIRT teams.
What Undercode Say
- Key Takeaway 1: Mustang Panda’s abuse of Zoho WorkDrive represents a dangerous evolution in C2 concealment—trusted cloud platforms are now primary attack vectors, not just delivery mechanisms. Traditional perimeter defenses are insufficient against this threat.
-
Key Takeaway 2: The combination of DLL sideloading, in‑memory execution, and cloud‑based C2 creates a multi‑layered evasion strategy that demands a defense‑in‑depth approach: application whitelisting, EDR with memory analysis, CASB for cloud monitoring, and continuous threat hunting.
-
Key Takeaway 3: Operational mistakes (hardcoded credentials, debug artifacts) are a gift to defenders. Proactive threat intelligence sharing and YARA rule development can turn adversary carelessness into detection opportunities.
-
Analysis: This campaign underscores that nation‑state espionage is increasingly leveraging legitimate enterprise services to bypass security controls. The use of geopolitically themed lures targeting hydropower and government entities suggests a strategic focus on critical infrastructure and policy‑sensitive information. Defenders must assume that attackers will exploit any trusted application—from PDF creators to cloud storage—and adjust their monitoring accordingly. The shift toward living‑off‑the‑land techniques and cloud‑native C2 is not a trend; it is the new normal.
Prediction
-
+1 Expect a surge in cloud‑based C2 abuse across multiple APT groups, leveraging platforms like Google Drive, Dropbox, and OneDrive in addition to Zoho WorkDrive. Defenders will need to adopt CASB and UEBA solutions to detect anomalous cloud API usage.
-
-1 Smaller organizations without dedicated security teams will remain highly vulnerable to these tactics, as they lack the resources to monitor cloud API activity or implement robust EDR. This will lead to increased supply‑chain risks as attackers pivot from government targets to their vendors and partners.
-
+1 The security community will respond with open‑source detection tools and community‑driven IoC repositories specific to cloud‑abusing malware, democratizing threat hunting capabilities for resource‑constrained teams.
-
-1 Mustang Panda and similar actors will likely refine their tradecraft—encrypting OAuth credentials, randomizing mutex names, and rotating infrastructure—making attribution harder and requiring more sophisticated behavioral analytics.
-
+1 Increased collaboration between cloud providers (Zoho, Microsoft, Google) and cybersecurity firms will yield native detection capabilities within cloud platforms, enabling automated alerts for suspicious API usage patterns.
-
-1 The geopolitical targeting of energy and government sectors will intensify, with adversaries increasingly leveraging AI‑generated lures to craft more convincing spear‑phishing emails, reducing the effectiveness of user awareness training alone.
-
+1 The MITRE ATT&CK framework will likely expand its Cloud and Application Layer techniques to include specific sub‑techniques for cloud storage abuse, providing defenders with standardized detection and mitigation guidance.
-
-1 The sophistication gap between nation‑state actors and commercial security tools will widen, as attackers invest in custom implant development (like ZOHOMURK) while many organizations rely on legacy signature‑based defenses.
-
+1 Threat hunting teams that proactively simulate cloud‑abuse scenarios in red‑team exercises will develop the muscle memory needed to detect and respond to these attacks faster than adversaries can adapt.
-
-1 Unless organizations adopt Zero Trust architecture—including micro‑segmentation, continuous authentication, and least‑privilege access—the abuse of trusted applications and cloud services will remain an Achilles’ heel in enterprise security.
Stay vigilant, hunt proactively, and never trust—always verify.
▶️ Related Video (80% Match):
https://www.youtube.com/watch?v=Bo4K35yP3E0
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Flavioqueiroz Shardloader – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


