Mustang Panda Targets Indian Government in Cyberattack Via 2 Live Campaigns

Sanjay Goyal
Editor-In-Chief
© The Mobile Times

A fresh Indian government cyberattack has been traced to Mustang Panda, the China-aligned espionage group now weaponising Zoho WorkDrive as a live command-and-control channel. Acronis Threat Research Unit confirmed active compromises inside Indian government networks in 2026, including machines operated by senior administrative staff. Two separate campaigns are running simultaneously, one targeting central government offices and another hitting hydropower sector infrastructure.

What You Need To Know

  • Mustang Panda is running 2 simultaneous espionage campaigns against Indian targets in 2026
  • Zoho WorkDrive, a legitimate Indian cloud service, is being used as the command-and-control channel
  • Acronis Threat Research Unit found compromised machines used by senior administrative staff
  • New, previously undocumented malware strains have been deployed inside Indian government networks

Mustang Panda Confirms Indian Government Cyberattack With New Malware Arsenal

Mustang Panda launched a calculated cyberattack on the Indian government through two distinct campaigns uncovered by Acronis Threat Research Unit in 2026. Attackers deployed previously undocumented malware strains directly onto government machines, including endpoints used by senior administrative personnel. Beyond standard intrusion tools, the group began routing command traffic through Zoho WorkDrive, a legitimate cloud storage service headquartered in Chennai, effectively disguising malicious communications as routine business activity inside government network logs.


Why Is the Zoho WorkDrive Technique So Dangerous for India’s Security Posture?

The choice of Zoho WorkDrive is calculated and alarming. Zoho products are deeply embedded across Indian government departments, state agencies, and private enterprises. Traffic to WorkDrive domains rarely triggers firewall alerts, giving Mustang Panda near-invisible persistence. Security teams chasing indicators of compromise will struggle to separate legitimate Zoho traffic from attacker-controlled command channels. The Indian government cyberattack exploits institutional trust in a homegrown software vendor, a tactic that raises the detection difficulty dramatically compared to conventional C2 infrastructure.

Hydropower facilities are now confirmed secondary targets alongside central government offices. Energy infrastructure attacks carry consequences far beyond data theft: disrupted grid management, delayed project approvals, and compromised engineering data on dams and water flow systems. India’s expanding network of hydropower projects across Himachal Pradesh, Uttarakhand, and Arunachal Pradesh represents high-value intelligence for a state-sponsored adversary. Telecom carriers supporting these facilities also face secondary exposure, since compromised administrative machines often hold network access credentials used across connected systems.

“Abusing a trusted, domestic cloud platform as a command channel is a calculated move. Defenders need to treat outbound traffic to well-known SaaS tools with the same scrutiny they apply to unknown external IPs.” — Cybersecurity Analyst, Critical Infrastructure Sector

What Happens Next After This Indian Government Cyberattack Disclosure

Acronis has already shared threat intelligence with affected organisations, but the containment window is narrow. Security teams inside government ministries must audit all Zoho WorkDrive access logs immediately, looking for non-standard API calls and unusual file-sharing patterns. CERT-In is expected to issue an advisory following this Indian government cyberattack disclosure. Mustang Panda historically pivots to new infrastructure within days of public exposure, so incident responders must act before the group rotates its tooling and reestablishes persistence through alternative channels.
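One way to start the audit described above, as an added example (not from Acronis or the original article): it scans proxy records for WorkDrive destinations and flags host/process pairs that are not on an expected-client list or that check in at near-constant intervals. The log layout, domain names, process names and thresholds are assumptions, and the log lines are constructed.

```python
import csv, io, statistics
from collections import defaultdict
from datetime import datetime

# Assumptions: adjust to the hostnames your proxy logs and the clients you expect.
WORKDRIVE_DOMAINS = ("workdrive.zoho.com", "workdrive.zoho.in")
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed proxy records (not real telemetry); process names are made up.
SAMPLE_LOG = """\
time,host,process,dest
2026-06-01T09:02:11,ws-014,chrome.exe,workdrive.zoho.in
2026-06-01T09:17:40,ws-014,chrome.exe,workdrive.zoho.in
2026-06-01T10:05:03,ws-014,chrome.exe,workdrive.zoho.in
2026-06-01T11:48:27,ws-014,chrome.exe,workdrive.zoho.in
2026-06-01T09:00:00,ws-022,updsvc.exe,workdrive.zoho.com
2026-06-01T09:05:01,ws-022,updsvc.exe,workdrive.zoho.com
2026-06-01T09:10:00,ws-022,updsvc.exe,workdrive.zoho.com
2026-06-01T09:15:02,ws-022,updsvc.exe,workdrive.zoho.com
2026-06-01T09:20:00,ws-022,updsvc.exe,workdrive.zoho.com
2026-06-01T09:03:00,ws-022,updsvc.exe,intranet.example
2026-06-01T14:30:09,ws-031,reportgen.exe,workdrive.zoho.in
"""

def is_workdrive(dest):
    d = dest.strip().lower()
    return any(d == s or d.endswith("." + s) for s in WORKDRIVE_DOMAINS)

def find_suspects(log_text, min_events=4, max_cv=0.1):
    """Return {(host, process): [reasons]} for WorkDrive traffic worth a look."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if is_workdrive(row["dest"]):
            key = (row["host"], row["process"].lower())
            seen[key].append(datetime.fromisoformat(row["time"]))
    findings = {}
    for key, times in seen.items():
        reasons = []
        if key[1] not in EXPECTED_PROCESSES:
            reasons.append("unexpected-process")
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Near-constant check-in gaps (low coefficient of variation) suggest automation.
        if len(times) >= min_events and statistics.mean(gaps) > 0:
            if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
                reasons.append("regular-interval")
        if reasons:
            findings[key] = reasons
    return findings
```

Calling `find_suspects(SAMPLE_LOG)` returns the flagged pairs with their reasons; a hit is a lead for endpoint triage, not proof of compromise, since sync clients and scheduled jobs can also poll on a timer.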

Sources: TRAI | GSMA | DOT | Acronis Threat Research Unit (2026); The Hacker News, “Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks,” thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html

People Also Ask

  • What is the Mustang Panda Indian government cyberattack targeting in 2026? Mustang Panda is targeting Indian central government offices and hydropower sector infrastructure, compromising machines used by senior administrative staff and deploying new malware strains routed through Zoho WorkDrive as a command-and-control channel.
  • How does Mustang Panda use Zoho WorkDrive in a cyberattack on the Indian government? Attackers route malicious command-and-control traffic through legitimate Zoho WorkDrive accounts, blending it with normal business traffic to evade firewall detection and avoid triggering standard network security alerts inside government environments.
  • How can Indian government agencies defend against Mustang Panda-style cloud C2 attacks? Agencies should audit all outbound SaaS traffic, flag unusual Zoho WorkDrive API calls, enforce strict application whitelisting, and coordinate with CERT-In to receive updated indicators of compromise linked to active Mustang Panda tooling.