Indian government agencies and institutions are under attack from a notorious threat actor known as Mustang Panda, who is leveraging Zoho WorkDrive – a cloud-based file sharing and collaboration platform – as a command channel for its malicious activities.
Mustang Panda has been a persistent threat in the region, with a history of targeting high-profile organizations and governments. The group’s tactics often involve sophisticated social engineering and exploitation of vulnerabilities to gain unauthorized access to sensitive systems. Recently, researchers have discovered that Mustang Panda has begun utilizing Zoho WorkDrive as an alternative command and control (C2) channel for its operations.
Zoho WorkDrive is a cloud-based file sharing and collaboration platform used by millions worldwide, including many Indian government agencies. The platform allows users to share files, collaborate on documents, and manage workflows in the cloud. However, it appears that Mustang Panda has compromised accounts within these organizations, using Zoho WorkDrive as a conduit for issuing commands and uploading malicious payloads.
The abuse of Zoho WorkDrive by Mustang Panda highlights a growing concern: threat actors leveraging legitimate business applications for malicious purposes. These platforms often provide robust security features and strict access controls, but they remain exposed to targeted attacks and compromised credentials. In this case, it is likely that the attackers gained initial access through phishing or other social engineering tactics before escalating their activities within the Zoho WorkDrive platform.
The implications of this development are significant, as it underscores the importance of multi-factor authentication and regular security audits for cloud-based services. Organizations relying on platforms like Zoho WorkDrive must remain vigilant and ensure that their users’ credentials are secure. They should also prioritize employee education on social engineering tactics to prevent initial compromise.
The incident serves as a reminder that even well-protected systems can be vulnerable to targeted attacks when compromised credentials or vulnerabilities are exploited. To stay ahead of such threats, it is essential for organizations to adopt a proactive approach to security, incorporating AI-driven threat detection and continuous vulnerability assessments into their defenses.
Source: The Hacker News — 2026-06-29