Mustang Panda Zoho WorkDrive C2: Detection and Response for Indian Government Targets

Security Arsenal is tracking an active campaign by the China-aligned threat group Mustang Panda (aka TA416) specifically targeting the Indian government and hydropower sectors. According to intelligence from the Acronis Threat Research Unit, this adversary has successfully compromised networks utilized by senior administrative staff.

The critical differentiator in this campaign is the abuse of Zoho WorkDrive, a legitimate cloud storage service, as a Command and Control (C2) infrastructure. This "Living-off-Trusted-Sites" technique allows the attackers to blend in with normal administrative traffic, bypassing traditional perimeter defenses that whitelist known SaaS platforms. Defenders in the public sector and critical infrastructure must immediately assume that trusted cloud connectivity is being weaponized for espionage.

Technical Analysis

Threat Actor: Mustang Panda (China-aligned APT)
Targets: Indian Government networks, Hydropower/Critical Infrastructure entities.
Mechanism: The group is deploying new, previously undocumented malicious software designed to interact with Zoho WorkDrive APIs. Instead of connecting to a traditional "low-reputation" IP address, the malware authenticates to or accesses content within Zoho WorkDrive to retrieve commands and exfiltrate data.
Attack Chain:
1. Initial Access: Likely phishing or credential theft targeting senior staff (specific details of the vector are under investigation, but the victims are high-value administrative personnel).
2. Execution: Deployment of custom malware variants.
3. C2 Communication: The malware establishes an encrypted channel to workdrive.zoho.com or related Zoho endpoints. It reads files or metadata hosted on the drive to receive instructions, mimicking legitimate file synchronization traffic.
Exploitation Status: Confirmed active exploitation. "Active compromises" have been identified inside government networks.

Detection & Response

Detecting this campaign requires shifting focus from blocking "bad" IPs to analyzing "bad" behavior within "good" destinations. The following rules hunt for suspicious processes interacting with Zoho infrastructure and unusual API access patterns.

Sigma Rules

YAML

---
title: Mustang Panda - Suspicious Process Accessing Zoho WorkDrive
id: 8c4d2e10-1b5f-4f7e-9a3d-6e7f8a9b0c1d
status: experimental
description: Detects non-browser processes communicating with Zoho WorkDrive, a known TTP in recent Mustang Panda campaigns.
references:
 - https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html
author: Security Arsenal
date: 2026/06/02
tags:
 - attack.command_and_control
 - attack.t1071.001
logsource:
 category: network_connection
 product: windows
detection:
 selection:
   DestinationHostname|contains:
     - 'workdrive.zoho.com'
     - 'zoho.com'
 filter_legit:
   Image|endswith:
     - '\chrome.exe'
     - '\msedge.exe'
     - '\firefox.exe'
     - '\zoho.com\Zoho Docs.exe'
 condition: selection and not filter_legit
falsepositives:
  - Legitimate backup utilities syncing to Zoho
  - Unauthorized BYOD tools
level: high
---
title: Mustang Panda - PowerShell Web Request to Zoho Infrastructure
id: 9d5e3f21-2c6a-5g8f-0b4e-7f8g9a0c1d2e
status: experimental
description: Detects PowerShell processes making web requests to Zoho domains, typical of custom loaders or C2 scripts.
references:
 - https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html
author: Security Arsenal
date: 2026/06/02
tags:
 - attack.execution
 - attack.t1059.001
logsource:
 category: process_creation
 product: windows
detection:
 selection_script:
   Image|endswith:
     - '\powershell.exe'
     - '\pwsh.exe'
 selection_net:
   CommandLine|contains:
     - 'Invoke-WebRequest'
     - 'wget'
     - 'curl'
     - 'Net.WebClient'
 selection_target:
   CommandLine|contains:
     - 'zoho'
     - 'workdrive'
 condition: all of selection_*
falsepositives:
  - Administrative scripts managing Zoho accounts
level: high
---
title: Mustang Panda - Suspicious File Creation in Zoho Sync Paths
id: 0e6f4a32-3d7b-6h9g-1c5f-0g1h2i3j4k5l
status: experimental
description: Detects creation of executable or script files within common Zoho local synchronization directories.
references:
 - https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html
author: Security Arsenal
date: 2026/06/02
tags:
 - attack.defense_evasion
 - -attack.t1564.001
logsource:
 category: file_create
 product: windows
detection:
 selection:
   TargetFilename|contains:
     - '\Zoho\'
     - '\Zoho WorkDrive\'
   TargetFilename|endswith:
     - '.exe'
     - '.dll'
     - '.ps1'
     - '.bat'
     - '.vbs'
 filter_legit:
   Image|contains:
     - '\Zoho'
 condition: selection and not filter_legit
falsepositives:
  - Legitimate software updates via Zoho management tools
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for network connections to Zoho domains initiated by processes other than standard web browsers.

KQL — Microsoft Sentinel / Defender

let ZohoDomains = dynamic(['workdrive.zoho.com', 'zoho.com', 'files.zoho.com']);
let Browsers = dynamic(['chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'opera.exe']);
DeviceNetworkEvents
| where RemoteUrl has_any (ZohoDomains)
| where InitiatingProcessFilename !in~ (Browsers)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, RemoteUrl, RemotePort
| order by Timestamp desc

Velociraptor VQL

Hunt for active processes connecting to Zoho infrastructure and inspect file modifications in sync directories.

VQL — Velociraptor

-- Hunt for non-browser processes connecting to Zoho domains
SELECT Pid, Name, CommandLine, Username, RemoteAddress, RemotePort
FROM winnetstat()
WHERE RemoteAddress =~ 'zoho' OR RemoteAddress =~ 'workdrive'
  AND Name NOT IN ('chrome.exe', 'msedge.exe', 'firefox.exe')

-- Hunt for recently modified files in Zoho sync directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs='C:\Users\*\Zoho\**\*', accessor='file')
WHERE Mtime > now() - 7d
  AND Mode =~ 'x' -- Executable files

Remediation Script (PowerShell)

This script assists in isolating affected systems by identifying anomalous connections to Zoho WorkDrive and optionally modifying the hosts file as an emergency containment measure (pending policy review).

PowerShell

# Emergency Audit and Containment Script for Mustang Panda Zoho C2
# Requires Administrator Privileges

Write-Host "[*] Auditing active connections to Zoho WorkDrive..." -ForegroundColor Cyan

# Get active TCP connections matching Zoho endpoints
$suspiciousConnections = Get-NetTCPConnection | 
    Where-Object { 
        $_.State -eq 'Established' -and 
        $_.RemoteAddress -ne '0.0.0.0' -and 
        ($_.OwningProcess -ne $null)
    } | 
    ForEach-Object { 
        $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($process) {
            try {
                $remoteHost = [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName
                if ($remoteHost -like '*zoho*' -or $remoteHost -like '*workdrive*') {
                    [PSCustomObject]@{
                        ProcessName = $process.ProcessName
                        PID        = $_.OwningProcess
                        Path       = $process.Path
                        RemoteAddr = $_.RemoteAddress
                        RemoteHost = $remoteHost
                        Status     = "SUSPICIOUS"
                    }
                }
            } catch { /* Ignore DNS resolution failures */ }
        }
    }

if ($suspiciousConnections) {
    $suspiciousConnections | Format-Table -AutoSize
    Write-Host "[!] WARNING: Suspicious Zoho connections detected. Check processes immediately." -ForegroundColor Red
    
    # Emergency Block: Add to HOSTS file (WARNING: Verify business continuity first)
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    $blockEntry = "0.0.0.0 workdrive.zoho.com"
    
    $confirm = Read-Host "Do you want to block workdrive.zoho.com via HOSTS file? (y/N)"
    if ($confirm -eq 'y') {
        Add-Content -Path $hostsPath -Value $blockEntry
        Write-Host "[+] Blocked workdrive.zoho.com in hosts file." -ForegroundColor Green
    }
} else {
    Write-Host "[+] No suspicious active Zoho connections found." -ForegroundColor Green
}

Write-Host "[*] Scanning for Zoho sync folders with executables..." -ForegroundColor Cyan
Get-ChildItem -Path "C:\Users\" -Recurse -Filter "*.exe" -ErrorAction SilentlyContinue | 
    Where-Object { $_.Directory.FullName -like '*Zoho*' } | 
    Select-Object FullName, CreationTime, LastWriteTime | Format-Table

Remediation

Immediate Isolation: Identify and isolate the senior administrative staff machines identified by Acronis or detected via the Sigma rules above. Do not rely solely on IP blocking; the C2 is hosted on a legitimate SaaS platform.
Access Control Review: Audit Zoho WorkDrive logs. Look for authentication from unusual geolocations, new API keys created recently, or massive data transfers (exfiltration).
Credential Reset: Assume the attacker has obtained credentials. Force a password reset for all accounts with access to the targeted Zoho WorkDrive environments and enforce MFA.
Traffic Inspection: If a full block of Zoho WorkDrive is not business-viable, configure your proxy/NGFW to perform deep packet inspection (SSL/TLS Decryption) for *.zoho.com to validate the content against known malware signatures.
Forensic Acquisition: Capture full memory and disk images of compromised hosts for analysis of the "new malicious software" to identify additional persistence mechanisms.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub