Mustang Panda Espionage Campaigns Target India's Government and Energy Sectors

In June 2026, Mustang Panda launched two espionage campaigns targeting India's hydropower sector and government entities. The attacks utilized lure documents related to cooperation agreements with Taiwan, delivering malware including SHARDLOADER, MINIRECON, and ZOHOMURK. These campaigns employed DLL-based loaders and weaponized archives to sideload malicious components. The threat actor demonstrated knowledge of India's software compliance landscape, indicating a sophisticated approach. Both campaigns shared similar tools and techniques, suggesting a moderate retooling effort while maintaining a focus on Indian targets. Acronis has attributed these activities to Mustang Panda, a group linked to China, based on deployment patterns and operational characteristics. The ongoing threat highlights the persistent interest of state-aligned actors in India's critical infrastructure.

Key Points: • Mustang Panda targeted India's hydropower and government sectors with new malware. • The campaigns used lure documents related to Taiwan, showcasing geopolitical motivations. • SHARDLOADER, MINIRECON, and ZOHOMURK were the primary tools used in these attacks.