What Happened
The China-aligned espionage group Mustang Panda is running two campaigns against the Indian government and hydropower targets, deploying new malware and turning a legitimate cloud service into its command channel. Acronis Threat Research Unit found active compromises inside Indian government networks, including machines used by senior administrative staff, and worked with
Why It Matters
The report says Mustang Panda used Zoho WorkDrive as a command-and-control channel and for data theft in its campaigns against Indian government and hydropower targets; Acronis identified active compromises and malware delivered through sideloading and cloud-service abuse.[2][5] CyberSE.AI analysis: this activity qualifies as malicious AI use only in the broad sense that it reflects advanced adversarial tradecraft. The article describes no AI-specific abuse, so the practical security implication is defending against cloud-hosted C2, endpoint sideloading, and suspicious OAuth-driven activity.[2][5]
CyberSE Analysis
This signal maps to malicious AI use. Organizations that use AI agents, LLM APIs, SaaS integrations, or sensitive-data workflows should review whether this class of issue could enable unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html