{ "type": "Domain", "indicator": "editor.gleeze.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/editor.gleeze.com", "alexa": "http://www.alexa.com/siteinfo/editor.gleeze.com", "indicator": "editor.gleeze.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": {}, "pulse_info": { "count": 0, "pulses": [], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "69e827168edcf67707285b4e", "name": "Same packet, different magic: Hits India's banking sector and Korea geopolitics", "description": "A new variant of the LOTUSLITE backdoor, version 1.1, has been identified targeting India's banking sector and South Korean diplomatic circles. The backdoor is delivered via DLL sideloading using legitimate Microsoft-signed executables and initially through CHM files containing malicious JavaScript. It communicates with dynamic DNS-based command-and-control servers over HTTPS, supporting remote shell access, file operations and session management. Code-level analysis reveals direct lineage to LOTUSLITE v1.0, including identical command structures, shared persistence mechanisms, and residual exports from the original codebase. The campaign demonstrates incremental improvements including updated magic values, API resolution techniques, and delivery mechanisms evolving from CHM-based to JavaScript loaders to DLL sideloading. Infrastructure hosted under Dynu Systems shows continuity with previous operations.", "author_name": "AlienVault", "modified": "2026-05-22T02:03:39.507000", "created": "2026-04-22T01:40:38.268000", "revision": 2, "tlp": "white", "public": 1, "adversary": "MUSTANG PANDA", "indicators": [ { "id": 4284213163, "indicator": "editor.gleeze.com", "type": "hostname", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481981, "indicator": "5abac6560eeb77f71e4cd2e1b33d973e", "type": "FileHash-MD5", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481982, "indicator": "1ffd797a49df270494b8cb2d2d0d679387fbd44a", "type": "FileHash-SHA1", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481983, "indicator": "18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893", "type": "FileHash-SHA256", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481984, "indicator": "6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135", "type": "FileHash-SHA256", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481985, "indicator": "7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d", "type": "FileHash-SHA256", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481986, "indicator": "9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d", "type": "FileHash-SHA256", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481987, "indicator": "af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec", "type": "FileHash-SHA256", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481988, "indicator": "cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8", "type": "FileHash-SHA256", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481989, "indicator": "cosmosmusic.com", "type": "domain", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4322481990, "indicator": "www.cosmosmusic.com", "type": "hostname", "created": "2026-04-22T01:40:39", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null } ], "tags": [ "espionage", "chm files", "backdoor", "south korea diplomacy", "lotuslite", "dll sideloading", "india banking", "javascript loader" ], "targeted_countries": [ "United States of America", "British Indian Ocean Territory", "India" ], "malware_families": [ "LOTUSLITE" ], "attack_ids": [ "T1132.001", "T1059.007", "T1036.005", "T1204.002", "T1573.001", "T1497.001", "T1566.001", "T1106", "T1005", "T1140", "T1083", "T1041", "T1547.001", "T1218.001", "T1027", "T1059.003", "T1027.002", "T1071.001", "T1574.002", "T1105" ], "references": [ "https://www.acronis.com/en/tru/posts/same-packet-different-magic-mustang-panda-hits-indias-banking-sector-and-korea-geopolitics/" ], "industries": [ "Finance", "Government" ], "extract_source": [], "more_indicators": false, "indicator_count": 12 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "editor.gleeze.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "editor.gleeze.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180411.1405334 }