The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit, investigation identified a security incident stemming from Notepad++

Khushal (thread author)
Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors.

Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor, which we have dubbed Chrysalis.
 
Rapid7’s write-up (dated Feb 2, 2026) is essentially describing a supply-chain-style incident: the infrastructure used to distribute Notepad++ updates was allegedly abused to deliver a custom backdoor (“Chrysalis”), attributed by Rapid7 to the Lotus Blossom APT. The key point is that this is not “a normal malicious clone installer,” but an update-path abuse aimed at selected targets.

What Rapid7 says they actually observed (high-level)
  • On affected hosts, execution of notepad++.exe and then GUP.exe (the updater) was followed by a suspicious “update.exe” download/execution from 95.179.213.0.
  • That update.exe was an NSIS installer that dropped a hidden “Bluetooth” directory under %AppData% and used DLL sideloading (Rapid7 notes a renamed legitimate Bitdefender Submission Wizard plus a malicious log.dll) to decrypt and run the next stage (Chrysalis).
  • Rapid7 also notes the C2 they recovered was already offline during their analysis, so some deeper behavioral details may be incomplete.

What regular users/admins should do (practical, low-risk first)
  • Update Notepad++ safely: If you use Notepad++, make sure you are running a version that includes the hardened updater checks (Notepad++ v8.8.9 introduced signature/certificate verification for downloaded installers; v8.9 continued security-related changes). Prefer a manual download from the official Notepad++ site rather than any third-party mirror.
  • Quick local checks for common artifacts mentioned in reporting:
    • Look in your %TEMP% (and browser download locations) for suspicious “update.exe” / “AutoUpdater.exe” that you did not intentionally download.
    • Check %AppData% for an unexpected hidden folder named “Bluetooth” and unexpected files like BluetoothService.exe / log.dll as described by Rapid7.
  • If you find anything suspicious:
    • Do not try to “clean it manually” if this is a business/government environment—disconnect the device from the network and escalate to your IT/security team for incident response.
    • Submit suspicious files to VirusTotal (or your organization’s sandbox) and scan with reputable endpoint protection.
  • Enterprise hunting (if applicable): Rapid7’s post includes network indicators and hashes that defenders can use for internal detection/hunting (treat IOCs as time-sensitive and validate before blocking globally).

Bottom line
If you’re on a current Notepad++ release (v8.8.9+ / v8.9+) and you download from the official project site, you significantly reduce exposure to the specific updater-manipulation path described. If an endpoint shows the “Bluetooth” staging artifacts or unexpected update.exe execution, treat it as a potential compromise and handle it via standard IR process rather than ad-hoc cleanup.

Technical Analysis & Remediation

Attack Vector & Infection Chain
The compromise leverages an infrastructure-level redirect. When a victim's legitimate notepad++.exe triggers GUP.exe to check for updates, the traffic is intercepted and redirected from notepad-plus-plus.org to the attacker-controlled IP 95[.]179[.]213[.]0.

Initial Payload
The victim downloads a malicious update.exe, which is actually an NSIS installer.

Installation
The script creates a hidden directory at %AppData%\Bluetooth and drops the following artifacts:
  • BluetoothService.exe: a renamed, legitimate Bitdefender Submission Wizard executable.
  • log.dll: the malicious loader library.
  • BluetoothService: the encrypted shellcode payload.

Advanced Evasion & Loader Mechanics
The attack employs DLL Sideloading. When BluetoothService.exe runs, it automatically loads the adjacent malicious log.dll instead of the legitimate library.

Warbird Abuse
A separate loader sample, ConsoleApplication2.exe, was observed abusing Microsoft Warbird (a licensing/code protection framework) to conceal shellcode execution and evade EDR hooks.

Encryption
The malware uses a custom runtime decryption routine. The main module is decrypted using a rolling XOR operation with the hardcoded key gQ2JR&9;.

API Hashing
The loader uses FNV-1a hashing with a MurmurHash-style finalizer to resolve APIs dynamically, bypassing static analysis.

The Chrysalis Backdoor
Once decrypted, the Chrysalis implant executes in memory.

C2 Communication
It contacts api.skycloudcenter.com (resolving to 61[.]4[.]102[.]97) over port 443.

Traffic Masquerading
The URL structure /a/chat/s/{GUID} mimics the Deepseek API to blend in with legitimate AI traffic.

Capabilities
The backdoor supports 16 commands, including:
  • 4T: interactive cmd.exe reverse shell.
  • 4V: remote process creation.
  • 4W / 4X: file writing (dropping payloads).
  • 4\: self-removal and cleanup.

Forensic Indicators (Anchors)
  • Mutex: Global\Jdhfv_1.0.1 (used to enforce a single instance).
  • RC4 key: qwhvb^435h&*7 (used for config decryption).
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment
  • Network block: immediately block egress to 95[.]179[.]213[.]0 and 61[.]4[.]102[.]97, and blacklist the domain api.skycloudcenter.com.
  • Hunt for mutex: scan fleet memory for the mutex Global\Jdhfv_1.0.1.
  • File system sweep: search for the existence of %AppData%\Bluetooth\ and the file BluetoothService.exe.
  • Process isolation: terminate any instances of BluetoothService.exe or update.exe spawning from GUP.exe.

Phase 2: Eradication
  • Binary removal: delete the malicious %AppData%\Bluetooth directory.
  • Persistence removal: the malware installs persistence via a Windows service or a Registry Run key pointing to the binary with the -i flag. Audit services and Run keys for references to BluetoothService.exe.
  • Root cause: the vulnerability is in the update infrastructure, not the Notepad++ binary itself (though older updaters lacked strict validation).

Phase 3: Recovery
  • Reimage: due to the backdoor's "interactive shell" capability (4T), compromised hosts must be considered fully owned. Reimaging is the only safe recovery method.
  • Patch: update Notepad++ to version 8.9.1 or later, which includes hardened signature verification for updates (based on live search context).

Phase 4: Lessons Learned
  • Supply chain review: audit all software update mechanisms. Restrict GUP.exe (Notepad++ updater) from internet access via firewall rules if centralized patch management is available.

Remediation - THE HOME USER TRACK
  • Disconnect: immediately disconnect the infected computer from the internet.
  • Safety scan: since this backdoor allows full remote control, run a full offline antivirus scan.
  • Manual removal: open File Explorer and navigate to %AppData% (type %AppData% in the address bar). Look for a folder named Bluetooth (ensure "Hidden items" are visible). If found, this confirms infection. Delete the folder.
  • Software update: uninstall your current version of Notepad++. Download the latest version (v8.9.1+) only from the official notepad-plus-plus.org website or the Microsoft Store.
  • Password reset: because the attacker had shell access, reset all passwords (email, banking, social) using a different, clean device.

Hardening & References

MITRE ATT&CK
  • T1195.002: Supply Chain Compromise (Software Supply Chain).
  • T1574.002: Hijack Execution Flow: DLL Side-Loading.
  • T1027: Obfuscated Files or Information (Warbird/Encrypted Shellcode).
  • T1140: Deobfuscate/Decode Files or Information.

YARA/Sigma Logic
  • Alert on process BluetoothService.exe running from %AppData%.
  • Alert on network traffic to /a/chat/s/ URI patterns.

Reference
  • Rapid7 Labs Report
  • Targeted Software (Notepad++)
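The API-hashing step described above under "Advanced Evasion & Loader Mechanics", as an added example that is not Rapid7's analysis tooling or the loader's own code. The post only says "FNV-1a hashing with a MurmurHash-style finalizer", so the MurmurHash3 fmix32 finalizer constants, the export list and the "recovered" constants below are assumptions. It shows the attacker side (a 32-bit constant gets embedded instead of the API name, so strings-based static analysis finds nothing) and the analyst side (precompute the hash of every known export and look the constants up).

```python
"""API-hash resolution of the kind the post attributes to the Chrysalis loader.

Added example, not Rapid7's or the malware's code. The finalizer (MurmurHash3
fmix32) and the export list are assumptions; the post gives neither.
"""

FNV_OFFSET = 0x811C9DC5
FNV_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF


def fnv1a32(name: bytes) -> int:
    """Plain 32-bit FNV-1a over the ASCII export name."""
    h = FNV_OFFSET
    for b in name:
        h = ((h ^ b) * FNV_PRIME) & MASK32
    return h


def fmix32(h: int) -> int:
    """MurmurHash3 32-bit finalizer (assumed; the post names no constants)."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def api_hash(name: str) -> int:
    """The value a loader would embed instead of the API name."""
    return fmix32(fnv1a32(name.encode("ascii")))


# Constructed export table (assumption). In practice dump the real exports
# of kernel32.dll / ntdll.dll from a clean host, e.g. with pefile or
# `dumpbin /exports`, and feed every name through api_hash().
EXPORTS = {
    "kernel32.dll": ["VirtualAlloc", "VirtualProtect", "CreateProcessW",
                     "CreateMutexW", "GetProcAddress", "LoadLibraryA"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "NtProtectVirtualMemory",
                  "RtlDecompressBuffer"],
}


def build_lookup(exports):
    """Analyst side: precompute hash -> (dll, export) for every known export."""
    table = {}
    for dll, names in exports.items():
        for n in names:
            table[api_hash(n)] = (dll, n)
    return table


def resolve(embedded_hashes, table):
    """Map constants pulled from a loader back to API names; None = unknown."""
    return [table.get(h) for h in embedded_hashes]


if __name__ == "__main__":
    table = build_lookup(EXPORTS)
    # Pretend these constants were pulled from a loader's resolver table.
    constants = [api_hash("VirtualAlloc"), api_hash("VirtualProtect"),
                 api_hash("CreateProcessW"), 0xDEADBEEF]
    for c, hit in zip(constants, resolve(constants, table)):
        print(f"0x{c:08x} -> {hit}")
```

The lookup only works when the analyst's hash routine matches the sample's bit for bit, which is why recovering the exact finalizer from the loader's disassembly (not assuming it, as done here) is the first step when applying this to a real sample.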
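The host and network checks from the first post ("Quick local checks": an unexpected update.exe / AutoUpdater.exe, a hidden %AppData%\Bluetooth folder with BluetoothService.exe and log.dll) and from this post's Phase 1 hunting and YARA/Sigma logic (GUP.exe spawning update.exe, BluetoothService.exe running from %AppData% with the -i flag, Run-key or service persistence, egress to the listed IPs/domain, the /a/chat/s/{GUID} URI), written out as detection rules. This is an added example, not Rapid7's or Notepad++'s code; the event records are constructed, Sysmon-style dicts and the field names (EventType, Image, ParentImage, CommandLine, ImageLoaded, TargetFilename, Details, DestinationIp, DestinationHostname, Uri) are an assumption. In practice you would feed it exported EDR or Sysmon events.

```python
"""Triage rules for the Chrysalis chain described in this thread.

Added example, not Rapid7's or Notepad++'s code. Event schema and the
sample events are constructed (assumption modelled on Sysmon fields).
"""
import re

C2_HOST = "api.skycloudcenter.com"
C2_IPS = {"95.179.213.0", "61.4.102.97"}
# /a/chat/s/{GUID}: the Deepseek-lookalike path from the post.
C2_URI = re.compile(r"^/a/chat/s/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# %AppData% expands to ...\AppData\Roaming; match the staging folder under it.
STAGING = re.compile(r"\\appdata\\roaming\\bluetooth\\", re.I)
DROPPED = {"bluetoothservice.exe", "log.dll", "bluetoothservice"}
UPDATER_PAYLOADS = {"update.exe", "autoupdater.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    img, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
    hits = []
    if parent == "gup.exe" and img in UPDATER_PAYLOADS:
        hits.append(("updater-spawned-payload", ev["Image"]))
    if STAGING.search(ev["Image"]):
        hits.append(("exec-from-appdata-bluetooth", ev["Image"]))
    if img == "bluetoothservice.exe" and "-i" in ev.get("CommandLine", "").split():
        hits.append(("persistence-install-flag", ev["CommandLine"]))
    return hits


def check_image_load(ev):
    # Side-load signature: log.dll loaded by the renamed Bitdefender binary.
    if basename(ev["Image"]) == "bluetoothservice.exe" and basename(ev["ImageLoaded"]) == "log.dll":
        return [("log.dll-sideload", ev["ImageLoaded"])]
    return []


def check_network(ev):
    hits = []
    host = ev.get("DestinationHostname", "").lower()
    if ev.get("DestinationIp") in C2_IPS or host == C2_HOST:
        hits.append(("c2-indicator", host or ev["DestinationIp"]))
    if C2_URI.match(ev.get("Uri", "")):
        hits.append(("deepseek-lookalike-uri", ev["Uri"]))
    return hits


def check_file(ev):
    if STAGING.search(ev["TargetFilename"]) and basename(ev["TargetFilename"]) in DROPPED:
        return [("staging-artifact", ev["TargetFilename"])]
    return []


def check_autorun(ev):
    # Run-key value or service ImagePath pointing at the dropped binary.
    cmd = ev.get("Details", "")
    if "bluetoothservice.exe" in cmd.lower():
        return [("autorun-bluetoothservice", cmd)]
    return []


HANDLERS = {
    "ProcessCreate": check_process,
    "ImageLoad": check_image_load,
    "NetworkConnect": check_network,
    "FileCreate": check_file,
    "RegistryValueSet": check_autorun,
}


def hunt(events):
    """Return [(rule, evidence)] for every event that matches a rule."""
    hits = []
    for ev in events:
        handler = HANDLERS.get(ev["EventType"])
        if handler:
            hits.extend(handler(ev))
    return hits


# Constructed sample modelled on the chain in the posts; paths are illustrative.
SAMPLE = [
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe", "CommandLine": "GUP.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe", "CommandLine": "update.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "CommandLine": "BluetoothService.exe -i"},
    {"EventType": "ImageLoad", "Image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll"},
    {"EventType": "RegistryValueSet", "Details": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe -i"},
    {"EventType": "NetworkConnect", "Image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "DestinationIp": "61.4.102.97", "DestinationHostname": "api.skycloudcenter.com",
     "Uri": "/a/chat/s/3f2504e0-4f89-11d3-9a0c-0305e82c3301"},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationHostname": "example.com", "Uri": "/"},
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE):
        print(f"{rule:30} {evidence}")
```

The IP/domain rule is the most perishable (the post itself notes the C2 was already offline), so treat it as a historical-lookback query; the behavioural rules (updater spawning an unexpected executable, anything executing from %AppData%\Bluetooth, log.dll side-loaded by an EXE in the same folder) survive infrastructure changes and are what a Sigma rule should be built on.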
 
