A sophisticated espionage campaign attributed to the Chinese Advanced Persistent Threat (APT) group Lotus Blossom (also known as Billbug).
The threat actors compromised the infrastructure hosting the popular text editor Notepad++ to deliver a custom, previously undocumented backdoor named “Chrysalis”.
This campaign, discovered by Rapid7 researcher Ivan Feigl, primarily targets organizations in the government, telecommunications, aviation, and critical infrastructure sectors across Southeast Asia and Central America.
The investigation began with a security incident stemming from the execution of a malicious file named update[.]exe, which was downloaded from a suspicious IP address (95.179.213[.]0) following the legitimate execution of notepad++[.]exe and GUP[.]exe (the generic updater for Notepad++).
Forensic analysis revealed that update[.]exe is an NSIS installer, a tool frequently abused by Chinese APTs for initial payload delivery.

Upon execution, the installer creates a hidden directory in the %AppData% folder named “Bluetooth” and drops several files, including BluetoothService.exe and log.dll.
The executable BluetoothService.exe is actually a renamed, legitimate Bitdefender Submission Wizard binary. The attackers utilize this legitimate file to perform DLL sideloading, forcing it to load the malicious log.dll instead of the genuine library.
The Chrysalis Backdoor
Once loaded, log.dll decrypts and executes a shellcode payload: the Chrysalis backdoor. This malware is a sophisticated, feature-rich implant designed for long-term persistence rather than simple “smash-and-grab” operations, Rapid7 observed.
Chrysalis employs several advanced evasion techniques:
- Custom Encryption: It uses a linear congruential generator for decryption rather than standard cryptographic APIs, making it harder for automated tools to flag.
- API Hashing: The malware resolves necessary Windows APIs using a custom hashing algorithm (FNV-1a combined with a MurmurHash-style finalizer) to evade static analysis and antivirus detection.
- C2 Communication: The backdoor communicates with its Command and Control (C2) server (api.skycloudcenter.com) over HTTPS. Notably, the C2 URL structure mimics the Deepseek API endpoints (e.g., /a/chat/s/{GUID}), likely an attempt to blend in with legitimate AI-related network traffic.
Chrysalis is highly versatile, supporting 16 different commands controlled by a switch statement in the code. Key capabilities include:
- Interactive Shell: Spawning a fully interactive reverse shell via cmd.exe (Switch 4T).
- File Operations: Reading, writing, and deleting files, as well as enumerating directory contents (Switches 4W, 4X, 4Y).
- Process Execution: Launching remote processes (Switch 4V).
- Self-Removal: A “cleanup” mode that removes persistence artifacts and deletes the malware from disk (Switch 4).
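The delivery chain above (GUP.exe fetching update.exe, the hidden %AppData%\Bluetooth drop folder, the log.dll sideload) and the Deepseek-lookalike C2 URL shape can be turned into simple hunt logic. The following is an added example written for this article, not code from Rapid7 or from the sample; the telemetry events are constructed, and the field names (`type`, `parent`, `image`, `loaded`, `signed`, `host`, `path`) are assumed rather than taken from any particular EDR schema.

```python
import re

# Constructed sample telemetry modelled on the chain in the write-up (not real logs).
EVENTS = [
    {"type": "process", "parent": "GUP.exe", "image": "update.exe"},
    {"type": "network", "image": "GUP.exe", "dst_ip": "95.179.213.0", "dst_port": 443},
    {"type": "imageload", "image": r"C:\Users\u\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\Bluetooth\log.dll", "signed": False},
    {"type": "http", "image": "BluetoothService.exe", "host": "api.skycloudcenter.com",
     "path": "/a/chat/s/6f1c2b7e-1d2a-4c3b-9e8f-0a1b2c3d4e5f"},
    {"type": "http", "image": "chrome.exe", "host": "api.deepseek.com", "path": "/chat/completions"},
]

# Indicators taken from the article's IoC tables.
BAD_IPS = {"95.179.213.0", "61.4.102.97", "59.110.7.32", "124.222.137.114"}
BAD_HOSTS = {"api.skycloudcenter.com", "api.wiresguard.com"}
# Deepseek-lookalike C2 path: /a/chat/s/{GUID}
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
C2_PATH = re.compile(r"^/a/chat/s/" + GUID + r"$", re.I)
# Hidden "Bluetooth" directory the NSIS installer creates under %AppData%.
DROP_DIR = re.compile(r"\\AppData\\Roaming\\Bluetooth\\", re.I)


def basename(p):
    """Last path component, lower-cased, tolerant of either slash style."""
    return p.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, detail) pairs for events matching the described chain."""
    hits = []
    for e in events:
        t = e["type"]
        if t == "process" and basename(e["parent"]) == "gup.exe" \
                and basename(e["image"]) == "update.exe":
            hits.append(("gup-spawned-update.exe", e["image"]))
        elif t == "network" and e["dst_ip"] in BAD_IPS:
            hits.append(("known-bad-ip", e["dst_ip"]))
        elif t == "imageload" and DROP_DIR.search(e["loaded"]) and not e["signed"]:
            hits.append(("unsigned-dll-from-bluetooth-dir", basename(e["loaded"])))
        elif t == "http":
            if e["host"] in BAD_HOSTS:
                hits.append(("known-bad-host", e["host"]))
            elif C2_PATH.match(e["path"]):
                hits.append(("deepseek-lookalike-c2-path", e["host"] + e["path"]))
    return hits


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"{rule}: {detail}")
```

The path rule fires on the URL shape alone so it still catches the pattern on infrastructure not yet in the indicator list; tune an allowlist for genuine AI API hosts before deploying it.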
Advanced Loading with Microsoft Warbird
Beyond Chrysalis, researchers discovered a loader variant (ConsoleApplication2.exe) that leverages Microsoft Warbird, a complex code protection framework, to hide its execution flow.
This loader abuses the NtQuerySystemInformation system call with the undocumented SystemCodeFlowTransition (0xB9) class.
By copying encrypted data into the memory of a Microsoft-signed binary (clipc.dll) and invoking this specific system call, the loader triggers the Warbird mechanism to decrypt and execute the shellcode in the kernel context.
This technique effectively bypasses user-mode hooks and standard EDR monitoring, marking a significant evolution in Billbug’s tradecraft.
The campaign is attributed to Lotus Blossom with moderate confidence, based on the specific use of the Bitdefender sideloading technique and shared cryptographic keys found in the Cobalt Strike beacons deployed alongside Chrysalis.
Indicators of Compromise (IoCs)
Here are the Indicators of Compromise (IoCs) and MITRE ATT&CK TTPs associated with the Lotus Blossom campaign and the Chrysalis backdoor.
File Indicators
| File Name | SHA-256 Hash | Description |
|---|---|---|
| update.exe | a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9 | Malicious NSIS Installer used for initial payload delivery |
| [NSIS.nsi] | 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e | Extracted NSIS installation script |
| BluetoothService.exe | 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924 | Renamed Bitdefender Submission Wizard (legitimate binary abused for sideloading) |
| BluetoothService | 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e | Encrypted shellcode file |
| log.dll | 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad | Malicious DLL sideloaded by BluetoothService.exe |
| u.bat | 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600 | Temporary batch file used for self-deletion/cleanup |
| conf.c | f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a | C source file containing shellcode bytes (Metasploit block API) |
| libtcc.dll | 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906 | Library for Tiny C Compiler, used to compile/run conf.c |
| admin | 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd | File retrieved from api.wiresguard.com, related to second-stage shellcode |
| loader1 | 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd | Variant loader sample found in public repositories |
| uffhxpSy | 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8 | Shellcode associated with Loader 1 |
| loader2 | e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda | Variant loader sample found in public repositories |
| 3yzr31vk | 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5 | Shellcode associated with Loader 2 |
| ConsoleApplication2.exe | b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3 | Loader 3; uses Microsoft Warbird for shellcode execution |
| system | 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd | Shellcode associated with ConsoleApplication2.exe |
| s047t5g.exe | fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a | Loader 4; variant sample sharing shellcode with Loader 3 |
Network Indicators
| Indicator | Type | Context |
|---|---|---|
| 95.179.213.0 | IP Address | Host for update.exe download |
| api.skycloudcenter.com | Domain | Chrysalis Backdoor C2 |
| api.wiresguard.com | Domain | Cobalt Strike Beacon C2 |
| 61.4.102.97 | IP Address | Resolution for api.skycloudcenter.com (Malaysia) |
| 59.110.7.32 | IP Address | C2 IP associated with Loader 1 |
| 124.222.137.114 | IP Address | C2 IP associated with Loader 2 |
MITRE ATT&CK TTPs
| ATT&CK ID | Name |
|---|---|
| T1204.002 | User Execution: Malicious File |
| T1036 | Masquerading |
| T1027 | Obfuscated Files or Information |
| T1027.007 | Obfuscated Files or Information: Dynamic API Resolution |
| T1140 | Deobfuscate/Decode Files or Information |
| T1574.002 | DLL Side-Loading |
| T1106 | Native API |
| T1055 | Process Injection |
| T1620 | Reflective Code Loading |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1083 | File and Directory Discovery |
| T1005 | Data from Local System |
| T1105 | Ingress Tool Transfer |
| T1041 | Exfiltration Over C2 Channel |
| T1071.001 | Application Layer Protocol: Web Protocols (HTTP/HTTPS) |
| T1573 | Encrypted Channel |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
| T1543.003 | Create or Modify System Process: Windows Service |
| T1480.002 | Execution Guardrails: Mutual Exclusion |
| T1070.004 | Indicator Removal on Host: File Deletion |