Notepad++ Attack Breakdown Reveals Sophisticated Malware and Actionable IoCs


The campaign is a complex espionage operation attributed to Lotus Blossom, a Chinese APT group active since 2009.

The investigation uncovered a sophisticated compromise of Notepad++ distribution infrastructure that delivered Chrysalis, a previously undocumented custom backdoor with extensive remote access capabilities.

The attack chain began with execution of notepad++.exe and its updater GUP.exe, which fetched a malicious update.exe from the IP address 95.179.213.0 in place of a legitimate update.

This NSIS installer dropped a renamed Bitdefender Submission Wizard executable into the hidden %AppData%\Bluetooth directory, where the signed binary served as the host for DLL sideloading.

When the renamed executable ran, it loaded a malicious log.dll placed beside it, which decrypted the Chrysalis backdoor using custom routines that combine a linear congruential generator, FNV-1a hashing, and MurmurHash finalization.

Execution diagram of update.exe (Source: Rapid7)

The Chrysalis backdoor reveals itself as a feature-rich implant implementing 15 distinct command capabilities.

Configuration data encrypted with RC4 key “qwhvb^435h&*7” disclosed the C2 URL https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821, which deliberately mimics Deepseek API formatting to blend with legitimate traffic.

The URL resolves to the Malaysian IP address 61.4.102.97. The backdoor communicates with the hardcoded user agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36” so that its traffic resembles an ordinary browser. The string is a detection point in its own right: it advertises a Chrome release from early 2020, and it pairs major version 80 with the 4044 build series, which actually shipped as Chrome 81, so no genuine browser sends it.

Command capabilities include spawning interactive reverse shells (4T), remote process execution (4V), file read/write operations (4Y, 4W, 4X), complete file transfer protocols (4c, 4d), self-removal functionality (4), and drive enumeration (4_).

A mutex “Global\Jdhfv_1.0.1” prevents multiple instances. Persistence is established through Windows service creation or registry modifications.

Chrysalis implements two sophisticated API hashing routines using FNV-1a with constant 0x811C9DC5 and MurmurHash finalization (0x85EBCA6B).
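Both primitives are standard and easy to reproduce, which is what makes API hashing reversible for a defender. The following Python is an added example, not Rapid7's code and not the malware's, that chains FNV-1a and the MurmurHash3 32-bit finalizer into an API-hash resolver and then inverts it by precomputing hashes for a list of known export names. How Chrysalis actually composes the two routines (which string form it hashes, whether it lower-cases, which output it keeps) is not stated here, so the composition below is an assumption to be checked against the disassembly; the candidate export list is constructed for the demonstration.

```python
# Added example, not code from Rapid7 or from the Chrysalis sample. It shows
# how the two hash primitives named in the write-up (FNV-1a with offset basis
# 0x811C9DC5, and the MurmurHash3 32-bit finaliser whose first constant is
# 0x85EBCA6B) can be chained into an API-hash resolver, and how a defender
# inverts such a scheme by precomputing hashes for known export names.
#
# ASSUMPTION: the composition (FNV-1a over the lower-cased ASCII name, then
# the Murmur finaliser, 32-bit output) is illustrative; the real sample's
# order and string normalisation must be confirmed in the disassembly.

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193
MURMUR_C1 = 0x85EBCA6B
MURMUR_C2 = 0xC2B2AE35
MASK32 = 0xFFFFFFFF


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV_OFFSET_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & MASK32
    return h


def murmur3_fmix32(h: int) -> int:
    """MurmurHash3's 32-bit finaliser (fmix32): a fixed avalanche step."""
    h ^= h >> 16
    h = (h * MURMUR_C1) & MASK32
    h ^= h >> 13
    h = (h * MURMUR_C2) & MASK32
    h ^= h >> 16
    return h


def api_hash(name: str) -> int:
    """Assumed composition: FNV-1a over the lower-cased name, then fmix32."""
    return murmur3_fmix32(fnv1a32(name.lower().encode("ascii")))


def build_hash_table(names) -> dict:
    """Map hash -> export name for a list of candidate API names."""
    return {api_hash(n): n for n in names}


def resolve(table: dict, h: int):
    """Look up a hash pulled from the sample; None if it is not in the table."""
    return table.get(h & MASK32)


# Constructed candidate list for the demo; in practice feed it every export
# name from the DLLs the sample loads (kernel32, ntdll, advapi32, ws2_32, ...).
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "NtQuerySystemInformation", "CreateMutexW",
    "InternetOpenW", "HttpSendRequestW",
]


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    for name in CANDIDATE_EXPORTS:
        print(f"0x{api_hash(name):08x}  {name}")
    # Simulate a hash recovered from the sample and resolve it back to a name.
    print(resolve(table, api_hash("VirtualAlloc")))
```

Once the real composition is confirmed, the same table, built from the export lists of the DLLs the sample loads, turns every hashed import in the binary back into a readable API name, which is usually the fastest route to the command handlers.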

String obfuscation uses position-dependent character transformation combining bit rotations and XOR operations.

The main module uses hardcoded XOR key “gQ2JR&9;” applied five times through XOR, addition, and subtraction operations.

Investigators discovered ConsoleApplication2.exe, a loader exploiting Microsoft’s undocumented Warbird code protection framework.

Decrypted configuration (source: Rapid7)

The loader calls NtQuerySystemInformation with the SystemCodeFlowTransition information class (0xB9), abusing the Warbird runtime so that its embedded Metasploit block_api shellcode executes from memory belonging to a Microsoft-signed binary.

This technique downloads Cobalt Strike beacons from api.wiresguard.com/users/system.

Forensic analysis also uncovered a renamed Tiny C Compiler binary used to compile and execute malicious C source code from conf.c.

Execution flow followed by conf.c and other loaders (source: Rapid7)

The shellcode applies rolling XOR decryption before handing execution to a Cobalt Strike HTTPS beacon whose http-get endpoint is api.wiresguard.com/update/v1 and whose http-post endpoint is api.wiresguard.com/api/FileUpload/submit.

According to Rapid7, threat intelligence pivoting identified four additional loader variants sharing identical Cobalt Strike configurations and the same public key, indicating coordinated campaign activity.

Attribution to Lotus Blossom is based on similarities with Symantec research, particularly the Bitdefender Submission Wizard DLL sideloading technique and shared infrastructure indicators.

The Chrysalis campaign demonstrates significant evolution in tradecraft, combining custom malware with commodity frameworks and rapid operationalization of public security research.

Organizations should hunt for hidden directories under %AppData% that contain executables, for user-mode calls to NtQuerySystemInformation with the SystemCodeFlowTransition class (0xB9) from processes that have no reason to touch Warbird, and for chat-API-style URLs (such as /a/chat/s/<uuid>) sent to hosts that are not the genuine Deepseek service, together with the network indicators listed below.
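As an added illustration (not Rapid7's or GBHackers' detection content), the Python below runs the network-side checks from this recommendation over a few constructed proxy-log lines: known C2 hosts and paths from the indicator list, a chat-session-style path (/a/chat/s/<uuid>) sent to a host that is not the expected service, and a stale Chrome version in the user agent. The log format, the allowlist of legitimate chat hosts and the Chrome-version threshold are assumptions to be adapted to your own proxy.

```python
import re

# Added example, not code from Rapid7 or from this article. It sweeps proxy
# log lines for the network behaviour described in the write-up.
# ASSUMPTIONS: the log format ("ts src METHOD url \"user-agent\""), the
# allowlist of hosts that may legitimately receive chat-session URLs, and
# the Chrome major-version threshold are all placeholders for your estate.

KNOWN_BAD_HOSTS = {"api.skycloudcenter.com", "api.wiresguard.com"}
KNOWN_BAD_IPS = {"95.179.213.0", "61.4.102.97", "59.110.7.32", "124.222.137.114"}
KNOWN_BAD_PATHS = {"/users/system", "/update/v1", "/api/FileUpload/submit"}
ALLOWED_CHAT_HOSTS = {"api.deepseek.com"}   # assumption: the genuine service
MIN_CHROME_MAJOR = 100                        # assumption: older is stale here

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
CHAT_SESSION_PATH = re.compile(r"^/a/chat/s/" + UUID + r"$")
CHROME_MAJOR = re.compile(r"Chrome/(\d+)\.")
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'https?://(?P<host>[^/\s]+)(?P<path>/\S*)? "(?P<ua>[^"]*)"$'
)


def parse(line: str):
    """Split one proxy log line into fields; None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"] or "/"
    return entry


def reasons_for(entry: dict) -> list:
    """Return every rule that fires for one parsed request."""
    host, path, ua = entry["host"], entry["path"], entry["ua"]
    hits = []
    if host in KNOWN_BAD_HOSTS or host in KNOWN_BAD_IPS:
        hits.append("known C2 host")
    if path in KNOWN_BAD_PATHS:
        hits.append("known C2 path")
    # The Chrysalis C2 URL imitates a chat-session endpoint; flag that shape
    # whenever it is addressed to a host we do not expect to serve it.
    if CHAT_SESSION_PATH.match(path) and host not in ALLOWED_CHAT_HOSTS:
        hits.append("chat-session URL on unexpected host")
    m = CHROME_MAJOR.search(ua)
    if m and int(m.group(1)) < MIN_CHROME_MAJOR:
        hits.append(f"stale Chrome/{m.group(1)} user agent")
    return hits


def scan(lines) -> list:
    """Return (source, host, reasons) for every line that trips a rule."""
    findings = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append((entry["src"], entry["host"], reasons))
    return findings


OLD_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36")
NEW_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")

# Constructed sample log: two malicious requests and two benign ones.
SAMPLE_LOG = [
    f'2025-01-01T10:00:00Z 10.0.0.5 POST https://api.skycloudcenter.com'
    f'/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821 "{OLD_UA}"',
    f'2025-01-01T10:00:01Z 10.0.0.7 POST https://api.deepseek.com'
    f'/a/chat/s/0f4b1c2d-1111-4222-8333-abcdefabcdef "{NEW_UA}"',
    f'2025-01-01T10:00:02Z 10.0.0.9 GET https://api.wiresguard.com/update/v1 "{OLD_UA}"',
    f'2025-01-01T10:00:03Z 10.0.0.11 GET https://www.example.com/index.html "{NEW_UA}"',
]


if __name__ == "__main__":
    for src, host, why in scan(SAMPLE_LOG):
        print(f"{src} -> {host}: {'; '.join(why)}")
```

The indicator sets catch the infrastructure already published; the two shape-based rules (chat-session path on an unexpected host, stale browser version) are what survive the next infrastructure rotation, which is why they are kept separate from the exact-match lists.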

Indicators of compromise (IoCs)

File name                 SHA-256
update.exe                a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
[NSIS.nsi]                8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e
BluetoothService.exe      2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
BluetoothService          77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
log.dll                   3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
u.bat                     9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600
conf.c                    f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a
libtcc.dll                4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906
admin                     831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd
loader1                   0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd
uffhxpSy                  4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8
loader2                   e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda
3yzr31vk                  078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5
ConsoleApplication2.exe   b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3
system                    7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd
s047t5g.exe               fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a

Network indicators

95.179.213.0
api[.]skycloudcenter[.]com
api[.]wiresguard[.]com
61.4.102.97
59.110.7.32
124.222.137.114
