
Chrysalis Backdoor: A Quiet Passenger in Notepad++ Updates

Red | Attack Report

Summary

Notepad++ Supply Chain Attack by Lotus Blossom APT Group

The Chrysalis backdoor represents a sophisticated supply chain attack orchestrated by the Chinese state-sponsored APT group Lotus Blossom (also known as LOTUS PANDA, Billbug, Bronze Elgin, Spring Dragon, Raspberry Typhoon, and Thrip). This advanced persistent threat campaign targeted Notepad++ users across multiple regions by compromising the infrastructure hosting the popular text editor software. The attack, which began in June 2025, involved hijacking Notepad++ update traffic to deliver malicious payloads, including the previously undocumented Chrysalis backdoor, Cobalt Strike beacons, and Metasploit-based shellcode loaders to carefully selected targets.

The threat actors compromised the hosting provider’s infrastructure supporting the Notepad++ distribution domain notepad-plus-plus.org, enabling them to selectively redirect targeted users to malicious servers. These servers delivered trojanized update packages containing sophisticated malware payloads designed to establish persistent access, conduct reconnaissance, and maintain command-and-control communications. The campaign primarily affected government agencies, financial services organizations, information technology firms, telecommunications providers, aviation entities, critical infrastructure operators, and media organizations across Southeast Asia, Oceania, and Central America.

The Chrysalis backdoor malware deployed during this supply chain attack demonstrated advanced capabilities including heavy obfuscation techniques, custom API hashing mechanisms, RC4-encrypted configuration data, and HTTPS-based command-and-control infrastructure. The backdoor established persistence through Windows services and registry Run keys, collected comprehensive system information, and supported remote shell access, process execution, file management operations, directory enumeration, and self-removal capabilities. This attack highlights the evolving threat landscape surrounding software supply chain compromises and the sophisticated tactics employed by state-sponsored threat actors.

Attack Details

Infrastructure Compromise and Initial Access

Notepad++ infrastructure was affected by a supply chain attack rooted in compromised hosting infrastructure rather than vulnerabilities in the source code itself. This sophisticated attack campaign was attributed to the Chinese APT group Lotus Blossom, which abused a former shared hosting provider to intercept and redirect software update traffic to malicious command-and-control servers. The attackers gained unauthorized access to the hosting environment supporting the Notepad++ distribution domain, enabling them to manipulate legitimate software update mechanisms.

The compromise began in June 2025 when attackers successfully gained access to the hosting environment supporting the Notepad++ distribution domain notepad-plus-plus.org. This privileged access position allowed threat actors to selectively reroute update requests, targeting specific geographic regions and industry sectors. Although direct server access was terminated during scheduled kernel and firmware updates on September 2, 2025, the attackers had retained credentials to internal services until December 2, 2025, which enabled continued traffic redirection operations. The attack specifically exploited weak update verification mechanisms present in older versions of Notepad++, highlighting critical security gaps in software distribution infrastructure.

Malicious Update Deployment and Execution Chain

The attack chain was triggered when users launched the legitimate GUP.exe updater component of Notepad++. Instead of retrieving a valid software update, the updater was redirected to download a malicious update.exe file from attacker-controlled infrastructure. This malicious file was an NSIS (Nullsoft Scriptable Install System) installer, a delivery method frequently employed by advanced persistent threat actors for deploying malware payloads. The NSIS installer created a hidden directory named “Bluetooth” in the AppData folder, deployed a renamed legitimate Bitdefender Submission Wizard binary, and placed a malicious log.dll file alongside the legitimate executable. This sophisticated setup enabled DLL sideloading techniques, allowing the malicious DLL to decrypt and execute the Chrysalis backdoor payload while appearing to execute from a trusted security software component.

Chrysalis Backdoor Capabilities and Command-and-Control

The Chrysalis backdoor demonstrated highly advanced capabilities designed for long-term persistent access and comprehensive system compromise. The malware employed heavy obfuscation techniques to evade detection, utilized custom API hashing mechanisms to hide imported functions, implemented RC4-encrypted configuration data to protect operational parameters, and established HTTPS-based command-and-control traffic to blend with legitimate network communications. The backdoor established persistence through multiple methods including Windows services creation and registry Run keys modification, ensuring continued execution across system reboots.

The Chrysalis backdoor collected detailed system information from compromised endpoints, including hardware specifications, installed software inventories, network configurations, and user account details. The malware supported comprehensive remote access capabilities including remote shell access for interactive command execution, arbitrary process execution for deploying additional payloads, file management operations for data exfiltration, directory enumeration for reconnaissance activities, and self-removal functionality to eliminate forensic evidence when operations concluded.

Evolving Attack Infrastructure and Operational Security

Multiple parallel attack chains were actively deployed between July and October 2025, demonstrating the sustained nature of this supply chain compromise campaign. The threat actors continuously rotated command-and-control domains, loader components, and malware payloads to evade detection and maintain operational persistence. Additional malicious components deployed during this campaign included Metasploit shellcode frameworks that delivered Cobalt Strike beacons, in-memory loaders built with the Tiny C Compiler to reduce forensic artifacts, and a sophisticated loader that abused Microsoft’s internal Warbird protection framework. This campaign demonstrates a sustained, infrastructure-driven supply chain attack characterized by evolving techniques, continuous operational adaptation, and disciplined operational security practices typical of advanced state-sponsored threat actors.

Recommendations

Hunt for DLL Sideloading Artifacts

Organizations should conduct comprehensive threat hunting operations to search endpoints for suspicious BluetoothService.exe processes loading log.dll from %AppData%\Bluetooth directories. Security teams should pay particular attention to instances where BluetoothService.exe matches the cryptographic hash of the legitimate Bitdefender Submission Wizard binary but is located in non-standard file system paths. This detection approach can identify compromised systems where the DLL sideloading technique was successfully deployed to execute the Chrysalis backdoor malware.

Monitor for NSIS Installer Artifacts

Security operations teams should implement detection capabilities for NSIS installer activity by monitoring for the creation of %LocalAppData%\Temp\ns*.tmp directories and investigating the origin of any identified NSIS installers. Organizations should establish behavioral analytics to detect NSIS installer execution, especially when these installers are spawned from software update processes. Investigating the network sources and file origins of NSIS installers can reveal malicious update delivery mechanisms before backdoor deployment occurs.
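The two hunts above (NSIS temp directories spawned from the updater, and BluetoothService.exe sideloading log.dll from %AppData%\Bluetooth) can be run as one pass over endpoint telemetry. The following is an added example, not code from Hive Pro, Rapid7 or the Notepad++ project; the event records are constructed to mimic process-creation, directory-creation and image-load telemetry, and the known-good hash of the Bitdefender Submission Wizard is a placeholder because the advisory does not list it.

```python
"""Hunt for the Notepad++ update-chain artifacts described in the advisory.
Added example; EVENTS below are constructed and the SHA1 is a placeholder."""
import re
from dataclasses import dataclass

# Placeholder: insert the SHA1 of the genuine Bitdefender Submission Wizard here.
KNOWN_GOOD_SUBMISSION_WIZARD_SHA1 = {"PLACEHOLDER_SHA1_OF_BITDEFENDER_SUBMISSION_WIZARD"}

# NSIS installers unpack into %LocalAppData%\Temp\ns<random>.tmp
NSIS_TMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\ns[a-z0-9]+\.tmp$", re.IGNORECASE)
# The renamed Submission Wizard in the hidden Bluetooth folder under %AppData%
APPDATA_BLUETOOTH = re.compile(r"\\AppData\\Roaming\\Bluetooth\\BluetoothService\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    image: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return Findings for update-chain artifacts in a list of telemetry dicts."""
    parent_of = {}   # image path -> parent image path, learned from process_create events
    findings = []
    for e in events:
        if e["type"] == "process_create":
            parent_of[e["image"].lower()] = e["parent_image"]
        elif e["type"] == "dir_create" and NSIS_TMP_DIR.search(e["path"]):
            parent = parent_of.get(e["image"].lower(), "")
            from_updater = basename(parent) == "gup.exe" if parent else False
            findings.append(Finding(
                rule="nsis_temp_dir",
                severity="high" if from_updater else "medium",
                image=e["image"],
                detail=f"NSIS temp dir {e['path']} created by {basename(e['image'])}"
                       + (f", spawned by updater {parent}" if from_updater else ""),
            ))
        elif e["type"] == "image_load":
            if basename(e["module"]) == "log.dll" and APPDATA_BLUETOOTH.search(e["image"]):
                sha1 = e.get("image_sha1", "")
                vendor_note = (" (hash matches the legitimate vendor binary, relocated)"
                               if sha1 in KNOWN_GOOD_SUBMISSION_WIZARD_SHA1 else "")
                findings.append(Finding("bluetooth_sideload", "high", e["image"],
                                        f"{basename(e['image'])} loaded {e['module']}{vendor_note}"))
    return findings


# Constructed sample telemetry for one host (not real data from the advisory).
U = r"C:\Users\alice"
EVENTS = [
    {"type": "process_create", "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "parent_image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "process_create", "image": U + r"\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"type": "dir_create", "image": U + r"\AppData\Local\Temp\update.exe",
     "path": U + r"\AppData\Local\Temp\nsk7A3.tmp"},
    {"type": "process_create", "image": U + r"\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "parent_image": U + r"\AppData\Local\Temp\update.exe"},
    {"type": "image_load", "image": U + r"\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "module": U + r"\AppData\Roaming\Bluetooth\log.dll",
     "image_sha1": "PLACEHOLDER_SHA1_OF_BITDEFENDER_SUBMISSION_WIZARD"},
    # benign: a DLL load from a vendor install directory is not flagged
    {"type": "image_load", "image": r"C:\Program Files\Bitdefender\SubmissionWizard.exe",
     "module": r"C:\Program Files\Bitdefender\log.dll"},
    # an NSIS installer with no known updater parent is only medium severity
    {"type": "dir_create", "image": U + r"\Downloads\SomeSetup.exe",
     "path": U + r"\AppData\Local\Temp\nsa1B2.tmp"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The severity split is deliberate: NSIS installers are common in legitimate software, so a temp directory on its own is only worth triage, while one created by a process that GUP.exe spawned, or a log.dll load from the Bluetooth folder, warrants immediate investigation regardless of whether the host executable hashes as the genuine vendor binary.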

Implement Application Allowlisting

Organizations should deploy comprehensive application control policies to prevent execution of unauthorized binaries from AppData directories and other non-standard file system locations commonly abused by threat actors for establishing persistence. Application allowlisting technologies can enforce strict execution policies that permit only approved software to run, significantly reducing the attack surface available to threat actors attempting to deploy malicious payloads through supply chain compromise techniques.

Detect System Information Gathering Commands

Security monitoring systems should generate alerts on sequential execution of reconnaissance commands including whoami, tasklist, systeminfo, and netstat -ano, particularly when command output is redirected to files. This pattern of sequential system reconnaissance commands was consistently observed across multiple Chrysalis backdoor execution chains and represents a reliable indicator of compromise for detecting post-exploitation reconnaissance activities.
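A detection for the reconnaissance sequence described above, written as an added example rather than code from the advisory or its sources. It groups process-creation records by parent process, looks for at least three of the four commands inside a ten-minute window, and notes whether any of them redirected output to a file. The log records are constructed; the window length and the three-command threshold are assumptions to be tuned to the environment.

```python
"""Flag sequential whoami / tasklist / systeminfo / netstat -ano execution.
Added example; EVENTS are constructed process-creation records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECON = {
    "whoami": re.compile(r"\bwhoami(\.exe)?\b", re.IGNORECASE),
    "tasklist": re.compile(r"\btasklist(\.exe)?\b", re.IGNORECASE),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.IGNORECASE),
    "netstat -ano": re.compile(r"\bnetstat(\.exe)?\s+-ano\b", re.IGNORECASE),
}
REDIRECT = re.compile(r"\s>>?\s*\S")   # "> file" or ">> file" on the command line

WINDOW = timedelta(minutes=10)   # assumed: tune to the environment
MIN_DISTINCT = 3                 # assumed: how many distinct recon commands trigger an alert


def detect_recon(events):
    """Return one alert per parent process that ran MIN_DISTINCT recon commands within WINDOW."""
    by_parent = defaultdict(list)
    for e in events:
        name = next((n for n, rx in RECON.items() if rx.search(e["cmdline"])), None)
        if name:
            by_parent[e["parent_pid"]].append(
                (datetime.fromisoformat(e["ts"]), name, bool(REDIRECT.search(e["cmdline"]))))
    alerts = []
    for ppid, hits in by_parent.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            names = {h[1] for h in window}
            if len(names) >= MIN_DISTINCT:
                alerts.append({
                    "parent_pid": ppid,
                    "first_seen": t0.isoformat(),
                    "commands": sorted(names),
                    "redirected_to_file": any(h[2] for h in window),
                })
                break   # one alert per parent process is enough for triage
    return alerts


# Constructed sample records: a backdoor parent (pid 4150) running the full
# sequence with output redirected, and an administrator (pid 900) running
# a single whoami, which must not alert.
OUT = r"C:\Users\alice\AppData\Local\Temp\out.txt"
EVENTS = [
    {"ts": "2025-08-14T10:00:01", "parent_pid": 4150, "cmdline": f"cmd.exe /c whoami > {OUT}"},
    {"ts": "2025-08-14T10:00:04", "parent_pid": 4150, "cmdline": f"cmd.exe /c tasklist /v >> {OUT}"},
    {"ts": "2025-08-14T10:00:08", "parent_pid": 4150, "cmdline": f"cmd.exe /c systeminfo >> {OUT}"},
    {"ts": "2025-08-14T10:00:12", "parent_pid": 4150, "cmdline": f"cmd.exe /c netstat -ano >> {OUT}"},
    {"ts": "2025-08-14T11:30:00", "parent_pid": 900, "cmdline": "whoami"},
    {"ts": "2025-08-14T11:31:00", "parent_pid": 900, "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for a in detect_recon(EVENTS):
        print(a)
```

Grouping by parent process rather than by user is what separates this pattern from an administrator's ad hoc checks: a single process spawning all four commands in quick succession, and writing their output to one file, is the shape the advisory describes.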

Monitor for temp.sh File Upload Activity

Network security monitoring should detect and investigate any network traffic or DNS resolutions involving the temp.sh file hosting service, which is rarely observed in legitimate corporate environments. The threat actors utilized the temp.sh service to exfiltrate collected system information from compromised endpoints. Blocking or alerting on communications with this file hosting service can disrupt data exfiltration operations and provide early warning of potential compromises.

Verify Third-Party Software Sources

Organizations should implement rigorous controls to verify the integrity and authenticity of all third-party software applications and updates. Security teams should consider implementing cryptographic verification mechanisms beyond basic certificate validation, including hash verification of downloaded updates against known-good values, implementation of software bill of materials (SBOM) verification, and network-level monitoring of software update traffic to detect anomalous redirection attempts. Organizations should maintain inventories of all third-party software applications and establish processes for validating update sources before deployment.
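Two of the controls above, hash verification of a downloaded update against a known-good value and detection of update traffic being redirected to an unexpected host, can be combined into a single pre-deployment check. This is an added example, not the Notepad++ updater's own logic: the approved-host allowlist is an assumption (the advisory names notepad-plus-plus.org as the distribution domain; the internal mirror is a placeholder), and the update bytes and their expected hash are constructed.

```python
"""Vet a downloaded update by source host and SHA-256 before deploying it.
Added example; ALLOWED_UPDATE_HOSTS and SAMPLE_UPDATE are assumptions."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed allowlist: the distribution domain from the advisory plus a placeholder
# for an organisation's own internal mirror.
ALLOWED_UPDATE_HOSTS = {"notepad-plus-plus.org", "updates.example.internal"}


def check_update_source(url: str, allowed_hosts=ALLOWED_UPDATE_HOSTS):
    """Return (ok, reason). A redirected update request shows up here as a
    non-HTTPS scheme or a host outside the allowlist."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False, f"update fetched over {parts.scheme or 'unknown scheme'}, not https"
    if host not in allowed_hosts and not any(host.endswith("." + h) for h in allowed_hosts):
        return False, f"update host {host!r} is not an approved distribution host"
    return True, "source approved"


def verify_update_hash(blob: bytes, expected_sha256: str) -> bool:
    """Hash in chunks (so large installers need not be held twice in memory)
    and compare in constant time."""
    digest = hashlib.sha256()
    for i in range(0, len(blob), 65536):
        digest.update(blob[i:i + 65536])
    return hmac.compare_digest(digest.hexdigest(), expected_sha256.lower())


def vet_update(url: str, blob: bytes, expected_sha256: str):
    """Gate deployment on both checks; the reason string is meant for the SIEM."""
    ok, reason = check_update_source(url)
    if not ok:
        return False, reason
    if not verify_update_hash(blob, expected_sha256):
        return False, "SHA-256 mismatch: downloaded update does not match the published value"
    return True, "source approved and hash matches"


# Constructed stand-in for an update package; the expected hash is derived
# here so the example is self-contained.
SAMPLE_UPDATE = b"MZ" + b"\x00" * 62 + b"constructed update payload for the example"
SAMPLE_UPDATE_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()

if __name__ == "__main__":
    for url in ("https://notepad-plus-plus.org/update/update.exe",
                "https://cdncheck.it.com/update.exe",          # domain listed in the advisory's IOCs
                "http://notepad-plus-plus.org/update/update.exe"):
        print(url, "->", vet_update(url, SAMPLE_UPDATE, SAMPLE_UPDATE_SHA256))
    print("tampered ->", vet_update("https://notepad-plus-plus.org/update/update.exe",
                                    SAMPLE_UPDATE + b"\x00", SAMPLE_UPDATE_SHA256))
```

The host check is the part that would have mattered in this campaign: a correctly signed, correctly hashed package is only as trustworthy as the channel that told you which hash to expect, so the expected value must come from an out-of-band source (a release page retrieved separately, a vendor feed, or an internal catalogue) rather than from the same redirected download.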

Potential MITRE ATT&CK TTPs

The Chrysalis backdoor supply chain attack demonstrates sophisticated adversary tradecraft mapped to multiple MITRE ATT&CK tactics and techniques:

Initial Access: T1195.002 (Compromise Software Supply Chain) – Attackers compromised the Notepad++ hosting infrastructure to deliver malicious updates to targeted users.

Execution: T1204.002 (Malicious File), T1059.003 (Windows Command Shell), T1106 (Native API) – The attack chain involved user execution of trojanized updates, command shell execution for reconnaissance, and native API calls for malware functionality.

Persistence: T1547.001 (Registry Run Keys / Startup Folder), T1543.003 (Windows Service) – The Chrysalis backdoor established persistence through registry modifications and Windows service creation.

Defense Evasion: T1574.002 (DLL Sideloading), T1027.007 (Dynamic API Resolution), T1140 (Deobfuscate/Decode Files or Information), T1036 (Masquerading), T1055 (Process Injection), T1620 (Reflective Code Loading), T1480.002 (Mutual Exclusion) – The malware employed multiple evasion techniques including DLL sideloading with legitimate binaries, custom API hashing, encryption, process masquerading, and reflective loading.

Discovery: T1083 (File and Directory Discovery), T1082 (System Information Discovery) – The backdoor conducted extensive system reconnaissance to collect information about the compromised environment.

Collection: T1005 (Data from Local System) – The malware collected data from local systems for exfiltration.

Command and Control: T1071.001 (Web Protocols), T1573 (Encrypted Channel), T1105 (Ingress Tool Transfer) – The Chrysalis backdoor utilized HTTPS communications for command-and-control with encrypted channels and supported downloading additional tools.

Exfiltration: T1041 (Exfiltration Over C2 Channel) – Collected system information was exfiltrated through the established command-and-control infrastructure.

Impact: T1070.004 (File Deletion) – The malware included self-removal capabilities to eliminate forensic evidence.

Indicators of Compromise (IOCs)

Malicious URLs

The attack infrastructure utilized numerous malicious URLs for command-and-control communications and payload delivery, including endpoints at 59.110.7.32, 124.222.137.114, api.wiresguard.com, 45.76.155.202, 45.32.144.255, 95.179.213.0, self-dns.it.com, 45.77.31.210, cdncheck.it.com, safe-dns.it.com, and api.skycloudcenter.com. These URLs supported various malicious functionalities including system information submission, metadata collection, file upload operations, update delivery, and command-and-control communications.

File Hashes

Multiple malicious file hashes associated with the Chrysalis backdoor campaign and related payloads have been identified through forensic analysis, including SHA1 values for malicious DLL components, NSIS installers, loader modules, and backdoor payloads. Security teams should integrate these hash values into endpoint detection and response platforms, threat intelligence feeds, and security information and event management systems.

Command-and-Control Domains

The threat actors operated command-and-control infrastructure using domains including api.skycloudcenter.com and api.wiresguard.com. Organizations should block network communications to these domains and monitor for any historical connections that may indicate prior compromise.

Malicious IP Addresses

The attack infrastructure utilized IP addresses 95.179.213.0, 61.4.102.97, 59.110.7.32, and 124.222.137.114 for hosting malicious payloads and command-and-control operations. Network security controls should block connections to these IP addresses.

Malicious File Paths

Chrysalis backdoor artifacts were deployed to specific file system locations including %appdata%\ProShow\load, %appdata%\Adobe\Scripts\alien.ini, and %appdata%\Bluetooth\BluetoothService. Security teams should search endpoints for files in these locations as indicators of potential compromise.

References

https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

https://notepad-plus-plus.org/news/hijacked-incident-info-update/

https://socradar.io/blog/notepad-infrastructure-hijacked/

https://securelist.com/notepad-supply-chain-attack/118708/
