1. The Cause
2nd February: it was confirmed that the vendor’s website has been compromised for at least 5 months (between June 2025 & November/December 2025).
- The attack allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org
- This was abused to deliver an undocumented custom backdoor, now dubbed as “Chrysalis”
- This was due to infrastructural weaknesses on the hosting provider’s end.
To address this issue, notepad++’s website is migrated to a new hosting provider.
2. Overview Of The Malware
The campaign is being attributed to the APT Group Lotus Blossom (ID: G0030); a well-documented nation-state actor.
Every piece of malware was neatly packed in a NSIS installer file. Following are it’s contents:
- NSIS installation script
- BluetoothService.exe (Renamed a Bitdefender file, then abused it for DLL sideloading)
- BluetoothService (Encrypted shellcode)
- log.dll (The said malicious DLL loaded by “BluetoothService.exe”)
The attackers took a real Bitdefender program, renamed it, and used it to trick Windows into loading a malicious DLL file that ran the malware. (DLL sideloading)
3. The Implant
Action 1: Notepad++ is opened (On its own, this is completely normal.)
Action 2: GUP.exe runs next (Legitimate ; the auto-updater for Notepad++) Action 3: A program called “update.exe” runs – This is where things get interesting.
3a. Update.exe
- Update.exe is download from “95.179.213.0”
- As per VT, it’s got a Bad Reputation : https://www.virustotal.com/gui/url/b9fd40e71672371f3172674ae17c30183d6accc367b61590097f5510bc50568c
Analysis show that it is an NSIS installer (Tool to create windows installers)
Upon unpacking, it extracts:
- NSIS installation script
- BluetoothService.exe
- BluetoothService
- log.dll
3b. BluetoothService.exe
- The “BluetoothService.exe” is just the renamed version of a legit Bitdefender program.
- The attackers used this as a loader by placing a malicious DLL (log.dll) beside it.
- When the renamed program runs, it loads the malicious DLL due to how Windows resolves DLLs.
3c. log.dll
- Windows looks for required DLLs in the same directory as the executable before looking in system folders; this is the mechanism that is abused by the attackers in this case.
- This file has 2 functions in it; LogInit & LogWrite
- LogInit loads “BluetoothService (Encrypted shellcode)” into the memory of the running process.
- LogWrite decrypts and execute the shellcode
- It implements API Hashing function (Resolves required APIs at execution)
4. The Malware itself
Once decrypted by the log.dll, Chrysalis is uncovered; A deliberate anti-analysis tradecraft that’s persistent, loaded with capabilities, utilizes advanced evasion techniques.
- Evasions of Signature -based detections: Abuses legitimate executables for DLL sideloading with a generic DLL name.
- AV/Static Analysis/YARA Evasion: Directly calling the Windows APIs in specific combinations/order can be detected as a sign of malicious behaviour by most AVs and security solutions hence Separate custom API hashing mechanisms are implemented in both the loader and payload. This also delays behavioural detections
- layered obfuscation and a structured C2 communication model.
- The code is intentionally such that it conceals strings, make static analysis difficult, and evades signature-based detection. The names of the DLLs that the main function calls are constructed on the go using 2 separation functions; these functions implement a custom, position-dependent character obfuscation scheme meaning that each character is transformed using multiple binary mathematical operations (XOR, Multiplication, bit rotations) to ensure that identical characters are transformed diversely.
- Once these DLLs are load, the backdoor begins executing the main logic which includes configuration to establish communication with the C2 (command-and-control) to achieve objectives.
- First, the malware must decrypt its configuration; the “BluetoothService” file saves the encrypted configuration at a specific memory offset and is of an expected memory length. Once again, this technique makes the static analysis more complex as the analyst does not know where the configuration will be, or where in the memory the decryption key will be.
4a. Runtime
The program initializes like a normal windows program by performing a MSVC C runtime initialization after which it dynamically reconstructs and loads multiple DLLs needed to run; the names of these DLLs are constructed on the go and the process is described in detail in the former heading.
Once this is done, the malware must access its configurations and establish communication with the C2. Initially, the configuration is encrypted and the malware has the key hardcoded at a specific memory offset and of specific length (which are also hardcoded into it). Once the backdoor has taken ahold of the decryption key, (and it knows that the algorithm is RC4), it decrypts the configuration using this key (qwhvb^435h&*7).
4b. Communications
The configuration reveals the following information:
- Command and Control (C2) url: https://api[.]skycloudcenter[.]com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821 (URL resolves to 61.4.102.97)
- Name of the module: BluetoothService
- User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
Before comms start, the malware has already:
- Resolved networking APIs via API hashing
- Loaded required DLLs
- Initialized runtime structures and configurations.
To blend in with the normal traffic, C2 server and backdoor communicates in HTTP making it look like normal windows application traffic.
When the Chrysalis backdoor runs, it interprets command-line arguments and, if none or only specific ones are present, it proceeds to install itself persistently before doing anything else. Its persistence behavior is controlled by the first process instance it launches without special flags.
Chrysalis differentiates its operational mode based on the command-line arguments passed at startup:
| Argument | Mode | What Happens |
| (None) | Installation | Sets persistence (creates service or registry autorun), then restarts itself with a launcher flag and exits. |
| -i | Launcher | Spawns a new instance with a payload flag then exits. |
| -k | Payload | Skips persistence checks and runs the main backdoor logic. |
So, when it first runs without arguments, Chrysalis installs persistence and then restarts itself to actually run the malicious payload. Persistence is set up primarily via service creation or registry as a fall back mechanism.
Once done, a mutex(“mutual exclusion object” is a synchronization primitive used in programming to protect shared resources from concurrent access by multiple threads) is registered to ensure only one instance of this being executed; if another instance exists, malware is terminated. Else, if the check is clear, information gathering begins; malware queries for the following:
- Current time
- Installed AVs
- OS version
- user name
- computer name
Next, the computer name, user name, OS version and string “1.01” are concatenated and the data is hashed. This value is later turned into its decimal ascii representation and used most likely as a unique identifier of the infected host.
Chrysalis’ first beacon typically includes:
- System details (hostname, OS, architecture)
- A unique identifier (GUID-based)
- A campaign/implant identifier
- Possibly other telemetry
This is packaged in an HTTP request to the C2 URL and All of this happens using Windows’ built-in HTTP stack, hence the traffic is encrypted using TLS which helps in hide content from network detection.
Conclusion
The discovery of the Chrysalis backdoor is a testament to the statement that the only true way to a secure environment is with continuous monitoring and detection. MMC helps organizations by providing MDR and 24/7 SOC (Security Operation Center) services to ensure that they’re protected in the ever-evolving landscape of cyber security.
Indicators of compromise (IoCs)
File indicators
Note: data may appear cut-off or hidden due to the string lengths in column 2. You can copy the full string by highlighting what is visible.
| update.exe | a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9 |
| [NSIS.nsi] | 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e |
| BluetoothService.exe | 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924 |
| BluetoothService | 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e |
| log.dll | 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad |
| u.bat | 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600 |
| conf.c | f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a |
| libtcc.dll | 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906 |
| admin | 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd |
| loader1 | 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd |
| uffhxpSy | 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8 |
| loader2 | e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda |
| 3yzr31vk | 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5 |
| ConsoleApplication2.exe | b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3 |
| system | 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd |
| s047t5g.exe | fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a |
Network indicators
| 95.179.213.0 |
| api[.]skycloudcenter[.]com |
| api[.]wiresguard[.]com |
| 61.4.102.97 |
| 59.110.7.32 |
| 124.222.137.114 |
MITRE TTPs
| ATT&CK ID | Name |
| T1204.002 | User Execution: Malicious File |
| T1036 | Masquerading |
| T1027 | Obfuscated Files or Information |
| T1027.007 | Obfuscated Files or Information: Dynamic API Resolution |
| T1140 | Deobfuscate/Decode Files or Information |
| T1574.002 | DLL Side-Loading |
| T1106 | Native API |
| T1055 | Process Injection |
| T1620 | Reflective Code Loading |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1083 | File and Directory Discovery |
| T1005 | Data from Local System |
| T1105 | Ingress Tool Transfer |
| T1041 | Exfiltration Over C2 Channel |
| T1071.001 | Application Layer Protocol: Web Protocols (HTTP/HTTPS) |
| T1573 | Encrypted Channel |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
| T1543.003 | Create or Modify System Process: Windows Service |
| T1480.002 | Execution Guardrails: Mutual Exclusion |
| T1070.004 | Indicator Removal on Host: File Deletion |
*IOCs contributed by @AIexGP on X.
*IOCs taken from Rapid7’s blog “The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit”
Sources:
Rapid7’s Research: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Notepad++ Press Release: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
