The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit
Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.
AI Analysis
Technical Summary
The Chrysalis backdoor represents a new addition to the toolkit of the Chinese advanced persistent threat (APT) group Lotus Blossom, as uncovered by Rapid7 Labs. This campaign notably compromised the infrastructure of Notepad++, a widely used text editor, to deliver the backdoor payload. Chrysalis is characterized by multiple custom loaders, one of which uses Microsoft Warbird, a known obfuscation framework, to hinder detection and analysis. The backdoor itself supports a broad range of malicious activities, including detailed information gathering, file operations such as upload and download, and remote command execution, enabling attackers to maintain persistent and flexible control over compromised systems. The campaign also deployed additional artifacts such as Cobalt Strike beacons and Metasploit payloads, indicating a hybrid approach that combines bespoke malware with commercial penetration testing tools to maximize effectiveness and stealth. This evolution in Lotus Blossom’s tactics highlights their increasing sophistication in evading detection by mixing custom-developed and off-the-shelf tools, leveraging advanced obfuscation techniques, and targeting software supply chains. Although no active exploits have been reported in the wild, the compromise of a popular software infrastructure like Notepad++ underscores the potential for widespread impact. The campaign’s complexity and use of multiple toolsets suggest a well-resourced and highly skilled adversary focused on long-term espionage and data exfiltration.
Potential Impact
For European organizations, the Chrysalis backdoor campaign presents significant risks, particularly for entities relying on Notepad++ or related software infrastructure. The backdoor’s capabilities for information gathering and remote command execution could lead to unauthorized access to sensitive data, intellectual property theft, and disruption of operations. Given the integration of Cobalt Strike and Metasploit payloads, attackers could escalate privileges, move laterally within networks, and establish persistent footholds, complicating incident response efforts. The stealthy obfuscation techniques increase the likelihood of prolonged undetected presence, amplifying potential damage. Critical sectors such as government, technology, telecommunications, and manufacturing in Europe could be targeted due to their strategic importance and potential geopolitical interest from Chinese APT groups. Supply chain compromise of widely used software like Notepad++ could also indirectly affect numerous organizations, increasing the attack surface. The medium severity rating reflects the balance between the sophistication and stealth of the threat and the current lack of widespread exploitation, but the potential impact on confidentiality, integrity, and availability remains substantial.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to this threat. First, conduct thorough supply chain security assessments focusing on software dependencies like Notepad++, ensuring software integrity through cryptographic verification and trusted update channels. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying obfuscated loaders and unusual process behaviors associated with Microsoft Warbird and Cobalt Strike. Enhance network monitoring to detect anomalous command and control traffic, especially patterns consistent with Cobalt Strike beacons and Metasploit activity. Regularly update and patch all software components, even if no direct patches exist for Chrysalis, to reduce exposure to related vulnerabilities. Conduct threat hunting exercises using indicators of compromise (IOCs) and behavioral analytics targeting the specific tactics described, such as file operations and remote command execution. Train security teams to recognize signs of sophisticated APT activity and obfuscation techniques. Implement strict access controls and network segmentation to limit lateral movement in case of compromise. Finally, collaborate with national cybersecurity centers and share threat intelligence to stay informed about evolving tactics from Lotus Blossom and similar groups.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Poland, Belgium
Indicators of Compromise
- hash: 28cb7b261f4eb97e8a4b3b0d32f8def1
- hash: 2dc895d5611a149bfcc0d17c4f02d863
- hash: 32f3c40b0ed1c5cf23430be7f9eb7b06
- hash: 6aed7e49bd6c10c4eaee34f8c0eaa055
- hash: 21a942273c14e4b9d3faa58e4de1fd4d5014a1ed
- hash: 73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf
- hash: 9fbf2195dee991b1e5a727fd51391dcc2d7a4b16
- hash: f7910d943a013eede24ac89d6388c1b98f8b3717
- hash: 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5
- hash: 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd
- hash: 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
- hash: 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
- hash: 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906
- hash: 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8
- hash: 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
- hash: 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd
- hash: 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd
- hash: 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e
- hash: 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600
- hash: a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
- hash: b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3
- hash: e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda
- hash: f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a
- hash: fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a
- ip: 124.222.137.114
- ip: 59.110.7.32
- ip: 61.4.102.97
- url: http://124.222.137.114:9999/3yZR31VK
- url: http://124.222.137.114:9999/api/Info/submit
- url: http://124.222.137.114:9999/api/updateStatus/v1
- url: http://134.0.0.0
- url: http://59.110.7.32:8880/api/Metadata/submit
- url: http://59.110.7.32:8880/api/getBasicInfo/v1
- url: http://59.110.7.32:8880/uffhxpSy
- url: http://95.179.213.0
- url: http://api.wiresguard.com/api/FileUpload/submit
- url: http://api.wiresguard.com/update/v1
- url: http://api.wiresguard.com/users/admin
- url: https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821
- url: https://api.wiresguard.com/api/Info/submit
- url: https://api.wiresguard.com/api/getInfo/v1
- url: https://api.wiresguard.com/users/system
- domain: api.skycloudcenter.com
- domain: api.wiresguard.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- Adversary: Lotus Blossom
- Pulse Id: 6981aff0acbb318f992ed03e
- Threat Score: null
Threat ID: 6981b210f9fa50a62fafd65c
Added to database: 2/3/2026, 8:30:08 AM
Last enriched: 2/3/2026, 8:44:30 AM
Last updated: 3/20/2026, 8:52:45 AM
Views: 1131