The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit
The Chrysalis backdoor is sophisticated malware linked to the Chinese APT group Lotus Blossom, discovered in a campaign targeting Notepad++ infrastructure. It employs advanced obfuscation techniques, including Microsoft Warbird, and integrates both custom loaders and off-the-shelf tools such as Cobalt Strike and Metasploit payloads. Chrysalis provides extensive capabilities, including information gathering, file manipulation, and remote command execution. The campaign reflects an evolution in Lotus Blossom's tactics, blending custom and commercial tools to evade detection. Although no known exploits are currently active in the wild, the threat poses a medium severity risk due to its stealth and potential impact. European organizations using Notepad++ or related infrastructure could be targeted, especially those in critical sectors. Mitigation requires enhanced monitoring for unusual activity, strict supply chain security, and proactive threat hunting focused on obfuscation patterns. Countries with high technology adoption and geopolitical relevance to China are more likely to be affected.
AI Analysis
Technical Summary
The Chrysalis backdoor represents a new addition to the toolkit of the Chinese advanced persistent threat (APT) group Lotus Blossom, as uncovered by Rapid7 Labs. This campaign notably compromised the infrastructure of Notepad++, a widely used text editor, to deliver the backdoor payload. Chrysalis is characterized by multiple custom loaders, one of which uses Microsoft Warbird, a known obfuscation framework, to hinder detection and analysis. The backdoor itself supports a broad range of malicious activities, including detailed information gathering, file operations such as upload and download, and remote command execution, enabling attackers to maintain persistent and flexible control over compromised systems. The campaign also deployed additional artifacts such as Cobalt Strike beacons and Metasploit payloads, indicating a hybrid approach that combines bespoke malware with commercial penetration testing tools to maximize effectiveness and stealth. This evolution in Lotus Blossom’s tactics highlights their increasing sophistication in evading detection by mixing custom-developed and off-the-shelf tools, leveraging advanced obfuscation techniques, and targeting software supply chains. Although no active exploits have been reported in the wild, the compromise of a popular software infrastructure like Notepad++ underscores the potential for widespread impact. The campaign’s complexity and use of multiple toolsets suggest a well-resourced and highly skilled adversary focused on long-term espionage and data exfiltration.
Potential Impact
For European organizations, the Chrysalis backdoor campaign presents significant risks, particularly for entities relying on Notepad++ or related software infrastructure. The backdoor’s capabilities for information gathering and remote command execution could lead to unauthorized access to sensitive data, intellectual property theft, and disruption of operations. Given the integration of Cobalt Strike and Metasploit payloads, attackers could escalate privileges, move laterally within networks, and establish persistent footholds, complicating incident response efforts. The stealthy obfuscation techniques increase the likelihood of prolonged undetected presence, amplifying potential damage. Critical sectors such as government, technology, telecommunications, and manufacturing in Europe could be targeted due to their strategic importance and potential geopolitical interest from Chinese APT groups. Supply chain compromise of widely used software like Notepad++ could also indirectly affect numerous organizations, increasing the attack surface. The medium severity rating reflects the balance between the sophistication and stealth of the threat and the current lack of widespread exploitation, but the potential impact on confidentiality, integrity, and availability remains substantial.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to this threat:
- Conduct thorough supply chain security assessments focusing on software dependencies like Notepad++, ensuring software integrity through cryptographic verification and trusted update channels.
- Deploy advanced endpoint detection and response (EDR) solutions capable of identifying obfuscated loaders and unusual process behaviors associated with Microsoft Warbird and Cobalt Strike.
- Enhance network monitoring to detect anomalous command and control traffic, especially patterns consistent with Cobalt Strike beacons and Metasploit activity.
- Regularly update and patch all software components, even if no direct patches exist for Chrysalis, to reduce exposure to related vulnerabilities.
- Conduct threat hunting exercises using indicators of compromise (IOCs) and behavioral analytics targeting the specific tactics described, such as file operations and remote command execution.
- Train security teams to recognize signs of sophisticated APT activity and obfuscation techniques.
- Implement strict access controls and network segmentation to limit lateral movement in case of compromise.
- Collaborate with national cybersecurity centers and share threat intelligence to stay informed about evolving tactics from Lotus Blossom and similar groups.
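One way to operationalise the IoC-driven hunting recommended above, as an added example that is not part of this report or the Rapid7 write-up: a small Python matcher that parses a feed in the same `- type: value` shape as this report's indicator list, buckets hashes by hex length (MD5, SHA-1, SHA-256), derives the host from each URL so host-only proxy logs still match, and checks file contents and proxy log lines against the feed. All indicator values, the sample payload and the log lines are constructed placeholders, not the report's IoCs.

```python
import hashlib
import re
from urllib.parse import urlsplit

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}                   # hex length -> algorithm
FEED_LINE = re.compile(r"^\s*-\s*(hash|ip|url|domain):\s*(\S+)\s*$")  # "- type: value" lines
# Constructed placeholder feed, payload and proxy log (not the report's IoCs);
# the payload's SHA-256 goes into the feed so the hash path runs end to end.
SAMPLE_BYTES = b"constructed sample loader, not a real artifact"
SAMPLE_FEED = f"""\
- hash: 00112233445566778899aabbccddeeff
- hash: {hashlib.sha256(SAMPLE_BYTES).hexdigest()}
- ip: 192.0.2.10
- url: http://192.0.2.10:9999/api/Info/submit
- url: https://c2.example.invalid/api/getInfo/v1
- domain: c2.example.invalid
"""
SAMPLE_LOG = """\
2026-02-03T08:30:08Z WS-042 GET http://192.0.2.10:9999/api/Info/submit 200
2026-02-03T08:31:12Z WS-017 CONNECT c2.example.invalid:443 200
2026-02-03T08:32:40Z WS-099 GET https://www.example.org/index.html 200
"""

def host_of(token):  # lowercased host of a URL or host:port token; port and path dropped
    return urlsplit(token if "://" in token else "//" + token).hostname

def parse_feed(text):  # bucket by type: hashes by hex length, URL hosts also as ip/domain
    iocs = {k: set() for k in ("md5", "sha1", "sha256", "ip", "url", "domain")}
    for m in filter(None, map(FEED_LINE.match, text.splitlines())):
        kind, value = m.groups()
        if kind == "hash" and len(value) in HASH_ALGOS:
            iocs[HASH_ALGOS[len(value)]].add(value.lower())
        elif kind == "url":
            iocs["url"].add(value)                    # exact-URL match, case preserved
            if host := host_of(value):                # host-only match for host-only logs
                iocs["ip" if host.replace(".", "").isdigit() else "domain"].add(host)
        elif kind in ("ip", "domain"):
            iocs[kind].add(value.lower())
    return iocs

def match_file(iocs, data):  # algorithm whose digest of `data` is in the feed, or None
    for algo in ("md5", "sha1", "sha256"):
        if hashlib.new(algo, data).hexdigest() in iocs[algo]:
            return algo
    return None

def match_log(iocs, log_text):  # (line_no, type, value) per log line hitting the feed
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for tok in line.split():
            host = host_of(tok)
            kind = ("url" if tok in iocs["url"] else "ip" if host in iocs["ip"]
                    else "domain" if host in iocs["domain"] else None)
            if kind:
                hits.append((n, kind, tok if kind == "url" else host))
                break
    return hits
```

The benign third log line produces no hit, and a CONNECT entry that records only `host:port` still matches on the host derived from the feed's URLs.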
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Poland, Belgium
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- Adversary: Lotus Blossom
- Pulse Id: 6981aff0acbb318f992ed03e
- Threat Score: null
Threat ID: 6981b210f9fa50a62fafd65c
Added to database: 2/3/2026, 8:30:08 AM
Last enriched: 2/3/2026, 8:44:30 AM
Last updated: 2/3/2026, 10:18:49 AM