Notepad++ Hack Detailed Along With the IoCs and Custom Malware Used

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated espionage campaign attributed to the Chinese Advanced Persistent Threat (APT) group Lotus Blossom (also known as Billbug).

The threat actors compromised the infrastructure hosting the popular text editor Notepad++ to deliver a custom, previously undocumented backdoor named “Chrysalis”.

This campaign, discovered by Rapid7 researcher Ivan Feigl, primarily targets organizations in the government, telecommunications, aviation, and critical infrastructure sectors across Southeast Asia and Central America.

The investigation began with a security incident stemming from the execution of a malicious file named update[.]exe, which was downloaded from a suspicious IP address (95.179.213[.]0) following the legitimate execution of notepad++[.]exe and GUP[.]exe (the generic updater for Notepad++)

Forensic analysis revealed that update[.]exe is an NSIS installer, a tool frequently abused by Chinese APTs for initial payload delivery.

Attack Chain (Source: Rapid7)

Upon execution, the installer creates a hidden directory in the %AppData% folder named “Bluetooth” and drops several files, including BluetoothService.exe and log.dll.

The executable BluetoothService.exe is actually a renamed, legitimate Bitdefender Submission Wizard binary. The attackers utilize this legitimate file to perform DLL sideloading, forcing it to load the malicious log.dll instead of the genuine library.

The Chrysalis Backdoor

Once loaded, log.dll decrypts and executes a shellcode payload the Chrysalis backdoor. This malware is a sophisticated, feature-rich implant designed for long-term persistence rather than simple “smash-and-grab” operations, Rapid7 observed.

Chrysalis employs several advanced evasion techniques:

  • Custom Encryption: It uses a linear congruential generator for decryption rather than standard cryptographic APIs, making it harder for automated tools to flag.
  • API Hashing: The malware resolves necessary Windows APIs using a custom hashing algorithm (FNV-1a combined with a MurmurHash-style finalizer) to evade static analysis and antivirus detection.
  • C2 Communication: The backdoor communicates with its Command and Control (C2) server (api.skycloudcenter.com) over HTTPS. Notably, the C2 URL structure mimics the Deepseek API endpoints (e.g., /a/chat/s/{GUID}), likely an attempt to blend in with legitimate AI-related network traffic.

Chrysalis is highly versatile, supporting 16 different commands controlled by a switch statement in the code. Key capabilities include:

  • Interactive Shell: Spawning a fully interactive reverse shell via cmd.exe (Switch 4T).
  • File Operations: Reading, writing, and deleting files, as well as enumerating directory contents (Switches 4W, 4X, 4Y).
  • Process Execution: Launching remote processes (Switch 4V).
  • Self-Removal: A “cleanup” mode that removes persistence artifacts and deletes the malware from the disk (Switch 4).

Advanced Loading with Microsoft Warbird

Beyond Chrysalis, researchers discovered a loader variant (ConsoleApplication2.exe) that leverages Microsoft Warbird, a complex code protection framework, to hide its execution flow.

This loader abuses the NtQuerySystemInformation system call with the undocumented SystemCodeFlowTransition (0xB9) class.

By copying encrypted data into the memory of a Microsoft-signed binary (clipc.dll) and invoking this specific system call, the loader triggers the Warbird mechanism to decrypt and execute the shellcode in the kernel context.

This technique effectively bypasses user-mode hooks and standard EDR monitoring, marking a significant evolution in Billbug’s tradecraft.

The campaign is attributed to Lotus Blossom with moderate confidence, based on the specific use of the Bitdefender sideloading technique and shared cryptographic keys found in the Cobalt Strike beacons deployed alongside Chrysalis.

Indicators of Compromise (IoCs)

Here are the Indicators of Compromise (IoCs) and MITRE ATT&CK TTPs associated with the Lotus Blossom campaign and the Chrysalis backdoor.

File Indicators

File Name SHA-256 Hash Description
update.exe a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9 Malicious NSIS Installer used for initial payload delivery
[NSIS.nsi] 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e Extracted NSIS installation script
BluetoothService.exe 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924 Renamed Bitdefender Submission Wizard (legitimate binary abused for sideloading)
BluetoothService 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e Encrypted shellcode file
log.dll 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad Malicious DLL sideloaded by BluetoothService.exe
u.bat 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600 Temporary batch file used for self-deletion/cleanup
conf.c f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a C source file containing shellcode bytes (Metasploit block API)
libtcc.dll 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906 Library for Tiny C Compiler, used to compile/run conf.c
admin 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd File retrieved from api.wiresguard.com, related to second-stage shellcode
loader1 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd Variant loader sample found in public repositories
uffhxpSy 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8 Shellcode associated with Loader 1
loader2 e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda Variant loader sample found in public repositories
3yzr31vk 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5 Shellcode associated with Loader 2
ConsoleApplication2.exe b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3 Loader 3; uses Microsoft Warbird for shellcode execution
system 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd Shellcode associated with ConsoleApplication2.exe
s047t5g.exe fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a Loader 4; variant sample sharing shellcode with Loader 3

Network Indicators

Indicator Type Context
95.179.213.0 IP Address Host for update.exe download
api.skycloudcenter.com Domain Chrysalis Backdoor C2
api.wiresguard.com Domain Cobalt Strike Beacon C2
61.4.102.97 IP Address Resolution for api.skycloudcenter.com (Malaysia)
59.110.7.32 IP Address C2 IP associated with Loader 1
124.222.137.114 IP Address C2 IP associated with Loader 2

MITRE ATT&CK TTPs

ATT&CK ID Name
T1204.002 User Execution: Malicious File
T1036 Masquerading
T1027 Obfuscated Files or Information
T1027.007 Obfuscated Files or Information: Dynamic API Resolution
T1140 Deobfuscate/Decode Files or Information
T1574.002 DLL Side-Loading
T1106 Native API
T1055 Process Injection
T1620 Reflective Code Loading
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1083 File and Directory Discovery
T1005 Data from Local System
T1105 Ingress Tool Transfer
T1041 Exfiltration Over C2 Channel
T1071.001 Application Layer Protocol: Web Protocols (HTTP/HTTPS)
T1573 Encrypted Channel
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys
T1543.003 Create or Modify System Process: Windows Service
T1480.002 Execution Guardrails: Mutual Exclusion
T1070.004 Indicator Removal on Host: File Deletion

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.