Chrysalis

Threat actors routinely use this technique, known as brand impersonation or typosquatting, to serve malware, infostealers, or remote access trojans under the cover of a well-known application.

"The attackers intercepted and selectively redirected update requests from certain users to malicious servers"

"as well as working credentials for internal services"

the attack was not a vulnerability in the Notepad++ code itself, but a supply chain compromise of the project’s hosting infrastructure, which allowed attackers to selectively redirect update traffic to serve malicious files to specific targets.

state-sponsored Chinese hackers from the Lotus Blossom group compromised the official Notepad++ update infrastructure and delivered a malicious backdoor called Chrysalis to targeted users.

"traffic tied to WinGUp, which updated the software, 'was occasionally redirected to malicious servers, resulting in the download of compromised executables'"

Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration.

The primary payload is a previously undocumented, feature-rich backdoor dubbed “Chrysalis.” It supports 16 distinct commands, including interactive shell access

Description Lotus Blossom TinyCC shellcode execution simulation. Svchost.exe executed with TinyCC compiler flags (-nostdlib -run) to simulate Chrysalis backdoor's shellcode compilation technique.

...Notepad++ ... intercept or redirect update traffic to download and execute an attacker-controlled installer and lead to arbitrary code execution with the privileges of the user.

"...C:\\Users\\*\\AppData\\Roaming\\Bluetooth\\log.dll,Malicious sideloaded DLL" and "...Adobe\\Scripts\\alien.dll,Malicious DLL"

"as well as working credentials for internal services"

Lotus Blossom BluetoothService persistence test execution. Service created in user AppData directory for persistence.

"as well as working credentials for internal services"

Lotus Blossom BluetoothService persistence test execution. Service created in user AppData directory for persistence.

Attackers used a sophisticated loader that leverages Microsoft Warbird, an undocumented internal Windows code-protection framework. This allowed them to execute malicious shellcode while masquerading as a legitimate, Microsoft-signed binary, effectively bypassing many security solutions.

This allowed them to execute malicious shellcode while masquerading as a legitimate, Microsoft-signed binary

It supports 16 distinct commands, including interactive shell access, file manipulation, and self-uninstallation to hide its tracks.

"as well as working credentials for internal services"

"...Bluetooth\\Bluetooth,Encrypted shellcode blob (no extension)"

"Detects payload bytes in first 0x490 bytes in clipc.dll Warbird technique... scope = 'Microsoft signed DLL - clipc.dll'"

"...C:\\Users\\*\\AppData\\Roaming\\Bluetooth\\log.dll,Malicious sideloaded DLL" and "...Adobe\\Scripts\\alien.dll,Malicious DLL"

"Find Warbird clipc.dll shellcode loader strings" and YARA rules: "...Shellcode_Loader..." and "...Warbird... shellcode loader"

"Unit 42 noted that the campaign was focused on long-term valuable intelligence, leveraging the adversary-in-the-middle (AitM) capability to dynamically fingerprint incoming update requests and filter only priority targets."

"...ProShow\\1.txt,Recon output (whoami/tasklist)"

"...ProShow\\1.txt,Recon output (whoami/tasklist)"

The blog details a unique “heartbeat” mechanism where the malware exfiltrated system information (via tasklist and systeminfo ) by uploading it to the public file-sharing service temp[.]sh

It supports 16 distinct commands, including interactive shell access, file manipulation, and self-uninstallation to hide its tracks.

"Unit 42 noted that the campaign was focused on long-term valuable intelligence, leveraging the adversary-in-the-middle (AitM) capability to dynamically fingerprint incoming update requests and filter only priority targets."

C2 (Command and Control) traffic designed to mimic DeepSeek API endpoints to blend in with legitimate network traffic.

YARA rule includes domains/paths such as "api.skycloudcenter.com" and URIs like "/api/update/v1", "/api/FileUpload/submit", "/api/getInfo/v1"

The campaign rotated C2 servers across three attack chains to deliver a Metasploit loader, Cobalt Strike Beacon, and a custom backdoor called Chrysalis.

Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration.

the malware exfiltrated system information (via tasklist and systeminfo ) by uploading it to the public file-sharing service temp[.]sh , then passing the resulting URL to the attackers via the User-Agent header of a subsequent request.

"attackers... allowing them to maliciously redirect traffic until Dec. 2, 2025"