While investigating an active intrusion, Rapid7 researchers recently uncovered a sophisticated malware campaign tied to the Chinese state-linked threat actor known as Lotus Blossom. The campaign, which spans multiple years, leveraged a previously undocumented backdoor dubbed “Chrysalis”, delivered through a compromised software distribution channel.
Background: Actor Profile and Incident Summary
Lotus Blossom is a long-active advanced persistent threat (APT) group with activity dating back to at least 2009, known for targeted espionage campaigns against government, telecom, aviation, critical infrastructure, and media sectors, particularly across Southeast Asia and Central America.
Forensic investigation determined that the intrusion stemmed from a supply-chain compromise of the infrastructure used to distribute Notepad++, a widely used text editor. The editor's own update chain (notepad++.exe launching its updater, GUP.exe) fetched and ran a suspicious installer, update.exe, from 95[.]179[.]213[.]0, which started the payload chain leading to Chrysalis.
Initial Access and Installer Details
The suspected initial access vector matches public disclosures of unauthorized manipulation of Notepad++ distribution systems. Available reporting mentions both plugin replacement and updater abuse; the only sequence confirmed in this intrusion was the execution chain ending in an NSIS installer (update.exe).
Upon extraction, the NSIS package contained:
| Component | Purpose | SHA-256 |
|---|---|---|
| NSIS.nsi | Installer script | 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e |
| BluetoothService.exe | Renamed Bitdefender Submission Wizard (DLL sideload host) | 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924 |
| BluetoothService | Encrypted shellcode | 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e |
| log.dll | Malicious sideloaded DLL | 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ee547866f65e26b7ad |
The installer drops these files into the %AppData%\Bluetooth directory and starts BluetoothService.exe, which sideloads log.dll and ultimately executes the hidden shellcode.
Loader Mechanics: Shellcode, DLL Sideloading, and IAT Resolution
DLL Sideloading
The renamed Bitdefender Submission Wizard binary is tricked into loading the malicious log.dll in place of the legitimate library of that name. Two exported functions, LogInit and LogWrite, drive the shellcode execution flow:
- LogInit reads the “BluetoothService” file (the encrypted shellcode) into process memory.
- LogWrite runs a custom decryption routine, built on a linear congruential generator and a proprietary stream-cipher construction, to unpack the shellcode in memory.
To avoid an incriminating import table, the loader resolves the Windows APIs it needs at runtime by hash (FNV-1a followed by a MurmurHash-style finalizer), which defeats static detections and heuristics keyed on imported function names.
Chrysalis Backdoor Architecture
Once unpacked, Chrysalis presents as a full-featured backdoor designed for stealth and persistence:
Module Decryption
Chrysalis decrypts its main module with repeated XOR, addition and subtraction passes under a static key ("gQ2JR&9;"). The routine then reconstructs a PE-like image directly in memory, a reflective-loading approach.
Dynamic Import Resolution
Like the loader, the main module resolves its imports by API hashing: it walks the PEB's InMemoryOrderModuleList to find loaded modules and matches hashed export names, which adds resistance to signature-based unpacking and static analysis.
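As an added example (not Rapid7's or the malware's own code), the following Python script shows what an analyst does to make the hashed imports used by both the loader and the main module readable: compute the hash of every export name a loader could want and look the hashes recovered from the sample up in that table. The page gives only “FNV-1a + MurmurHash-style finalizer”, so the concrete parameters are assumptions: 32-bit FNV-1a with the standard offset basis and prime, followed by MurmurHash3's fmix32 finalizer. The export lists are constructed stand-ins for the export tables the malware reaches by walking the PEB module list; swap in names dumped from real DLLs and the constants recovered from the sample.

```python
# Added example (not Rapid7's or the malware's code): resolve API hashes
# of the "FNV-1a + MurmurHash-style finalizer" kind back to export names.
# ASSUMED parameters: 32-bit FNV-1a (standard basis/prime), MurmurHash3 fmix32.

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF


def fnv1a_32(name: bytes) -> int:
    """Standard 32-bit FNV-1a over the raw export name bytes."""
    h = FNV32_OFFSET
    for b in name:
        h = ((h ^ b) * FNV32_PRIME) & MASK32
    return h


def fmix32(h: int) -> int:
    """MurmurHash3 32-bit finalizer; loaders bolt this on so the
    well-known FNV constants alone no longer give the table away."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def api_hash(name: str) -> int:
    """Hash an export name the way the (assumed) loader does."""
    return fmix32(fnv1a_32(name.encode("ascii")))


# Constructed stand-in for the export tables the loader reaches by walking
# the PEB InMemoryOrderModuleList: module name -> exported function names.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["VirtualAlloc", "VirtualProtect", "CreateThread",
                     "LoadLibraryA", "GetProcAddress"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "NtProtectVirtualMemory"],
    "advapi32.dll": ["CryptAcquireContextA"],
}


def build_hash_table(exports):
    """hash -> (module, export) for every name, so hashes pulled out of a
    sample can be looked up the way the loader matches them at runtime."""
    table = {}
    for module, names in exports.items():
        for n in names:
            h = api_hash(n)
            if h in table and table[h] != (module, n):
                raise ValueError(f"hash collision for {n}")  # would mislead triage
            table[h] = (module, n)
    return table


def resolve(table, wanted):
    """Mirror the loader's lookup: return (module, export) or None."""
    return table.get(wanted & MASK32)


def resolve_many(exports, hashes):
    """Resolve a list of hashes recovered from a sample; None marks unknowns."""
    table = build_hash_table(exports)
    return [resolve(table, h) for h in hashes]


if __name__ == "__main__":
    # Dump the table in the form you would paste into an IDA/Ghidra enum.
    for h, (mod, name) in sorted(build_hash_table(SAMPLE_EXPORTS).items()):
        print(f"0x{h:08x}  {mod}!{name}")
```

When the hash constants in a real sample differ (a different basis, prime, or finalizer multiplier), only fnv1a_32 and fmix32 need to change; the table-building and lookup logic stays the same.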
Configuration and Command-and-Control
The backdoor's configuration is embedded in the “BluetoothService” binary, RC4-encrypted under the key "qwhvb^435h&*7". Decrypted, it contains:
- A command-and-control (C2) endpoint at https://api.skycloudcenter[.]com/a/chat/s/70521ddf-aa2ef-4adf-9cf0-6d8e24aaa821
- A fabricated HTTP User-Agent string mimicking Chrome
At the time of analysis the domain resolved to 61[.]4[.]102[.]97 (Malaysia), though no follow-on C2 communications were confirmed.
Persistence and Execution Logic
Chrysalis reads its command-line arguments to pick an operating mode:
| Argument | Mode | Behavior |
|---|---|---|
| (none) | Installation | Establishes persistence via a service or registry entry |
| -i | Launcher | Spawns a new instance |
| -k | Payload | Skips the installation checks and runs the main backdoor logic |
The backdoor then creates a mutex (Global\Jdhfv_1.0.1) to ensure only one instance runs. It collects host metadata (hostname, username, OS version, installed AV) and hashes it into a unique identifier used in C2 traffic.
Behavioural Indicators and Network Patterns
Chrysalis talks to its C2 over HTTPS (port 443) using the Chrome-like User-Agent from its configuration. After the initial handshake, message bodies are RC4-encrypted and parsed for embedded command tags.
Observed command handlers include:
- Spawning a reverse shell
- Remote process execution
- File transfer (upload and download)
- File system enumeration
- Logical drive and directory information
- Self-removal
- Interactive shell bridging
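Both the embedded configuration and the C2 message bodies are RC4-encrypted. As an added example that is not part of the original research, the Python below implements RC4 from scratch, decrypts a configuration blob under the key reported in the configuration section ("qwhvb^435h&*7") and extracts the C2 URL and User-Agent. The config layout (NUL-separated fields) and the Chrome-like User-Agent string are assumptions, and the blob is constructed by encrypting our own plaintext, because the page does not describe the real structure; the rc4() routine itself is what you would reuse on captured C2 bodies once you know the key they use.

```python
# Added example (not Chrysalis's own code): RC4 decryption of the embedded
# configuration with the key the analysis reports, plus a field parser.
# ASSUMED layout: NUL-separated fields (C2 URL, then User-Agent); the real
# sample's layout must be recovered from the binary.

CONFIG_KEY = b"qwhvb^435h&*7"  # key reported in the analysis
C2_URL = "https://api.skycloudcenter[.]com/a/chat/s/70521ddf-aa2ef-4adf-9cf0-6d8e24aaa821"
# Constructed Chrome-like UA; the page only says the real one mimics Chrome.
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts;
    written out in full so the routine can be matched against disassembly."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pack_config(url: str, ua: str) -> bytes:
    """Build a blob in the assumed layout (used only to construct test data)."""
    return url.encode() + b"\x00" + ua.encode() + b"\x00"


def parse_config(plain: bytes) -> dict:
    """Split decrypted config into fields; reject output that does not look
    like the expected layout, which is how a wrong key shows up in practice."""
    fields = plain.split(b"\x00")
    if len(fields) < 2 or not fields[0].startswith(b"http"):
        raise ValueError("decrypted data does not match the assumed layout (wrong key?)")
    return {"c2": fields[0].decode(), "user_agent": fields[1].decode()}


def decrypt_config(blob: bytes, key: bytes = CONFIG_KEY) -> dict:
    """Decrypt an RC4-protected config blob and parse its fields."""
    return parse_config(rc4(key, blob))


# Constructed sample: encrypt our own plaintext so the example runs offline.
ENCRYPTED_CONFIG = rc4(CONFIG_KEY, pack_config(C2_URL, USER_AGENT))

if __name__ == "__main__":
    cfg = decrypt_config(ENCRYPTED_CONFIG)
    print("C2:", cfg["c2"])
    print("UA:", cfg["user_agent"])
```

Against a real sample, replace ENCRYPTED_CONFIG with the bytes carved from the “BluetoothService” file and adjust parse_config once the layout is known; the sanity check in parse_config is deliberately strict so that a wrong key or offset fails loudly rather than yielding garbage that looks like a URL.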
Malware Attribution and Additional Loaders
Beyond Chrysalis itself, the investigation uncovered several loader variants that deliver Cobalt Strike HTTPS beacons and other shellcode through simple custom binaries. These artifacts share:
- Overlapping public keys
- Distinctive shellcode encryption schemes
- Common C2 patterns
Taken together, these elements support moderate confidence that the Lotus Blossom APT is behind this campaign, which pairs the group's long-standing TTPs with rapidly adopted loader techniques.
Conclusion: A Maturing Threat Ecosystem
The Chrysalis backdoor reflects a marked evolution in Lotus Blossom's operational playbook. While the actor still relies on classic techniques such as DLL sideloading and shellcode loaders, the combination of advanced obfuscation, undocumented API use (e.g., Warbird loader techniques) and multi-layered persistence mechanisms shows a clear intent to evade modern detection and persist on compromised hosts.
Security teams should prioritize:
- Monitoring for unusual update installers launched by trusted tools (here, the Notepad++ updater fetching and running an installer from a bare IP address)
- Hunting for API-hashing patterns in executables
- Detecting non-standard network communications to obfuscated C2 endpoints
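To make the first recommendation concrete, here is added Python hunting logic (not Rapid7's detection content) run over a few constructed Sysmon-style events. One rule flags the Notepad++ updater (GUP.exe) downloading from a destination with no hostname (a bare IP, as with 95[.]179[.]213[.]0 in this intrusion) and then spawning an installer; the other flags a renamed signed binary in a user-writable directory loading an unsigned DLL from the same folder, the sideload pattern seen with BluetoothService.exe and log.dll. Field names follow Sysmon's ProcessCreate (1), NetworkConnect (3) and ImageLoad (7) events; the sample events, the paths and the OriginalFileName of the renamed host are placeholders, not real telemetry or PE metadata.

```python
# Added example (not Rapid7's detection content): hunting logic for the two
# observable stages described on this page, run over constructed Sysmon-style
# events (ProcessCreate=1, NetworkConnect=3, ImageLoad=7). Sample data is made up.
import ipaddress
import ntpath

NOTEPADPP_UPDATER = "gup.exe"
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def in_user_writable_dir(path: str) -> bool:
    """Rough test for a profile/temp location, where a sideload host should not live."""
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def detect_updater_abuse(events):
    """Rule 1: GUP.exe fetches from a destination with no hostname (a bare
    public IP) and then spawns a child process, i.e. an installer it fetched."""
    findings = []
    bare_ip_downloaders = {}  # ProcessGuid of GUP.exe -> destination IP
    for e in events:
        if e.get("EventID") != 3 or ntpath.basename(e["Image"]).lower() != NOTEPADPP_UPDATER:
            continue
        if e.get("DestinationHostname"):
            continue  # legitimate updates come from a named host
        try:
            ip = ipaddress.ip_address(e["DestinationIp"])
        except ValueError:
            continue
        if not ip.is_private and not ip.is_loopback:
            bare_ip_downloaders[e["ProcessGuid"]] = str(ip)
    for e in events:
        if e.get("EventID") == 1 and e.get("ParentProcessGuid") in bare_ip_downloaders:
            findings.append({"rule": "updater_bare_ip_then_spawn", "child": e["Image"],
                             "download_source": bare_ip_downloaders[e["ParentProcessGuid"]]})
    return findings


def detect_sideload(events):
    """Rule 2: a binary in a user-writable directory whose PE OriginalFileName
    differs from its on-disk name (a renamed signed host) loads an unsigned DLL
    from the same directory."""
    findings = []
    renamed_hosts = {}  # ProcessGuid -> image path
    for e in events:
        if e.get("EventID") != 1:
            continue
        image, orig = e["Image"], e.get("OriginalFileName", "")
        if in_user_writable_dir(image) and orig and orig.lower() != ntpath.basename(image).lower():
            renamed_hosts[e["ProcessGuid"]] = image
    for e in events:
        if e.get("EventID") != 7 or e.get("ProcessGuid") not in renamed_hosts:
            continue
        host, dll = renamed_hosts[e["ProcessGuid"]], e["ImageLoaded"]
        same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(host).lower()
        if same_dir and str(e.get("Signed", "")).lower() == "false":
            findings.append({"rule": "renamed_host_sideloads_unsigned_dll", "host": host, "dll": dll})
    return findings


def hunt(events):
    """Run both rules and return the combined findings."""
    return detect_updater_abuse(events) + detect_sideload(events)


GUP = "C:\\Program Files\\Notepad++\\updater\\GUP.exe"
BT_DIR = "C:\\Users\\alice\\AppData\\Roaming\\Bluetooth\\"
SAMPLE_EVENTS = [  # constructed telemetry, not from the incident
    # Benign: updater talks to a named host and runs the official installer from %TEMP%.
    {"EventID": 3, "Image": GUP, "ProcessGuid": "{G1}", "DestinationIp": "203.0.113.10",
     "DestinationHostname": "notepad-plus-plus.org"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\npp.Installer.exe",
     "OriginalFileName": "npp.Installer.exe", "ProcessGuid": "{G2}", "ParentProcessGuid": "{G1}"},
    # Malicious: updater fetches from a bare IP, then runs update.exe (the NSIS dropper).
    {"EventID": 3, "Image": GUP, "ProcessGuid": "{G3}", "DestinationIp": "95.179.213.0",
     "DestinationHostname": ""},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "OriginalFileName": "", "ProcessGuid": "{G4}", "ParentProcessGuid": "{G3}"},
    # Malicious: renamed signed host in %AppData%\Bluetooth loads unsigned log.dll beside it.
    # OriginalFileName here is a placeholder, not the real Bitdefender PE metadata.
    {"EventID": 1, "Image": BT_DIR + "BluetoothService.exe", "OriginalFileName": "SubmissionWizard.exe",
     "ProcessGuid": "{G5}", "ParentProcessGuid": "{G4}"},
    {"EventID": 7, "Image": BT_DIR + "BluetoothService.exe", "ProcessGuid": "{G5}",
     "ImageLoaded": BT_DIR + "log.dll", "Signed": "false"},
    {"EventID": 7, "Image": BT_DIR + "BluetoothService.exe", "ProcessGuid": "{G5}",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The benign update in the sample produces no finding because the updater's download had a resolvable hostname, which is the distinction that matters here: Notepad++'s updater legitimately drops and runs installers from %TEMP%, so a rule on that alone would be noisy. The OriginalFileName mismatch in rule 2 is a cheap way to catch renamed signed binaries used as sideload hosts without maintaining a list of known abusable executables.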
