
Introduction: When Trusted Software Becomes a Weapon
Supply chain attacks remain one of the most dangerous threat vectors in modern cybersecurity, precisely because they exploit trust. In a newly uncovered campaign, researchers revealed that Notepad++, one of the world’s most widely used text editors, was leveraged as an entry point for a sophisticated espionage operation. The attack was attributed to Lotus Blossom, a Chinese advanced persistent threat (APT) group active since at least 2009.
By compromising the application’s distribution mechanism, attackers delivered a previously undocumented backdoor named Chrysalis, demonstrating a high level of operational maturity, stealth, and long-term intelligence-gathering intent.
Summary of the Original Findings
The investigation uncovered a carefully engineered supply chain compromise that reached Notepad++ users through its update mechanism. Initial execution activity was traced to the IP address 95.179.213.0; both notepad++.exe and the updater GUP.exe were observed triggering the download of a trojanized update.exe. This malicious installer, built with NSIS, dropped a renamed Bitdefender Submission Wizard binary into a hidden %AppData%\Bluetooth directory.
That renamed executable then sideloaded a malicious log.dll, which decrypted and launched the Chrysalis backdoor. Chrysalis relies on custom cryptographic routines that combine linear congruential generators with FNV-1a hashing and MurmurHash finalization, making static analysis and detection more difficult.
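For analysts working a sample like this, the usual counter to API hashing is to compute the same hash over a list of known export names and label the constants found in the binary. The block below is an added illustration, not code from the cyberpress/Undercode report or from the malware: the report names the building blocks (an LCG, FNV-1a, a MurmurHash finalizer) but not the constants or their order, so this assumes the standard 32-bit FNV-1a followed by the MurmurHash3 fmix32 finalizer, and uses a small constructed list of candidate export names.

```python
"""Build a lookup table for hashed Windows API names.

Added illustration, not code from the report. The exact constants and
composition used by Chrysalis are not given on the page; this assumes
standard 32-bit FNV-1a followed by the MurmurHash3 fmix32 finalizer.
An analyst swaps in the constants recovered from the sample.
"""
from typing import Dict, Iterable, Optional

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193
MASK32 = 0xFFFFFFFF


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a over raw bytes."""
    h = FNV_OFFSET_32
    for b in data:
        h = ((h ^ b) * FNV_PRIME_32) & MASK32
    return h


def fmix32(h: int) -> int:
    """MurmurHash3 32-bit finalization mix (the avalanche step)."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def api_hash(name: str) -> int:
    """Assumed composition: FNV-1a of the ASCII export name, then fmix32."""
    return fmix32(fnv1a32(name.encode("ascii")))


# Constructed candidate list. A real run loads the export tables dumped
# from kernel32.dll, ntdll.dll, winhttp.dll, ws2_32.dll and friends.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateRemoteThread", "NtQuerySystemInformation", "WinHttpOpen",
    "WinHttpSendRequest", "CreateProcessA", "DeleteFileA",
]


def build_table(names: Iterable[str] = CANDIDATE_EXPORTS) -> Dict[int, str]:
    """Precompute hash -> name for every candidate export."""
    return {api_hash(n): n for n in names}


def resolve(hashes: Iterable[int],
            table: Optional[Dict[int, str]] = None) -> Dict[int, Optional[str]]:
    """Map each hashed constant pulled from the binary to an API name,
    or None when no candidate matches (extend the candidate list)."""
    if table is None:
        table = build_table()
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    unknown = 0xDEADBEEF  # constructed: a constant with no candidate match
    sample = [api_hash("VirtualAlloc"), api_hash("WinHttpOpen"), unknown]
    for h, name in resolve(sample).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

The table-driven approach scales to every export of every system DLL; if the sample seeds the hash from an LCG output, that seed replaces FNV_OFFSET_32 and nothing else changes.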
Once active, Chrysalis provided attackers with an extensive set of capabilities, including remote command execution, interactive reverse shells, full file manipulation, drive enumeration, file transfers, persistence creation, and self-removal. Encrypted configuration data revealed a command-and-control endpoint designed to imitate DeepSeek-style API traffic, hosted at api.skycloudcenter.com and resolving to a Malaysian IP address (61.4.102.97). Communication used standard browser user agents to blend into legitimate network traffic.
Further analysis uncovered a secondary loader, ConsoleApplication2.exe, abusing Microsoft’s undocumented Warbird code protection framework. By invoking NtQuerySystemInformation with the SystemCodeFlowTransition parameter, the loader executed embedded Metasploit shellcode inside Microsoft-signed binary memory. This technique enabled the delivery of Cobalt Strike beacons from api.wiresguard.com, expanding attacker control.
Researchers also identified the use of a renamed Tiny C Compiler, which dynamically compiled malicious C source code from conf.c. The payload decrypted itself using rolling XOR routines before communicating with Cobalt Strike HTTPS endpoints. Attribution to Lotus Blossom was supported by overlaps in tooling, DLL sideloading techniques, and infrastructure reuse observed in previous campaigns.
What Undercode Says:
This campaign is a textbook example of how modern APT groups are refining supply chain attacks into precision espionage tools rather than blunt mass-compromise operations. The choice of Notepad++ is strategic: it is widely trusted, commonly installed by developers, system administrators, and security researchers, and often whitelisted in enterprise environments.
Chrysalis itself reflects a hybrid philosophy. On one hand, it is highly custom, using bespoke cryptographic routines, API hashing, and layered obfuscation. On the other, it seamlessly integrates commodity frameworks like Cobalt Strike, allowing attackers to rapidly scale post-exploitation without reinventing tooling. This blend reduces development costs while maintaining stealth and flexibility.
The abuse of Microsoft’s Warbird framework is particularly notable. Leveraging undocumented or rarely monitored Windows internals signals deep platform knowledge and suggests attackers actively track public security research and reverse-engineering disclosures. By executing shellcode within Microsoft-signed binaries, the attackers effectively hide in plain sight, bypassing trust-based security controls.
Equally concerning is the deliberate traffic masquerading strategy. By shaping C2 communications to resemble legitimate AI API traffic, the attackers anticipate modern network environments where AI-related endpoints are increasingly common and less scrutinized. This is a forward-looking evasion technique aligned with current enterprise trends.
From a defensive standpoint, this campaign underscores the limitations of signature-based detection. Hashes, filenames, and even known Cobalt Strike indicators are insufficient when attackers rotate loaders, reuse public frameworks, and continuously modify infrastructure. Behavioral monitoring, anomaly detection around update mechanisms, and scrutiny of unexpected hidden directories in %AppData% become far more critical.
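The three behavioral signals named above (an updater reaching an unexpected host, C2 shaped like AI API traffic, and a hidden %AppData% directory laid out for DLL sideloading) can be expressed as simple checks over endpoint and proxy telemetry. The block below is an added example, not code from the report or from the Notepad++ project. The event record layout and the baseline events are constructed; the IP, domains and file names flagged come from the report; the Notepad++ update domain and the allowlist of legitimate AI API providers are assumptions to adapt per environment.

```python
"""Behavioral checks for the Notepad++/Chrysalis tradecraft.

Added example over constructed telemetry, not code from the report.
Assumptions: GUP.exe only legitimately talks to notepad-plus-plus.org;
the AI-provider allowlist lists the APIs the organisation actually uses.
"""
import re
from dataclasses import dataclass, field
from typing import List

NPP_UPDATE_HOSTS = {"notepad-plus-plus.org"}          # assumption
AI_PROVIDER_HOSTS = {"api.openai.com", "api.deepseek.com"}  # assumption
# Request paths shaped like LLM chat/completion API calls.
AI_API_PATH = re.compile(r"^/v\d+/(chat/)?completions", re.I)
BROWSER_UA = re.compile(r"Mozilla/5\.0")
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)   # %AppData% expands here


@dataclass
class NetEvent:
    process: str
    dest_host: str
    path: str = "/"
    user_agent: str = ""


@dataclass
class DirEvent:
    path: str
    hidden: bool
    files: List[str] = field(default_factory=list)


def check_updater(ev: NetEvent) -> List[str]:
    """Notepad++ updater contacting a host outside the known update domain."""
    if ev.process.lower() != "gup.exe":
        return []
    host = ev.dest_host.lower()
    if any(host == h or host.endswith("." + h) for h in NPP_UPDATE_HOSTS):
        return []
    return [f"updater-anomaly: GUP.exe contacted {ev.dest_host}"]


def check_ai_api_mimicry(ev: NetEvent) -> List[str]:
    """LLM-API-shaped request to a host that is not a known provider.
    A browser user agent on such a path is extra suspicious: SDKs send
    their own UA, and browsers do not POST to completion endpoints."""
    if not AI_API_PATH.match(ev.path):
        return []
    if ev.dest_host.lower() in AI_PROVIDER_HOSTS:
        return []
    why = "unknown AI-API host"
    if BROWSER_UA.search(ev.user_agent):
        why += " with browser user agent"
    return [f"c2-mimicry: {ev.process} -> {ev.dest_host}{ev.path} ({why})"]


def check_hidden_sideload_dir(ev: DirEvent) -> List[str]:
    """Hidden directory under %AppData% holding an exe/dll pair, the
    sideloading layout the report describes (%AppData%\\Bluetooth, log.dll)."""
    if not (ev.hidden and APPDATA_RE.search(ev.path)):
        return []
    names = [f.lower() for f in ev.files]
    exes = [f for f in names if f.endswith(".exe")]
    dlls = [f for f in names if f.endswith(".dll")]
    if exes and dlls:
        return [f"sideload-layout: hidden {ev.path} contains {exes} + {dlls}"]
    return []


def run_checks(net_events, dir_events) -> List[str]:
    alerts: List[str] = []
    for ev in net_events:
        alerts += check_updater(ev) + check_ai_api_mimicry(ev)
    for ev in dir_events:
        alerts += check_hidden_sideload_dir(ev)
    return alerts


# Constructed sample telemetry. 95.179.213.0, api.skycloudcenter.com, the
# Bluetooth directory and log.dll come from the report; "sideloaded.exe" is
# a placeholder because the report does not name the renamed binary.
SAMPLE_NET = [
    NetEvent("GUP.exe", "notepad-plus-plus.org", "/update/"),
    NetEvent("GUP.exe", "95.179.213.0", "/update.exe"),
    NetEvent("python.exe", "api.openai.com", "/v1/chat/completions", "OpenAI/Python"),
    NetEvent("sideloaded.exe", "api.skycloudcenter.com", "/v1/chat/completions",
             "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]
SAMPLE_DIRS = [
    DirEvent(r"C:\Users\alice\AppData\Roaming\Code", hidden=False, files=["settings.json"]),
    DirEvent(r"C:\Users\alice\AppData\Roaming\Bluetooth", hidden=True,
             files=["sideloaded.exe", "log.dll"]),
]

if __name__ == "__main__":
    for line in run_checks(SAMPLE_NET, SAMPLE_DIRS):
        print(line)
```

Each check keys on behaviour rather than a hash or filename, so it survives a rotated loader or a new C2 domain; the price is the allowlists, which have to be maintained as the organisation's real update and AI-API traffic changes.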
Ultimately, the Chrysalis operation reflects Lotus Blossom’s evolution from traditional espionage tooling toward a modular, research-driven tradecraft model. It is not just an attack on a single application, but a warning about how deeply trusted software ecosystems can be subverted when update chains are compromised.
Fact Checker Results
✅ The described attack techniques align with documented APT supply chain compromise patterns.
✅ Tooling overlap and infrastructure reuse strongly support attribution to Lotus Blossom.
❌ Public confirmation of a direct breach in Notepad++’s official infrastructure remains limited.
Prediction
🔮 Supply chain attacks will increasingly target developer tools and utilities rather than end-user software.
🔮 APT groups will continue mimicking AI and cloud API traffic to evade network detection.
🔮 Defensive strategies will shift toward behavioral analytics over static indicators as custom malware blends with commodity frameworks.
References:
Reported By: cyberpress.org