The Chrysalis Backdoor and the Notepad++ Supply Chain Hijack
April 6, 2026
Anatomy of an Attack
Espionage Group Hijacks Trusted Infrastructure to Deploy Custom Backdoors
Lotus Blossom, a Chinese state-sponsored threat group, compromised the Notepad++ update infrastructure between June and December 2025 after gaining unauthorized access to the shared hosting provider used by the project. This supply chain attack primarily targeted government, telecommunications, and aviation organizations across Southeast Asia, South America, Europe, and the United States.
Rather than tampering with every download, Lotus Blossom selectively redirected update requests from specific targets to servers it controlled. Those servers staged a malicious file named update[.]exe that deployed Chrysalis, a previously undocumented custom backdoor. Abusing a trusted update mechanism let the group pass through standard perimeter defenses and establish long-term persistence in victim networks.
Initial Access: Exploiting Trusted Channels
At this time, it is unknown how Lotus Blossom first gained a foothold in the infrastructure of Notepad++'s shared hosting provider. What is known is that the group controlled the software distribution path well enough to abuse the application's trusted update process: update requests from selected targets were redirected to 95[.]179[.]213[.]0, a server under the threat actor's control, and the victim machine then downloaded a malicious NSIS installer named update[.]exe. The legitimate notepad++[.]exe and its updater, GUP[.]exe, were not modified; the hijack happened on the server side, in the redirection of the update request itself.
To the user the file looked like a routine software update, but it was a custom installer built to drop the initial payload onto the target system. The technique is effective because it rides on the trust that both users and security controls place in legitimate update traffic. The check that defeats it is the one an updater should perform anyway: verify the downloaded installer's Authenticode signature and expected publisher before executing it, rather than trusting the channel it arrived over.
Execution: Bypassing Perimeter Defenses
Once run, the installer dropped three files into a hidden directory: BluetoothService[.]exe, a renamed copy of a legitimate, digitally signed Bitdefender utility; log[.]dll, the malicious loader; and BluetoothService, a file of encrypted shellcode. Lotus Blossom then relied on DLL side-loading: when the signed Bitdefender executable started, it loaded log[.]dll from its own directory, so the attacker's code ran under the identity of a signed process. The DLL exposed two export functions, LogInit and LogWrite, which the host executable called; between them they read the encrypted BluetoothService file, decrypt it, and execute the Chrysalis backdoor in memory. The signature on BluetoothService[.]exe covers only that executable, not the DLLs it resolves at load time, which is why a signed host process is no guarantee that what runs inside it is trusted.
Chrysalis: A Tool for Long-Term Espionage
The Chrysalis backdoor is an espionage tool designed for long-term operational stealth. It achieves persistence and evasion through several sophisticated tactics:
- Sideloading for Concealment: Chrysalis runs inside a legitimate, digitally signed application (here the renamed Bitdefender executable) rather than as a process of its own. Conventional controls that key on the process image and its signer see a trusted, signed binary.
- Custom Encryption: The backdoor keeps its payload and internals under custom encryption. This slows reverse engineering and hinders the creation of simple static detection signatures.
- Living off the Land (LotL) Tactic: Lotus Blossom ran its code through a trusted, digitally signed utility so that malicious activity resembles legitimate process behavior. Note that the utility was dropped by the attacker, not already present on the host, so allow-listing by publisher or signature alone does not stop this pattern.
- Memory-Only Execution: Chrysalis uses dedicated subroutines and custom encryption to decrypt and execute its code directly in memory, so the decrypted backdoor never touches disk and traditional antivirus has little to scan.
Communication and Target Identification
The backdoor establishes a command-and-control channel to api[.]skycloudcenter[.]com, hosted at 61[.]4[.]102[.]97. To blend in with network monitoring, its traffic mimics the structure of legitimate AI chat services such as DeepSeek, so the requests resemble ordinary API calls. Once connected, Chrysalis fingerprints the victim by collecting the computer name, user account details, and installed antivirus software, encrypts this profile, and sends it to the Lotus Blossom-controlled server, which lets the operators confirm the target and assess its current security defenses.
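Both network-visible stages of the intrusion, the redirected update download described under Initial Access and the AI-chat-shaped C2 channel described here, can be hunted in the same HTTP transaction records, whether they come from a proxy log or an NDR export. The script below is an added example, not code from the original post or from ExtraHop; the IP and host indicators come from the text, while the record layout, the list of legitimate update origins, the list of real AI API hosts, and the assumed OpenAI-compatible request shape (POST to a /chat/completions path with a JSON body carrying model and messages) are assumptions for the example, since the text does not describe the exact structure Chrysalis imitates.

```python
"""Scan HTTP transaction records for the redirected Notepad++ update download
and for C2 traffic shaped like an AI chat API. Added example; see the lead-in
for which parts are indicators from the write-up and which are assumptions."""
import ipaddress
import json
import posixpath

# Infrastructure named in the write-up (written here without defanging so the
# lookups work). Campaign-specific, not a complete indicator set.
IOC_IPS = {"95.179.213.0", "61.4.102.97"}
IOC_HOSTS = {"api.skycloudcenter.com"}
# Assumed list of origins a genuine Notepad++ update may be fetched from;
# verify against the project's current download hosts before deploying.
UPDATE_ORIGINS = {"notepad-plus-plus.org", "github.com", "objects.githubusercontent.com"}
# Assumed list of hosts that legitimately serve an OpenAI-style chat API.
AI_API_HOSTS = {"api.deepseek.com", "api.openai.com"}

IOC_HIT = "known Lotus Blossom infrastructure (IP or host indicator)"
EXE_FROM_IP = "executable downloaded from a bare-IP host"
UPDATE_OFF_ORIGIN = "update.exe fetched from a host outside the expected update origins"
CHAT_MIMICRY = "chat-completions-shaped POST to a host outside the allowed AI API list (possible C2 mimicry)"


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_chat_completion(tx):
    """True when the request has the assumed shape of an OpenAI-compatible chat
    call: POST to a path ending in /chat/completions with a JSON object body
    carrying 'model' and 'messages'."""
    if tx["method"] != "POST" or not tx["path"].lower().endswith("/chat/completions"):
        return False
    try:
        body = json.loads(tx.get("body") or "")
    except ValueError:
        return False
    return isinstance(body, dict) and "model" in body and "messages" in body


def check(tx):
    """Return the list of findings for one transaction (empty if clean)."""
    host = tx["host"].lower()
    findings = []
    if tx["server_ip"] in IOC_IPS or host in IOC_HOSTS:
        findings.append(IOC_HIT)
    if tx["method"] == "GET" and tx["path"].lower().endswith(".exe"):
        if is_ip_literal(host):
            findings.append(EXE_FROM_IP)
        elif posixpath.basename(tx["path"]).lower() == "update.exe" and host not in UPDATE_ORIGINS:
            findings.append(UPDATE_OFF_ORIGIN)
    if looks_like_chat_completion(tx) and host not in AI_API_HOSTS:
        findings.append(CHAT_MIMICRY)
    return findings


def scan(transactions):
    """Map transaction index -> findings, for the transactions that produced any."""
    return {i: f for i, tx in enumerate(transactions) if (f := check(tx))}


CHAT_BODY = json.dumps({"model": "deepseek-chat", "messages": [{"role": "user", "content": "hi"}]})

# Constructed transactions: 0 and 2 model the campaign stages, 1 and 3 are
# benign, 4 is a private OpenAI-compatible service that needs triage.
SAMPLE_TRANSACTIONS = [
    {"client_ip": "10.1.2.3", "server_ip": "95.179.213.0", "host": "95.179.213.0",
     "method": "GET", "path": "/update.exe"},
    {"client_ip": "10.1.2.3", "server_ip": "203.0.113.10", "host": "notepad-plus-plus.org",
     "method": "GET", "path": "/downloads/npp.Installer.exe"},
    {"client_ip": "10.1.2.3", "server_ip": "61.4.102.97", "host": "api.skycloudcenter.com",
     "method": "POST", "path": "/v1/chat/completions", "body": CHAT_BODY},
    {"client_ip": "10.1.2.4", "server_ip": "203.0.113.20", "host": "api.deepseek.com",
     "method": "POST", "path": "/chat/completions", "body": CHAT_BODY},
    {"client_ip": "10.1.2.5", "server_ip": "10.0.0.5", "host": "llm.internal.example",
     "method": "POST", "path": "/v1/chat/completions", "body": CHAT_BODY},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_TRANSACTIONS).items():
        tx = SAMPLE_TRANSACTIONS[idx]
        print(f"[{idx}] {tx['method']} {tx['host']}{tx['path']} -> {'; '.join(findings)}")
```

The indicator match is the least durable rule here; the actor will move infrastructure. The two behavioural rules are what survive: an executable download from a bare IP, or an update.exe from anywhere but the project's own origins, and an LLM-API-shaped POST to a host that is not a known AI provider. The last one will also fire on legitimate self-hosted models, as transaction 4 shows, so it belongs in a watchlist that feeds triage rather than in a blocking rule.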
Chrysalis Capabilities
Chrysalis gives its operators full control over the compromised host. It implements at least 16 commands, including file upload and download, an interactive reverse shell, process creation, and host enumeration. It also carries a self-cleanup routine: if the operators suspect discovery, they can issue a command that removes the backdoor's traces from the Windows registry and deletes the malicious files. For responders this means a host examined after the fact may show only remnants, so evidence should also be drawn from network records and endpoint telemetry captured before cleanup rather than from the live file system alone.
MITRE ATT&CK Mappings
Security vendors such as Rapid7, Unit 42, and Symantec describe Chrysalis' tactics, techniques, and procedures (TTPs) somewhat differently, because each works from the telemetry its own tools collect. The TTP table below maps Rapid7's Chrysalis observations to ExtraHop detections.
CHRYSALIS TTP TABLE
Network Detection: RevealX NDR Capabilities for Chrysalis
ExtraHop RevealX provides a definitive, real-time view across the entire attack surface by analyzing the one source of truth that attackers cannot hide from: the network.
- Continuous Network Visibility at Scale: RevealX monitors all East-West and North-South network traffic at speeds up to 100 Gbps, providing a persistent, real-time record essential for identifying malicious updates on critical infrastructure, such as shared hosting servers and legacy distribution points, where EDR agents cannot be installed or are frequently tampered with.
- Line-Rate Decryption of Malicious Payloads: By decrypting more than 90 protocols at line rate, RevealX keeps deep visibility into the application layer, including encrypted sessions in which a backdoor such as Chrysalis shapes its command-and-control traffic to look like a legitimate API.
- Identifying Anomalous Behaviors via ML: RevealX utilizes advanced machine learning to establish a granular baseline of "normal" device behavior across the enterprise. This allows the system to flag subtle deviations that signal a breach, such as unusual interactive traffic from external endpoints or protocol tunneling used by the Chrysalis backdoor to exfiltrate data.
- Strategic Response and Forensics: Beyond detection, the platform provides the packet-level evidence needed for rapid incident response. In a supply-chain hijack like this one, analysts can establish when a WinGup (GUP[.]exe) update check was redirected and identify every downstream asset that pulled the malicious update[.]exe payload.
- ExtraHop's Query Language (EQL): EQL is the custom query language for searching within RevealX. It lets analysts hunt for specific attacker behaviors by correlating network attributes such as unusual URI patterns or specific TLS fingerprints, and turn raw network traffic into custom watchlists or complex queries that surface threats across the environment, including activity tied to the Lotus Blossom campaign and the Chrysalis backdoor.
Conclusion
The threat actor behind this campaign is a Chinese state-sponsored espionage unit with a lineage of activity spanning over a decade. Tracked as Lotus Blossom, they utilize sophisticated infrastructure-level hijacks to bypass traditional security. By hijacking the Notepad++ update delivery mechanism, they delivered the Chrysalis Backdoor payload to high-value targets, allowing them to gain full control of the compromised host.
To counter such sophisticated supply-chain attacks, organizations should deploy an NDR-led strategy that prioritizes network ground truth. ExtraHop RevealX NDR delivers the continuous visibility, line-rate decryption, and machine-learning-based behavior analysis necessary to expose attackers who successfully bypass traditional endpoint and log-based defenses.
Links to Primary Cited Reference on Chrysalis: Rapid7
- Rapid7 Primary Technical Analysis: The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s Toolkit
- Rapid7 Continued Analysis: https://www.rapid7.com/blog/post/tr-chrysalis-notepad-supply-chain-risk-next-steps/
Links to Additional References on Chrysalis
- Notepad++ Official Incident Report: Notepad++ Hijacked by State-Sponsored Hackers
- Unit 42 Technical Breakdown: Panda Groups and the Evolution of Chinese Espionage
- The Hacker News Attribution: China-linked Lotus Blossom Targets Notepad++ Infrastructure
- Intertec Systems Disclosure: Notepad++ Supply-Chain Attack Analysis
Please note that this blog is provided for informational purposes only. As adversary TTPs evolve rapidly, this data may be incomplete, outdated, or contain inaccuracies.
ExtraHop Can Help - Learn More
The network provides a strong vantage point for stopping modern sleeper threats. ExtraHop NDR provides the comprehensive security intelligence that legacy tools miss, offering the clarity required to surface threats hidden in east-west traffic. Organizations can gain a critical advantage by seeing how ExtraHop NDR protects their security teams.
Ready to see how ExtraHop NDR gives your security team the critical advantage?
- Request a Personalized Demo: This demonstration shows how ExtraHop detects the specific TTPs that threat actors like Lotus Blossom might use.
- Run a Security Assessment: An NDR assessment challenges the visibility of a current security stack.
Visit our request page to schedule your personalized demo and security assessment.
Product Marketing Team
Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman’s domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandbox, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), Network detection and response (NDR), and encryption.