In an intricate espionage operation linked to the Chinese Advanced Persistent Threat (APT) group Lotus Blossom (commonly referred to as Billbug), the attackers breached infrastructure supporting the well-known text editor Notepad++ to install a tailored, previously undocumented backdoor termed “Chrysalis”.
This operation, uncovered by Rapid7 analyst Ivan Feigl, predominantly targets entities within the governmental, telecommunications, aviation, and critical infrastructure domains across Southeast Asia and Central America.
The investigation began with a security event involving the execution of a malicious file named update[.]exe, which had been downloaded from a suspicious IP address (95.179.213[.]0) following the legitimate execution of notepad++[.]exe and GUP[.]exe (the generic updater for Notepad++).
Forensic analysis showed that update[.]exe is an NSIS installer, a packaging tool frequently abused by Chinese APTs for initial payload delivery.

Upon execution, the installer establishes a concealed directory in the %AppData% folder labeled “Bluetooth” and places multiple files, including BluetoothService.exe and log.dll.
The executable BluetoothService.exe is in fact a renamed, legitimate Bitdefender Submission Wizard binary. The attackers abuse this legitimate file for DLL sideloading, causing it to load the malicious log.dll in place of the genuine library.
The Chrysalis Backdoor
Once activated, log.dll decrypts and launches a shellcode payload for the Chrysalis backdoor. As Rapid7 observed, this malware is an advanced, feature-rich implant intended for sustained presence rather than simple “smash-and-grab” tactics.
Chrysalis utilizes several advanced obfuscation methods:
- Custom Encryption: It employs a linear congruential generator for decryption instead of conventional cryptographic APIs, making it harder for automated systems to detect.
- API Hashing: The malware resolves the Windows APIs it needs with a custom hashing algorithm (FNV-1a paired with a MurmurHash-style finalizer) to evade static analysis and antivirus detection.
- C2 Communication: The backdoor talks to its Command and Control (C2) server (api.skycloudcenter.com) over HTTPS. Significantly, the C2 URL structure imitates the Deepseek API endpoints (e.g., /a/chat/s/{GUID}), likely an effort to blend in with legitimate AI-related network traffic.
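The API-hashing scheme described above is the kind of thing an analyst rebuilds first, so that hash constants pulled out of a sample can be mapped back to export names. The following is an added example, not Rapid7's or the malware's code; the exact constants Chrysalis uses are not given in the article, so standard 32-bit FNV-1a and the MurmurHash3 fmix32 finalizer are assumed as stand-ins, and the export list is a constructed seed.

```python
"""Resolve FNV-1a + MurmurHash-style API hashes back to Windows export names.

Assumption: the real sample's constants are unknown here; standard FNV-1a
(32-bit) and the MurmurHash3 fmix32 finalizer are used as placeholders and
should be replaced with the values recovered during reversing.
"""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def fnv1a32(name: str) -> int:
    """Standard 32-bit FNV-1a over the ASCII bytes of an export name."""
    h = 0x811C9DC5
    for b in name.encode("ascii"):
        h ^= b
        h = (h * 0x01000193) & MASK32
    return h


def fmix32(h: int) -> int:
    """MurmurHash3 32-bit finalizer (avalanche step); assumed stand-in."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def api_hash(name: str) -> int:
    """Hash an API name as the article describes: FNV-1a, then a finalizer."""
    return fmix32(fnv1a32(name))


# Constructed seed list; a real run enumerates every export of the DLLs of interest.
SEED_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateProcessA", "WriteFile", "ReadFile", "DeleteFileA",
    "NtQuerySystemInformation",
]


def build_table(names: Iterable[str] = SEED_EXPORTS) -> Dict[int, str]:
    """Precompute hash -> name so constants found in the binary resolve instantly."""
    return {api_hash(n): n for n in names}


def resolve(h: int, table: Optional[Dict[int, str]] = None) -> Optional[str]:
    """Map a 32-bit hash constant to an export name, or None if it is not in the table."""
    table = table if table is not None else build_table()
    return table.get(h & MASK32)


if __name__ == "__main__":
    tbl = build_table()
    for n in ("LoadLibraryA", "VirtualAlloc"):
        print(f"{api_hash(n):#010x} -> {resolve(api_hash(n), tbl)}")
```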
Chrysalis is highly adaptable, supporting 16 distinct commands dispatched by a switch statement in the code. Notable functionalities include:
- Interactive Shell: Spawning a fully interactive reverse shell via cmd.exe (switch 4T).
- File Operations: Reading, writing, and deleting files, as well as enumerating directory contents (switches 4W, 4X, 4Y).
- Process Execution: Launching remote processes (switch 4V).
- Self-Removal: A “cleanup” mode that eliminates persistence artifacts and removes the malware from disk (switch 4).
Advanced Loading with Microsoft Warbird
In addition to Chrysalis, researchers identified a loader variant (ConsoleApplication2.exe) that utilizes Microsoft Warbird, a sophisticated code protection framework, to conceal its execution flow.
This loader misuses the NtQuerySystemInformation system call with the undocumented SystemCodeFlowTransition (0xB9) class.
By transferring encrypted data into the memory of a Microsoft-signed binary (clipc.dll) and invoking this particular system call, the loader activates the Warbird mechanism to decrypt and execute the shellcode in the kernel context.
This method effectively circumvents user-mode hooks and standard EDR surveillance, signifying a notable advancement in Billbug’s strategies.
The operation is attributed to Lotus Blossom with moderate confidence, based on the specific use of the Bitdefender sideloading technique and on shared cryptographic keys observed in the Cobalt Strike beacons deployed alongside Chrysalis.
Indicators of Compromise (IoCs)
Below are the Indicators of Compromise (IoCs) and MITRE ATT&CK TTPs linked to the Lotus Blossom operation and the Chrysalis backdoor.
File Indicators
| File Name | SHA-256 Hash | Description |
|---|---|---|
| update.exe | a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9 | Malicious NSIS installer used for initial payload delivery |
| [NSIS.nsi] | 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e | Extracted NSIS installation script |
| BluetoothService.exe | 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924 | Renamed Bitdefender Submission Wizard (legitimate binary) |
| BluetoothService | 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e | Encrypted shellcode file |
| log.dll | 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad | Malicious DLL sideloaded by BluetoothService.exe |
| u.bat | 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600 | Temporary batch file used for self-deletion/cleanup |
| conf.c | f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a | C source file holding shellcode bytes (Metasploit block API) |
| libtcc.dll | 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906 | Tiny C Compiler library, used to compile/run conf.c |
| admin | 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd | File fetched from api.wiresguard.com, containing second-stage shellcode |
| loader1 | 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd | Variant loader sample found in public repositories |
| uffhxpSy | 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8 | Shellcode associated with Loader 1 |
| loader2 | e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda | Variant loader sample found in public repositories |
| 3yzr31vk | 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5 | Shellcode associated with Loader 2 |
| ConsoleApplication2.exe | b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3 | Loader 3; uses Microsoft Warbird for shellcode execution |
| system | 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd | Shellcode associated with ConsoleApplication2.exe |
| s047t5g.exe | fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a | Loader 4; variant sample sharing shellcode with Loader 3 |
Network Indicators
| Indicator | Type | Context |
|---|---|---|
| 95.179.213.0 | IP Address | Host for update.exe download |
| api.skycloudcenter.com | Domain | Chrysalis Backdoor C2 |
| api.wiresguard.com | Domain | Cobalt Strike Beacon C2 |
| 61.4.102.97 | IP Address | Resolution for api.skycloudcenter.com (Malaysia) |
| 59.110.7.32 | IP Address | C2 IP associated with Loader 1 |
| 124.222.137.114 | IP Address | C2 IP associated with Loader 2 |
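The network indicators above and the Deepseek-style C2 path described earlier can be turned into a simple proxy-log check. The following is an added example, not part of the article or Rapid7's tooling; it assumes {GUID} means a standard 8-4-4-4-12 hex GUID, assumes api.deepseek.com is the legitimate Deepseek API host, and runs over constructed "timestamp host path" log lines.

```python
"""Flag proxy requests that match the Chrysalis C2 pattern.

Two checks: (1) the host is one of the article's C2 domains; (2) the path has
the Deepseek-like /a/chat/s/{GUID} shape but the host is not Deepseek's API
(assumed to be api.deepseek.com), which is the blending-in trick described.
"""
import re
from typing import List, Tuple

# Domains taken from the article's network indicators.
KNOWN_C2 = {"api.skycloudcenter.com", "api.wiresguard.com"}
# Assumed legitimate host for the API whose path shape the backdoor imitates.
LEGIT_AI_HOSTS = {"api.deepseek.com"}
# Assumed GUID layout: 8-4-4-4-12 hex groups.
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
DEEPSEEK_LIKE_PATH = re.compile(rf"^/a/chat/s/{GUID}$")


def classify(host: str, path: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one request; verdict is ok/suspect/alert."""
    host = host.lower()
    if host in KNOWN_C2:
        return "alert", "host matches Chrysalis/Cobalt Strike C2 indicator"
    if DEEPSEEK_LIKE_PATH.match(path) and host not in LEGIT_AI_HOSTS:
        return "suspect", "Deepseek-style chat path sent to a non-Deepseek host"
    return "ok", ""


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'timestamp host path' lines and return only the flagged requests."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; a production parser would count these
        _ts, host, path = parts
        verdict, reason = classify(host, path)
        if verdict != "ok":
            hits.append((verdict, host, reason))
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z api.deepseek.com /a/chat/s/0f8fad5b-d9cb-469f-a165-70867728950e",
    "2025-01-01T10:00:05Z api.skycloudcenter.com /a/chat/s/0f8fad5b-d9cb-469f-a165-70867728950e",
    "2025-01-01T10:00:09Z cdn.example.net /a/chat/s/7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "2025-01-01T10:00:12Z www.example.com /index.html",
]

if __name__ == "__main__":
    for verdict, host, reason in scan(SAMPLE_LOG):
        print(f"[{verdict}] {host}: {reason}")
```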
MITRE ATT&CK TTPs
| ATT&CK ID | Name |
|---|---|
| T1204.002 | User Execution: Malicious File |
| T1036 | Masquerading |
| T1027 | Obfuscated Files or Information |
| T1027.007 | Obfuscated Files or Information: Dynamic API Resolution |
| T1140 | Deobfuscate/Decode Files or Information |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| T1106 | Native API |
| T1055 | Process Injection |
| T1620 | Reflective Code Loading |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1083 | File and Directory Discovery |
| T1005 | Data from Local System |
| T1105 | Ingress Tool Transfer |
| T1041 | Exfiltration Over C2 Channel |
| T1071.001 | Application Layer Protocol: Web Protocols |
| T1573 | Encrypted Channel |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| T1543.003 | Create or Modify System Process: Windows Service |
| T1480.002 | Execution Guardrails: Mutual Exclusion |
| T1070.004 | Indicator Removal: File Deletion |