
The Chrysalis Dissection: How a State-Sponsored APT Weaponized Your Text Editor's Update Button
How APT Lotus Blossom compromised Notepad++ updates to deploy Chrysalis backdoor. DLL sideloading, API hashing, and detection rules.
"The most dangerous attack is the one that arrives through a channel you've already decided to trust."
💡 TL;DR (Too Long; Didn't Read)
Key takeaways in 60 seconds:
- What Happened: Chinese APT Lotus Blossom compromised Notepad++'s hosting infrastructure for 6 months (June-December 2025), delivering a custom backdoor called Chrysalis via hijacked update traffic.
- How It Worked: DLL sideloading using a renamed Bitdefender binary, custom LCG-based stream cipher for shellcode decryption, and FNV-1a + MurmurHash API hashing to evade detection.
- Scary Part: They weaponized Microsoft's undocumented Warbird framework to make shellcode appear to originate from Microsoft-signed binaries.
- Who Got Hit: Government organizations in the Philippines, financial institutions in El Salvador, IT providers in Vietnam — classic intelligence targets.
- Your Action Items: Audit every updater in %AppData%, hunt for Chrysalis IOCs, enforce binary signature verification in CI/CD.
- Bottom line: Your developer tools are now a primary attack surface. Treat every single one as a potential threat vector.
1. The Hook: Why This Matters Now
On February 2, 2026, Don Ho — the maintainer of Notepad++, a text editor installed on millions of developer workstations worldwide — published a disclosure that should make every engineer reconsider what happens when they click "Update Available." For six months, from June to December 2025, a Chinese state-sponsored threat group called Lotus Blossom had been silently sitting inside Notepad++'s hosting infrastructure, selectively redirecting update traffic to deliver a custom, previously undocumented backdoor to hand-picked targets.
The backdoor is called Chrysalis. And after spending the last week studying Rapid7's forensic analysis, Kaspersky's telemetry, and the MITRE ATT&CK mapping of the attack chain, I can tell you this: it's one of the most technically sophisticated supply chain compromises I've seen since SolarWinds. Not because of the initial access — that was depressingly simple. But because of what came after.
This is not a news summary. This is a dissection.
2. The Attack Surface Nobody Audits
Before we get into the shellcode and the API hashing, let's talk about why this matters for you, the engineer reading this on your work laptop that almost certainly has Notepad++, VS Code extensions, or a dozen other tools installed outside of your IT department's MDM inventory.
Here's the uncomfortable truth: developer tools are the softest target in your organization. They sit on privileged machines — machines with SSH keys, AWS credentials, Git signing keys, CI/CD tokens, and access to production. And most of them auto-update through mechanisms that nobody on your security team has ever audited.
How GUP.exe Became a Trojan Horse
Notepad++ uses a custom updater called GUP (Generic Updater Plugin). GUP checks a manifest hosted on the Notepad++ website, downloads the installer, and runs it. Before version 8.8.9, it did not verify the certificate or the signature of the downloaded binary. It trusted the hosting infrastructure implicitly.
Lotus Blossom didn't need a zero-day. They didn't need to compromise the source code. They compromised the hosting provider, gained the ability to selectively redirect HTTP traffic, and served a poisoned update.exe to targets they had pre-selected by IP range or other network fingerprinting.
The source code was never touched. The Git repo was clean. The binary on the official download page was legitimate. Only the update traffic was tainted.
This is the new playbook. And if you think it can't happen to your favorite VS Code extension, npm package, or Homebrew formula, you haven't been paying attention.
3. The Kill Chain: From GUP.exe to Chrysalis
Let me walk through the full execution chain as documented by Rapid7 and Kaspersky. This is the most technically interesting part, and it reveals a level of operational discipline that goes well beyond script-kiddie territory.
3.1 Stage 1: The NSIS Installer
The malicious update.exe is an NSIS (Nullsoft Scriptable Install System) installer — a packaging format that's essentially the default delivery vehicle for Chinese APT groups. Kaspersky observed at least three distinct infection chains delivered over four months, each with different execution paths and payloads. The attackers rotated C2 addresses, downloaders, and final payloads on a near-monthly cadence.
The installer creates a hidden directory at %AppData%\Bluetooth\ and drops three files:
| File | True Identity | Purpose |
|---|---|---|
| BluetoothService.exe | Renamed Bitdefender Submission Wizard | Legitimate binary abused for DLL sideloading |
| log.dll | Custom malicious DLL | Decrypts and executes Chrysalis shellcode |
| BluetoothService (no ext) | Encrypted shellcode blob | The Chrysalis backdoor payload |
The choice of a renamed Bitdefender binary is not random. Lotus Blossom has used this exact technique before — documented by Symantec in April 2025 — with the same binary, the same DLL name (log.dll), and the same sideloading pattern. This is what gave Rapid7 moderate-confidence attribution.
3.2 Stage 2: DLL Sideloading
When BluetoothService.exe (the legitimate Bitdefender tool) executes, it imports log.dll and calls two exported functions: LogInit and LogWrite. In the legitimate library, these would handle logging. In the malicious version:
- LogInit reads the encrypted shellcode blob (BluetoothService) into the process's memory space.
- LogWrite runs the decryption routine and transfers execution to the decrypted payload.
The decryption is not trivial. It uses a custom stream cipher based on a Linear Congruential Generator (LCG) with the constants 0x19660D (multiplier) and 0x3C6EF35F (increment) — these are the well-known Numerical Recipes constants. The key material is derived from a previously computed hash value, and the algorithm applies a series of XOR, addition, and subtraction transformations to recover the plaintext shellcode.
This isn't AES. It doesn't need to be. The goal is to evade static analysis and signature-based detection, and a custom cipher does that better than a standard one because there's no known structure for AV engines to latch onto.
3.3 Stage 3: Chrysalis Awakens
Once decrypted and executing in memory, Chrysalis begins its initialization sequence:
3.3.1 Dynamic API Resolution
Chrysalis doesn't import Windows APIs through the normal Import Address Table (IAT). Instead, it walks the Process Environment Block (PEB), parses module export tables, and resolves function addresses at runtime using a custom hashing scheme.
The hash algorithm is a two-stage process, followed by a comparison step:
- Stage 1: Hash export names using FNV-1a (offset basis 0x811C9DC5, prime 0x1000193)
- Stage 2: Apply a MurmurHash-style avalanche finalizer (constant 0x85EBCA6B)
- Stage 3: Compare against salted target hashes
This dual-layer hashing means you can't simply Google the hash values to figure out which APIs the malware is calling. Each deployment can use different salts, making signature-based detection across campaigns unreliable.
If the hashing fails (which it shouldn't, but operational resilience is clearly a priority), Chrysalis falls back to resolving APIs via GetProcAddress — obtained earlier in the execution chain through a separate resolution path.
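To make the two-stage scheme concrete from the analyst's side, here is an added example (not code from the Rapid7 or Kaspersky reports) that rebuilds the FNV-1a plus avalanche-finalizer hash and uses it to label hash values recovered from a sample. It assumes the finalizer is the standard MurmurHash3 fmix32 routine (which uses the cited 0x85EBCA6B constant) and that the salt is XORed into the FNV-1a value before finalization; Chrysalis's exact mixing order is not given in the reports and may differ.

```python
# Added example for analysts, not code from the Rapid7 or Kaspersky reports:
# rebuilds the two-stage export-name hash the article describes so hashes
# pulled from a sample can be labelled with the API they resolve to.
# ASSUMPTIONS: the finalizer is the standard MurmurHash3 fmix32 routine
# (which uses the cited 0x85EBCA6B constant) and the salt is XORed into the
# FNV-1a value before finalization; the real mixing order may differ.

FNV_OFFSET_BASIS = 0x811C9DC5   # from the article
FNV_PRIME = 0x01000193          # from the article
MASK32 = 0xFFFFFFFF


def fnv1a_32(data: bytes) -> int:
    """Stage 1: 32-bit FNV-1a over the export name."""
    h = FNV_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV_PRIME) & MASK32
    return h


def murmur_fmix32(h: int) -> int:
    """Stage 2: MurmurHash3 avalanche finalizer (assumed standard constants)."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def api_hash(name: str, salt: int = 0) -> int:
    """Full two-stage hash of one export name under a per-sample salt."""
    return murmur_fmix32(fnv1a_32(name.encode("ascii")) ^ salt)


def build_table(names, salt: int = 0) -> dict:
    """Precompute hash -> name for every export an analyst wants to label."""
    return {api_hash(n, salt): n for n in names}


def resolve(table: dict, hashes) -> dict:
    """Stage 3 from the defender's side: label hashes recovered from a sample."""
    return {h: table.get(h, "<unknown>") for h in hashes}


if __name__ == "__main__":
    # Constructed export list; a real table would be built from the exports
    # of kernel32.dll / ntdll.dll and recomputed for each sample's salt.
    table = build_table(["LoadLibraryA", "GetProcAddress", "VirtualAlloc"], salt=0x1234)
    for h, name in resolve(table, list(table) + [0xDEADBEEF]).items():
        print(f"{h:08x} -> {name}")
```

Because the salt enters before the finalizer, the table has to be regenerated per sample once the salt is recovered, which is exactly why the article calls cross-campaign hash signatures unreliable.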
3.3.2 Configuration Decryption
The embedded configuration is encrypted with RC4 and contains the C2 endpoint. In the samples analyzed by Rapid7, the configuration pointed to:
https://api.skycloudcenter[.]com/a/chat/s/{GUID}
Note the URL structure: /a/chat/s/ followed by a GUID. This is deliberately crafted to mimic DeepSeek's chat API endpoint format. The User-Agent string is a standard Chrome identifier. To a network monitoring tool performing DPI (Deep Packet Inspection), this traffic looks like someone using an AI chatbot. Brilliant and infuriating in equal measure.
3.3.3 Command Processing
Chrysalis supports at least 16 distinct commands received via HTTP responses from the C2 server:
- Spawn an interactive reverse shell
- Create arbitrary processes
- File system operations (read, write, delete, enumerate)
- Upload files to C2
- Download files from C2
- Self-uninstall and artifact cleanup
- Persistence management (service creation or registry Run keys)
This is not a dropper. This is a full-featured implant designed for long-term espionage operations.
4. The Warbird Wildcard
Perhaps the most technically fascinating (and alarming) finding in Rapid7's report is the discovery of a secondary loader that abuses Microsoft Warbird — an undocumented internal code protection and obfuscation framework used by Microsoft to protect parts of the Windows kernel.
A file named ConsoleApplication2.exe, found on compromised hosts, uses Warbird-protected memory regions to execute shellcode. It calls NtQuerySystemInformation with undocumented parameters to map code into memory regions that appear to belong to Microsoft-signed binaries.
This is a direct weaponization of academic research into Windows internals. The abuse of Warbird means that EDR (Endpoint Detection and Response) tools that check whether executing code belongs to a signed binary will see Microsoft's signature and potentially allow execution. Rapid7 explicitly calls this out as "rapid operationalization of public research."
Let me be blunt: if a nation-state APT is reading your security research papers and weaponizing them within months, the gap between offensive research publication and defensive coverage is a systemic vulnerability in our entire industry.
5. Three Chains, One Campaign
Kaspersky's telemetry adds another dimension that Rapid7's incident response didn't fully capture: the attackers ran three distinct infection chains over four months, each targeting different victims with different tooling:
The progression tells a story. Chain 1 uses commodity tools (ProShow exploit, Metasploit). Chain 2 introduces Lua scripting for flexibility. Chain 3 deploys the custom Chrysalis backdoor — their crown jewel.
This looks like an operation that was testing and refining its delivery mechanisms on early targets before deploying its most valuable tools on the highest-priority ones.
The targets across all three chains: government organizations in the Philippines, financial institutions in El Salvador, IT service providers in Vietnam, and individuals in Australia. Classic intelligence collection targets for a Southeast Asian-focused espionage operation.
6. What Your Team Should Do Monday Morning
I don't write sections like this often. Most "mitigation advice" in security write-ups is generic enough to be useless. But this attack has specific, actionable lessons.
6.1 Audit Your Developer Tool Update Mechanisms
Run this command on every developer workstation in your organization:
```powershell
# Windows: Find auto-update executables in common dev tool locations
Get-ChildItem -Path "$env:APPDATA", "$env:LOCALAPPDATA", "$env:PROGRAMFILES", "${env:PROGRAMFILES(x86)}" `
    -Recurse -Include "*update*","*updater*","*GUP*" -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe','.dll' } |
    Select-Object FullName, LastWriteTime,
        @{N='Signed';E={(Get-AuthenticodeSignature $_.FullName).Status}} |
    Format-Table -AutoSize
```

```bash
# macOS/Linux: Find auto-update binaries and print their modification time
find ~/Library/Application\ Support /usr/local /opt \
    \( -name "*update*" -o -name "*updater*" \) 2>/dev/null | \
while IFS= read -r f; do
    # BSD stat (macOS) first, GNU stat (Linux) as the fallback
    echo "$f $(stat -f '%Sm' "$f" 2>/dev/null || stat -c '%y' "$f" 2>/dev/null)"
done
```

Any updater that doesn't verify cryptographic signatures on downloaded binaries is a supply chain risk. Period.
6.2 Hunt for Chrysalis Indicators
Check your environment for these specific artifacts:
```yaml
# Sigma rules - Chrysalis Backdoor Detection. One rule per log source: a Sigma
# rule matches fields of a single logsource, so process, network and file
# indicators are split into three rules rather than OR'd under process_creation.
title: Chrysalis Backdoor - Notepad++ Supply Chain (Process)
id: gsstk-a0079-chrysalis-detect
status: experimental
description: Detects the renamed Bitdefender binary used to sideload log.dll
references:
  - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\BluetoothService.exe'
    Image|contains: '\AppData\'
  condition: selection
falsepositives:
  - Legitimate Bluetooth software (verify publisher signature)
level: high
tags:
  - attack.execution
  - attack.t1574.002
  - attack.t1195.002
---
title: Chrysalis Backdoor - Notepad++ Supply Chain (Network)
id: REPLACE-WITH-UNIQUE-RULE-ID-1   # placeholder, assign your own id
status: experimental
description: Detects connections to the Chrysalis C2 domains
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'api.skycloudcenter.com'
      - 'api.wiresguard.com'
  condition: selection
level: high
tags:
  - attack.command_and_control
  - attack.t1195.002
---
title: Chrysalis Backdoor - Notepad++ Supply Chain (File)
id: REPLACE-WITH-UNIQUE-RULE-ID-2   # placeholder, assign your own id
status: experimental
description: Detects the Chrysalis loader files dropped under %AppData%
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\AppData\Roaming\Bluetooth\BluetoothService.exe'
      - '\AppData\Roaming\Bluetooth\log.dll'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1195.002
```

6.3 Enforce Binary Verification in CI/CD
If your build pipeline downloads tools at runtime (and most do), add signature verification:
```bash
#!/usr/bin/env bash
set -euo pipefail

# Example: Verify GPG signature before using downloaded tool.
# EXPECTED_KEY_ID should be the full key fingerprint, not a short ID, and the
# key goes into a dedicated keyring so --verify can only succeed against the
# key you pinned rather than anything already in the default keyring.
gpg --no-default-keyring --keyring ./tool-keyring.gpg \
    --keyserver keyserver.ubuntu.com --recv-keys "$EXPECTED_KEY_ID"
gpg --no-default-keyring --keyring ./tool-keyring.gpg \
    --verify tool.sig tool.bin || { echo "SIGNATURE VERIFICATION FAILED"; exit 1; }

# Example: Pin SHA-256 hashes for known-good binaries
EXPECTED_HASH="abc123..."
ACTUAL_HASH=$(sha256sum downloaded-tool | awk '{print $1}')
if [ "$EXPECTED_HASH" != "$ACTUAL_HASH" ]; then
    echo "HASH MISMATCH - possible supply chain compromise"
    exit 1
fi
```

6.4 Network-Level Detection
Block or alert on the following C2 domains and IPs immediately:
```
# Network IOCs (from Rapid7 and Kaspersky)
api.skycloudcenter[.]com
api.wiresguard[.]com
95.179.213[.]0
# URI Pattern (DeepSeek-mimicking)
/a/chat/s/[GUID pattern]
```

Monitor for HTTPS traffic to these destinations, and consider alerting on any traffic from developer workstations to endpoints matching the /a/chat/s/ URI pattern with Chrome User-Agent strings — legitimate DeepSeek usage would originate from a browser, not from a background service.
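As an added example (not from the Rapid7 or Kaspersky reports), the following triage script applies both checks above to network telemetry: a hit on the listed C2 destinations, or the DeepSeek-lookalike URI with a Chrome User-Agent coming from a process that is not a browser. The JSON-lines schema (host, process, dest_host, uri, user_agent) and the sample records are constructed for the example, not any vendor's log format.

```python
import json
import re

# Added example, not from the Rapid7 or Kaspersky reports: triage of network
# telemetry against the Chrysalis C2 indicators the article lists.
# ASSUMPTION: records are JSON lines with host, process, dest_host, uri and
# user_agent fields; that schema is constructed here, not a vendor's format.

C2_DOMAINS = {"api.skycloudcenter.com", "api.wiresguard.com"}  # from the article
C2_IPS = {"95.179.213.0"}                                       # from the article
GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
C2_URI = re.compile(r"^/a/chat/s/" + GUID + r"$")  # DeepSeek-mimicking path
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def classify(rec: dict):
    """Return a finding label for one record, or None when nothing matches."""
    dest = rec.get("dest_host", "").lower()
    if dest in C2_DOMAINS or dest in C2_IPS:
        return "known-c2-destination"
    proc = rec.get("process", "").rsplit("\\", 1)[-1].lower()
    ua = rec.get("user_agent", "")
    # The article's heuristic: lookalike URI plus a Chrome User-Agent from
    # anything that is not actually a browser.
    if C2_URI.match(rec.get("uri", "")) and "Chrome/" in ua and proc not in BROWSERS:
        return "deepseek-lookalike-uri-from-non-browser"
    return None


def hunt(lines):
    """Run classify() over JSON-lines telemetry; return (host, process, label)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        label = classify(rec)
        if label:
            findings.append((rec["host"], rec["process"], label))
    return findings


# Constructed sample telemetry: hostnames, GUIDs and *.example.test are made up.
SAMPLE_LOG = r"""
{"host":"dev01","process":"C:\\Users\\alice\\AppData\\Roaming\\Bluetooth\\BluetoothService.exe","dest_host":"api.skycloudcenter.com","uri":"/a/chat/s/3f2504e0-4f89-11d3-9a0c-0305e82c3301","user_agent":"Mozilla/5.0 Chrome/120.0 Safari/537.36"}
{"host":"dev02","process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_host":"chat.example.test","uri":"/a/chat/s/9b2e5a10-1c7d-4e2f-8a3b-6d5c4e3f2a10","user_agent":"Mozilla/5.0 Chrome/120.0 Safari/537.36"}
{"host":"dev03","process":"C:\\Users\\bob\\AppData\\Roaming\\Bluetooth\\BluetoothService.exe","dest_host":"cdn.example.test","uri":"/a/chat/s/9b2e5a10-1c7d-4e2f-8a3b-6d5c4e3f2a10","user_agent":"Mozilla/5.0 Chrome/120.0 Safari/537.36"}
{"host":"dev04","process":"C:\\Program Files\\Microsoft VS Code\\Code.exe","dest_host":"update.example.test","uri":"/api/update/stable","user_agent":"VSCode"}
"""

if __name__ == "__main__":
    for host, proc, label in hunt(SAMPLE_LOG.splitlines()):
        print(f"{host}: {label} ({proc})")
```

The second record (a real browser hitting the same path shape) is deliberately left unflagged; the URI heuristic only fires when the originating process is not in the browser allowlist, which is what keeps it usable on workstations where people do use AI chat tools.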
7. The Bigger Picture: Your Toolchain is an Attack Surface
We wrote about React2Shell (CVE-2025-55182) in article a0070, and about MCP security risks in articles a0055 and a0062. The Notepad++ compromise is part of the same macro-trend: the software supply chain — from your IDE to your build system to your package manager — is now the primary attack surface for sophisticated threat actors.
The SolarWinds playbook of 2020 has been industrialized. Lotus Blossom didn't need an Orion-scale operation. They compromised a shared hosting provider and weaponized an update mechanism that hadn't changed significantly in years. The attack was running for six months before discovery. And the target set — government, telecom, finance, critical infrastructure — tells you this wasn't a financially motivated operation. This was intelligence collection at scale.
For those of us who build software for a living, the lesson is both simple and hard to implement: treat every tool in your development environment as a potential attack vector. Your text editor. Your terminal emulator. Your Git GUI. Your API testing tool. Every one of them has an update mechanism, and most of those mechanisms were designed for convenience, not for security.
Notepad++ has since hardened its updater with certificate and installer signature verification in version 8.8.9, with mandatory XML signature validation (XMLDSig) coming in version 8.9.2. They migrated to a new hosting provider with stronger security and rotated all credentials. Don Ho did the right things — after the fact.
The question is: how many other tools in your %AppData% folder are one hosting provider compromise away from the same fate?
I don't know the answer. And that's what keeps me up at night.
Key Takeaways
- Developer tools are soft targets: They run on privileged machines with access to credentials, keys, and production systems — but rarely get the same security scrutiny as production infrastructure.
- Supply chain attacks are industrializing: The SolarWinds playbook (compromise infrastructure, not source code) is being adopted by more threat actors. Hosting provider compromise is the new frontier.
- Custom malware evades commodity defenses: Chrysalis's use of LCG stream ciphers, dual-layer API hashing, and Warbird abuse shows how nation-state attackers invest in evasion engineering.
- Action over awareness: Audit your update mechanisms, hunt for IOCs, enforce binary verification, and monitor for C2 patterns. These are concrete steps you can take today.
Further Reading
- Rapid7 Labs — The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's Toolkit
- Kaspersky GReAT — Notepad++ Supply Chain Attack Analysis
- The Hacker News — Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom
- Help Net Security — Notepad++ Supply Chain Attack: Researchers Reveal Details, IoCs, Targets
- Orca Security — Notepad++ Supply Chain Attack: Remediation and Detection Guidance
- Security Affairs — Notepad++ Infrastructure Hack Likely Tied to China-nexus APT Lotus Blossom
- CyberInsider — Lotus Blossom Hackers Deployed New Chrysalis Backdoor via Notepad++ Updates
What's your experience with developer tool security? Have you audited the update mechanisms in your toolchain? Share your findings in the comments below — and stay safe out there.