
Chrysalis Backdoor Exposed: Researchers Link Notepad++ Attack to Chinese APT Lotus Blossom

Published on February 3, 2026

Security researchers at Rapid7 have published a comprehensive analysis attributing the six-month Notepad++ supply chain compromise to Lotus Blossom, a Chinese government-linked advanced persistent threat group, while revealing detailed technical specifications of a sophisticated new backdoor dubbed Chrysalis that was deployed against targeted victims.

The attribution, announced with moderate confidence on Monday, comes days after Notepad++ maintainer Don Ho disclosed that attackers had compromised the application's hosting infrastructure between June and December 2025. The threat actors selectively redirected update traffic from certain users to attacker-controlled servers that delivered malicious payloads, all without touching the actual source code or breaking any digital signatures.

Rapid7's managed detection and response team identified the malware as a trojanized NSIS installer containing three components: a renamed legitimate Bitdefender Submission Wizard executable called BluetoothService.exe, an encrypted shellcode file, and a malicious DLL that gets sideloaded when the legitimate executable runs. The technique allows the malware to evade simple filename-based detection tools.
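One way a defender can hunt for the pattern described above (a renamed, legitimately signed executable that then loads a DLL dropped beside it), as an added example that is not from Rapid7's report or this article: Python over constructed Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records. The signer strings, the OriginalFileName value and the DLL name are placeholders, not the real sample's PE metadata.

```python
import ntpath

# Constructed Sysmon-like events (not real telemetry). Placeholder values:
# "bitdefender_submission_wizard.exe" stands in for the PE's OriginalFileName
# and "sideload.dll" for the malicious DLL; signer strings are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\u\AppData\Local\Temp\BluetoothService.exe",
     "OriginalFileName": "bitdefender_submission_wizard.exe",
     "Signature": "Bitdefender (placeholder signer)"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\u\AppData\Local\Temp\BluetoothService.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\sideload.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\u\AppData\Local\Temp\BluetoothService.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "ProcessId": 5000,
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "OriginalFileName": "Notepad++.exe", "Signature": "Notepad++"},
]


def stem(path):
    """Lower-cased file name without directory or extension."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def find_renamed_sideload(events):
    """Flag processes whose on-disk name differs from the PE's OriginalFileName
    and which then load a DLL from their own directory that is unsigned or
    signed by a different publisher than the host executable."""
    renamed = {}
    for ev in events:
        orig = ev.get("OriginalFileName", "")
        # No version info means no evidence of renaming; skip rather than alert.
        if ev["EventID"] == 1 and orig and stem(ev["Image"]) != stem(orig):
            renamed[ev["ProcessId"]] = ev
    alerts = []
    for ev in events:
        host = renamed.get(ev["ProcessId"]) if ev["EventID"] == 7 else None
        if host is None:
            continue
        same_dir = (ntpath.dirname(ev["ImageLoaded"]).lower()
                    == ntpath.dirname(host["Image"]).lower())
        foreign = ev.get("Signed") != "true" or ev.get("Signature") != host["Signature"]
        if same_dir and foreign:
            alerts.append({"pid": ev["ProcessId"], "host": host["Image"],
                           "host_original_name": host["OriginalFileName"],
                           "dll": ev["ImageLoaded"]})
    return alerts
```

System DLLs loaded by the renamed host are ignored because they live outside its directory and carry the expected Microsoft signature; only the co-located, unsigned DLL is reported.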

The Chrysalis backdoor itself represents a significant evolution in Lotus Blossom's tradecraft. Researchers discovered it employs custom API hashing in both the loader and main module, multiple layers of obfuscation, and a structured approach to command-and-control communication. The backdoor can spawn interactive shells, create processes, perform file operations, upload and download files, and remove itself from compromised systems.

Particularly concerning is the discovery of a loader variant that leverages Microsoft Warbird, a complex code protection framework typically used by Microsoft itself. This loader abuses the NtQuerySystemInformation system call with an undocumented class to bypass user-mode hooks and standard endpoint detection and response monitoring, marking a clear shift toward more resilient stealth techniques.

Rapid7 based its attribution on strong overlaps with prior research by Symantec, including identical use of renamed Bitdefender tools for DLL sideloading and matching Cobalt Strike public keys extracted from recovered payloads. Lotus Blossom, also known as Billbug, Bronze Elgin, and Raspberry Typhoon, has been active since 2009 and typically targets government, telecommunications, aviation, and critical infrastructure organizations across Southeast Asia and Central America.

Kaspersky researchers independently observed three distinct infection chains targeting approximately a dozen machines belonging to individuals in Vietnam, El Salvador, and Australia, as well as a government organization in the Philippines, a financial institution in El Salvador, and an IT service provider in Vietnam. The highly selective targeting suggests classic espionage operations rather than broad cybercriminal activity.

Sources: Rapid7, The Register, The Hacker News, Dark Reading, BleepingComputer, SecurityWeek
