Chinese APT group Lotus Blossom compromised Notepad++ update infrastructure to deliver Chrysalis backdoor to high-value targets including telecoms and critical infrastructure.
Security researchers have attributed the recent Notepad++ update hijacking to a Chinese government-linked espionage group called Lotus Blossom (also known as Lotus Panda or Billbug), which exploited weaknesses in the software's update infrastructure to deliver a sophisticated backdoor dubbed Chrysalis to high-value targets.

The attack, which occurred early Monday, was disclosed by the Notepad++ project author, who reported that a suspected Chinese state-sponsored group had compromised a shared hosting server and selectively redirected some update traffic to an attacker-controlled site. Victims unknowingly downloaded a poisoned version of what appeared to be a legitimate software update.
Attribution and Attack Vector
Rapid7's managed detection and response team attributed the attack "with moderate confidence" to Lotus Blossom, a Chinese advanced persistent threat (APT) group known for conducting targeted cyber-espionage campaigns. The group typically focuses on organizations in Southeast Asia and more recently Central America, with particular interest in government, telecom, aviation, critical infrastructure, and media sectors.
While the exact method of initial access remains unclear, once inside the Notepad++ distribution infrastructure, the attackers delivered a trojanized update packaged as an NSIS installer. This packaging format is commonly abused by Chinese APT groups for initial payload delivery.
The malicious installer contained several components:
- An executable named "BluetoothService.exe", actually a renamed copy of the legitimate Bitdefender Submission Wizard, used as the host process for DLL sideloading
- A file called "BluetoothService" containing encrypted shellcode
- A malicious DLL sideloaded by BluetoothService.exe
The shellcode represents the Chrysalis backdoor, described by Rapid7 as "a sophisticated and permanent tool, not a simple throwaway utility."
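The component layout above (a renamed legitimate host executable, an opaque "BluetoothService" blob, and a sideloaded DLL in the same directory) is something a defender can sweep for on endpoints. The following script is an added example, not code from Rapid7 or the Notepad++ project: it walks a directory tree, flags any directory that holds the reported sideloading triad, and matches every file's SHA-256 against an IOC set. The IOC set here is a labelled placeholder; substitute the hashes from Rapid7's published indicator list. The sample directory it builds is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Placeholder IOC set (constructed). Replace with SHA-256 values from the
# published indicator list; these strings are NOT real indicators.
KNOWN_BAD_SHA256 = {
    "PLACEHOLDER_SHA256_OF_MALICIOUS_DLL",
}

# File names reported for the sideloading chain (compared case-insensitively).
HOST_EXE = "bluetoothservice.exe"
SHELLCODE_BLOB = "bluetoothservice"


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, bad_hashes=KNOWN_BAD_SHA256):
    """Walk `root` and return a list of finding dicts.

    Two finding types are produced:
      sideload_triad - host EXE, shellcode blob and at least one DLL co-located
      hash_match     - a file whose SHA-256 is in `bad_hashes`
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lower = {name.lower(): name for name in filenames}
        if HOST_EXE in lower and SHELLCODE_BLOB in lower:
            dlls = sorted(n for n in filenames if n.lower().endswith(".dll"))
            if dlls:
                findings.append({
                    "type": "sideload_triad",
                    "dir": dirpath,
                    "exe": lower[HOST_EXE],
                    "blob": lower[SHELLCODE_BLOB],
                    "dlls": dlls,
                })
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = sha256_of(full)
            if digest in bad_hashes:
                findings.append({"type": "hash_match", "path": full, "sha256": digest})
    return findings


def build_sample_tree():
    """Create a constructed directory layout that mimics the reported bundle."""
    root = tempfile.mkdtemp(prefix="npp_scan_")
    d = Path(root) / "Program Files" / "Notepad++" / "updater"
    d.mkdir(parents=True)
    (d / "BluetoothService.exe").write_bytes(b"MZ placeholder host binary")
    (d / "BluetoothService").write_bytes(b"\x00\x11constructed opaque blob")
    (d / "helper.dll").write_bytes(b"MZ placeholder dll")
    # A benign sibling directory that must not produce a finding.
    b = Path(root) / "Program Files" / "Benign"
    b.mkdir(parents=True)
    (b / "readme.txt").write_text("nothing to see here")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root):
        print(finding)
```

The triad check deliberately keys on co-location rather than on the DLL's name, because the article notes the group uses generic DLL names precisely to defeat filename-based detection; the hash check then confirms a specific known sample once real indicators are supplied.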
Technical Sophistication
The Chrysalis backdoor employs multiple advanced evasion techniques:
- Uses legitimate binaries to sideload malicious DLLs with generic names to evade filename-based detection
- Implements custom API hashing in both the loader and main module
- Employs multiple layers of obfuscation to cover its tracks
- Features a structured approach to command-and-control (C2) communication
These techniques demonstrate the group's sophisticated capabilities and its focus on maintaining long-term access to compromised systems rather than conducting opportunistic attacks.
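API hashing, one of the evasion techniques listed above, replaces readable import names with numeric hashes so that neither the import table nor a strings scan reveals which Windows APIs a loader calls; an analyst recovers them by hashing a list of candidate export names with the same routine and looking the hashes up. The code below is an added example, not Chrysalis code and not the algorithm Rapid7 described (the article does not publish it): it implements two commonly seen hash routines (ROR-13 and djb2, both assumed for illustration), builds a lookup table from a small constructed list of real kernel32 export names, and resolves a constructed set of hash values. The point is that the resolver is parameterised by the hash function, since a custom routine like the one reported here means a stock table will simply return no matches.

```python
from typing import Callable, Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII bytes of an export name (assumed routine)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h


def djb2_hash(name: str) -> int:
    """djb2 hash truncated to 32 bits (assumed routine)."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


# Constructed candidate list: a handful of genuine kernel32.dll export names.
# In practice this would be every export of the DLLs the loader resolves from.
SAMPLE_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW",
    "ReadFile", "WriteFile", "CloseHandle", "ExitProcess", "Sleep",
    "GetTickCount",
]


def build_table(exports: Iterable[str], hash_fn: Callable[[str], int]) -> Dict[int, str]:
    """Map hash value -> export name for a given hash routine."""
    return {hash_fn(name): name for name in exports}


def resolve(hashes: Iterable[int], exports: Iterable[str],
            hash_fn: Callable[[str], int]) -> Dict[int, Optional[str]]:
    """Resolve each hash to a name, or None if the routine/list does not match."""
    table = build_table(exports, hash_fn)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed "recovered" hashes: what an analyst might lift from a loader.
    recovered = [ror13_hash("LoadLibraryA"), ror13_hash("Sleep"), 0x12345678]
    print("ROR-13:", resolve(recovered, SAMPLE_EXPORTS, ror13_hash))
    # Same hashes against a different routine resolve to nothing, which is the
    # situation a defender faces when the loader uses a custom algorithm.
    print("djb2:  ", resolve(recovered, SAMPLE_EXPORTS, djb2_hash))
```

When the routine is custom, the analyst first recovers it from the loader's disassembly and plugs it in as `hash_fn`; the table-building and lookup steps stay the same.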
Attribution Confidence
Rapid7's attribution to Lotus Blossom is based on several key factors:
- Similarities between the initial loader usage and previous Symantec research
- The group's consistent use of renamed Bitdefender Submission Wizard for sideloading
- Execution chain similarities with other loaders found in related campaigns
- The same public key extracted from Cobalt Strike beacons delivered through multiple channels
"Similarities of the execution chain of 'conf.c' retrieved from the infected asset and other loaders that we found, supported by the same public key extracted from [Cobalt Strike] beacons delivered through 'conf.c' and 'ConsoleApplication2.exe' suggest with moderate confidence that the threat actor behind this campaign is likely Lotus Blossom," the Rapid7 team wrote.
Impact and Indicators
As of press time, Rapid7 did not have visibility into the exact number of victims who inadvertently downloaded the Chrysalis malware. However, the security researchers published a comprehensive list of file and network indicators of compromise for organizations to check their systems.
The targeting pattern aligns with Lotus Blossom's historical focus on high-value sectors. By compromising a popular software update mechanism like Notepad++, the group could potentially reach a wide range of targets across multiple industries, particularly those in telecommunications and critical infrastructure sectors that are known to use the text editor.
This incident highlights the ongoing risks associated with software supply chain attacks and the sophisticated capabilities of state-sponsored threat actors in compromising widely used software to gain access to strategic targets. Organizations are advised to review the published indicators of compromise and implement appropriate detection and response measures.
