Chrysalis Backdoor Campaign

Advisory
February 2, 2026
Kudelski Security Team
Summary

Chrysalis is a sophisticated backdoor used in a targeted cyber‑espionage campaign attributed with moderate confidence to the threat group commonly tracked as Lotus Blossom. The malware was delivered through a compromised software distribution channel, representing a likely supply‑chain attack. Chrysalis is designed for long‑term persistence and remote access, providing operators with full control over infected systems, including command execution, file manipulation, and interactive shell access. The campaign demonstrates high operational maturity through multi‑stage loaders, heavy obfuscation, and stealthy command‑and‑control communications.

Affected Systems and/or Applications

Affected Platforms

  • Windows systems capable of executing malicious installers and sideloaded DLLs.

Affected Software

  • Notepad++ installations obtained from the project's compromised distribution infrastructure, i.e. versions prior to 8.8.9.

Technical Details

Chrysalis is deployed through a multi‑stage infection chain. Initial execution occurs via a trojanized installer that drops multiple components to disk. A legitimate, renamed executable is abused to sideload a malicious DLL, which acts as a loader for the core backdoor.

The loader decrypts and executes shellcode in memory using custom routines and reflective loading techniques. Windows APIs are resolved dynamically using hashing, significantly complicating static detection and reverse engineering.
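The hash-based API resolution described above, worked as an added example that is not code from the advisory or from the malware itself. The advisory does not name the hash Chrysalis uses, so the block assumes the classic ROR13 export-name hash and a hand-made export list; both are illustrative. An analyst builds such a table to turn the 32-bit constants found in a loader back into API names.

```python
"""Lookup table for hash-based Windows API resolution (added example).

Assumptions: the ROR13 export-name hash is illustrative, not the algorithm
Chrysalis uses (the advisory does not state it); the export lists are a
constructed subset of what a PE parser would read from the real DLLs.
"""

MASK32 = 0xFFFFFFFF

# Constructed sample of export names; in practice read every DLL's export
# table so that any constant lifted from the loader can be matched.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "VirtualProtect", "CreateFileW", "WriteFile", "Sleep"],
    "advapi32.dll": ["OpenSCManagerW", "CreateServiceW", "RegSetValueExW"],
    "ws2_32.dll": ["WSAStartup", "connect", "send", "recv"],
}


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Assumed hash: h = ror13(h) + byte, over the ASCII bytes of the name.
    Case matters, so 'Sleep' and 'sleep' produce different constants."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_hash_table(exports):
    """Map hash -> (module, export). Collisions are returned separately so an
    ambiguous constant is not silently attributed to a single export."""
    table, collisions = {}, []
    for module, names in exports.items():
        for name in names:
            h = ror13_hash(name)
            if h in table and table[h] != (module, name):
                collisions.append((h, table[h], (module, name)))
            table[h] = (module, name)
    return table, collisions


def resolve_hash(table, constant: int):
    """Resolve a constant lifted from the loader; None if it is not in the table."""
    return table.get(constant & MASK32)


if __name__ == "__main__":
    table, collisions = build_hash_table(SAMPLE_EXPORTS)
    for name in ("LoadLibraryA", "VirtualAlloc", "connect"):
        h = ror13_hash(name)
        print(f"0x{h:08x} -> {resolve_hash(table, h)}")
    print("collisions:", collisions)
```

When the sample's hash routine is recovered from the loader, swap `ror13_hash` for that routine and regenerate the table over the full export lists of the DLLs the loader touches; the lookup logic does not change.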

Once loaded, the Chrysalis backdoor establishes encrypted command‑and‑control communications over HTTPS using a generic browser user‑agent string to blend into normal network traffic. Configuration data, including C2 endpoints, is encrypted within the binary.

The backdoor supports a broad set of capabilities:

  • Remote command execution and interactive shell access
  • File upload and download
  • Process execution and termination
  • File system and registry enumeration
  • Self‑removal and cleanup routines

Persistence is achieved through either Windows service creation or registry‑based autorun mechanisms. In observed cases, the initial compromise also enabled delivery of additional payloads, including post‑exploitation frameworks, indicating that the implant serves as a long‑term foothold from which follow‑on tooling is staged.

Note that the attackers' access to the internal Notepad++ servers was fully terminated on December 2, 2025.

Mitigation

Immediate Response Actions

  • Identify endpoints that are or were running Notepad++ binaries earlier than 8.8.9 and that may have been updated between June and December 2025.
  • Identify and isolate endpoints that executed installers obtained from untrusted or unofficial distribution sources.
  • Hunt for evidence of DLL sideloading involving legitimate executables launched from non‑standard directories.
  • Investigate systems for unauthorized Windows services or suspicious registry autorun entries.
  • Assume full system compromise where Chrysalis is confirmed and respond accordingly.
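The immediate response actions above, worked as an added example that is not tooling from the advisory or from Kudelski Security. It runs the version, sideloading and service checks over small constructed inventory and Sysmon-style event records embedded in the block. The cutoffs (8.8.9, June to December 2025) come from the advisory; the record field names, the path heuristics and the `signed` flag are assumptions modelled on common EDR exports, not any product's schema.

```python
"""Triage checks for the immediate response actions (added example).

Assumptions: record field names mimic common Sysmon/EDR exports but are not
any product's schema; every sample record below is constructed, not captured.
"""
from datetime import date

FIXED_VERSION = (8, 8, 9)                                   # from the advisory
WINDOW_START, WINDOW_END = date(2025, 6, 1), date(2025, 12, 31)

# Where a legitimate signed binary is expected to run from.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# A service ImagePath under a user-writable tree is suspect.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed software inventory export.
INVENTORY = [
    {"host": "WS-0142", "product": "Notepad++", "version": "8.8.5", "installed": "2025-09-14"},
    {"host": "WS-0077", "product": "Notepad++", "version": "8.8.9", "installed": "2026-01-20"},
    {"host": "WS-0301", "product": "Notepad++", "version": "8.7.1", "installed": "2025-03-02"},
    {"host": "WS-0310", "product": "7-Zip", "version": "24.08", "installed": "2025-08-01"},
]
# Constructed Sysmon-style ImageLoaded (event 7) records.
IMAGE_LOADS = [
    {"host": "WS-0142", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup\\tool.exe",
     "image_loaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup\\helper.dll", "signed": "false"},
    {"host": "WS-0077", "image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "image_loaded": "C:\\Program Files\\Notepad++\\plugins\\mimeTools\\mimeTools.dll", "signed": "true"},
    {"host": "WS-0077", "image": "C:\\Windows\\System32\\svchost.exe",
     "image_loaded": "C:\\Windows\\System32\\ntdll.dll", "signed": "true"},
]
# Constructed service-install (System log 7045-style) records.
SERVICE_EVENTS = [
    {"host": "WS-0142", "service_name": "UpdateSvc", "image_path": "C:\\ProgramData\\Update\\svc.exe"},
    {"host": "WS-0077", "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]


def parse_version(v: str):
    """'8.8.10' -> (8, 8, 10); tuple comparison orders versions correctly."""
    return tuple(int(p) for p in v.split("."))


def dirname(path: str) -> str:
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def flag_outdated_installs(inventory):
    """Hosts running Notepad++ < 8.8.9 installed or updated inside the window."""
    hits = []
    for rec in inventory:
        if rec["product"].lower() != "notepad++":
            continue
        when = date.fromisoformat(rec["installed"])
        if parse_version(rec["version"]) < FIXED_VERSION and WINDOW_START <= when <= WINDOW_END:
            hits.append(rec["host"])
    return hits


def flag_sideloading(image_loads):
    """Classic sideloading shape: an unsigned DLL loaded from the same
    non-standard directory as the executable that loaded it."""
    hits = []
    for ev in image_loads:
        exe_dir, dll_dir = dirname(ev["image"]), dirname(ev["image_loaded"])
        if exe_dir != dll_dir or exe_dir.startswith(STANDARD_DIRS):
            continue
        if ev.get("signed", "false").lower() == "true":
            continue
        hits.append((ev["host"], ev["image"], ev["image_loaded"]))
    return hits


def flag_services(service_events):
    """Service installs whose binary lives in a user-writable directory."""
    return [(ev["host"], ev["service_name"], ev["image_path"])
            for ev in service_events
            if ev["image_path"].lower().lstrip('"').startswith(USER_WRITABLE)]


if __name__ == "__main__":
    print("outdated Notepad++ in window:", flag_outdated_installs(INVENTORY))
    print("possible sideloading:", flag_sideloading(IMAGE_LOADS))
    print("services in writable paths:", flag_services(SERVICE_EVENTS))
```

Hosts that appear in more than one list (here WS-0142 in all three) are the ones to isolate first; a host that trips only the version check still needs the full-compromise assumption from the last action above until the other two checks come back clean.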

Preventative Controls

  • Enforce application allow‑listing and restrict execution of user‑downloaded installers.
  • Validate software integrity using trusted hashes and verified distribution channels.
  • Limit service creation privileges and monitor for abuse.
  • Strengthen supply‑chain security controls, including provenance verification of third‑party software.

Patching and Remediation

  • Update or reinstall Notepad++ to at least version 8.8.9.
  • Re‑installation of affected software from a verified, trusted source is recommended.

What the Cyber Fusion Center is Doing

The CFC is monitoring the situation and analyzing the case to determine whether threat‑hunting campaigns are warranted. This advisory will be updated if required. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans, as soon as a relevant plugin is made available by the scan provider.
