Investigators determined the Notepad++ update mechanism (WinGUp/GUP.exe) was subverted for roughly six months to selectively deliver trojanized installers to a narrow set of high-value targets without modifying the project’s source code. The operation is attributed with moderate–high confidence to the China-aligned espionage cluster Lotus Blossom, which deployed bespoke implants (notably Chrysalis), DLL sideloading, and API-style HTTPS C2 to enable long-term intelligence collection. #LotusBlossom #Chrysalis
Keypoints
- Attackers compromised Notepad++ distribution/update hosting infrastructure and selectively redirected WinGUp (GUP.exe) update requests to attacker-controlled servers while leaving source code intact.
- Trojanized NSIS installers and renamed legitimate utilities (e.g., Bitdefender Submission Wizard) were used to deploy loaders (log.dll) that decrypted and executed final payloads (Chrysalis or Cobalt Strike).
- The campaign prioritized precision and stealth: selective delivery to a small set of victims, long dwell times, and no observed ransomware, theft, or destructive activity—consistent with espionage objectives.
- Observed tradecraft included living-off-the-land utilities, DLL sideloading, API-style HTTPS C2 with low-frequency beaconing, staged artifacts in user AppData paths, and infrastructure rotation while preserving URI grammar.
- Victims included government, financial, and IT service entities and individual technical users across Southeast Asia, Australia, and Central America (El Salvador), aligning with Lotus Blossom’s historical targeting.
- Defensive implications: harden update pipelines and hosting, prioritize behavioral detection (unexpected updater behavior, anomalous DLL loads, API-like beaconing), and treat developer/admin endpoints as high-value for threat hunting.
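The two behavioral detections the keypoints call for (an updater launching something other than the expected installer, and a DLL sideloaded from a user-writable directory) can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from the DomainTools report or the Notepad++ project; the event records are constructed, shaped loosely like process-create and image-load events, and the installer file-name pattern `npp.<version>.Installer[.x64|.arm64].exe` is an assumption to adjust for your own fleet.

```python
import ntpath
import re

# Assumed naming convention for the official Notepad++ installer; anything else
# launched by the updater is treated as non-standard.
LEGIT_INSTALLER = re.compile(r"^npp\.[\d.]+\.installer(\.x64|\.arm64)?\.exe$", re.I)
UPDATER = "gup.exe"  # WinGUp updater process named in the report

# Constructed sample telemetry (hypothetical, not real events from any victim).
EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\npp.8.7.Installer.x64.exe"},
    {"type": "process", "parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "process", "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe"},
    {"type": "imageload",
     "process": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "module": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll"},
    {"type": "imageload", "process": r"C:\Windows\System32\svchost.exe",
     "module": r"C:\Windows\System32\kernel32.dll"},
]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def _user_writable(path):
    """True for anything under a user profile's AppData tree."""
    return "\\appdata\\" in path.lower()


def check_process_create(ev):
    """Rule 1: GUP.exe should only ever launch the official installer."""
    if _base(ev["parent"]) == UPDATER and not LEGIT_INSTALLER.match(_base(ev["image"])):
        return ("updater-anomalous-child", ev["image"])
    return None


def check_image_load(ev):
    """Rule 2: a DLL loaded from the host EXE's own directory, where that
    directory is user-writable, is the classic sideloading shape
    (renamed legitimate binary plus companion DLL)."""
    mod, proc = ev["module"], ev["process"]
    if mod.lower().endswith(".dll") and _dir(mod) == _dir(proc) and _user_writable(proc):
        return ("possible-dll-sideload", f"{_base(proc)} loaded {_base(mod)}")
    return None


def hunt(events):
    """Run both rules over a list of events and return the findings in order."""
    findings = []
    for ev in events:
        hit = check_process_create(ev) if ev["type"] == "process" else check_image_load(ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(rule, "->", detail)
```

Run against the constructed events, rule 1 fires on `update.exe` and rule 2 on `log.dll` being loaded by the renamed binary from `%APPDATA%`, while the legitimate installer launch and the system DLL load stay quiet. Rule 2 will also fire on legitimate software that ships private DLLs under AppData, so treat it as a hunting lead to pair with publisher and signature checks rather than a standalone alert.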
MITRE Techniques
- [T1195] Supply Chain Compromise – Attackers abused the update/distribution infrastructure to deliver malicious installers without changing project source. ‘…the update mechanism of one of the world’s most widely used open-source text editors had been quietly subverted.’
- [T1574.002] DLL Side-Loading – A renamed legitimate utility was used to host a malicious companion DLL that loaded and decrypted the backdoor. ‘…a renamed legitimate utility (the Bitdefender Submission Wizard) was used as the initial execution context. A malicious companion DLL… was then loaded…’
- [T1574.001] DLL Search Order Hijacking – Adversaries used DLL search-order or host-driven DLL load behaviors to inject custom loaders. ‘…DLL sideloading… malicious companion DLL, placed in the same directory with the same name expected by the host process…’
- [T1543.003] Create or Modify System Process: Windows Service – The group has historically used Windows services for persistence in campaigns. ‘…registry-based persistence, Windows services, DLL sideloading…’
- [T1547.001] Registry Run Keys and Startup Folder – Registry-based persistence mechanisms were observed as part of long-term footholds. ‘…registry-based persistence…’
- [T1071.001] Application Layer Protocol: Web Protocols – Post-compromise C2 used HTTPS with API-style URI paths to blend with normal web traffic. ‘…post-compromise communications were conducted using encrypted, low-frequency outbound connections over HTTPS… API-style command-and-control endpoints…’
- [T1218] Signed Binary Proxy Execution / Living-off-the-Land – The campaign co-opted legitimate system utilities and trusted binaries to execute malicious logic and evade detection. ‘…the frequent use of living-off-the-land (LOTL) utilities, trusted, legitimate system tools that are co-opted to execute malicious logic…’
- [T1057] Process Discovery – Early reconnaissance included commands to enumerate running processes (e.g., tasklist) to inform payload choices. ‘…Commands such as whoami and tasklist… were used to identify the current user context, running processes…’
- [T1082] System Information Discovery – The malware executed system/user enumeration commands (e.g., whoami) during initial reconnaissance. ‘…Commands such as whoami and tasklist… were used to identify the current user context, running processes, and basic system characteristics.’
Indicators of Compromise
- [Domain] Notepad++ campaign C2/domains used for API-style beaconing – cdncheck.it.com, api.wiresguard.com, api.skycloudcenter.com
- [IP Address] Observed hosting and beacon endpoints (purpose-built staging/C2) – 45.77.31.210, 59.110.7.32:8880, 124.222.137.114:9999
- [C2 URI paths] API-like endpoints observed in beacon traffic and payload staging – /api/update/v1, /api/FileUpload/submit, /a/chat/s/{GUID}
- [Malware / Backdoors] Primary bespoke and historical implants linked to the actor – Chrysalis, Sagerunex (and historic reference to Elise)
- [File Names] Loader and installer artifacts used in delivery chains – update.exe (NSIS installer), BluetoothService.exe (renamed Bitdefender loader), log.dll (loader DLL)
- [File Paths] Common staging locations used to persist or stage components – %APPDATA%\ProShow\load, %APPDATA%\Adobe\Scripts\alien.ini, %APPDATA%\Bluetooth\BluetoothService
- [Process Names] Updater and execution parent processes observed in execution chains – GUP.exe (WinGUp updater) spawning non-standard installers and loaders
- [File Hashes] Candidate sample hashes referenced in public hunting reports (use with contextual correlation) – [redacted-hash-1], [redacted-hash-2], and other public hunting hashes
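Because the report notes that infrastructure rotated while the URI grammar stayed stable, matching only on the listed hosts will miss the next domain; the paths and the low-frequency, near-constant beacon interval are more durable. The following added example (not code from the report) sweeps constructed proxy log lines for the network indicators above and separately scores each source/host pair for beacon-like regularity. The log format is hypothetical, `{GUID}` is assumed to be a standard 8-4-4-4-12 hex GUID, and 203.0.113.7 is a documentation address standing in for a rotated host.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Network indicators from the report (hosts, host:port pairs, URI grammar).
IOC_HOSTS = {"cdncheck.it.com", "api.wiresguard.com", "api.skycloudcenter.com",
             "45.77.31.210", "59.110.7.32:8880", "124.222.137.114:9999"}
IOC_PATHS = [re.compile(p, re.I) for p in (
    r"^/api/update/v1$",
    r"^/api/FileUpload/submit$",
    r"^/a/chat/s/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$",  # assumed GUID form
)]

# Constructed proxy log (hypothetical format: ts src method url status).
LOG = """\
2024-03-01T08:00:03Z 10.1.2.3 GET https://api.wiresguard.com/api/update/v1 200
2024-03-01T08:05:00Z 10.1.2.9 GET https://updates.example.com/feed.xml 200
2024-03-01T08:30:01Z 10.1.2.3 GET https://api.wiresguard.com/api/update/v1 200
2024-03-01T08:41:17Z 10.1.2.9 GET https://updates.example.com/feed.xml 304
2024-03-01T09:00:04Z 10.1.2.3 GET https://api.wiresguard.com/api/update/v1 200
2024-03-01T09:30:02Z 10.1.2.3 GET https://api.wiresguard.com/api/update/v1 200
2024-03-01T09:31:40Z 10.1.2.9 GET https://updates.example.com/feed.xml 200
2024-03-01T10:00:03Z 10.1.2.3 GET https://api.wiresguard.com/api/update/v1 200
2024-03-01T10:02:11Z 10.1.2.7 POST https://203.0.113.7/api/FileUpload/submit 200
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)(/\S*)? (\d{3})$")


def parse(log):
    """Parse log lines into records; malformed lines are skipped."""
    recs = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, _method, host, path, _status = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        recs.append({"ts": when, "src": src, "host": host.lower(), "path": path or "/"})
    return recs


def ioc_matches(recs):
    """Known hosts hit directly; an IoC path on an unknown host is reported
    separately so rotated infrastructure still surfaces."""
    hits = []
    for r in recs:
        if r["host"] in IOC_HOSTS:
            hits.append(("ioc-host", r["src"], r["host"]))
        elif any(p.match(r["path"]) for p in IOC_PATHS):
            hits.append(("ioc-path-new-host", r["src"], r["host"] + r["path"]))
    return hits


def beacon_candidates(recs, min_hits=4, min_mean_s=600, max_cv=0.05):
    """Flag (src, host) pairs whose request gaps are long (low frequency) and
    nearly constant: coefficient of variation of the gaps at or below max_cv."""
    series = defaultdict(list)
    for r in recs:
        series[(r["src"], r["host"])].append(r["ts"])
    out = []
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if mean >= min_mean_s and cv <= max_cv:
            out.append((key, round(mean), round(cv, 3)))
    return out


if __name__ == "__main__":
    records = parse(LOG)
    for hit in ioc_matches(records):
        print("IOC", hit)
    for key, mean, cv in beacon_candidates(records):
        print("BEACON", key, f"mean={mean}s cv={cv}")
```

On the constructed log the host rule fires five times on api.wiresguard.com, the path rule once on the unlisted 203.0.113.7 host, and the regularity check singles out the 10.1.2.3 to api.wiresguard.com series (30-minute gaps with a few seconds of jitter) while the irregular feed polling from 10.1.2.9 is left alone. Thresholds are starting points; real beacons often add deliberate jitter, so widen `max_cv` and look at longer windows before concluding a host is clean.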
Read more: https://dti.domaintools.com/research/lotus-blossom-and-the-notepad-supply-chain-espionage-campaign