Attack Discovery, Workflows, and Agent Builder were combined to automatically detect, confirm, and triage a Chrysalis backdoor campaign delivered via a Notepad++ update supply-chain compromise, collapsing dozens of alerts into a single verified incident and creating a case and Slack channel with on-call responders already added. The automation verified C2, performed VirusTotal checks, ran ES|QL hunts, and executed incident actions (isolation, user suspension, IOC sweeps) in under four minutes instead of hours. #Chrysalis #LotusBlossom
Keypoints
- Lotus Blossom (aka Billbug/Raspberry Typhoon/Spring Dragon) conducted a Notepad++ update infrastructure supply-chain compromise (WinGUp) delivering the previously undocumented Chrysalis backdoor.
- Chrysalis uses reflective DLL loading, API hashing, custom encryption, and DLL sideloading via a legitimate Bitdefender binary (BluetoothService.exe) to achieve persistence and evade defenses.
- Attack Discovery correlated multiple alerts into a single “Malware with DLL Side-Loading Persistence” discovery, mapping the attack chain and highlighting a confirmed C2 domain api[.]skycloudcenter[.]com.
- An automated workflow triggered an Agent Builder hunting agent which verified hashes via VirusTotal, ran ES|QL searches, checked on-call schedules, created a case, and opened a Slack incident channel with the responder added.
- The two-step workflow (initial_analysis + followup_analysis) delegates reasoning to the agent while providing a deterministic safety net to retry or resume failed operations.
- This agentic pipeline reduced time-to-confirmation from hours to minutes, enabling immediate containment actions like host isolation, user suspension, and network blocklist updates.
- Agents can be extended with custom workflow-backed tools (e.g., vt.hash.lookup, check.on.call.schedule, create.case, create.channel) so analysts can query in natural language instead of writing ES|QL.
MITRE Techniques
- [T1195.002] Supply Chain Compromise – Lotus Blossom hijacked the Notepad++ update mechanism (WinGUp) to redirect targeted users to malicious update servers. (‘Lotus Blossom executed a supply chain compromise of Notepad++ update infrastructure’)
- [T1204.002] User Execution – Victims executed a malicious NSIS installer from the Desktop, which dropped the attacker's files. (‘User executes malicious NSIS installer from Desktop’)
- [T1543.003] Windows Service – The legitimate BluetoothService.exe was registered as a Windows service and ran as SYSTEM to achieve persistence. (‘BluetoothService.exe registered as Windows service … Runs under SYSTEM context’)
- [T1574.002] DLL Side-Loading – The attack used DLL sideloading via a signed Bitdefender binary to load the malicious Chrysalis loader (log.dll). (‘DLL sideloading via legitimate Bitdefender binary (BluetoothService.exe)’)
- [T1071.004] Application Layer Protocol: DNS – Chrysalis used a DNS-based beacon to communicate with its command-and-control server at api[.]skycloudcenter[.]com. (‘DNS beacon to api[.]skycloudcenter[.]com ✅ CONFIRMED’)
Indicators of Compromise
- [Domain] Command-and-control domain – api[.]skycloudcenter[.]com (confirmed C2 domain)
- [File names] Malicious loader and sideloaded binary – log.dll (Chrysalis loader), BluetoothService.exe (legitimate Bitdefender binary used for DLL sideloading)
- [Installer] Initial access artifact – malicious NSIS installer (dropped files into a hidden AppData directory)
- [Hostnames] Compromised host example – srv-win-defend-01 (host on which persistence via BluetoothService.exe was established)
- [Usernames] Compromised account example – james_spiteri (user associated with the attack)
- [Software/Component] Supply-chain vector – Notepad++ update infrastructure (WinGUp) used to deliver the payload
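The IOC sweep and alert collapse described in the keypoints, as an added example (not Elastic's Attack Discovery, Workflows or Agent Builder code): a small pure-Python sweep over constructed ECS-style endpoint events that checks the four links of the chain listed under MITRE Techniques (installer run from the Desktop, service persistence, BluetoothService.exe sideloading log.dll from a user-writable path, DNS beacon to the C2 domain) and folds every hit on a host into one incident record. The event field names, the sample events and the `user_writable` heuristic are assumptions made for this example; only the domain, file names, host and user come from the page. A host is marked `verified` when both the sideload and the beacon to the known C2 are present, mirroring the "confirmed" bar the page describes.

```python
"""IOC sweep that collapses per-event hits into one incident per host.

Example code written for this page; it is not Elastic's tooling and does not
use ES|QL. Field names and sample events are constructed.
"""
import ntpath
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

C2_DOMAIN = "api.skycloudcenter.com"       # page's api[.]skycloudcenter[.]com, refanged
SIDELOAD_HOST = "bluetoothservice.exe"    # signed Bitdefender binary abused as the host process
SIDELOADED_DLL = "log.dll"                # Chrysalis loader file name from the page

# Constructed sample telemetry (not real events). One infected host, one clean host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "srv-win-defend-01", "user": "james_spiteri", "kind": "process",
     "process_path": "C:\\Users\\james_spiteri\\Desktop\\npp_update_installer.exe"},
    {"host": "srv-win-defend-01", "user": "SYSTEM", "kind": "service",
     "service_name": "BluetoothService",
     "service_path": "C:\\Users\\james_spiteri\\AppData\\Roaming\\BluetoothService.exe"},
    {"host": "srv-win-defend-01", "user": "SYSTEM", "kind": "library",
     "process_name": "BluetoothService.exe",
     "dll_path": "C:\\Users\\james_spiteri\\AppData\\Roaming\\log.dll"},
    {"host": "srv-win-defend-01", "user": "SYSTEM", "kind": "dns",
     "process_name": "BluetoothService.exe", "dns_question": "api.skycloudcenter.com"},
    {"host": "wks-finance-07", "user": "alice", "kind": "dns",
     "process_name": "chrome.exe", "dns_question": "www.example.com"},
    {"host": "wks-finance-07", "user": "alice", "kind": "library",
     "process_name": "chrome.exe", "dll_path": "C:\\Program Files\\Google\\Chrome\\chrome_elf.dll"},
]


def basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux/macOS.
    return ntpath.basename(path).lower()


def user_writable(path: str) -> bool:
    """Assumed heuristic: profile locations an ordinary user can write to."""
    p = path.lower()
    return "\\appdata\\" in p or "\\desktop\\" in p or "\\temp\\" in p


def classify(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Map one event to (MITRE technique id, description) if it matches a link of the chain."""
    kind = ev["kind"]
    if kind == "process" and user_writable(ev["process_path"]) \
            and "installer" in basename(ev["process_path"]):
        return ("T1204.002", f"installer launched from user path: {ev['process_path']}")
    if kind == "service" and basename(ev["service_path"]) == SIDELOAD_HOST \
            and user_writable(ev["service_path"]):
        return ("T1543.003", f"service {ev['service_name']} runs from {ev['service_path']}")
    if kind == "library" and ev["process_name"].lower() == SIDELOAD_HOST \
            and basename(ev["dll_path"]) == SIDELOADED_DLL and user_writable(ev["dll_path"]):
        return ("T1574.002", f"{ev['process_name']} sideloaded {ev['dll_path']}")
    if kind == "dns" and ev["dns_question"].lower().rstrip(".") == C2_DOMAIN:
        return ("T1071.004", f"{ev['process_name']} resolved {ev['dns_question']}")
    return None


def sweep(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Collapse all matching events into one incident per host."""
    per_host = defaultdict(lambda: {"users": set(), "techniques": set(), "alerts": []})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        rec = per_host[ev["host"]]
        rec["users"].add(ev["user"])
        rec["techniques"].add(hit[0])
        rec["alerts"].append(hit[1])
    incidents = {}
    for host, rec in per_host.items():
        incidents[host] = {
            "host": host,
            "users": sorted(rec["users"]),
            "techniques": sorted(rec["techniques"]),
            "alert_count": len(rec["alerts"]),
            "alerts": rec["alerts"],
            # sideload plus beacon to the known C2 is the bar for a confirmed incident
            "verified": {"T1574.002", "T1071.004"} <= rec["techniques"],
        }
    return incidents


if __name__ == "__main__":
    for host, inc in sweep(SAMPLE_EVENTS).items():
        status = "VERIFIED" if inc["verified"] else "suspicious"
        print(f"{host}: {status}, {inc['alert_count']} alerts -> {inc['techniques']}")
        for line in inc["alerts"]:
            print("  -", line)
```

Running the block prints one incident for srv-win-defend-01 with four alerts and no record for the clean host; in a real pipeline the `verified` flag is the point at which case creation and containment (isolation, user suspension, blocklist update) would be triggered, while unverified hits stay in the queue for analyst review.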