Lotus Blossom has resurfaced with a sophisticated supply chain attack against the Notepad++ infrastructure and deployed a new custom backdoor called Chrysalis to spy on targets in Southeast Asia and Central America. The campaign uses a Warbird-protected loader, DLL side‑loading, commodity tools like Cobalt Strike, and undocumented system calls to evade detection and maintain persistence. #LotusBlossom #Chrysalis
Key points
- Lotus Blossom compromised the Notepad++ infrastructure to distribute malicious loaders and plugins.
- The group deployed a previously undocumented backdoor named Chrysalis to gain and maintain access.
- A loader (ConsoleApplication2.exe) abused Microsoft Warbird to obfuscate and cloak malicious shellcode.
- Operators combined custom implants with commodity tools like Cobalt Strike, Metasploit, and DLL side‑loading to complicate detection.
- Rapid7 attributed the campaign to Lotus Blossom with moderate confidence and noted a shift toward undocumented system calls and multi‑layered loaders.
Read More: https://securityonline.info/supply-chain-poison-lotus-blossom-hits-notepad-to-deploy-chrysalis/