Chrysalis Backdoor – Deep Technical Analysis of a Sophisticated Supply Chain Attack

1. The Cause

2nd February: it was confirmed that the vendor’s website has been compromised for at least 5 months (between June 2025 & November/December 2025).

• The attack allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org
• This was abused to deliver an undocumented custom backdoor, now dubbed as “Chrysalis”
• This was due to infrastructural weaknesses on the hosting provider’s end.

To address this issue, notepad++’s website is migrated to a new hosting provider.

2. Overview Of The Malware

The campaign is being attributed to the APT Group Lotus Blossom (ID: G0030); a well-documented nation-state actor.

Every piece of malware was neatly packed in a NSIS installer file. Following are it’s contents:

• NSIS installation script
• BluetoothService.exe (Renamed a Bitdefender file, then abused it for DLL sideloading)
• BluetoothService (Encrypted shellcode)
• log.dll (The said malicious DLL loaded by “BluetoothService.exe”)

The attackers took a real Bitdefender program, renamed it, and used it to trick Windows into loading a malicious DLL file that ran the malware. (DLL sideloading)

3. The Implant

Action 1: Notepad++ is opened (On its own, this is completely normal.)

Action 2: GUP.exe runs next (Legitimate ; the auto-updater for Notepad++) Action 3: A program called “update.exe” runs – This is where things get interesting.

3a. Update.exe

• Update.exe is download from “95.179.213.0” 
• As per VT, it’s got a Bad Reputation : https://www.virustotal.com/gui/url/b9fd40e71672371f3172674ae17c30183d6accc367b61590097f5510bc50568c

Analysis show that it is an NSIS installer (Tool to create windows installers)

Upon unpacking, it extracts:

• NSIS installation script
• BluetoothService.exe
• BluetoothService 
• log.dll

3b. BluetoothService.exe

• The “BluetoothService.exe” is just the renamed version of a legit Bitdefender program.
• The attackers used this as a loader by placing a malicious DLL (log.dll) beside it.
• When the renamed program runs, it loads the malicious DLL due to how Windows resolves DLLs.

3c. log.dll

• Windows looks for required DLLs in the same directory as the executable before looking in system folders; this is the mechanism that is abused by the attackers in this case.
• This file has 2 functions in it; LogInit & LogWrite 
• LogInit loads “BluetoothService (Encrypted shellcode)” into the memory of the running process.
• LogWrite decrypts and execute the shellcode
• It implements API Hashing function (Resolves required APIs at execution)

4. The Malware itself

Once decrypted by the log.dll, Chrysalis is uncovered; A deliberate anti-analysis tradecraft that’s persistent, loaded with capabilities, utilizes advanced evasion techniques.

• Evasions of Signature -based detections: Abuses legitimate executables for DLL sideloading with a generic DLL name. 
• AV/Static Analysis/YARA Evasion: Directly calling the Windows APIs in specific combinations/order can be detected as a sign of malicious behaviour by most AVs and security solutions hence Separate custom API hashing mechanisms are implemented in both the loader and payload. This also delays behavioural detections 
• layered obfuscation and a structured C2 communication model. 
• The code is intentionally such that it conceals strings, make static analysis difficult, and evades signature-based detection. The names of the DLLs that the main function calls are constructed on the go using 2 separation functions; these functions implement a custom, position-dependent character obfuscation scheme meaning that each character is transformed using multiple binary mathematical operations (XOR, Multiplication, bit rotations) to ensure that identical characters are transformed diversely.
• Once these DLLs are load, the backdoor begins executing the main logic which includes configuration to establish communication with the C2 (command-and-control) to achieve objectives.
• First, the malware must decrypt its configuration; the “BluetoothService” file saves the encrypted configuration at a specific memory offset and is of an expected memory length. Once again, this technique makes the static analysis more complex as the analyst does not know where the configuration will be, or where in the memory the decryption key will be.

4a. Runtime

The program initializes like a normal windows program by performing a MSVC C runtime initialization after which it dynamically reconstructs and loads multiple DLLs needed to run; the names of these DLLs are constructed on the go and the process is described in detail in the former heading.

Once this is done, the malware must access its configurations and establish communication with the C2. Initially, the configuration is encrypted and the malware has the key hardcoded at a specific memory offset and of specific length (which are also hardcoded into it). Once the backdoor has taken ahold of the decryption key, (and it knows that the algorithm is RC4), it decrypts the configuration using this key (qwhvb^435h&*7).

4b. Communications

The configuration reveals the following information:

• Command and Control (C2) url: https://api[.]skycloudcenter[.]com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821 (URL resolves to 61.4.102.97)
• Name of the module: BluetoothService
• User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36

Before comms start, the malware has already:

1. Resolved networking APIs via API hashing
2. Loaded required DLLs
3. Initialized runtime structures and configurations.

To blend in with the normal traffic, C2 server and backdoor communicates in HTTP making it look like normal windows application traffic. 

When the Chrysalis backdoor runs, it interprets command-line arguments and, if none or only specific ones are present, it proceeds to install itself persistently before doing anything else. Its persistence behavior is controlled by the first process instance it launches without special flags.

Chrysalis differentiates its operational mode based on the command-line arguments passed at startup:

So, when it first runs without arguments, Chrysalis installs persistence and then restarts itself to actually run the malicious payload. Persistence is set up primarily via service creation or registry as a fall back mechanism.

Once done, a mutex(“mutual exclusion object” is a synchronization primitive used in programming to protect shared resources from concurrent access by multiple threads) is registered to ensure only one instance of this being executed; if another instance exists, malware is terminated. Else, if the check is clear, information gathering begins; malware queries for the following: 

• Current time
• Installed AVs
• OS version
• user name
• computer name

Next, the computer name, user name, OS version and string “1.01” are concatenated and the data is hashed. This value is later turned into its decimal ascii representation and used most likely as a unique identifier of the infected host.

Chrysalis’ first beacon typically includes:

• System details (hostname, OS, architecture)
• A unique identifier (GUID-based)
• A campaign/implant identifier
• Possibly other telemetry
  

This is packaged in an HTTP request to the C2 URL and All of this happens using Windows’ built-in HTTP stack, hence the traffic is encrypted using TLS which helps in hide content from network detection.

Conclusion

The discovery of the Chrysalis backdoor is a testament to the statement that the only true way to a secure environment is with continuous monitoring and detection. MMC Global helps organizations by providing MDR and 24/7 SOC (Security Operation Center) services to ensure that they’re protected in the ever-evolving landscape of cyber security.

Indicators of compromise (IoCs)

File indicators

Note: data may appear cut-off or hidden due to the string lengths in column 2. You can copy the full string by highlighting what is visible.

Network indicators

MITRE TTPs

*IOCs contributed by @AIexGP on X.

*IOCs taken from Rapid7’s blog “The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit”

Sources:

Rapid7’s Research: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

Notepad++ Press Release: https://notepad-plus-plus.org/news/hijacked-incident-info-update/

About The Author

Twaha Shah

I'm a CySA+ certified Security Engineer with over six years of experience in application security, vulnerability assessment, threat detection and AppSec. Also, one of the few specialists in Pakistan working extensively with Fortra’s security ecosystem, including Tripwire, Digital Guardian, Core Impact, Fortra Data Classifier, and Vulnerability Manager.