Warbird

Warbird is a loader associated with the Chinese espionage actor Lotus Blossom (also known as Lotus Panda and Billbug). Public reporting referenced in the provided content states Lotus Blossom is suspected of deploying the Chrysalis backdoor together with the Warbird loader in a Notepad++ supply-chain compromise. The available content ties Warbird to Windows-focused activity and specifically to a clipc.dll shellcode-loading technique. Detection content includes a YARA rule named "APT_LotusBlossom_Chrysalis_Loader_Warbird" designed to identify payload bytes in the first 0x490 bytes of clipc.dll memory mappings, including markers "EF BE AD DE" and "FE AF FE CA" within offsets 0..1167, and a query that scans VAD mappings for clipc.dll with execute/read protection. The artifact context indicates Warbird-related hunting is intended to scope IOCs from the publicly disclosed Notepad++ compromise. High-confidence related infrastructure and network indicators in the same Chrysalis/Notepad++ detection package include domains api.skycloudcenter.com, api.wiresguard.com, self-dns.it.com, cdncheck.it.com, and safe-dns.it.com; IPs 95.179.213.0, 59.110.7.32, 124.222.137.114, 45.76.155.202, 45.32.144.255, and 45.77.31.210; ports :8880 and :9999; and URI paths such as /update/v1, /api/update/v1, /api/FileUpload/submit, /api/getInfo/v1, /api/getBasicInfo/v1, /api/Metadata/submit, /api/Info/submit, /api/updateStatus/v1, /resolve, /dns-query, /a/chat/s/, /uffhxpSy, /3yZR31VK, and /list. The content does not provide further confirmed details on Warbird’s standalone infection vector, persistence, or payload functionality beyond its role as a loader in the Lotus Blossom/Chrysalis intrusion set.