Chinese APT Lotus Blossom Delivers Chrysalis Backdoor

Rapid7 Labs and its MDR team disclosed a sophisticated campaign by Chinese APT Lotus Blossom that compromised the Notepad++ distribution infrastructure and delivered a previously undocumented backdoor, Chrysalis. The report details NSIS installer-based delivery, DLL sideloading, custom loaders including a Warbird-protected sample, and custom API-hashing and obfuscation techniques. The findings highlight targeted espionage against government, telecom, and critical infrastructure sectors and include actionable IOCs.
Key Points
- 1Identifies Chrysalis backdoor delivered via compromised Notepad++ installer and NSIS payloads
- 2Reveals Lotus Blossom's persistent espionage toolkit using custom loaders, Warbird obfuscation, and API hashing
- 3Advises defenders to monitor installer chains, DLL sideloading, and anomalous API hashing or reflective PE execution
Scoring Rationale
Strong, novel forensic findings from Rapid7 provide actionable detection guidance, limited by low relevance to core AI/ML practitioners.
Sources
Public references used for this report.
Practice with real Ad Tech data
90 SQL & Python problems · 15 industry datasets
250 free problems · No credit card
See all Ad Tech problems

