{
  "Event": {
    "analysis": "1",
    "date": "2026-02-03",
    "extends_uuid": "",
    "info": "The Chrysalis Backdoor: A Deep Dive into Lotus Blossom\u2019s toolkit",
    "publish_timestamp": "1770104495",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1770104329",
    "uuid": "390d27ed-5268-4eac-a3a3-768903fa5c1c",
    "Orgc": {
      "name": "CUDESO",
      "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"LOTUS PANDA\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic API Resolution - T1027.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1d3d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770103709",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2761d27b-30ca-40bc-a7cc-b8e00c85bb65",
        "value": "95.179.213.0"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770103709",
        "to_ids": true,
        "type": "hostname",
        "uuid": "0612789a-af97-4a05-bf51-889e74a0e917",
        "value": "api.skycloudcenter.com"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770103709",
        "to_ids": true,
        "type": "hostname",
        "uuid": "08bf24fb-7a9c-460f-856d-72a027885122",
        "value": "api.wiresguard.com"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770103709",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0d257bc9-0d54-4b80-8205-bd314bb4a65e",
        "value": "61.4.102.97"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770103709",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "573e5103-bbb0-4cd1-b208-f2ae874369eb",
        "value": "59.110.7.32"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770103709",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4d8df666-02d4-4265-96c0-717c5c51bbe7",
        "value": "124.222.137.114"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104100",
        "to_ids": false,
        "type": "filename",
        "uuid": "8c8dad29-7a1a-4313-aa6e-269c5dce2609",
        "value": "%ALLUSERSPROFILE%\\USOShared\\conf.c"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104095",
        "to_ids": false,
        "type": "filename",
        "uuid": "1c9639f4-b214-405e-b979-4d0136389cb2",
        "value": "%ALLUSERSPROFILE%\\USOShared\\svchost.exe-nostdlib -run"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104179",
        "to_ids": false,
        "type": "comment",
        "uuid": "2d7a88e1-9a6a-4239-80c0-ee06282294db",
        "value": "Retrieved shellcode is a Cobalt Strike (CS) HTTPS beacon with http-get URL api.wiresguard.com/update/v1 and http-post URL api.wiresguard.com/api/FileUpload/submit."
      },
      {
        "category": "Network activity",
        "comment": "CS beacon",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104280",
        "to_ids": true,
        "type": "url",
        "uuid": "692a12a5-6d1c-42cb-a472-a8d523ecf52f",
        "value": "http://59.110.7.32:8880/uffhxpSy"
      },
      {
        "category": "Network activity",
        "comment": "CS beacon",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104280",
        "to_ids": true,
        "type": "url",
        "uuid": "555b3f0d-6e16-42bc-9ec1-60924ba3f23a",
        "value": "http://59.110.7.32:8880/api/getBasicInfo/v1"
      },
      {
        "category": "Network activity",
        "comment": "CS beacon",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104280",
        "to_ids": true,
        "type": "url",
        "uuid": "f0816fe8-72fd-43e6-a029-f5dabd55fecf",
        "value": "http://59.110.7.32:8880/api/Metadata/submit"
      },
      {
        "category": "Network activity",
        "comment": "CS beacon",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104280",
        "to_ids": true,
        "type": "url",
        "uuid": "e355f62c-f79a-47f4-a4a8-0739e9d9b792",
        "value": "http://124.222.137.114:9999/3yZR31VK"
      },
      {
        "category": "Network activity",
        "comment": "CS beacon",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104280",
        "to_ids": true,
        "type": "url",
        "uuid": "0a718658-5f3f-4b73-96d1-1101089bc650",
        "value": "http://124.222.137.114:9999/api/updateStatus/v1"
      },
      {
        "category": "Network activity",
        "comment": "CS beacon",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104280",
        "to_ids": true,
        "type": "url",
        "uuid": "f5602798-b546-49a1-8e97-24b5da2bb424",
        "value": "http://124.222.137.114:9999/api/Info/submit"
      },
      {
        "category": "Network activity",
        "comment": "CS beacon",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104280",
        "to_ids": true,
        "type": "url",
        "uuid": "a4547336-6379-43b1-b618-7e6f97922d0c",
        "value": "https://api.wiresguard.com/users/system"
      },
      {
        "category": "Network activity",
        "comment": "CS beacon",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104280",
        "to_ids": true,
        "type": "url",
        "uuid": "54e85bfe-0723-46cf-a2a0-1658aff718cb",
        "value": "https://api.wiresguard.com/api/getInfo/v1"
      },
      {
        "category": "Network activity",
        "comment": "CS beacon",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104280",
        "to_ids": true,
        "type": "url",
        "uuid": "04d3e41e-3f3d-475f-8e49-a28aa6df4217",
        "value": "https://api.wiresguard.com/api/Info/submit"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104308",
        "to_ids": false,
        "type": "link",
        "uuid": "19ea22ea-e2cd-4b17-b83c-aa024095f171",
        "value": "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770104329",
        "to_ids": false,
        "type": "link",
        "uuid": "33decc6a-248f-4553-a8a9-64770055164f",
        "value": "https://notepad-plus-plus.org/news/hijacked-incident-info-update/"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103210",
        "uuid": "894c6e99-b70d-40d4-a77e-7ed2dd66afe4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770104132",
            "to_ids": false,
            "type": "filename",
            "uuid": "3571805e-31d3-4c60-bb84-65d4f3fa5eeb",
            "value": "update.exe"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103210",
            "to_ids": true,
            "type": "sha256",
            "uuid": "72276c5d-05b6-40f5-9479-350c16fd4155",
            "value": "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9"
          }
        ]
      },
      {
        "comment": "NSIS Installation script",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103947",
        "uuid": "7e485c4c-2224-4d82-91ab-71f621b3e295",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103227",
            "to_ids": true,
            "type": "sha256",
            "uuid": "83042c28-c66c-48c5-a375-c362d8adf840",
            "value": "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770104132",
            "to_ids": false,
            "type": "filename",
            "uuid": "8bcf5242-8781-4a82-a482-d6b607735471",
            "value": "[NSIS].nsi"
          }
        ]
      },
      {
        "comment": "renamed Bitdefender Submission Wizard used for DLL sideloading",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103967",
        "uuid": "ff1837e3-ee6f-4cd4-8aa8-b0f965c63804",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770104132",
            "to_ids": false,
            "type": "filename",
            "uuid": "9d0adc5b-a72b-4664-bc92-81e8c0edf539",
            "value": "BluetoothService.exe"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103261",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8aac88b5-210e-4ef2-9e3a-596dba3add35",
            "value": "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103310",
        "uuid": "5730645a-8006-4e00-936e-8c71f1f43744",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103296",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b1cb6c86-c32c-4e6b-8dd7-2a75e5465b2b",
            "value": "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770103310",
            "to_ids": false,
            "type": "filename",
            "uuid": "894d6422-111e-47bd-83c6-12cce0d15f02",
            "value": "BluetoothService"
          }
        ]
      },
      {
        "comment": "Malicious DLL sideloaded by BluetoothService.exe",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770104001",
        "uuid": "f2d8ab74-19c5-4029-a31b-c6c44e051f6d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770104132",
            "to_ids": false,
            "type": "filename",
            "uuid": "d587b55b-d00c-45c8-9b62-fd44c23474ca",
            "value": "log.dll"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103328",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8388ccc3-66f7-4c8c-ad6f-89fa6daa3baa",
            "value": "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103351",
        "uuid": "dad56fca-9f61-4127-95ac-63edb68bd170",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770104132",
            "to_ids": false,
            "type": "filename",
            "uuid": "0c5374b5-b59c-4e56-b1c6-f6bc6725cc54",
            "value": "u.bat"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103351",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c828a90b-1e5b-4de2-92cb-2c64e76529dc",
            "value": "9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103364",
        "uuid": "cdb3b604-894b-4b45-83ac-8945f5f4bf2c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770104132",
            "to_ids": false,
            "type": "filename",
            "uuid": "8e90f97e-f7ac-4fc3-b1a6-62c488e06e1f",
            "value": "conf.c"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103364",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a4cbc39e-011b-4e36-85eb-15966e5c2827",
            "value": "f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103377",
        "uuid": "e5738ead-a387-4a46-ac9b-a3e67930d7c4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770103377",
            "to_ids": true,
            "type": "filename",
            "uuid": "b48376c2-918f-402d-95cc-3fc6c6c8f430",
            "value": "libtcc.dll"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103377",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d884e684-0031-48cd-91ca-1ead758e4d0c",
            "value": "4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103400",
        "uuid": "68595dbf-0631-4bea-b12d-7d5512735361",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103389",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9b7e190e-5b91-462b-bd55-44c170deb639",
            "value": "831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770103400",
            "to_ids": false,
            "type": "filename",
            "uuid": "dddc3688-b978-41e1-b738-8547f912e253",
            "value": "admin"
          }
        ]
      },
      {
        "comment": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770104208",
        "uuid": "cae74c2d-928a-4c87-a30d-41aef5557eca",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103414",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a770ee34-ab48-4a50-a870-c9ce8f7fe450",
            "value": "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770103431",
            "to_ids": false,
            "type": "filename",
            "uuid": "cf27ef9d-b4a5-4bb5-9438-a2829cf1624f",
            "value": "loader1"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103594",
        "uuid": "d9f9ff6b-a517-4aa5-8f83-5105bd77d74d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103585",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b48a4a92-14f6-494a-a726-e4f5d2cf3eca",
            "value": "4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770103594",
            "to_ids": false,
            "type": "filename",
            "uuid": "050115aa-7acd-4e34-8a64-b20404831ca2",
            "value": "uffhxpSy"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103618",
        "uuid": "07818411-9297-45eb-a48b-ac10655565dc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103607",
            "to_ids": true,
            "type": "sha256",
            "uuid": "686d853e-a856-48a5-9ff4-60a1fca7e53f",
            "value": "e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770103618",
            "to_ids": false,
            "type": "filename",
            "uuid": "eb746454-6192-4511-909d-b30c1be85a40",
            "value": "loader2"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103640",
        "uuid": "7df439a4-4343-49e1-ae22-160774f85aa4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103629",
            "to_ids": true,
            "type": "sha256",
            "uuid": "14f984e4-fea3-49a2-903f-da2b51d73d31",
            "value": "078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770103640",
            "to_ids": false,
            "type": "filename",
            "uuid": "fe8ad949-5571-44a7-9177-308c9866a0bd",
            "value": "3yzr31vk"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103655",
        "uuid": "f7497e70-687e-462a-b534-03d22b526e53",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770104132",
            "to_ids": false,
            "type": "filename",
            "uuid": "4a5e982c-a62a-4968-8521-d0afb828e04a",
            "value": "ConsoleApplication2.exe"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103655",
            "to_ids": true,
            "type": "sha256",
            "uuid": "aef62bc0-5321-4c77-8152-c6302de8f66e",
            "value": "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103684",
        "uuid": "a78b6b83-80c9-4e02-a75d-67812134a8a7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103669",
            "to_ids": true,
            "type": "sha256",
            "uuid": "78be3b7a-fb30-475e-bb9a-54e2739065c3",
            "value": "7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770103684",
            "to_ids": false,
            "type": "filename",
            "uuid": "7fd02fe0-d814-456b-ad83-d0fb56cbaa8f",
            "value": "system"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1770103697",
        "uuid": "31b3a31d-9859-414b-adf8-fc63a16b6a78",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "filename",
            "timestamp": "1770104132",
            "to_ids": false,
            "type": "filename",
            "uuid": "1193327c-3d6b-4e5a-8d39-cdb0aa83d3e9",
            "value": "s047t5g.exe"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770103697",
            "to_ids": true,
            "type": "sha256",
            "uuid": "46564efe-055f-42d4-8105-9dd7b2e0c731",
            "value": "fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a"
          }
        ]
      }
    ],
    "EventReport": [
      {
        "uuid": "6708e715-88ec-4c0f-8b56-d0e5b4f912cb",
        "name": "Report from - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/ (1770102967)",
        "content": "# The Chrysalis Backdoor: A Deep Dive into Lotus Blossom\u2019s toolkit\r\n\r\nIvan Feigl | Feb 2, 2026 | Last updated on Feb 2, 2026\r\n\r\nRapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors.\r\n\r\nOur investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor that we have dubbed Chrysalis.\r\n\r\n\u2800\r\n\r\n  *Figure 1: Telemetry on the custom backdoor samples* \u2800\r\n\r\nBeyond the discovery of the new implant, forensic evidence led us to uncover several custom loaders in the wild. One sample, *\u201cConsoleApplication2.exe\u201d*, stands out for its use of Microsoft Warbird, a complex code protection framework, to hide shellcode execution. This blog provides a deep technical analysis of Chrysalis, the Warbird loader, and the broader tactic of mixing straightforward loaders with obscure, undocumented system calls.\r\n\r\n## Initial access vector\r\n\r\nForensic analysis conducted by the MDR team suggests that the initial access vector aligns with publicly disclosed abuse of the Notepad++ distribution infrastructure. While reporting references both plugin replacement and updater-related mechanisms, no definitive artifacts were identified to confirm exploitation of either. 
The only confirmed behavior is that execution of *\u201cnotepad++.exe\u201d* and subsequently *\u201cGUP.exe\u201d* preceded the execution of a suspicious process *\u201cupdate.exe\u201d* which was downloaded from 95.179.213.0.\r\n\r\n## Analysis of update.exe\r\n\r\n  *Figure 2: Execution diagram of update.exe* \u2800\r\n\r\nAnalysis of *\u201cupdate.exe\u201d* shows the file is actually an NSIS installer, a tool commonly used by Chinese APT to deliver initial payload.\r\n\r\nThe following are the extracted NSIS installer files:\r\n\r\n#### [NSIS].nsi\r\n\r\n\r\n* **Description:** NSIS Installation script\r\n* **SHA-256:** 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e\r\n\r\n#### BluetoothService.exe\r\n\r\n\r\n* **Description:** renamed Bitdefender Submission Wizard used for DLL sideloading\r\n\r\n\r\n* **SHA-256:** 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924\r\n\r\n#### BluetoothService\r\n\r\n\r\n* **Description:** Encrypted shellcode\r\n* **SHA-256:** 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e\r\n\r\n#### log.dll\r\n\r\n\r\n* **Description:** Malicious DLL sideloaded by BluetoothService.exe\r\n* **SHA-256:** 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad\r\n\r\n\u2800\r\n\r\nInstallation script is instructed to create a new directory *\u201cBluetooth\u201d*in *\u201c%AppData%\u201d*folder, copy the remaining files there, change the attribute of the directory to **HIDDEN**and execute *BluetoothService.exe**.*\r\n\r\n### DLL sideloading\r\n\r\nShortly after the execution of *BluetoothService.exe*,which is actually a renamed legitimate *Bitdefender Submission Wizard* abused for **DLL sideloading**, a malicious *log.dll* was placed alongside the executable, causing it to be loaded instead of the legitimate library. 
Two exported functions from *log.dll* are called by *Bitdefender Submission Wizard*: **LogInit**and **LogWrite**.\r\n\r\n### LogInit and LogWrite - Shellcode load, decrypt, execute\r\n\r\n**LogInit** loads *BluetoothService*into the memory of the running process.\r\n\r\n**LogWrite**has a more sophisticated goal \u2013 to decrypt and execute the shellcode.\r\n\r\nThe decryption routine implements a custom runtime decryption mechanism used to unpack encrypted data in memory. It derives key material from previously calculated hash value and applies a stream\u2011cipher\u2013like algorithm rather than standard cryptographic APIs. At a high level, the decryption routine relies on a linear congruential generator, with the standard constants **0x19660D** and **0x3C6EF35F**, combined with several basic data transformation steps to recover the plaintext payload.\r\n\r\nOnce decrypted, the payload replaces the original buffer and all temporary memory is released. Execution is then transferred to this newly decrypted stage, which is treated as executable code and invoked with a predefined set of arguments, including runtime context and resolved API information.\r\n\r\n  *Figure 3: LogWrite internals* ### IAT resolution\r\n\r\n**Log.dll**implements an API hashing subroutine to resolve required APIs during execution, reducing the likelihood of detection by antivirus and other security solutions.\r\n\r\n### API hashing subroutine\r\n\r\nThe hashing algorithm will hash export names using **FNV\u20111a**(fnv-1a hash 0x811C9DC5, fnv-1a prime 0x1000193 observed), then apply a **MurmurHash\u2011style avalanche finalizer**(murmur constant 0x85EBCA6B observed), and compare the result to a salted target hash.\r\n\r\n## Analysis of the Chrysalis backdoor\r\n\r\nThe shellcode, once decrypted by *log.dll**,* is a custom, feature-rich backdoor we've named \u201c*Chrysalis*\u201d. 
Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility. It uses legitimate binaries to sideload a crafted DLL with a generic name, which makes simple filename-based detection unreliable. It relies on custom API hashing in both the loader and the main module, each with its own resolution logic. This is paired with layered obfuscation and a fairly structured approach to C2 communication. Overall, the sample looks like something that has been actively developed over time, and we\u2019ll be keeping an eye on this family and any future variants that show up.\r\n\r\n### Decryption of the main module\r\n\r\nOnce the execution is passed to decrypted shellcode from *log.dll**,* malware starts with decryption of the main module via a simple combination of XOR, addition and subtraction operations, with a hardcoded key **gQ2JR&9;**. See below the pseudocode of decryption routine:\r\n\r\n\u2800\r\n\r\nchar XORKey[8] = \"gQ2JR&9;\"; DWORD counter = 0; DWORD pos = BufferPosition; while (counter < size) { BYTE k = XORKey[counter & 7]; BYTE x = encrypted[pos]; x = x + k; x = x ^ k; x = x - k; decrypted[pos] = x; pos++; counter++; }\u2800\r\n\r\nXOR operation is performed 5 times in total, suggesting a section layout similar to PE format. Following the decryption, malware will proceed to yet another dynamic IAT resolution using **LoadLibraryA**to acquire a handle to **Kernel32.dll** and **GetProcAddress**. Once exports are resolved, the jump is taken to the main module.\r\n\r\n### Main module\r\n\r\nThe decrypted module is a reflective **PE-like** module that executes the **MSVC CRT**initialization sequence before transferring control to the program\u2019s main entry point. 
Once in the Main function, the malware will dynamically load DLLs in the following order: **oleaut32.dll**, **advapi32.dll**, **shlwapi.dll**, **user32.dll**, **wininet.dll**,**ole32.dll** and **shell32.dll**.\r\n\r\nNames of targeted DLLs are constructed on the run, using two separate subroutines. These two subroutines implement a custom, position-dependent character obfuscation scheme. Each character is transformed using a combination of bit rotations, conditional XOR operations, and index-based arithmetic, ensuring that identical characters encrypt differently depending on their position. The second routine reverses this process at runtime, reconstructing the original plaintext string just before it is used. The purpose of these two functions is not only to conceal strings, but also to intentionally complicate static analysis and hinder signature-based detection.\r\n\r\nAfter the DLL name is reconstructed, the Main module implements another, more sophisticated API hashing routine.\r\n\r\n### API hashing subroutine\r\n\r\n  *Figure 4: API hashing diagram* \u2800\r\n\r\nThe first difference between this and the API hashing routine used by the loader is that this subroutine accepts only a single argument: the hash of the target API. To obtain the DLL handle, the malware walks the PEB to reach the **InMemoryOrderModuleList**, then parses each module\u2019s export table, skipping the main executable, until it resolves the desired API. Instead of relying on common hashing algorithms, the routine employs multi-stage arithmetic mixing with constants of **MurmurHash-style finalization**. API names are processed in 4-byte blocks using multiple rotation and multiplication steps, followed by a final diffusion phase before comparison with the supplied hash. This design significantly complicates static recovery of resolved APIs and reduces the effectiveness of traditional signature-based detection. 
As a fallback, the resolver supports direct resolution via **GetProcAddress** if the target hash is not found through the hashing method. The pointer to **GetProcAddress** is obtained earlier during the \u201cmain module preparation\u201d stage.\r\n\r\n\u2800\r\n\r\n  *Figure 5: API hashing internals*  ### Config decryption\r\n\r\nThe next step in the malware\u2019s execution is to decrypt the configuration. The encrypted configuration is stored in the *BluetoothService* file at offset 0x30808 with a size of 0x980. The decryption algorithm is **RC4** with the key **qwhvb^435h&*7**. This revealed the following information:\r\n\r\n\r\n* **Command and Control (C2) url**: **https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821**\r\n* **Name of the module**: **BluetoothService**\r\n* **User agent**: **Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36**\r\n\r\nThe URL structure of the C2 is interesting, especially the section /a/chat/s/{GUID}, which appears to be the identical format used by Deepseek API chat endpoints. It looks like the actor is mimicking this traffic to stay below the radar. \r\n\r\nThe decrypted configuration doesn\u2019t give much useful information besides the C2. The name of the module is too generic and the user agent belongs to the Google Chrome browser. The URL resolves to **61.4.102.97**, an IP address based in **Malaysia**. At the time of writing this blog, no other file has been seen to communicate with this IP and URL.\r\n\r\n#### Persistence and command-line arguments\r\n\r\nTo determine the next course of action, the malware checks the command-line arguments highlighted in Table 1 and chooses one of four potential paths. If the number of command-line arguments is greater than two, the process will exit. 
If there is no additional argument, persistence is set up primarily via service creation, or via the registry as a fallback mechanism.\r\n\r\nSee Table 2 below:\r\n\r\n**Argument**\r\n\r\n**Mode**\r\n\r\n**Action**\r\n\r\n**(None)**\r\n\r\nInstallation\r\n\r\nInstalls persistence (Service or Registry) pointing to binary with -i flag, then terminates.\r\n\r\n**-i**\r\n\r\nLauncher\r\n\r\nSpawns a new instance of itself with the -k flag via ShellExecuteA, then terminates.\r\n\r\n**-k**\r\n\r\nPayload\r\n\r\nSkips installation checks and executes the main malicious logic (C2 & Shellcode).\r\n\r\n\u2800\r\n\r\nWith the expected arguments present, the malware proceeds to its primary functionality - to gather information about the infected asset and initiate the communication with the C2.\r\n\r\n### Information gathering and C2 communication\r\n\r\nA mutex **Global\\\\Jdhfv\\_1.0.1** is registered to enforce single-instance execution on the host. If it already exists, the malware is terminated. If the check is clear, information gathering begins by querying for the following: current time, installed AVs, OS version, user name and computer name. Next, computer name, user name, OS version and the string **1.01** are concatenated and the data are hashed using **FNV-1A**. This value is later turned into its decimal ASCII representation and most likely used as a unique identifier of the infected host. \r\n\r\nThe final buffer uses a dot as a delimiter and follows this pattern: \r\n\r\n\u2800\r\n\r\n<UniqueID>.<ComputerName>.<UserName>.<OSVersion>.<127.0.0.1>.<AVs>.<DateAndTime>\u2800\r\n\r\nThe last piece of information, added to the beginning of the buffer, is the string **4Q**. The buffer is then **RC4** encrypted with the key **vAuig34%^325hGV**.\r\n\r\nFollowing data encryption, the malware establishes an internet connection using the previously mentioned user agent and the C2 **api.skycloudcenter.com** over port **443**. Data is then transferred via **HttpSendRequestA** using the **POST** method. 
Response from the server is then read to a temporary buffer which is later decrypted using the same key **vAuig34%^325hGV**.\r\n\r\n#### Response and command processing\r\n\r\n***Note:*** C2 server was already offline during the initial analysis, preventing recovery of any network data. As a result, and due to the complexity of the malware, parts of the following analysis may contain minor inaccuracies.\r\n\r\nThe response from the C2 undergoes multiple checks before further processing. First, the HTTP response code is compared against the hardcoded value **200**(0xC8),indicating a successful request, followed by a validation of the associated WinInet handle to ensure no error occurred. The malware then verifies the integrity of the received payload and execution proceeds only if at least one valid structure is detected. Next, malware looks into the response data for a small tag to determine what to do next. Tag is used as a condition for a switch statement with 16 possible cases. The default case will simply set up a flag to **TRUE**. Setting up this flag will result in completely jumping out of the switch. 
The other switch cases include the following options:\r\n\r\n\u2800\r\n\r\n**Char representation**\r\n\r\n**Hex representation**\r\n\r\n**Purpose**\r\n\r\n**4T**\r\n\r\n**0x3454**\r\n\r\nSpawn interactive shell\r\n\r\n**4U**\r\n\r\n**0x3455**\r\n\r\nSend \u2018OK\u2019 to C2\r\n\r\n**4V**\r\n\r\n**0x3456**\r\n\r\nCreate process\r\n\r\n**4W**\r\n\r\n**0x3457**\r\n\r\nWrite file to disk\r\n\r\n**4X**\r\n\r\n**0x3458**\r\n\r\nWrite chunk to open file\r\n\r\n**4Y**\r\n\r\n**0x3459**\r\n\r\nRead & send data\r\n\r\n**4Z**\r\n\r\n**0x345A**\r\n\r\nBreak from switch\r\n\r\n**4\\\\**\r\n\r\n**0x345C**\r\n\r\nUninstall / Clean up\r\n\r\n**4]**\r\n\r\n**0x345D**\r\n\r\nSleep\r\n\r\n**4\\_**\r\n\r\n**0x345F**\r\n\r\nGet info about logical drives\r\n\r\n**4`**\r\n\r\n**0x3460**\r\n\r\nEnumerate file information\r\n\r\n**4a**\r\n\r\n**0x3661**\r\n\r\nDelete file \r\n\r\n**4b**\r\n\r\n**0x3662**\r\n\r\nCreate directory\r\n\r\n**4c**\r\n\r\n**0x3463**\r\n\r\nGet file from C2\r\n\r\n**4d**\r\n\r\n**0x3464**\r\n\r\nSend file to C2\r\n\r\n\u2800\r\n\r\n**4T** - The malware implements a fully interactive **cmd.exe reverse shell** using redirected pipes. 
Incoming commands from the C2 are converted from **UTF\u20118** to the system **OEM** code page before being written to the shell\u2019s standard input, while a dedicated thread continuously reads shell output, converts it from OEM encoding to UTF\u20118 using the **GetOEMCP** API, and forwards the result back to the C2.\r\n\r\n**4V** - This option allows remote process execution by invoking **CreateProcessW** on a C2-supplied command line and relaying execution status back to the C2.\r\n\r\n**4W** - This option implements a remote file write capability, parsing a structured response containing a destination path and file contents, converting encodings as necessary, **writing the data to disk**, and **returning a formatted status message** to the command-and-control server.\r\n\r\n**4X** - Similar to the previous switch, it supports a remote file-write capability, allowing the C2 to drop arbitrary files on the victim system by supplying a **UTF-8 filename and associated data blob**.\r\n\r\n**4Y** - This switch implements a remote file-read capability. It opens the specified file, retrieves its size, reads the entire contents into memory, and **transmits the data back to the C2**. \r\n\r\n**4\\\\** - The option implements a full **self-removal mechanism**. It deletes auxiliary payload files, removes persistence artifacts from both the **Windows Service registry hive** and **the Run key**, generates and executes a temporary batch file **u.bat** to delete the running executable after termination, and finally removes the batch script itself. \r\n\r\n**4\\_** - Here the malware enumerates information about logical drives using the **GetLogicalDriveStringsA** and **GetDriveTypeA** APIs and sends the information back to the C2.\r\n\r\n**4`** - This switch option shares similarities with the previously analyzed data exfiltration function - **4Y**. However, its primary purpose differs. 
Instead of transmitting preexisting data, it **enumerates files** within a specified directory, **collects per-file metadata** (timestamps, size, and filename), serializes the results into a custom buffer format, and sends the aggregated listing to the C2.\r\n\r\n**4a - 4b - 4c - 4d**- In the last 4 cases, malware implements a custom file transfer protocol over its C2 channel. Commands **4a** and **4b** act as control messages used to initialize file **download**and **upload operations** respectively, including file paths, offsets, and size validation. Once initialized, the actual data transfer occurs in a chunked fashion using commands **4c (download)**and **4d (upload)****.** Each chunk is wrapped in a fixed-size 40-byte response structure, validated for successful HTTP status and correct structure count before processing. Transfers continue until the C2 signals completion via a non-zero termination flag, at which point file handles and buffers are released.\r\n\r\n### Additional artifacts discovered on the infected host\r\n\r\nDuring the initial forensics analysis of the affected asset, Rapid7\u2019s MDR team observed execution of following command:\r\n\r\n\u2800\r\n\r\nC:\\ProgramData\\USOShared\\svchost.exe-nostdlib -run C:\\ProgramData\\USOShared\\conf.c\u2800\r\n\r\nThe retrieved folder *\u201cUSOShared\u201d*from the infected asset didn\u2019t contain svchost.exe but it contained *\u201clibtcc.dll\u201d* and *\u201cconf.c\u201d*. The hash of the binary didn\u2019t match any known legitimate version but the command line arguments and associated *\u201clibtcc.dll\u201d* suggested that svchost.exe is in fact renamed Tiny-C-Compiler. 
To confirm this, we replicated the attacker\u2019s steps and successfully loaded **shellcode** from *\u201cconf.c\u201d* into the memory of *\u201ctcc.exe\u201d*, confirming our previous hypothesis.\r\n\r\n#### **Analysis of conf.c**\r\n\r\nThe C source file contains a fixed-size (836) char buffer containing shellcode bytes which is later cast to a function pointer and invoked. The shellcode is consistent with the 32-bit version of Metasploit\u2019s block API.\r\n\r\nThe shellcode loads **Wininet.dll** using **LoadLibraryA**, resolves Internet-related APIs such as **InternetConnectA** and **HttpSendRequestA**, and downloads a file from **api.wiresguard.com/users/admin**. The file is read into a newly allocated buffer, and execution is then transferred to the start of the 2000-byte second-stage shellcode. \r\n\r\n\u2800\r\n\r\n  *Figure 6: Shellcode decryption stub* \u2800\r\n\r\nThis stub is responsible for decrypting the next payload layer and transferring execution to it. It uses a **rolling XOR-based** decryption loop before jumping directly to the decrypted code.\r\n\r\nA quick look into the decrypted buffer revealed an interesting blob with a repeated string **CRAZY**, hinting at an additional XORed layer, later confirmed by a quick test.\r\n\r\n\u2800\r\n\r\n  *Figure 7: Repeated XOR key \u201cCRAZY\u201d* \u2800\r\n\r\n  *Figure 8: Decrypted configuration* \u2800\r\n\r\nParsing of the decrypted configuration data confirms that the retrieved shellcode is a **Cobalt Strike (CS) HTTPS beacon** with http-get **api.wiresguard.com/update/v1** and http-post **api.wiresguard.com/api/FileUpload/submit** URLs.\r\n\r\nAnalysis of the initial evidence revealed a consistent execution chain: a loader embedding **Metasploit block\\_api** shellcode that downloads a **Cobalt Strike beacon**. 
The unique decryption stub and configuration XOR key **CRAZY** allowed us to pivot into an external hunt, uncovering additional loader variants.\r\n\r\n\u2800\r\n\r\n  *Figure 9: Execution flow followed by conf.c and other loaders* #### Variation of loaders and shellcode\r\n\r\nIn the last year, four similar files were uploaded to public repositories.\r\n\r\n#### Loader 1:\r\n\r\n**SHA-256:** 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd\r\n\r\n**Shellcode SHA-256:** 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8\r\n\r\n**User Agent:** Mozilla/5.0 (Macintosh; Intel Mac OS X 10\\_15\\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36\r\n\r\n**URL hosting CS beacon:** http://59[.]110.7.32:8880/uffhxpSy\r\n\r\n**CS http-get URL:** http://59[.]110.7.32:8880/api/getBasicInfo/v1\r\n\r\n**CS http-post URL:** http://59[.]110.7.32:8880/api/Metadata/submit\r\n\r\n#### Loader 2:\r\n\r\n**SHA-256:** e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda\r\n\r\n**Shellcode SHA-256:** 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5\r\n\r\n**User Agent:** Mozilla/5.0 (Macintosh; Intel Mac OS X 10\\_15\\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36\r\n\r\n**URL hosting CS beacon:** http://124[.]222.137.114:9999/3yZR31VK\r\n\r\n**CS http-get URL:** http://124[.]222.137.114:9999/api/updateStatus/v1\r\n\r\n**CS http-post URL:** http://124[.]222.137.114:9999/api/Info/submit\r\n\r\n#### Loader 3:\r\n\r\n**SHA-256:** b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3\r\n\r\n**Shellcode SHA-256:** 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd\r\n\r\n**User Agent:** Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36\r\n\r\n**URL hosting CS beacon:** https://api[.]wiresguard[.]com/users/system\r\n\r\n**CS http-get URL:** 
https://api[.]wiresguard[.]com/api/getInfo/v1\r\n\r\n**CS http-post URL:** https://api[.]wiresguard[.]com/api/Info/submit\r\n\r\n#### Loader 4:\r\n\r\n**SHA-256:** fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a\r\n\r\n**Shellcode SHA-256:** 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd\r\n\r\n**User Agent:** Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36\r\n\r\n**URL hosting CS beacon:** https://api[.]wiresguard[.]com/users/system\r\n\r\n**CS http-get URL:** https://api[.]wiresguard[.]com/api/getInfo/v1\r\n\r\n**CS http-post URL:** https://api[.]wiresguard[.]com/api/Info/submit\r\n\r\n\u2800\r\n\r\nFrom all the loaders we analyzed, **Loader 3**piqued our interest for three reasons - shellcode **encryption** technique, **execution** ,and **almost identical C2**to beacon that was found on the infected asset. All the previous samples used a pretty common technique to execute the shellcode - decrypt embedded shellcode in user space, change the protection of memory region to executable state, and invoke decrypted code via **CreateThread**/ **CreateRemoteThread**; Loader 3 (original name *\u201cConsoleApplication2.exe\u201d*) violates this approach. \r\n\r\n#### Analysis of Loader 3 - ConsoleApplication2.exe\r\n\r\nAt the first glance, the logic of the sample is straightforward: Load the DLL **clipc.dll**, overwrite first 0x490 bytes, change the protection to **PAGE\\_EXECUTE\\_READ** (0x20), and then invoke **NtQuerySystemInformation****.** Two interesting notes to highlight here - bytes copied into the memory region of clipc.dll are not valid shellcode and **NtquerySystemInformation** is used to \u201cRetrieve the specified system information\u201d, not to execute code.\r\n\r\n\u2800\r\n\r\n  *Figure 10: Snippet from ConsoleApplication2.exe* \u2800\r\n\r\nLooking into the copied data reveals two \u201cmagic numbers\u201d **DEADBEEF**and **CAFEAFE**, but nothing else. 
However, the execution of shellcode is somehow successful, so what\u2019s going on?\r\n\r\n\u2800\r\n\r\n  *Figure 11: Data copied into clipc.dll* \u2800\r\n\r\nAccording to the official documentation, the first parameter of NtQuerySystemInformation is of type **SYSTEM\\_INFORMATION\\_CLASS**which specifies the category of system information to be queried. During static analysis in **IDA Pro**, this parameter was initially identified as **SystemExtendedProcessInformation|0x80**but looking for this value in MSDN and other public references didn\u2019t provide any explanation on how the execution was achieved. But, searching for the original value passed to the function **(0xB9)**uncovered something interesting. The following blog by DownWithUp covers Microsoft Warbird, which could be described as an internal code protection and obfuscation framework**.** These resources confirm IDA misinterpretation of the argument which should be **SystemCodeFlowTransition**, a necessary argument to invoke Warbird functionality. Additionally, DownWithUp\u2019s blog post mentioned the possible operations:\r\n\r\n\u2800\r\n\r\n  *Figure 12: Warbird operations documented by DownWithUp* \u2800\r\n\r\nReferring to the snippet we saw from *\u201cConsoleApplication2.exe\u201d*, the operation is equal to **WbHeapExecuteCall**which gives us the answer on how the shellcode gained execution. Thanks to work of other researchers, we also know that this technique only works if the code resides inside of memory of Microsoft signed binary, thus revealing why **clipc.dll**has been used.The blog post from **cirosec**also contains a link for their POC of this technique which is almost the same replica of *\u201cConsoleApplication2.exe\u201d*, hinting that author of *\u201cConsoleApplication2.exe\u201d* simply copied it and modified to execute **Metasploit block\\_api** shellcode instead of the benign calc from POC. 
The comparison of the Cobalt Strike beacon configuration delivered via *\u201cconf.c\u201d* and *\u201cConsoleApplication2.exe\u201d* revealed shared traits between these two, most notably **domain**, **public key**, and **process injection technique**.\r\n\r\n## Attribution\r\n\r\nAttribution is primarily based on strong similarities between the initial loader observed in this intrusion and previously published Symantec research, in particular the use of a renamed *\u201cBitdefender Submission Wizard\u201d* to side-load *\u201clog.dll\u201d* for decrypting and executing an additional payload.  \r\nIn addition, similarities between the execution chain of *\u201cconf.c\u201d* retrieved from the infected asset and the other loaders that we found, supported by the same **public key** extracted from CS beacons delivered through *\u201cconf.c\u201d* and *\u201cConsoleApplication2.exe\u201d*, suggest with moderate confidence that the threat actor behind this campaign is likely Lotus Blossom.\r\n\r\n## Conclusion\r\n\r\nThe discovery of the Chrysalis backdoor and the Warbird loader highlights an evolution in Billbug\u2019s capabilities. While the group continues to rely on proven techniques like DLL sideloading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealthy tradecraft.\r\n\r\nWhat stands out is the mix of tools: the deployment of custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike, together with the rapid adaptation of public research (specifically the abuse of Microsoft Warbird). 
This demonstrates that Billbug is actively updating their playbook to stay ahead of modern detection.\r\n\r\n## Rapid7 customers\r\n\r\n### Intelligence Hub\r\n\r\nCustomers using Rapid7\u2019s Intelligence Hub gain direct access to Chrysalis backdoor, Metasploit loaders and Cobalt Strike IOCs, including any future indicators as they are identified.\r\n\r\n## Indicators of compromise (IoCs)\r\n\r\n### File indicators\r\n\r\n***Note:*** *data may appear cut-off or hidden due to the string lengths in column 2. You can copy the full string by highlighting what is visible.*\r\n\r\nupdate.exe\r\n\r\na511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9\r\n\r\n[NSIS.nsi]\r\n\r\n8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e\r\n\r\nBluetoothService.exe\r\n\r\n2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924\r\n\r\nBluetoothService\r\n\r\n77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e\r\n\r\nlog.dll\r\n\r\n3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad\r\n\r\nu.bat\r\n\r\n9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600\r\n\r\nconf.c\r\n\r\nf4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a\r\n\r\nlibtcc.dll\r\n\r\n4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906\r\n\r\nadmin\r\n\r\n831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd\r\n\r\nloader1\r\n\r\n0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd\r\n\r\nuffhxpSy\r\n\r\n4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8\r\n\r\nloader2\r\n\r\ne7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda\r\n\r\n3yzr31vk\r\n\r\n078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5\r\n\r\nConsoleApplication2.exe\r\n\r\nb4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3\r\n\r\nsystem\r\n\r\n7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd\r\n\r\ns047t5g.exe\r\n\r\nfcc2765305bcd213b7558025b2039df2265c3e0b6401e4833
123c461df2de51a\r\n\r\n### Network indicators\r\n\r\n95.179.213.0\r\n\r\napi[.]skycloudcenter[.]com\r\n\r\napi[.]wiresguard[.]com\r\n\r\n61.4.102.97\r\n\r\n59.110.7.32\r\n\r\n124.222.137.114\r\n\r\n### MITRE TTPs\r\n\r\n**ATT&CK ID**\r\n\r\n**Name**\r\n\r\nT1204.002\r\n\r\nUser Execution: Malicious File\r\n\r\nT1036\r\n\r\nMasquerading\r\n\r\nT1027\r\n\r\nObfuscated Files or Information\r\n\r\nT1027.007\r\n\r\nObfuscated Files or Information: Dynamic API Resolution\r\n\r\nT1140\r\n\r\nDeobfuscate/Decode Files or Information\r\n\r\nT1574.002\r\n\r\nDLL Side-Loading\r\n\r\nT1106\r\n\r\nNative API\r\n\r\nT1055\r\n\r\nProcess Injection\r\n\r\nT1620\r\n\r\nReflective Code Loading\r\n\r\nT1059.003\r\n\r\nCommand and Scripting Interpreter: Windows Command Shell\r\n\r\nT1083\r\n\r\nFile and Directory Discovery\r\n\r\nT1005\r\n\r\nData from Local System\r\n\r\nT1105\r\n\r\nIngress Tool Transfer\r\n\r\nT1041\r\n\r\nExfiltration Over C2 Channel\r\n\r\nT1071.001\r\n\r\nApplication Layer Protocol: Web Protocols (HTTP/HTTPS)\r\n\r\nT1573\r\n\r\nEncrypted Channel\r\n\r\nT1547.001\r\n\r\nBoot or Logon Autostart Execution: Registry Run Keys\r\n\r\nT1543.003\r\n\r\nCreate or Modify System Process: Windows Service\r\n\r\nT1480.002\r\n\r\nExecution Guardrails: Mutual Exclusion\r\n\r\nT1070.004\r\n\r\nIndicator Removal on Host: File Deletion\r\n\r\n********IOCs contributed by* *@AIexGP* *on X.*\r\n\r\n\r\n\r\n$/$",
        "id": "92",
        "event_id": "479",
        "timestamp": "1770102993",
        "deleted": false
      }
    ]
  }
}