New research from Rapid7 Labs, in collaboration with the Rapid7 MDR team, has identified a cyber espionage campaign attributed to the Chinese APT (advanced persistent threat) group Lotus Blossom. The investigation traced the incident to a compromise of the infrastructure hosting Notepad++, which was then leveraged to deliver a previously undocumented custom backdoor dubbed Chrysalis. Active since at least 2009, the group has a long history of targeted operations against organizations in Southeast Asia and, more recently, Central America, with activity spanning the government, telecommunications, aviation, critical infrastructure, and media sectors.
“Forensic analysis conducted by the MDR team suggests that the initial access vector aligns with publicly disclosed abuse of the Notepad++ distribution infrastructure,” Ivan Feigl, security researcher at Rapid7, wrote in a company blog post last week. “While reporting references both plugin replacement and updater-related mechanisms, no definitive artifacts were identified to confirm exploitation of either. The only confirmed behavior is that execution of ‘notepad++[dot]exe’ and subsequently ‘GUP[dot]exe’ preceded the execution of a suspicious process ‘update[dot]exe’ which was downloaded from 95.179.213.0.”
Feigl found that analysis of ‘update[dot]exe’ shows the file is actually an NSIS (Nullsoft Scriptable Install System) installer, a packaging format commonly abused by Chinese APT groups to deliver an initial payload. “The decryption routine implements a custom runtime decryption mechanism used to unpack encrypted data in memory. It derives key material from previously calculated hash value and applies a stream‑cipher–like algorithm rather than standard cryptographic APIs.”
At a high level, he added that the decryption routine relies on a linear congruential generator with standard constants, combined with several basic data transformation steps, to recover the plaintext payload. “Once decrypted, the payload replaces the original buffer, and all temporary memory is released. Execution is then transferred to this newly decrypted stage, which is treated as executable code and invoked with a predefined set of arguments, including runtime context and resolved API information.”
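The following is an added illustration of the kind of routine described above; it is not Rapid7's code and not the sample's actual algorithm, whose constants, seed derivation and transformation steps the write-up does not publish. It assumes the MSVC rand() LCG constants (a=214013, c=2531011 mod 2^32) as the "standard constants", an FNV-1a hash of a tag as the "previously calculated hash value", bits 16..23 of each LCG state as the keystream byte, and a keystream XOR plus a position-dependent byte add as the extra transformation steps. The useful part for an analyst is the shape: once the constants and seed source are recovered from the unpacker, this is all that is needed to decrypt the next stage offline.

```python
# Added illustration, not Rapid7's code and not the sample's actual routine:
# a stream-cipher-like decryptor keyed by a linear congruential generator.
# Assumed (not from the article): MSVC rand() constants, FNV-1a seed, keystream
# byte = bits 16..23 of the state, XOR + position-dependent add as the extra steps.
MASK32 = 0xFFFFFFFF
LCG_A, LCG_C = 214013, 2531011  # assumed "standard constants"


def fnv1a32(data: bytes) -> int:
    """Stand-in for the 'previously calculated hash value' used as key material."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & MASK32
    return h


def lcg_keystream(seed: int, n: int):
    """Yield n keystream bytes from a 32-bit LCG started at seed."""
    state = seed & MASK32
    for _ in range(n):
        state = (LCG_A * state + LCG_C) & MASK32
        yield (state >> 16) & 0xFF


def transform(buf: bytes, seed: int, decrypt: bool) -> bytes:
    """Encrypt: XOR keystream byte, then add the index. Decrypt: undo in reverse order."""
    out = bytearray(len(buf))
    for i, (b, k) in enumerate(zip(buf, lcg_keystream(seed, len(buf)))):
        if decrypt:
            b = (b - (i & 0xFF)) & 0xFF
            b ^= k
        else:
            b ^= k
            b = (b + (i & 0xFF)) & 0xFF
        out[i] = b
    return bytes(out)


def encrypt_stage(plain: bytes, tag: bytes) -> bytes:
    return transform(plain, fnv1a32(tag), decrypt=False)


def decrypt_stage(blob: bytes, tag: bytes) -> bytes:
    return transform(blob, fnv1a32(tag), decrypt=True)


def looks_like_pe(buf: bytes) -> bool:
    """Cheap sanity check an analyst applies to a candidate decrypted stage."""
    return len(buf) >= 2 and buf[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample: a fake next stage that starts like a PE image.
    stage = b"MZ\x90\x00" + b"\x00" * 12 + b"next-stage"
    blob = encrypt_stage(stage, b"sample-tag")
    recovered = decrypt_stage(blob, b"sample-tag")
    print(looks_like_pe(recovered), recovered == stage)  # True True
```

Because the keystream depends only on the seed, a wrong seed guess shows up immediately as a decrypted buffer that fails the `MZ` check, which is a quick way to validate a recovered constant set against a real dump.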
“The shellcode, once decrypted by log[dot]dll, is a custom, feature-rich backdoor we’ve named ‘Chrysalis.’ Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility,” according to Feigl. “It uses legitimate binaries to sideload a crafted DLL with a generic name, which makes simple filename-based detection unreliable. It relies on custom API hashing in both the loader and the main module, each with its own resolution logic. This is paired with layered obfuscation and a fairly structured approach to C2 communication.”
Overall, he said the sample appears to have been actively developed over time, and the team will continue to monitor this malware family and any future variants.
After execution is transferred to decrypted shellcode from log[dot]dll, the malware begins by decrypting its main module using a hardcoded key and a simple sequence of XOR, addition, and subtraction operations. The XOR routine is applied five times, suggesting a section layout that mirrors the Portable Executable format. Once decryption is complete, the malware performs another round of dynamic import address table resolution to obtain a handle to Kernel32[dot]dll and GetProcAddress to resolve required exports, before transferring execution to the main module.
“Names of targeted DLLs are constructed on the run, using two separate subroutines. These two subroutines implement a custom, position-dependent character obfuscation scheme,” Feigl wrote. “Each character is transformed using a combination of bit rotations, conditional XOR operations, and index-based arithmetic, ensuring that identical characters encrypt differently depending on their position. The second routine reverses this process at runtime, reconstructing the original plaintext string just before it is used. The purpose of these two functions is not only to conceal strings, but also to intentionally complicate static analysis and hinder signature-based detection.”
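As an added illustration, not taken from the Rapid7 write-up and not the malware's actual scheme, the pair of routines below implements a position-dependent character obfuscator of the type Feigl describes (bit rotation, conditional XOR, index-based arithmetic) together with its inverse. The rotation amounts, the XOR key 0x5A and the index multiplier are assumptions chosen for the example. The point it demonstrates is why identical characters encode differently and why an analyst reimplements the inverse routine to bulk-decode the strings rather than searching for them.

```python
# Added illustration, not Rapid7's code or the malware's actual scheme.
# Rotation amount, XOR key and index multiplier are assumed for the example.
XOR_KEY = 0x5A  # assumed


def rol8(v: int, n: int) -> int:
    n &= 7
    return ((v << n) | (v >> (8 - n))) & 0xFF


def ror8(v: int, n: int) -> int:
    n &= 7
    return ((v >> n) | (v << (8 - n))) & 0xFF


def obfuscate(s: str) -> bytes:
    """Forward routine: each byte's transform depends on its index."""
    out = bytearray()
    for i, ch in enumerate(s.encode("ascii")):
        v = rol8(ch, (i % 7) + 1)   # rotation amount depends on position
        if i & 1:                    # conditional XOR on odd positions only
            v ^= XOR_KEY
        v = (v + 3 * i) & 0xFF       # index-based arithmetic
        out.append(v)
    return bytes(out)


def deobfuscate(blob: bytes) -> str:
    """Inverse routine: undo the steps in reverse order."""
    out = bytearray()
    for i, v in enumerate(blob):
        v = (v - 3 * i) & 0xFF
        if i & 1:
            v ^= XOR_KEY
        out.append(ror8(v, (i % 7) + 1))
    return out.decode("ascii")


def decode_table(blobs) -> list:
    """Bulk-decode blobs carved from a sample once the inverse is reimplemented."""
    return [deobfuscate(b) for b in blobs]


if __name__ == "__main__":
    name = "kernel32.dll"
    blob = obfuscate(name)
    # The three 'l' characters (indices 5, 10, 11) land on three different bytes.
    print([hex(blob[i]) for i in (5, 10, 11)], deobfuscate(blob))
```

Because every encoded byte depends on its index, a plain byte-pattern signature for "kernel32.dll" never matches the stored form; detection has to key on the decoding routine itself or on the reconstructed string at runtime.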
After the DLL name is reconstructed, the main module implements another, more sophisticated API hashing routine.
The malware uses a custom API hashing routine that takes only a target API hash and resolves functions by walking the PEB and parsing module export tables rather than relying on standard loaders. The routine applies multi-stage arithmetic mixing inspired by MurmurHash, processing API names in four-byte blocks with rotation, multiplication, and final diffusion steps, making static analysis and signature-based detection more difficult. If hashing fails, the malware falls back to resolving APIs directly through GetProcAddress, which is obtained earlier during execution.
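The block below is an added example of the resolution flow just described; it is not Rapid7's code and the exact constants and seed of the malware's hash are not given, so it uses standard MurmurHash3 (x86, 32-bit) as the "MurmurHash-inspired" function, walks a constructed stand-in for a parsed export directory instead of the real PEB, and falls back to a GetProcAddress-style name lookup when no hash matches. It also shows the reverse table an analyst builds from a list of Win32 export names to label the hash constants found in a sample.

```python
# Added illustration, not Rapid7's code. MurmurHash3 x86_32 stands in for the
# sample's own MurmurHash-inspired routine; FAKE_EXPORTS stands in for an
# export table parsed from a loaded module.
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def api_hash(name: str, seed: int = 0) -> int:
    """MurmurHash3 x86_32: 4-byte blocks with rotate/multiply mixing, tail, final diffusion."""
    data = name.encode("ascii")
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = struct.unpack_from("<I", data, 4 * i)[0]
        k = rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h = rotl32(h ^ k, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[4 * nblocks:]
    k = 0
    for j in range(len(tail) - 1, -1, -1):
        k ^= tail[j] << (8 * j)
    if tail:
        k = rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)              # fmix32: final diffusion steps
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


# Constructed stand-in for a parsed export directory: name -> address.
FAKE_EXPORTS = {
    "VirtualAlloc": 0x7FF800011000,
    "CreateFileW": 0x7FF800012000,
    "GetProcAddress": 0x7FF800013000,
}


def resolve_by_hash(exports: dict, target: int, seed: int = 0):
    """Walk the export names the way the loader walks the export name table."""
    for name, addr in exports.items():
        if api_hash(name, seed) == target:
            return addr
    return None


def resolve(exports: dict, target: int, name_hint: str = None, seed: int = 0):
    """Hash-based resolution first; GetProcAddress-style name lookup as the fallback."""
    addr = resolve_by_hash(exports, target, seed)
    if addr is None and name_hint is not None:
        addr = exports.get(name_hint)
    return addr


def build_hash_table(names, seed: int = 0) -> dict:
    """Reverse table hash -> name, used to label hash constants pulled from a sample."""
    return {api_hash(n, seed): n for n in names}


if __name__ == "__main__":
    table = build_hash_table(FAKE_EXPORTS)
    h = api_hash("VirtualAlloc")
    print(hex(h), table[h], hex(resolve(FAKE_EXPORTS, h)))
```

When reversing a real sample, the analyst swaps `api_hash` for a reimplementation of the routine lifted from the binary (constants, rotation amounts, seed) and runs `build_hash_table` over the export names of kernel32, ntdll, wininet and similar modules; any hash constant in the sample that is not in the table points at a seed or algorithm detail that was recovered incorrectly.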
The malware next decrypts its configuration using RC4, revealing limited but notable details. The configuration contains a single command-and-control endpoint hosted at api.skycloudcenter.com, with a URL structure that mimics DeepSeek-style chat API endpoints, likely to blend malicious traffic into legitimate-looking activity. The module name is generic, and the user agent impersonates a standard Chrome browser, offering little additional insight. The C2 domain resolves to an IP address in Malaysia, and at the time of analysis, no other malware samples were observed communicating with this infrastructure.
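The following is an added config-extraction example, not Rapid7's tooling: an RC4 implementation plus a parser for a constructed configuration blob. The article gives only the decrypted contents (a single C2 host, a generic module name, a Chrome-like user agent), so the NUL-separated field layout, the key and the user-agent string used here are assumptions for the example.

```python
# Added illustration, not Rapid7's code. Field layout, key and user agent are assumed.
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation; encrypt and decrypt are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config(plain: bytes) -> dict:
    """Assumed layout: NUL-separated C2 host, module name, user agent."""
    fields = plain.split(b"\x00")
    if len(fields) < 3:
        raise ValueError("unexpected config layout (wrong key or different sample?)")
    return {
        "c2_host": fields[0].decode("ascii"),
        "module": fields[1].decode("ascii"),
        "user_agent": fields[2].decode("ascii"),
    }


def extract_config(key: bytes, blob: bytes) -> dict:
    return parse_config(rc4(key, blob))


# Constructed sample: a plaintext config encrypted under an example key.
SAMPLE_KEY = b"example-key"
SAMPLE_CONFIG = (
    b"api.skycloudcenter.com\x00"
    b"module\x00"
    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\x00"
)
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    print(extract_config(SAMPLE_KEY, SAMPLE_BLOB))
```

Since RC4 has no integrity check, a wrong key does not fail loudly: the parser raises only because the expected separators are missing, which is why a real extractor should additionally check that the decoded host looks like a domain and the user agent like a browser string before trusting the result.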
“To determine the next course of action, malware checks command-line arguments and chooses one of four potential paths,” according to Feigl. “If the amount of the command-line arguments is greater than two, the process will exit. If there is no additional argument, persistence is set up primarily via service creation or registry as a fall back mechanism.”
He added that, with the expected arguments present, the malware proceeds to its primary functionality, gathering information about the infected asset and initiating communication with C2.
The malware performs several validation steps on C2 responses before acting on them, including checking the HTTP status code, validating the WinInet handle, and verifying payload integrity. If a valid structure is found, it inspects a small tag within the response to determine execution flow using a switch statement with 16 possible cases, while the default case sets a flag that exits processing.
In conclusion, Feigl wrote that the discovery of the Chrysalis backdoor and the Warbird loader underscores a clear evolution in Lotus Blossom’s capabilities. While the group continues to lean on established techniques such as DLL sideloading and service-based persistence, the use of a multi-layered shellcode loader and undocumented system calls, including NtQuerySystemInformation, signals a shift toward more resilient and stealthier tradecraft.
Equally notable is the blended tooling approach, combining custom malware like Chrysalis with widely available frameworks such as Metasploit and Cobalt Strike, alongside the rapid operationalization of public research, particularly the abuse of Microsoft Warbird. Together, these elements suggest Lotus Blossom is actively refining its playbook to stay ahead of modern detection efforts.
Last March, Cisco Talos researchers disclosed multiple cyber espionage campaigns affecting various sectors, including government, manufacturing, telecommunications, and media, that delivered Sagerunex and other hacking tools for post-compromise activity. Talos confidently attributes these campaigns to Lotus Blossom, also known as Spring Dragon, Billbug, or Thrip, which has been conducting cyber espionage operations since at least 2012 and remains active today.
