Notepad++ as a Malware Delivery Platform: Detection and Defense Against Chrysalis

Summary:

The China-aligned APT group Lotus Blossom (also known as Billbug) has been identified with moderate confidence as responsible for a sophisticated supply-chain compromise involving Notepad++. The operation involved unauthorized access to update-related infrastructure to distribute a previously undocumented backdoor, designated Chrysalis. The campaign primarily targets government, telecommunications, aviation, and critical infrastructure organizations in Southeast Asia and Central America, establishing long-term, covert access through the abuse of trusted binaries, DLL side-loading, and extensive obfuscation techniques. Notably, the threat actors evaded conventional endpoint defenses by leveraging encrypted HTTPS command-and-control traffic masquerading as legitimate API endpoints and, in some variants, abusing Microsoft Warbird to execute shellcode in kernel context. This activity highlights the growing risk associated with trusted software misuse and underscores the need for enhanced supply-chain monitoring, behavioral detection, and zero-trust assumptions around widely deployed development tools.

Technical Description:

The attack chain begins with the execution of a malicious update.exe delivered following legitimate Notepad++ and GUP updater activity. The payload is packaged as an NSIS-based installer that creates a hidden directory under %AppData%\Bluetooth and stages additional components. To facilitate DLL sideloading, the installer deploys a renamed, legitimate Bitdefender Submission Wizard binary (BluetoothService.exe), which is forced to load a malicious log.dll. This DLL employs dynamic API hashing and custom encryption routines to decrypt and execute the Chrysalis backdoor in memory.

In more advanced variants, Chrysalis leverages a secondary loader that abuses Microsoft Warbird in combination with the undocumented NtQuerySystemInformation call (SystemCodeFlowTransition) to execute shellcode in kernel context, bypassing user-mode security controls. The backdoor establishes encrypted HTTPS command-and-control communication with infrastructure designed to resemble legitimate API endpoints and supports interactive command execution, file and process manipulation, persistence mechanisms, and self-removal capabilities. The attack chain and its components are detailed in the sections below.

Delivery and Infection Chain:

The campaign abuses a compromised Notepad++ update-related delivery path, in which a malicious update.exe is retrieved from attacker-controlled infrastructure following the legitimate execution of notepad++.exe and GUP.exe. The payload is presented as an NSIS installer, a technique frequently leveraged by Chinese APT groups to blend into normal software installation workflows and reduce user suspicion during execution. The infection chain was identified as follows:

  • A malicious update.exe is downloaded from attacker-controlled infrastructure following legitimate execution of notepad++.exe and GUP.exe, masquerading as a routine update process.
  • The executable runs as an NSIS installer, creating a hidden directory under %AppData%\Bluetooth and dropping multiple payload components.
  • A renamed legitimate Bitdefender Submission Wizard binary (BluetoothService.exe) is executed to trigger DLL side-loading of a malicious log.dll.
  • The malicious DLL decrypts and executes the Chrysalis backdoor in memory using custom encryption and dynamic API resolution.
  • In advanced variants, a secondary loader abuses Microsoft Warbird via NtQuerySystemInformation (SystemCodeFlowTransition) to execute encrypted shellcode in kernel context, establishing stealthy and persistent access.
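The chain above leaves a recognisable sequence in endpoint telemetry: an updater process spawning update.exe, execution from a hidden %AppData%\Bluetooth directory, and BluetoothService.exe loading log.dll. The following Python is an added example for hunting that sequence in a Sysmon-style export (Event ID 1 process creation, Event ID 7 image load); it is not code from the advisory or its source. The Event schema, the hostname WS-01 and the file paths in the sample events are constructed for illustration and need mapping onto your own EDR or Sysmon field names.

```python
"""Behavioral hunt for the Chrysalis delivery chain in Sysmon-style telemetry.

Added example, not code from the advisory or its source. The event schema and the
sample events are constructed; adapt the field mapping to your EDR or Sysmon export.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Indicators named in the advisory.
UPDATER_PARENTS = {"notepad++.exe", "gup.exe"}
DROPPER = "update.exe"
SIDELOAD_HOST = "bluetoothservice.exe"
SIDELOAD_DLL = "log.dll"
# %AppData% expands to <profile>\AppData\Roaming; the installer creates a hidden
# "Bluetooth" directory beneath it and stages every component there.
STAGING_MARKER = "\\appdata\\roaming\\bluetooth\\"


@dataclass(frozen=True)
class Event:
    host: str
    kind: str                 # "ProcessCreate" or "ImageLoad" (constructed schema)
    image: str                # image path of the process
    parent_image: str = ""    # ProcessCreate only: image path of the parent
    loaded: str = ""          # ImageLoad only: path of the DLL being loaded


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_staging_dir(path: str) -> bool:
    return STAGING_MARKER in path.lower()


def _finding(ev: Event, rule: str, evidence: str) -> dict:
    return {"host": ev.host, "rule": rule, "evidence": evidence}


def hunt(events: Iterable[Event]) -> list[dict]:
    """Return one finding per matching event, in event order."""
    findings: list[dict] = []
    for ev in events:
        image = _basename(ev.image)
        if ev.kind == "ProcessCreate":
            # GUP.exe legitimately launches the downloaded installer, so this hit
            # alone is a lead: confirm the download origin and the file hash.
            if image == DROPPER and _basename(ev.parent_image) in UPDATER_PARENTS:
                findings.append(_finding(ev, "updater-spawned update.exe",
                                         f"{ev.parent_image} -> {ev.image}"))
            # Nothing legitimate should execute out of the hidden staging directory.
            if _in_staging_dir(ev.image):
                findings.append(_finding(ev, "execution from hidden %AppData%\\Bluetooth directory",
                                         ev.image))
        elif ev.kind == "ImageLoad":
            # The renamed Bitdefender binary pulling log.dll is the side-load itself.
            if image == SIDELOAD_HOST and _basename(ev.loaded) == SIDELOAD_DLL:
                findings.append(_finding(ev, "BluetoothService.exe side-loading log.dll",
                                         f"{ev.image} loaded {ev.loaded}"))
    return findings


# Constructed sample telemetry: one benign updater start, the three-stage chain,
# and a benign process loading a DLL that merely shares the name log.dll.
SAMPLE_EVENTS = [
    Event("WS-01", "ProcessCreate", r"C:\Program Files\Notepad++\updater\GUP.exe",
          parent_image=r"C:\Program Files\Notepad++\notepad++.exe"),
    Event("WS-01", "ProcessCreate", r"C:\Users\alice\AppData\Local\Temp\update.exe",
          parent_image=r"C:\Program Files\Notepad++\updater\GUP.exe"),
    Event("WS-01", "ProcessCreate", r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
          parent_image=r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    Event("WS-01", "ImageLoad", r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
          loaded=r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll"),
    Event("WS-01", "ImageLoad", r"C:\Windows\System32\svchost.exe",
          loaded=r"C:\Windows\System32\log.dll"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['rule']}: {f['evidence']}")
```

Run against the constructed events, the hunt reports three findings (the updater-spawned update.exe, execution from the staging directory, and the side-load) and ignores both the benign GUP.exe start and the svchost.exe load, because the side-load rule keys on the host process and the DLL together rather than on the DLL name alone.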

Technical Capabilities:

Chrysalis is a feature-rich espionage backdoor engineered for long-term persistence and stealth rather than opportunistic compromise. To avoid reliance on standard cryptographic APIs, it implements bespoke encryption based on a linear congruential generator to decode payloads. Static analysis and signature-based detection are further hindered through the use of hashed API resolution. Command-and-control communications are conducted over HTTPS, with URL patterns intentionally crafted to resemble legitimate API endpoints, allowing the malware to blend into normal network traffic. Supported functionality includes interactive command execution, file and directory enumeration, read/write/delete operations, remote process execution, payload staging, and configurable self-removal to eliminate artifacts during cleanup.

Beyond the primary backdoor, the campaign incorporates advanced loader components designed to bypass modern endpoint defenses. Certain variants exploit the undocumented NtQuerySystemInformation (SystemCodeFlowTransition) class in conjunction with Microsoft Warbird to decode and execute shellcode in kernel context, significantly reducing visibility to EDR and antivirus solutions by avoiding user-mode hooks. When combined with DLL side-loading and the use of trusted, signed binaries, these techniques reflect a mature tradecraft focused on minimizing detection while maintaining deep and persistent system access.

Attribution and Evolution:

Based on overlapping tradecraft, including the misuse of Bitdefender binaries for DLL side-loading, reuse of cryptographic material associated with earlier Cobalt Strike deployments, and consistent tooling patterns observed in prior operations, the activity is attributed to Lotus Blossom (Billbug) with moderate confidence. Compared to earlier campaigns centered on user-mode execution, the adoption of Microsoft Warbird represents a notable escalation in capability, indicating a shift toward more advanced evasion techniques and defense bypass strategies.

Active Campaign and Geographic Spread:

The active campaign primarily targets government, telecommunications, aviation, and critical infrastructure organizations in Southeast Asia and Central America. Observed command-and-control infrastructure resolves to IP addresses across multiple geographic regions, including Malaysia, suggesting a distributed operational footprint. The targeted nature of victim selection and infrastructure design indicates a focused espionage campaign rather than indiscriminate or opportunistic compromise.

Conclusion:

This Notepad++-related supply-chain compromise demonstrates a significant evolution in Lotus Blossom’s operational maturity, combining kernel-level execution, covert loaders, and the abuse of trusted software to bypass contemporary security controls. To mitigate similar supply-chain threats, organizations should prioritize behavioral and memory-based detections, strengthen update and binary validation processes, and reassess trust assumptions associated with widely used developer tools.

Impact:

Successful exploitation enables persistent, covert access to compromised environments, facilitating credential theft, internal reconnaissance, data exfiltration, and lateral movement. The use of kernel-level execution techniques substantially reduces visibility for security teams, increasing the likelihood of long-term undetected compromise. Additionally, the abuse of trusted applications such as Notepad++ increases execution success within enterprise environments and amplifies overall risk.

IOC and Context Details:

Topic                      Details
Tactic Name                Initial Access, Execution, Persistence, Defense Evasion, Command and Control, Exfiltration
Technique Name             Supply-Chain Compromise, DLL Side-Loading, Process Injection, Encrypted Command and Control
Sub-Technique Name         User-Executed Malicious Update, Abuse of Trusted Signed Binaries, Dynamic API Resolution, Native Windows API Abuse
Attack Type                Malware
Targeted Applications      Notepad++, Windows Native APIs
Region Impacted            Southeast Asia, Central America
Industry Impacted          Government, Telecommunications, Aviation, Critical Infrastructure
CVE                        NA

Indicators of Compromise (IOCs)

SHA-256 Hashes:
a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e
2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600
f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a
4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906
831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd
0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd
4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8
e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda
078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5
b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3
7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd
fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a

Domains:
api.skycloudcenter.com
api.wiresguard.com

IP Addresses:
95.179.213.0
61.4.102.97
59.110.7.32
124.222.137.114

Recommended Actions:

  • Immediately verify the integrity of all Notepad++ installations and associated update mechanisms to ensure they originate from trusted sources.
  • Scan affected and at-risk endpoints using advanced EDR or antivirus solutions to identify indicators such as update.exe, log.dll, and BluetoothService.exe.
  • Block and monitor network communications to suspicious domains and IP addresses associated with the campaign.
  • Implement application whitelisting and restrict execution of unsigned or unexpected binaries within sensitive environments.
  • Enable and monitor detailed logging for anomalous DLL loading, process injection, or shell execution indicative of Chrysalis activity.
  • Educate users on the risks of executing unexpected software updates, particularly for open-source applications, and enforce least privilege access controls.
  • Maintain regular backups of critical data and routinely test restoration procedures to reduce operational impact in the event of compromise.
  • Conduct a comprehensive review of supply-chain security for third-party software and consider additional validation mechanisms for software updates.
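The second and third actions above (sweeping endpoints for the dropped files and monitoring traffic to the listed infrastructure) reduce to matching the advisory's IOCs against file hashes and network logs. The following Python is an added example of that sweep, not code from the advisory or its source. The hash, domain and IP values are the ones listed in the IOC section; the log lines and file contents it processes are constructed samples, and the assumption that any text log (DNS, proxy, firewall) can be matched token by token is the example's own.

```python
"""Sweep file hashes and network logs against the Chrysalis indicators.

Added example, not code from the advisory or its source. Indicator values come
from the advisory's IOC section; the sample log lines and file contents below are
constructed, and token-based matching of arbitrary text logs is an assumption.
"""
import hashlib
import re
from pathlib import Path
from typing import Iterable

IOC_SHA256 = {
    "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9",
    "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e",
    "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
    "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e",
    "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad",
    "9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600",
    "f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a",
    "4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906",
    "831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd",
    "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd",
    "4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8",
    "e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda",
    "078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5",
    "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3",
    "7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd",
    "fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a",
}
IOC_DOMAINS = {"api.skycloudcenter.com", "api.wiresguard.com"}
IOC_IPS = {"95.179.213.0", "61.4.102.97", "59.110.7.32", "124.222.137.114"}

# Hostnames and dotted quads as they appear in logs; ':' and '/' end a token, so
# "host:443" and URL paths split cleanly.
_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def hash_is_ioc(sha256_hex: str) -> bool:
    return sha256_hex.strip().lower() in IOC_SHA256


def sweep_bytes(blobs: dict[str, bytes]) -> list[tuple[str, str]]:
    """Hash in-memory contents (name -> bytes); return (name, digest) for each match."""
    hits = []
    for name, data in blobs.items():
        digest = hashlib.sha256(data).hexdigest()
        if hash_is_ioc(digest):
            hits.append((name, digest))
    return hits


def sweep_files(paths: Iterable[Path]) -> list[tuple[str, str]]:
    """Same check for files on disk, hashed in 1 MiB chunks."""
    hits = []
    for p in paths:
        h = hashlib.sha256()
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        if hash_is_ioc(h.hexdigest()):
            hits.append((str(p), h.hexdigest()))
    return hits


def _domain_matches(token: str) -> bool:
    # Exact listed host or a subdomain of it; a trailing dot (DNS logs) is ignored.
    t = token.lower().rstrip(".")
    return t in IOC_DOMAINS or any(t.endswith("." + d) for d in IOC_DOMAINS)


def scan_log(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, indicator_type, indicator) for every IOC seen in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in _TOKEN.findall(line):
            if _domain_matches(tok):
                hits.append((n, "domain", tok.lower().rstrip(".")))
            elif tok in IOC_IPS:
                hits.append((n, "ip", tok))
    return hits


# Constructed sample: DNS, proxy and firewall lines, including a near-miss IP.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z dns query ws-01 api.skycloudcenter.com. A",
    "2024-01-01T10:00:02Z proxy ws-01 CONNECT https://api.wiresguard.com/v1/status 200",
    "2024-01-01T10:00:03Z fw allow 10.0.0.5:49211 -> 95.179.213.0:443",
    "2024-01-01T10:00:04Z fw allow 10.0.0.5:49212 -> 95.179.213.10:443",
    "2024-01-01T10:00:05Z dns query ws-01 update.microsoft.com. A",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("log line %d: %s %s" % hit)
    print(sweep_bytes({"constructed.bin": b"not a real sample"}))
```

On the constructed log, the scan flags lines 1 to 3 and leaves the near-miss 95.179.213.10 and the Microsoft lookup alone, since IPs are compared as whole tokens rather than as prefixes. The hash sweep matches exact SHA-256 values only, so it catches the listed droppers and DLLs but not recompiled or repacked variants; pair it with the behavioral hunt for the side-loading chain rather than relying on it by itself.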

Reference:

https://cybersecuritynews.com/notepad-hack/