The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit #1849

Open

carlospolop wants to merge 1 commit into master from
update_The_Chrysalis_Backdoor__A_Deep_Dive_into_Lotus_Blo_20260202_184718


Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit
  • Blog Title: The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
  • Suggested Section: Windows Hardening -> Windows Local Privilege Escalation (or Generic Hacking) -> Dll Hijacking / DLL Sideloading; Reversing / Malware Analysis -> Import evasion (API hashing, PEB walk) and staged loaders; add a note/subsection about abusing NSIS installers as droppers and using Tiny C Compiler (tcc.exe -nostdlib -run) as an execution/loader technique

🎯 Content Summary

Post: Rapid7 (Rapid7 Labs + MDR) details a Lotus Blossom (Chinese APT; active since 2009) intrusion in which infrastructure associated with Notepad++ distribution was compromised to deliver a previously undocumented Windows backdoor they named Chrysalis (blog date: Feb 2, 2026).

1) Initial access / delivery (what is known)
Public reporting about Notepad++ infrastructure abuse mentioned plugin replacement and updater-related mechanisms...

🔧 Technical Details

Supply-chain-style execution via trusted updater chain: If attackers can tamper with a legitimate product’s distribution/update infrastructure, they can cause a normal process chain (e.g., notepad++.exe launching its updater GUP.exe) to execute an attacker-supplied update.exe, making initial execution blend with expected software-update behavior.

NSIS used as a dropper framework: Packaging payload components inside an NSIS installer allows a scriptable “install” flow that creates staging directories (e.g., %AppData%\Bluetooth), sets them HIDDEN, drops multiple files (host EXE + malicious DLL + encrypted blob), and launches the next stage while looking like routine installer activity.

DLL sideloading with required exports as an execution primitive: Selecting a legitimate EXE that loads a predictable DLL name from its working directory (here, log.dll) enables attackers to pla...

🤖 Agent Actions

Updated the Windows DLL Hijacking page with a new Chrysalis case study covering the NSIS dropper, Bitdefender Submission Wizard sideload, custom LCG decryptor, dual API hashing (FNV-1a + Murmur finalizer and PEB-walking resolver), RC4 config/C2 handling, command tags, persistence modes, and the observed TCC compile-and-run loader. Added Rapid7 blog to references.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
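As an added defender-side example (not part of this PR, the HackTricks page, or the Rapid7 post), the following Python triage routine flags the process chain and loader artifacts summarised above in constructed process-creation/image-load records; the sample paths and file names such as host.exe and the Temp directory are assumed placeholders, not indicators from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events modelled on the chain described in the PR:
# notepad++.exe -> GUP.exe -> update.exe, an NSIS-dropped host EXE sideloading
# log.dll from %AppData%\Bluetooth, and tcc.exe -nostdlib -run. File names such
# as host.exe and the Temp path are assumed placeholders, not real indicators.
SAMPLE_EVENTS: List[Dict] = [
    {"parent": r"C:\Program Files\Notepad++\notepad++.exe",
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe", "cmdline": "GUP.exe", "loaded": []},
    {"parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\update.exe", "cmdline": "update.exe", "loaded": []},
    {"parent": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "image": r"C:\Users\u\AppData\Roaming\Bluetooth\host.exe", "cmdline": "host.exe",
     "loaded": [r"C:\Users\u\AppData\Roaming\Bluetooth\log.dll"]},
    {"parent": r"C:\Users\u\AppData\Roaming\Bluetooth\host.exe",
     "image": r"C:\Users\u\AppData\Roaming\Bluetooth\tcc.exe",
     "cmdline": "tcc.exe -nostdlib -run stage.c", "loaded": []},
    # Benign control: log.dll resolved from System32, not a user-writable path.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "loaded": [r"C:\Windows\System32\log.dll"]},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TRUSTED_INSTALL = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every record matching a Chrysalis-style pattern."""
    hits = []
    for i, ev in enumerate(events):
        image, parent = ev["image"], ev["parent"]
        # 1. The trusted updater launching a child from outside its install directory.
        if basename(parent) == "gup.exe" and not TRUSTED_INSTALL.match(image):
            hits.append((i, "updater spawned child outside install directory"))
        # 2. log.dll resolved from a user-writable path (the sideload primitive).
        for dll in ev.get("loaded", []):
            if basename(dll) == "log.dll" and USER_WRITABLE.search(dll):
                hits.append((i, "log.dll loaded from user-writable path"))
        # 3. Tiny C Compiler invoked as an in-memory compile-and-run loader.
        argv = ev["cmdline"].lower().split()
        if basename(image) == "tcc.exe" and "-nostdlib" in argv and "-run" in argv:
            hits.append((i, "tcc.exe -nostdlib -run loader"))
        # 4. Execution from the hidden staging directory the NSIS dropper creates.
        if re.search(r"\\AppData\\Roaming\\Bluetooth\\", image, re.IGNORECASE):
            hits.append((i, "execution from %AppData%\\Bluetooth staging dir"))
    return hits
```

Feed it real Sysmon event ID 1/7 records mapped to the same keys; the benign System32 control shows why the DLL rule keys on a user-writable path rather than the file name alone.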

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (or Generic Hacking) -> Dll Hijacking / DLL Sideloading; Reversing / Malware Analysis -> Import evasion (API hashing, PEB walk) and staged loaders; add a note/subsection about abusing NSIS installers as droppers and using Tiny C Compiler (tcc.exe -nostdlib -run) as an execution/loader technique".

Repository Maintenance:

  • MD Files Formatting: 944 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
