Lotus Blossom Chrysalis #3888

Open
MHaggis wants to merge 10 commits into develop from feature/lotus-blossom-chrysalis-2026-02-02

Conversation

@MHaggis (Contributor) commented Feb 3, 2026

Summary

This PR adds detection coverage for the Lotus Blossom (Billbug) APT group's Chrysalis backdoor campaign, which compromised Notepad++ hosting infrastructure from June-December 2025 to deliver custom malware via supply chain attack. The campaign targeted government, financial, and IT organizations across Southeast Asia, Central America, and Australia.

New Detections (3)

1. Windows Bitdefender Submission Wizard DLL Sideloading

  • File: detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
  • MITRE: T1574.002 (DLL Side-Loading)
  • Description: Detects abuse of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe) renamed to BluetoothService.exe for malicious DLL side-loading of log.dll from non-standard paths
  • Data Source: Sysmon EventID 7 (ImageLoad)

2. Windows BluetoothService Persistence

  • File: detections/endpoint/windows_bluetoothservice_persistence.yml
  • MITRE: T1543.003 (Windows Service)
  • Description: Detects creation of malicious "BluetoothService" Windows service from user-writable directories (AppData, Temp, ProgramData) mimicking legitimate Bluetooth service
  • Data Source: Windows System EventID 7045

3. Windows TinyCC Shellcode Execution

  • File: detections/endpoint/windows_tinycc_shellcode_execution.yml
  • MITRE: T1059.005 (Visual Basic), T1027 (Obfuscated Files or Information), T1036 (Masquerading)
  • Description: Detects abuse of Tiny-C-Compiler for shellcode execution, where tcc.exe is renamed to svchost.exe and executed with -nostdlib -run flags to compile and execute malicious C source files
  • Data Source: Sysmon EventID 1, Windows Security 4688

Tagged Existing Detections (3)

Added Lotus Blossom Chrysalis Backdoor analytic story tag to detections covering system information collection behavior observed across all three Kaspersky-identified infection chains:

  1. System Information Discovery Detection - Detects wmic qfe, systeminfo, hostname execution
  2. System User Discovery With Whoami - Detects whoami.exe execution
  3. Windows Wmic Systeminfo Discovery - Detects wmic computersystem queries

Analytic Story

Lotus Blossom Chrysalis Backdoor

Threat Intelligence Summary

Lotus Blossom (aka Billbug) is a Chinese state-sponsored APT group active since 2009 targeting:

  • Government organizations (Philippines)
  • Financial institutions (El Salvador)
  • IT service providers (Vietnam)
  • Telecom, aviation, and critical infrastructure sectors

Attack Timeline:

  • June 2025: Notepad++ hosting provider compromised
  • July-October 2025: Three distinct infection chains deployed
  • December 2025: Access terminated, Notepad++ 8.8.9 released with fixes

Infection Chains (per Kaspersky analysis):

  • Chain 1: ProShow vulnerability exploitation → Metasploit downloader → Cobalt Strike
  • Chain 2: Lua interpreter abuse → EnumWindowStationsW shellcode → Cobalt Strike
  • Chain 3: Bitdefender DLL side-loading → Chrysalis backdoor (covered by these detections)

Common TTPs Across All Chains:

  • NSIS installer payloads (update.exe)
  • System information collection: whoami, tasklist, systeminfo, netstat -ano
  • Exfiltration to temp.sh hosting service via curl
  • Secondary payloads: Cobalt Strike, Metasploit shellcode

Testing & Validation

  • ✅ All detections validated with contentctl validate
  • ✅ Atomic tests executed manually on Attack Range (Windows 2022 DC)
  • ✅ Detections validated in Splunk against real telemetry
  • ✅ Attack data exported to splunk/attack_data repo (separate PR)
  • ✅ SPL query patterns validated against MCP security-detections corpus

Attack Data Paths:

  • datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/ (BluetoothService)
  • datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/ (Bitdefender DLL)
  • datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/ (TinyCC)

Detection Coverage

| MITRE Technique | Coverage | Source |
| --- | --- | --- |
| T1574.002 - DLL Side-Loading | ✅ Net-new | This PR |
| T1543.003 - Windows Service | ✅ Net-new | This PR |
| T1059.005 - Visual Basic | ✅ Net-new | This PR |
| T1082 - System Information Discovery | ✅ Tagged existing | This PR |
| T1027 - Obfuscated Files | ✅ Net-new | This PR |
| T1036 - Masquerading | ✅ Net-new | This PR |
| Cobalt Strike / Metasploit | ✅ Existing stories | Cross-reference |

Cross-References

The analytic story narrative references existing ESCU coverage for commodity tools used by Lotus Blossom:

  • Cobalt Strike analytic story (secondary payload)
  • Compromised Windows Host analytic story (general compromise indicators)

Total Impact: 3 new detections, 3 tagged detections, 1 comprehensive analytic story covering sophisticated Chinese APT supply chain attack
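
The three net-new detections above, as an added example that is not the PR's own SPL: the same path and name logic applied to normalised Windows events in Python, with constructed sample telemetry. Event dicts, field names (EventCode, Image, ImageLoaded, ImagePath, ServiceName, CommandLine) and hostnames are assumptions for illustration.

```python
import re

# Added example (not the PR's own SPL): the three detections' path and name logic
# applied to normalised Windows events. Field names and events are assumptions.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")

def check_service_persistence(ev):
    """System EventID 7045: 'BluetoothService' installed from AppData/Temp/ProgramData."""
    return (ev.get("EventCode") == 7045
            and ev.get("ServiceName", "").lower() == "bluetoothservice"
            and USER_WRITABLE.search(ev.get("ImagePath", "")) is not None)

def check_dll_sideload(ev):
    """Sysmon EventID 7: BluetoothService.exe loading log.dll from a non-standard path."""
    image, loaded = ev.get("Image", "").lower(), ev.get("ImageLoaded", "").lower()
    return (ev.get("EventCode") == 7 and image.endswith("\\bluetoothservice.exe")
            and loaded.endswith("\\log.dll") and not loaded.startswith(TRUSTED_ROOTS))

def check_tinycc_exec(ev):
    """Sysmon 1 / Security 4688: 'svchost.exe' outside System32 with tcc's -nostdlib -run."""
    image, args = ev.get("Image", "").lower(), ev.get("CommandLine", "").lower().split()
    return (ev.get("EventCode") in (1, 4688) and image.endswith("\\svchost.exe")
            and not image.startswith("c:\\windows\\system32\\")
            and "-nostdlib" in args and "-run" in args)

CHECKS = {"bluetoothservice_persistence": check_service_persistence,
          "bitdefender_dll_sideloading": check_dll_sideload,
          "tinycc_shellcode_execution": check_tinycc_exec}

def triage(events):
    """Return (detection_name, host) for every event one of the checks fires on."""
    return [(name, ev["host"]) for ev in events
            for name, check in CHECKS.items() if check(ev)]

# Constructed sample telemetry: three events matching the campaign, two benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 7045, "ServiceName": "BluetoothService",
     "ImagePath": "C:\\Users\\alice\\AppData\\Roaming\\BluetoothService.exe"},
    {"host": "ws01", "EventCode": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\BluetoothService.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\log.dll"},
    {"host": "ws02", "EventCode": 4688, "Image": "C:\\ProgramData\\svchost.exe",
     "CommandLine": "svchost.exe -nostdlib -run C:\\ProgramData\\main.c"},
    {"host": "ws03", "EventCode": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"host": "ws03", "EventCode": 7045, "ServiceName": "BluetoothService",
     "ImagePath": "C:\\Program Files\\Vendor\\BluetoothService.exe"},
]
```

The two benign look-alikes (a System32 svchost.exe with ordinary service-host flags, and a BluetoothService installed under Program Files) show why each detection keys on the path as well as the name.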

@nasbench nasbench added this to the v5.22.0 milestone Feb 3, 2026
@patel-bhavin (Contributor) commented:

@MHaggis - looks like there are some testing failures: can you have a look?
