The notorious Chinese state-sponsored threat group Lotus Blossom has resurfaced with a dangerous new toolkit, compromising the infrastructure of a popular developer tool to spy on targets in Southeast Asia and Central America. In a new analysis, Rapid7 Labs and the Rapid7 MDR team detail how the group has evolved, deploying a custom backdoor dubbed “Chrysalis” and abusing an obscure Microsoft code protection framework to hide its tracks.
Active since 2009, Lotus Blossom (also known as Elise or Spring Dragon) is known for its relentless focus on “government, telecom, aviation, critical infrastructure, and media sectors”. This latest campaign marks a significant leap in sophistication for the group.
The attack chain began with a supply chain compromise targeting the infrastructure hosting Notepad++, a text editor used by millions of developers worldwide.
According to the report, “forensic evidence led us to uncover several custom loaders in the wild” that stemmed from this compromise. By hijacking the update mechanism or plugin environment of the legitimate software, the attackers were able to slip past initial defenses. “Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++,” the researchers state.
Once inside, the attackers deployed a previously undocumented implant named Chrysalis. This custom backdoor, designed specifically to evade modern detection systems, represents a shift away from the group’s older tools.
What makes this campaign unique, however, is how the malware was protected. The researchers discovered a loader, ConsoleApplication2.exe, that leveraged Microsoft Warbird—a complex code protection framework intended for intellectual property protection—to cloak the malicious shellcode.
“The discovery of the Chrysalis backdoor and the Warbird loader highlights an evolution in Lotus Blossom’s capabilities,” the report notes. By mixing this custom malware with commodity tools like Cobalt Strike and Metasploit, the group creates a noisy, confusing footprint that is harder for defenders to unravel.
Despite the new tools, the group left behind familiar fingerprints. Rapid7 attributed the campaign to Lotus Blossom with “moderate confidence” based on specific tradecraft overlaps with previous attacks documented by Symantec.
One key giveaway was the use of a “renamed ‘Bitdefender Submission Wizard’ to side-load ‘log.dll’ for decrypting and executing an additional payload”. This specific DLL side-loading technique is a hallmark of Lotus Blossom’s historic operations.
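The side-loading pattern described above (a signed vendor executable, renamed on disk, pulling an attacker-supplied DLL from its own folder) is one that defenders can hunt for in endpoint telemetry. The following Python is an added example written for this page, not code from the Rapid7 report or from the Lotus Blossom toolset. It assumes Sysmon-style image-load records reduced to a few fields (`Image`, `ImageLoaded`, `OriginalFileName` and `Signed`), and all sample paths, vendor names and the `VendorSubmitWizard.exe` original filename are constructed placeholders, not the real binary named in the report.

```python
import ntpath
from dataclasses import dataclass

# Directories from which Windows normally resolves DLLs; a DLL loaded from
# one of these beside its host is expected and is not flagged.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}


@dataclass
class ImageLoad:
    """One Sysmon Event ID 7 (ImageLoad) record, reduced to the fields used here.

    process_original_name is the OriginalFileName from the host process's own
    Event ID 1 record (its PE version resource), joined to the load event."""
    image: str                  # host process executable path
    image_loaded: str           # DLL path that was loaded
    process_original_name: str  # OriginalFileName of the host executable
    process_signed: bool        # host binary carries a valid signature
    dll_signed: bool            # loaded DLL carries a valid signature


def find_sideload_candidates(events):
    """Return the loads that look like DLL side-loading, with the reasons why."""
    findings = []
    for ev in events:
        exe_path = ev.image.lower()
        dll_path = ev.image_loaded.lower()
        exe_dir = ntpath.dirname(exe_path)
        dll_dir = ntpath.dirname(dll_path)
        # Side-loading needs the DLL to sit beside the host; loads from the
        # system directories are the normal case and are skipped outright.
        if exe_dir != dll_dir or dll_dir in SYSTEM_DIRS:
            continue
        reasons = []
        if ev.process_signed and not ev.dll_signed:
            reasons.append("signed host loaded an unsigned DLL from its own directory")
        on_disk = ntpath.basename(exe_path)
        if on_disk != ev.process_original_name.lower():
            reasons.append(
                f"host renamed on disk ({on_disk!r} vs OriginalFileName "
                f"{ev.process_original_name!r})"
            )
        if reasons:
            findings.append({"image": ev.image, "dll": ev.image_loaded, "reasons": reasons})
    return findings


# Constructed sample records (not taken from the report); names are placeholders.
SAMPLE_EVENTS = [
    # Ordinary Windows process loading a signed DLL from System32: ignored.
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll", "NOTEPAD.EXE", True, True),
    # Signed vendor tool, not renamed, loading its own signed helper: nothing to report.
    ImageLoad(r"C:\Program Files\VendorTool\vendortool.exe",
              r"C:\Program Files\VendorTool\helper.dll", "vendortool.exe", True, True),
    # Renamed signed host in a user-writable folder loading an unsigned log.dll beside it.
    ImageLoad(r"C:\Users\Public\svc\update.exe",
              r"C:\Users\Public\svc\log.dll", "VendorSubmitWizard.exe", True, False),
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit["image"], "->", hit["dll"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Both checks are independent on purpose: a renamed host with a signed DLL, or an unrenamed host with an unsigned DLL beside it, is still reported, and the reasons list tells the analyst which of the two conditions fired so the hit can be triaged against known-good vendor installers.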
“What stands out is the mix of tools… together with the rapid adaptation of public research (specifically the abuse of Microsoft Warbird),” the analysts conclude.
As Lotus Blossom integrates “undocumented system calls” and multi-layered loaders into its arsenal, the group is clearly moving toward “more resilient and stealth tradecraft” to maintain its foothold in strategic networks across the globe.