Rapid7 identifies custom malware: Cybersecurity firm Rapid7 also published a detailed technical analysis corroborating Ho’s disclosure and identifying the attack as part of a broader campaign deploying previously undocumented malware. Rapid7’s investigation uncovered a custom backdoor the firm dubbed “Chrysalis,” alongside Cobalt Strike and Metasploit frameworks. “Forensic analysis conducted by the MDR team suggests that the initial access vector aligns with publicly disclosed abuse of the Notepad++ distribution infrastructure,” Rapid7 researcher Ivan Feigl wrote. The Chrysalis backdoor supports 16 distinct commands, ranging from interactive shell access to complete self-removal. One loader variant abused Microsoft Warbird, an internal Microsoft code-protection framework, to execute shellcode while masquerading as a legitimate Microsoft-signed binary. Rapid7 attributed the campaign to Lotus Blossom, also known as Billbug, a Chinese APT group active since 2009 and known for espionage operations against government, telecommunications, and critical infrastructure targets across Southeast Asia and Central America. The attribution rests on strong similarities to previously published Symantec research, particularly the use of a renamed Bitdefender executable to side-load malicious DLLs.
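The side-loading tradecraft Rapid7 matched against Symantec’s research (a legitimately signed vendor binary copied under a new name, with a malicious DLL planted beside it) leaves a simple artifact: the executable’s on-disk name no longer matches the OriginalFilename in its version resource. The following hunt is an added example written for this page, not code from the CSO article, Rapid7 or Symantec. It assumes PowerShell on the Windows host being examined; the Bitdefender detail comes from the article, but the check is vendor-agnostic.

```powershell
# Added example (not from the CSO article, Rapid7 or Symantec): flag executables whose
# on-disk name differs from the OriginalFilename in their version resource, then list
# DLLs beside them that are not signed by the same publisher. The renamed-Bitdefender
# detail comes from the article; the logic itself is vendor-agnostic.
function Find-RenamedSignedBinaries {
    param(
        # Directory tree to hunt in (assumption: user-writable trees such as
        # ProgramData and AppData are where side-loading hosts tend to be dropped).
        [Parameter(Mandatory)][string]$Path
    )

    Get-ChildItem -Path $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $exe  = $_
        $orig = $exe.VersionInfo.OriginalFilename
        if ([string]::IsNullOrWhiteSpace($orig)) { return }     # no version info to compare

        # OriginalFilename sometimes omits the extension, so compare base names only.
        $origBase = [IO.Path]::GetFileNameWithoutExtension($orig.Trim())
        if ($origBase -ieq $exe.BaseName) { return }            # name matches: not renamed

        $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
        if ($sig.Status -ne 'Valid') { return }                 # only trusted-looking hosts matter here
        $signer = $sig.SignerCertificate.Subject

        # A valid signature on the host says nothing about the DLLs it will load from
        # its own directory; anything not signed by the same publisher is a candidate.
        $suspectDlls = Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File |
          Where-Object {
            $d = Get-AuthenticodeSignature -FilePath $_.FullName
            $d.Status -ne 'Valid' -or $d.SignerCertificate.Subject -ne $signer
          } | Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Path             = $exe.FullName
            OriginalFilename = $orig
            Signer           = $signer
            SuspectDlls      = ($suspectDlls -join ', ')
        }
      }
}

# Usage: review every hit by hand; legitimate renamed copies exist, but a renamed
# security-vendor binary next to an unsigned DLL deserves a closer look.
Find-RenamedSignedBinaries -Path $env:ProgramData | Format-Table -AutoSize
```

The hunt deliberately keeps only hosts whose own signature is valid: an attacker chooses a signed binary precisely so that the process looks trustworthy, and the unsigned (or differently signed) DLL next to it is the part worth triaging.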
Why detection proved difficult: The malware evaded detection for months largely because a compromised utility blends into normal developer behavior, making it hard to single out. “Most EDR programs are blind by design to ‘expected’ developer behavior,” the Forrester analysts wrote. “A compromised utility does not need exploits, LOLBins, or exotic malware. It just needs to look boring, like something a dev would do.” Ho noted that his incident response team was unable to extract concrete indicators of compromise despite analyzing roughly 400 GB of server logs. In an edit posted Sunday, Ho acknowledged Rapid7’s more detailed findings. “Last evening I received an email from Ivan Feigl (Rapid7) to share their excellent investigation story, it seems to be the same story, and obviously, they have more tangible information (including IoCs) than I do,” he wrote. Rapid7 identified network infrastructure, including IP addresses in Malaysia and China, along with command-and-control URLs, including api.skycloudcenter.com and api.wiresguard.com.
Security enhancements and broader implications: In response, Notepad++ has migrated to a new hosting provider and enhanced WinGup (the updater component) in version 8.8.9 to verify both the certificate and the signature of downloaded installers, Ho said. Certificate and signature verification will be enforced starting with version 8.9.2, expected within approximately one month. “I deeply apologize to all users affected by this hijacking,” Ho wrote. “I recommend downloading v8.9.1 and running the installer to update your Notepad++ manually.” For enterprise security teams, the incident underscores the need for comprehensive software inventories that include widely used utilities, cryptographic verification of all updates, and what Forrester described as a “shift from implicit trust to continuous verification.” The Forrester analysts also warned that AI agents could amplify similar risks. “The same supply chain blind spots that let a compromised tool blend into developer noise will let a compromised agent establish persistence and elevate privileges at scale,” they wrote. Organizations that cannot strictly define what should execute and communicate are “structurally conceding this class of attack.”
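Until the updater enforces its own checks, the manual update Ho recommends is only as safe as the verification the user performs on the downloaded file. The script below is an added example for this page, not Notepad++’s WinGup code, showing what “verify certificate and signature” should mean in practice: a valid Authenticode chain, the expected signer identity, and the published hash, all three together. It assumes PowerShell on Windows; the signer pattern `Notepad\+\+` is an assumption about the certificate Subject and should be confirmed against a known-good installer, and the installer file name and SHA-256 are placeholders for what the project’s release page publishes.

```powershell
# Added example (not Notepad++'s WinGup code): check a downloaded installer before running it,
# with the signer identity and the published hash pinned rather than accepting any valid
# signature. ExpectedSha256 is copied from the project's release page; the default signer
# pattern is an assumption about the certificate Subject and must be confirmed first.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string]$ExpectedSignerPattern = 'Notepad\+\+'   # assumption, see lead-in
    )
    $problems = @()

    # 1. Authenticode chain: an untrusted root, a tampered file or no signature fails here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status '$($sig.Status)': $($sig.StatusMessage)"
    }

    # 2. Identity: a valid chain only proves that *some* code-signing certificate signed
    #    the file, so the Subject has to be checked as well.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($subject -notmatch $ExpectedSignerPattern) {
        $problems += "signer subject '$subject' does not match /$ExpectedSignerPattern/"
    }

    # 3. Content: pin the published hash so a re-signed or substituted build still fails.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ine $ExpectedSha256) {
        $problems += "SHA-256 $hash does not match expected $ExpectedSha256"
    }

    [pscustomobject]@{
        Path     = $Path
        Trusted  = ($problems.Count -eq 0)
        Signer   = $subject
        Sha256   = $hash
        Problems = $problems
    }
}

# Usage (file name and hash are placeholders for what the release page publishes):
$r = Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\npp.8.9.1.Installer.x64.exe" `
                         -ExpectedSha256 '<sha256 from the release page>'
if (-not $r.Trusted) {
    $r.Problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "OK to run: $($r.Path), signed by $($r.Signer)"
}
```

The hash check is what protects against the failure mode this incident illustrates: if distribution infrastructure is hijacked, an attacker who also controls a code-signing certificate can produce a file whose signature is perfectly valid, and only a hash obtained through a separate channel (the release page, not the download mirror) catches the substitution.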
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4126269/notepad-infrastructure-hijacked-by-chinese-apt-in-sophisticated-supply-chain-attack.html