The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit
Adversary: WHITE LOTUS PANDA. Author: AlienVault. Created: 2026-02-03. Modified: 2026-03-05.
Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.
MITRE ATT&CK & Malware Families
Malware families: Chrysalis, Cobalt Strike (S0154), Metasploit
Indicators of Compromise (41)