{
  "type": "URL",
  "indicator": "https://api.wiresguard.com/api/Info/submit",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://api.wiresguard.com/api/Info/submit",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4193576197,
      "indicator": "https://api.wiresguard.com/api/Info/submit",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "6981aff0acbb318f992ed03e",
          "name": "The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit",
          "description": "Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.",
          "modified": "2026-03-05T08:00:11.198000",
          "created": "2026-02-03T08:21:04.364000",
          "tags": [
            "obfuscation",
            "apt",
            "cobalt strike",
            "backdoor",
            "metasploit",
            "chrysalis",
            "notepad++",
            "warbird",
            "china"
          ],
          "references": [
            "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
          ],
          "public": 1,
          "adversary": "LOTUS PANDA",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chrysalis",
              "display_name": "Chrysalis",
              "target": null
            },
            {
              "id": "Cobalt Strike - S0154",
              "display_name": "Cobalt Strike - S0154",
              "target": null
            },
            {
              "id": "Metasploit",
              "display_name": "Metasploit",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Government",
            "Telecommunications",
            "Defense",
            "Energy",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 48,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 16,
            "URL": 15,
            "hostname": 2
          },
          "indicator_count": 41,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386770,
          "modified_text": "88 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f63d946065f1fbb8652e38",
          "name": "ddc6d79c6fade3e3b252f80de290b6c8",
          "description": "",
          "modified": "2026-06-01T18:16:56.382000",
          "created": "2026-05-02T18:08:20.212000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 117,
            "FileHash-SHA1": 1,
            "domain": 37,
            "hostname": 43,
            "FileHash-MD5": 1
          },
          "indicator_count": 199,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "3 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f2dba1fd63a1fcf632318f",
          "name": "Lotus Blossum",
          "description": "d3bf06f3c6b8cf115f386f853939819f22bb0b9c412ac3696c143ea3440e5bc3 - 04.29.26 - Bitdefender Renamed Submission Wizard & Lotus Blossum\n\nLOTUS PANDA  (Malpedia)\naka: ATK1, BRONZE ELGIN, Billbug, DRAGONFISH, G0030, Lotus BLossom, Lotus Blossom, Red Salamander, ST Group, Spring Dragon\n\nLotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.",
          "modified": "2026-05-30T04:04:00.214000",
          "created": "2026-04-30T04:33:32.234000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/graph/embed/g3b6db1f2b1d74e569bcf8eadfa2dd64f7fc608cc250c4910b1ab9dc0eb4d5b32?theme=dark",
            "https://www.virustotal.com/gui/collection/2de6ecd25ac73148e5c495ed2d6b16f1f205a1ab0281f4f7ba4be722c315f8fe/iocs",
            "https://www.virustotal.com/gui/collection/2de6ecd25ac73148e5c495ed2d6b16f1f205a1ab0281f4f7ba4be722c315f8fe/summary",
            "https://malpedia.caad.fkie.fraunhofer.de/actor/lotus_panda",
            "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Healthcare",
            "Education",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "UCP_GoA23",
            "id": "382539",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 35,
            "FileHash-SHA1": 35,
            "FileHash-SHA256": 174,
            "URL": 19,
            "domain": 14,
            "hostname": 101,
            "CVE": 2
          },
          "indicator_count": 380,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 19,
          "modified_text": "2 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698c4f02712e4743d0aa2263",
          "name": "EbeeFeb2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-13T09:35:12.591000",
          "created": "2026-02-11T09:42:26.929000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "redacted"
          ],
          "references": [
            "IOCs.csv"
          ],
          "public": 1,
          "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 159,
            "FileHash-SHA1": 186,
            "FileHash-SHA256": 256,
            "CVE": 4,
            "URL": 49,
            "domain": 98,
            "hostname": 46
          },
          "indicator_count": 798,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "80 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6983154d527ea2bf3aac3649",
          "name": "The Chrysalis Backdoor: A Deep Dive into Lotus Blossom\u2019s toolkit",
          "description": "Chinese hackers used a previously undocumented custom backdoor to deliver shellcode to victims of a targeted espionage campaign, according to Rapid7 Labs and the Rapid7 MDR team, who have uncovered a new type of malicious implant.",
          "modified": "2026-03-06T09:01:33.409000",
          "created": "2026-02-04T09:45:49.482000",
          "tags": [
            "cybersecurity company",
            "managed detection and response",
            "exposure management",
            "managed security solutions",
            "vulnerability management",
            "exposure assessment platform",
            "chrysalis",
            "khtml",
            "gecko",
            "rapid7",
            "cobalt strike",
            "wizard",
            "apis",
            "cs beacon",
            "lotus blossom",
            "getprocaddress",
            "win64",
            "metasploit",
            "crazy",
            "loader",
            "nsis",
            "config",
            "service",
            "shellcode",
            "execution",
            "february",
            "chinese"
          ],
          "references": [
            "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chinese",
              "display_name": "Chinese",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Chrysalis",
              "display_name": "Chrysalis",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Government",
            "Telecom",
            "Aviation",
            "Critical Infrastructure",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 14,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 16,
            "URL": 15,
            "hostname": 2
          },
          "indicator_count": 61,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "87 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6982cbe3f96a38f7a82972eb",
          "name": "The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit",
          "description": "",
          "modified": "2026-03-05T08:00:11.198000",
          "created": "2026-02-04T04:32:35.682000",
          "tags": [
            "obfuscation",
            "apt",
            "cobalt strike",
            "backdoor",
            "metasploit",
            "chrysalis",
            "notepad++",
            "warbird",
            "china"
          ],
          "references": [
            "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
          ],
          "public": 1,
          "adversary": "Lotus Blossom",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chrysalis",
              "display_name": "Chrysalis",
              "target": null
            },
            {
              "id": "Cobalt Strike - S0154",
              "display_name": "Cobalt Strike - S0154",
              "target": null
            },
            {
              "id": "Metasploit",
              "display_name": "Metasploit",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Government",
            "Telecommunications",
            "Defense",
            "Energy",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": "6981aff0acbb318f992ed03e",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 16,
            "URL": 15,
            "hostname": 2
          },
          "indicator_count": 41,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 283,
          "modified_text": "88 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6981a8333217797069c607ec",
          "name": "The Chrysalis Backdoor: A Deep Dive into Lotus Blossoms toolkit",
          "description": "The sophisticated cyber threat campaign attributed to the Chinese APT group Lotus Blossom has been identified, with the newly discovered Chrysalis backdoor being a central component. Lotus Blossom, which has operated since 2009, traditionally targets sectors such as government, telecom, and critical infrastructure across Southeast Asia and Central America. The first point of entry is often achieved through a disguised NSIS installer named \"update.exe,\" which serves as a vector for the initial payload.\n\nUpon execution of BluetoothService.exe—essentially a repurposed legitimate application—the malicious library log.dll is side-loaded, leading to two critical functions, LogInit and LogWrite. These functions decrypt and execute shellcode, marking the initialization of the Chrysalis backdoor. The malware employs a tailored hashing algorithm for API resolution, combining FNV1a and a MurmurHash-style finalization step, complicating detection.",
          "modified": "2026-03-05T07:03:49.922000",
          "created": "2026-02-03T07:48:03.958000",
          "tags": [
            "khtml",
            "gecko",
            "cobalt strike",
            "chrysalis",
            "wizard",
            "apis",
            "cs beacon",
            "getprocaddress",
            "windows nt",
            "win64",
            "metasploit",
            "crazy",
            "loader",
            "nsis",
            "config",
            "service",
            "shellcode",
            "execution",
            "chinese",
            "network",
            "mitre ttps",
            "ck id",
            "user execution",
            "file t1036",
            "dynamic api",
            "dll sideloading",
            "api t1055",
            "code loading"
          ],
          "references": [
            "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
          ],
          "public": 1,
          "adversary": "Lotus Blossom",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1480.001",
              "name": "Environmental Keying",
              "display_name": "T1480.001 - Environmental Keying"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            }
          ],
          "industries": [
            "Government",
            "Telecom",
            "Aviation",
            "Critical Infrastructure",
            "Media"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 16,
            "URL": 14,
            "hostname": 2
          },
          "indicator_count": 40,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "88 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/2de6ecd25ac73148e5c495ed2d6b16f1f205a1ab0281f4f7ba4be722c315f8fe/summary",
        "https://www.virustotal.com/gui/collection/2de6ecd25ac73148e5c495ed2d6b16f1f205a1ab0281f4f7ba4be722c315f8fe/iocs",
        "https://www.virustotal.com/graph/embed/g3b6db1f2b1d74e569bcf8eadfa2dd64f7fc608cc250c4910b1ab9dc0eb4d5b32?theme=dark",
        "https://malpedia.caad.fkie.fraunhofer.de/actor/lotus_panda",
        "IOCs.csv",
        "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "LOTUS PANDA"
          ],
          "malware_families": [
            "Metasploit",
            "Cobalt strike - s0154",
            "Chrysalis"
          ],
          "industries": [
            "Telecommunications",
            "Media",
            "Energy",
            "Government",
            "Defense"
          ],
          "unique_indicators": 44
        },
        "other": {
          "adversary": [
            "Lotus Blossom",
            "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer"
          ],
          "malware_families": [
            "Cobalt strike - s0154",
            "Chinese",
            "Cobalt strike",
            "Metasploit",
            "Chrysalis"
          ],
          "industries": [
            "Telecommunications",
            "Technology",
            "Media",
            "Energy",
            "Government",
            "Healthcare",
            "Education",
            "Aviation",
            "Telecom",
            "Defense",
            "Critical infrastructure"
          ],
          "unique_indicators": 1423
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/wiresguard.com",
    "whois": "http://whois.domaintools.com/wiresguard.com",
    "domain": "wiresguard.com",
    "hostname": "api.wiresguard.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "6981aff0acbb318f992ed03e",
      "name": "The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit",
      "description": "Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.",
      "modified": "2026-03-05T08:00:11.198000",
      "created": "2026-02-03T08:21:04.364000",
      "tags": [
        "obfuscation",
        "apt",
        "cobalt strike",
        "backdoor",
        "metasploit",
        "chrysalis",
        "notepad++",
        "warbird",
        "china"
      ],
      "references": [
        "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
      ],
      "public": 1,
      "adversary": "LOTUS PANDA",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Chrysalis",
          "display_name": "Chrysalis",
          "target": null
        },
        {
          "id": "Cobalt Strike - S0154",
          "display_name": "Cobalt Strike - S0154",
          "target": null
        },
        {
          "id": "Metasploit",
          "display_name": "Metasploit",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Government",
        "Telecommunications",
        "Defense",
        "Energy",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 48,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 16,
        "URL": 15,
        "hostname": 2
      },
      "indicator_count": 41,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386770,
      "modified_text": "88 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f63d946065f1fbb8652e38",
      "name": "ddc6d79c6fade3e3b252f80de290b6c8",
      "description": "",
      "modified": "2026-06-01T18:16:56.382000",
      "created": "2026-05-02T18:08:20.212000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 117,
        "FileHash-SHA1": 1,
        "domain": 37,
        "hostname": 43,
        "FileHash-MD5": 1
      },
      "indicator_count": 199,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "3 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f2dba1fd63a1fcf632318f",
      "name": "Lotus Blossum",
      "description": "d3bf06f3c6b8cf115f386f853939819f22bb0b9c412ac3696c143ea3440e5bc3 - 04.29.26 - Bitdefender Renamed Submission Wizard & Lotus Blossum\n\nLOTUS PANDA  (Malpedia)\naka: ATK1, BRONZE ELGIN, Billbug, DRAGONFISH, G0030, Lotus BLossom, Lotus Blossom, Red Salamander, ST Group, Spring Dragon\n\nLotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.",
      "modified": "2026-05-30T04:04:00.214000",
      "created": "2026-04-30T04:33:32.234000",
      "tags": [],
      "references": [
        "https://www.virustotal.com/graph/embed/g3b6db1f2b1d74e569bcf8eadfa2dd64f7fc608cc250c4910b1ab9dc0eb4d5b32?theme=dark",
        "https://www.virustotal.com/gui/collection/2de6ecd25ac73148e5c495ed2d6b16f1f205a1ab0281f4f7ba4be722c315f8fe/iocs",
        "https://www.virustotal.com/gui/collection/2de6ecd25ac73148e5c495ed2d6b16f1f205a1ab0281f4f7ba4be722c315f8fe/summary",
        "https://malpedia.caad.fkie.fraunhofer.de/actor/lotus_panda",
        "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology",
        "Healthcare",
        "Education",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "UCP_GoA23",
        "id": "382539",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 35,
        "FileHash-SHA1": 35,
        "FileHash-SHA256": 174,
        "URL": 19,
        "domain": 14,
        "hostname": 101,
        "CVE": 2
      },
      "indicator_count": 380,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 19,
      "modified_text": "2 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "698c4f02712e4743d0aa2263",
      "name": "EbeeFeb2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-13T09:35:12.591000",
      "created": "2026-02-11T09:42:26.929000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "redacted"
      ],
      "references": [
        "IOCs.csv"
      ],
      "public": 1,
      "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 159,
        "FileHash-SHA1": 186,
        "FileHash-SHA256": 256,
        "CVE": 4,
        "URL": 49,
        "domain": 98,
        "hostname": 46
      },
      "indicator_count": 798,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "80 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6983154d527ea2bf3aac3649",
      "name": "The Chrysalis Backdoor: A Deep Dive into Lotus Blossom\u2019s toolkit",
      "description": "Chinese hackers used a previously undocumented custom backdoor to deliver shellcode to victims of a targeted espionage campaign, according to Rapid7 Labs and the Rapid7 MDR team, who have uncovered a new type of malicious implant.",
      "modified": "2026-03-06T09:01:33.409000",
      "created": "2026-02-04T09:45:49.482000",
      "tags": [
        "cybersecurity company",
        "managed detection and response",
        "exposure management",
        "managed security solutions",
        "vulnerability management",
        "exposure assessment platform",
        "chrysalis",
        "khtml",
        "gecko",
        "rapid7",
        "cobalt strike",
        "wizard",
        "apis",
        "cs beacon",
        "lotus blossom",
        "getprocaddress",
        "win64",
        "metasploit",
        "crazy",
        "loader",
        "nsis",
        "config",
        "service",
        "shellcode",
        "execution",
        "february",
        "chinese"
      ],
      "references": [
        "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Chinese",
          "display_name": "Chinese",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Chrysalis",
          "display_name": "Chrysalis",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Government",
        "Telecom",
        "Aviation",
        "Critical Infrastructure",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 14,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 16,
        "URL": 15,
        "hostname": 2
      },
      "indicator_count": 61,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "87 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6982cbe3f96a38f7a82972eb",
      "name": "The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit",
      "description": "",
      "modified": "2026-03-05T08:00:11.198000",
      "created": "2026-02-04T04:32:35.682000",
      "tags": [
        "obfuscation",
        "apt",
        "cobalt strike",
        "backdoor",
        "metasploit",
        "chrysalis",
        "notepad++",
        "warbird",
        "china"
      ],
      "references": [
        "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
      ],
      "public": 1,
      "adversary": "Lotus Blossom",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Chrysalis",
          "display_name": "Chrysalis",
          "target": null
        },
        {
          "id": "Cobalt Strike - S0154",
          "display_name": "Cobalt Strike - S0154",
          "target": null
        },
        {
          "id": "Metasploit",
          "display_name": "Metasploit",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Government",
        "Telecommunications",
        "Defense",
        "Energy",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": "6981aff0acbb318f992ed03e",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 16,
        "URL": 15,
        "hostname": 2
      },
      "indicator_count": 41,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 283,
      "modified_text": "88 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6981a8333217797069c607ec",
      "name": "The Chrysalis Backdoor: A Deep Dive into Lotus Blossoms toolkit",
      "description": "The sophisticated cyber threat campaign attributed to the Chinese APT group Lotus Blossom has been identified, with the newly discovered Chrysalis backdoor being a central component. Lotus Blossom, which has operated since 2009, traditionally targets sectors such as government, telecom, and critical infrastructure across Southeast Asia and Central America. The first point of entry is often achieved through a disguised NSIS installer named \"update.exe,\" which serves as a vector for the initial payload.\n\nUpon execution of BluetoothService.exe \u2014 essentially a repurposed legitimate application \u2014 the malicious library log.dll is side-loaded, leading to two critical functions, LogInit and LogWrite. These functions decrypt and execute shellcode, marking the initialization of the Chrysalis backdoor. The malware employs a tailored hashing algorithm for API resolution, combining FNV1a and a MurmurHash-style finalization step, complicating detection.",
      "modified": "2026-03-05T07:03:49.922000",
      "created": "2026-02-03T07:48:03.958000",
      "tags": [
        "khtml",
        "gecko",
        "cobalt strike",
        "chrysalis",
        "wizard",
        "apis",
        "cs beacon",
        "getprocaddress",
        "windows nt",
        "win64",
        "metasploit",
        "crazy",
        "loader",
        "nsis",
        "config",
        "service",
        "shellcode",
        "execution",
        "chinese",
        "network",
        "mitre ttps",
        "ck id",
        "user execution",
        "file t1036",
        "dynamic api",
        "dll sideloading",
        "api t1055",
        "code loading"
      ],
      "references": [
        "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
      ],
      "public": 1,
      "adversary": "Lotus Blossom",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1543.003",
          "name": "Windows Service",
          "display_name": "T1543.003 - Windows Service"
        },
        {
          "id": "T1480.001",
          "name": "Environmental Keying",
          "display_name": "T1480.001 - Environmental Keying"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        }
      ],
      "industries": [
        "Government",
        "Telecom",
        "Aviation",
        "Critical Infrastructure",
        "Media"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 16,
        "URL": 14,
        "hostname": 2
      },
      "indicator_count": 40,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "88 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://api.wiresguard.com/api/Info/submit",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://api.wiresguard.com/api/Info/submit",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780351708.1108932
}