name: Windows.Detection.LotusBlossom.Chrysalis
author: Matt Green - @mgreen27
description: |
Assists scoping IOCs related to the recent publicly disclosed Notepad++
supply chain attack.
- Find impacted Notepad++ versions
- Find suspicious files named in public reports
- Find publicly reported network URLs in running processes
- Find Warbird clipc.dll shellcode loader strings
- Find shellcode and loaders on disk with YARA
Toggle off any collections you do not want to run.
Last updated: 2026-02-05
reference:
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://securelist.com/notepad-supply-chain-attack/118708/
type: CLIENT
parameters:
- name: FileIoc
description: Glob for suspicious file paths named in public reports (lightweight)
type: bool
default: Y
- name: NetworkMemory
description: Run YARA detection for network IOCs in process memory
type: bool
default: Y
- name: Warbird
description: Run targeted YARA detection for Warbird clipc.dll artifacts
type: bool
default: Y
- name: DiskYara
description: Run targeted YARA disk detection for Chrysalis shellcode and loaders (heavy)
type: bool
default: N
- name: DiskYaraGlob
description: Glob to use for the Chrysalis disk YARA scan.
default: 'C:/{Users,ProgramData}/**'
- name: TargetGlobs
description: Specify one or more globs to search (CSV with Glob and Notes columns).
type: csv
default: |
Glob,Notes
C:\\Users\\*\\AppData\\Roaming\\Bluetooth\\BluetoothService.exe,Chrysalis loader executable
C:\\Users\\*\\AppData\\Roaming\\Bluetooth\\log.dll,Malicious sideloaded DLL
C:\\Users\\*\\AppData\\Roaming\\Bluetooth\\Bluetooth,Encrypted shellcode blob (no extension)
C:\\Users\\*\\AppData\\Roaming\\ProShow\\ProShow.exe,Stage 1 payload
C:\\Users\\*\\AppData\\Roaming\\ProShow\\defscr,Associated data file
C:\\Users\\*\\AppData\\Roaming\\ProShow\\if.dnt,Associated data file
C:\\Users\\*\\AppData\\Roaming\\ProShow\\proshow.crs,Associated data file
C:\\Users\\*\\AppData\\Roaming\\ProShow\\proshow.phd,Associated data file
C:\\Users\\*\\AppData\\Roaming\\ProShow\\proshow_e.bmp,Associated bitmap
C:\\Users\\*\\AppData\\Roaming\\ProShow\\1.txt,Recon output (whoami/tasklist)
C:\\Users\\*\\AppData\\Roaming\\Adobe\\Scripts\\script.exe,Stage 2 loader
C:\\Users\\*\\AppData\\Roaming\\Adobe\\Scripts\\alien.dll,Malicious DLL
C:\\Users\\*\\AppData\\Roaming\\Adobe\\Scripts\\lua5.1.dll,Bundled Lua runtime
C:\\Users\\*\\AppData\\Roaming\\Adobe\\Scripts\\alien.ini,Configuration file
C:\\Users\\*\\AppData\\Roaming\\Adobe\\Scripts\\a.txt,System reconnaissance output
C:\\Users\\*\\AppData\\Local\\Temp\\update.exe,Malicious updater (multiple variants)
C:\\Users\\*\\AppData\\Local\\Temp\\AutoUpdater.exe,Alternate malicious updater name
C:\\Users\\*\\AppData\\Local\\Temp\\u.bat,Cleanup / self-delete script
C:\\Users\\*\\AppData\\Local\\Temp\\*.nsi,NSIS installer artifacts
C:\\ProgramData\\USOShared\\svchost.exe-nostdlib,Masqueraded loader binary
C:\\ProgramData\\USOShared\\libtcc.dll,Tiny C Compiler runtime
C:\\ProgramData\\USOShared\\conf.c,C source containing embedded shellcode
C:\\ProgramData\\USOShared\\*.exe,Userland executables in non-standard location
C:\\ProgramData\\USOShared\\*.dll,Userland DLLs in non-standard location
C:\\ProgramData\\USOShared\\*.c,Source code present on victim system
- name: NetworkYara
type: yara
default: |
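// Scanned against live process memory by this artifact (Yara.Process source).
// Design: an infrastructure string (domain or IP) is the gate; a path or port
// string is only corroboration, because several of those are generic on their own.
rule APT_LotusBlossom_Chrysalis_Network_IOCs {
meta:
author = "Matt Green - @mgreen27"
description = "Network/URI indicators for Notepad++ supply-chain activity (Kaspersky + Rapid7)"
date = "2026-02-04"
reference_rapid7 = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
reference_kaspersky = "https://securelist.com/notepad-supply-chain-attack/118708/"
strings:
/* Domains */
$dom1 = "api.skycloudcenter.com" ascii wide
$dom2 = "api.wiresguard.com" ascii wide
$dom3 = "self-dns.it.com" ascii wide
$dom4 = "cdncheck.it.com" ascii wide
$dom5 = "safe-dns.it.com" ascii wide
/* IPs. NOTE(review): plain substrings, not boundary-anchored, so "59.110.7.32"
   also hits inside e.g. "159.110.7.32" or "59.110.7.321"; acceptable for triage,
   but verify the surrounding context bytes before escalating a hit. */
$ip1 = "95.179.213.0" ascii wide
$ip2 = "59.110.7.32" ascii wide
$ip3 = "124.222.137.114" ascii wide
$ip4 = "45.76.155.202" ascii wide
$ip5 = "45.32.144.255" ascii wide
$ip6 = "45.77.31.210" ascii wide
/* Ports: too generic alone; only used together with an IP hit in the condition. */
$port1 = ":8880" ascii wide
$port2 = ":9999" ascii wide
/* Metasploit / Cobalt Strike staging */
$path1 = "/users/admin" ascii wide
$path2 = "/users/system" ascii wide
$path3 = "/help/Get-Start" ascii wide
/* Cobalt Strike / Chrysalis beacon APIs */
$path4 = "/update/v1" ascii wide
$path5 = "/api/update/v1" ascii wide
$path6 = "/api/FileUpload/submit" ascii wide
$path7 = "/api/getInfo/v1" ascii wide
$path8 = "/api/getBasicInfo/v1" ascii wide
$path9 = "/api/Metadata/submit" ascii wide
$path10 = "/api/updateStatus/v1" ascii wide
$path11 = "/api/updateStatus/v1" ascii wide
/* Generic paths (/resolve, /dns-query, /list) are common in benign memory;
   they never fire without a domain or IP string matching as well. */
$path12 = "/resolve" ascii wide
$path13 = "/dns-query" ascii wide
$path14 = "/a/chat/s/" ascii wide
$path15 = "/uffhxpSy" ascii wide
$path16 = "/3yZR31VK" ascii wide
$path17 = "/list" ascii wide
condition:
// domain + any path, or IP + (any path or port)
(
(1 of ($dom*)) and (1 of ($path*))
)
or
(
(1 of ($ip*)) and (1 of ($path*, $port*))
)
}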
- name: WarbirdYara
type: yara
default: |
rule APT_LotusBlossom_Chrysalis_Loader_Warbird {
meta:
author = "Matt Green - @mgreen27"
description = "Detects payload bytes in first 0x490 bytes in clipc.dll Warbird technique as described by Rapid7"
malware_family = "Chrysalis"
reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
scope = "Microsoft signed DLL - clipc.dll VAD section"
date = "2026-02-03"
strings:
// Marker dwords as laid out in memory: little-endian 0xDEADBEEF and 0xCAFEAFFE.
$hex1 = { EF BE AD DE }
$hex2 = { FE AF FE CA }
condition:
// 0x490 == 1168, so start offsets 0..1167 are exactly the first 0x490 bytes of the
// scanned section. Either marker in that window is enough.
$hex1 in (0..1167) or
$hex2 in (0..1167)
}
- name: ChrysalisYara
type: yara
default: |
rule MAL_Chrysalis_DllLoader_Feb26 {
meta:
description = "Detects DLL used to load Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
author = "X__Junior"
date = "2026-02-02"
reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
hash = "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad"
score = 80
strings:
$op1 = { 33 D2 8B C1 F7 F6 0F B6 C1 03 55 ?? 6B C0 ?? 32 02 88 04 0F 41 83 F9 ?? 72 }
$op2 = { 0F B6 04 31 41 33 C2 69 D0 ?? ?? ?? ?? 3B CB 72 }
condition:
// 0x5a4d is "MZ" read little-endian: only PE images qualify, and both opcode
// sequences must be present.
uint16(0) == 0x5a4d and all of them
}
rule MAL_Chrysalis_Shellcode_Loader_Feb26 {
meta:
description = "Detects shellcode used to load Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
author = "X__Junior"
date = "2026-02-02"
reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
hash = "e2e3d78437cf9d48c2b2264e44bb36bc2235834fc45bbb50b5d6867f336711e3"
score = 80
strings:
$op1 = { 8B C7 03 D7 83 E0 ?? 47 8A 4C 05 ?? 8A 04 13 02 C1 32 C1 2A C1 88 02 8B 55 ?? 3B FE 7C ?? 8B 5D ?? 8B 45 }
$op2 = { 03 F8 8B 45 ?? 8B 50 ?? 85 C9 79 ?? 0F B7 C1 EB ?? 8D 41 ?? 03 C3 50 FF 75 ?? FF D2 89 07 85 C0 74 ?? 8B 4D ?? 46 }
condition:
// No MZ gate here: the description targets a shellcode blob, which carries no PE
// header. A single opcode sequence is sufficient.
1 of them
}
rule MAL_Chrysalis_Backdoor_Feb26 {
meta:
description = "Detects Chrysalis backdoor, seen being used in the compromise of the infrastructure hosting Notepad++ by Chinese APT group Lotus Blossom"
author = "X__Junior"
date = "2026-02-02"
reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
hash = "e2e3d78437cf9d48c2b2264e44bb36bc2235834fc45bbb50b5d6867f336711e3"
score = 80
strings:
$opa1 = { 8B 4D ?? C1 CF ?? C1 C1 ?? 03 F9 D1 C3 8B 4D ?? C1 C1 ?? 03 F9 03 FB 8B 5D ?? 69 CF ?? ?? ?? ?? BF ?? ?? ?? ?? 2B F9 EB }
$opa2 = { F7 E9 [0-1] 8B C2 C1 E8 ?? 03 C2 8D 0C 40 8A C3 34 ?? [0-2] 0F B6 [1-4] 0F B6 C3 8B 5D [1-3] 0F 45 D0 }
$opb1 = { 0F B6 84 35 ?? ?? ?? ?? 88 84 3D ?? ?? ?? ?? 88 8C 35 ?? ?? ?? ?? 0F B6 84 3D ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 03 C2 0F B6 C0 0F B6 84 05 ?? ?? ?? ?? 30 04 19 43 3B 9D ?? ?? ?? ?? 7C }
condition:
// Two independent corroborations: either one $opa sequence plus $opb1, or both
// $opa sequences. No MZ gate, so this also fires on headerless/in-memory copies.
(1 of ($opa*) and $opb1)
or
all of ($opa*)
}
rule MAL_CobaltStrike_Beacon_Loader_Feb26 {
meta:
description = "Detects Cobalt Strike beacon loader"
author = "X__Junior"
date = "2026-02-02"
reference = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
hash = "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd"
hash = "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3"
score = 80
strings:
$opa1 = { 45 33 C9 41 B8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 48 8D 4C 24 ?? E8 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 66 89 44 24 ?? 41 B8 ?? ?? ?? ?? 48 8D 94 24 ?? ?? ?? ?? 0F B7 4C 24 ?? FF 15 ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 }
$opa2 = { 4C 8D 4C 24 ?? 41 B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 C7 44 24 ?? ?? ?? ?? ?? C7 44 24 ?? ?? ?? ?? ?? 48 8D 8C 24 ?? ?? ?? ?? 48 89 4C 24 ?? 4C 8D 0D ?? ?? ?? ?? 45 33 C0 33 D2 48 8B C8 FF 15 }
$opb1 = { 48 8D 89 ?? ?? ?? ?? 0F 10 00 0F 10 48 ?? 48 8D 80 ?? ?? ?? ?? 0F 11 41 ?? 0F 10 40 ?? 0F 11 49 ?? 0F 10 48 ?? 0F 11 41 ?? 0F 10 40 ?? 0F 11 49 ?? 0F 10 48 ?? 0F 11 41 ?? 0F 10 40 ?? 0F 11 49 ?? 0F 10 48 ?? 0F 11 41 ?? 0F 11 49 ?? 48 83 EA }
$opb2 = { 45 33 C9 48 89 84 24 ?? ?? ?? ?? 41 B8 18 00 00 00 C7 84 24 ?? ?? ?? ?? 03 00 00 00 48 8D 94 24 ?? ?? ?? ?? 48 89 BC 24 ?? ?? ?? ?? B9 B9 00 00 00 FF 15 }
condition:
// NOTE(review): YARA binds 'and' tighter than 'or', so this reads as
// (MZ and all $opa) or (all $opb): the MZ gate covers only the $opa branch and
// $opb alone fires on non-PE input. If the gate was meant for both branches, the
// two 'of' terms need to be parenthesised together. Rule kept verbatim from the
// cited source.
uint16(0) == 0x5a4d and
all of ($opa*)
or all of ($opb*)
}
rule MAL_POC_Microsoft_Warbird_Loader_Feb26 {
meta:
description = "Detects a POC to turn Microsoft Warbird into a shellcode loader"
author = "X__Junior"
date = "2026-02-03"
reference = "https://cirosec.de/en/news/abusing-microsoft-warbird-for-shellcode-execution/"
hash = "29d0467ee452752286318f350ceb28a2b04ee4c6de550ba0edc34ae0fa7cbb03"
score = 75
strings:
// Little-endian 0xCAFEAFFE immediately followed by 0xDEADBEEF: the two markers
// the Warbird memory rule above looks for separately, here required adjacent on disk.
$op = { fe af fe ca ef be ad de }
condition:
// PE images only (0x5a4d == "MZ").
uint16(0) == 0x5a4d and $op
}
sources:
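- name: Notepad++ versions
query: |
-- Installed Notepad++ entries whose DisplayVersion falls in the publicly reported range.
-- Both patterns are raw ('''...''') strings so the regex escapes reach the engine untouched.
-- NOTE(review): the version regex is unanchored, so longer strings beginning "8.8.2".."8.8.9"
-- would also match; confirm against the reported impacted version list.
SELECT *
FROM Artifact.Windows.Sys.Programs()
WHERE DisplayName =~ '''notepad\+\+'''
AND DisplayVersion =~ '''8\.8\.[2-9]'''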
- name: Suspicious files
query: |
-- Gated by the FileIoc toggle: if() yields no rows when the condition is false.
SELECT * FROM if(
condition=FileIoc,
then={
-- One row per on-disk match for any Glob in the TargetGlobs table, enriched for
-- triage: MFT entry (Data.mft), mode/size/timestamps, magic() type, SHA1,
-- Authenticode signature and parsed PE header.
SELECT OSPath,
get(item=Data, field="mft") as Inode,
Mode.String AS Mode, Size,
Mtime AS MTime,
Atime AS ATime,
Btime AS BTime,
Ctime AS CTime,
magic(path=OSPath) as Magic,
hash(path=OSPath,hashselect='SHA1').SHA1 as SHA1,
-- NOTE(review): column name looks like a typo for CertInfo; left as-is since
-- downstream notebooks may already key on it.
authenticode(filename=OSPath) AS CetInfo,
parse_pe(file=OSPath) as PEInfo
-- Globs are the Glob column of the TargetGlobs CSV parameter.
-- NOTE(review): 'ntfs' accessor presumably chosen to read the raw volume rather than
-- the Win32 file API — confirm that is the intent.
FROM glob(globs=TargetGlobs.Glob,
accessor='ntfs')
})
- name: Chrysalis network indicators
query: |
-- Gated by the NetworkMemory toggle: if() yields no rows when the condition is false.
SELECT * FROM if(
condition=NetworkMemory,
then={
-- Scan live process memory with the NetworkYara rule. NumberOfHits=1 caps the
-- hits reported; ContextBytes=250 is the amount of surrounding memory returned
-- per hit (useful for checking the unanchored IP strings in the rule).
SELECT *
FROM Artifact.Windows.Detection.Yara.Process(
YaraRule=NetworkYara,
NumberOfHits=1,
ContextBytes=250
)
})
- name: Warbird clipc.dll
query: |
-- Gated by the Warbird toggle: if() yields no rows when the condition is false.
SELECT * FROM if(
condition=Warbird,
then={
SELECT ProcessCreateTime,
Pid,Name,MappingName,
AddressRange,Type,
ProtectionMsg,
SectionSize,
YaraHit.Rule as Rule,
YaraHit.Offset as HitOffset,
YaraHit.Name as HitName,
HitContext,
ProcessChain
-- Walk process VADs, keep only sections whose mapping name ends in clipc.dll and
-- whose protection string matches 'xr-' (NOTE(review): read as execute+read with
-- no write — confirm), then run WarbirdYara over that content.
FROM Artifact.Windows.System.VAD(
MappingNameRegex='''clipc\.dll$''',
ProtectionRegex='xr-',
SuspiciousContent=WarbirdYara)
})
- name: Disk YARA
query: |
-- Gated by the DiskYara toggle (default N): if() yields no rows when it is off.
SELECT * FROM if(
condition=DiskYara,
then={
-- Run the bundled ChrysalisYara rule set over every file under DiskYaraGlob.
-- The default glob covers all of Users and ProgramData, hence the "heavy" label.
SELECT *
FROM Artifact.Windows.Detection.Yara.Glob(
PathGlob=DiskYaraGlob,
YaraRule=ChrysalisYara
)
})
column_types:
- name: HitContext
type: preview_upload