{"id":10352,"date":"2026-02-03T10:03:44","date_gmt":"2026-02-03T10:03:44","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/03\/notepad-hack-detailed-along-with-the-iocs-and-custom-malware-used\/"},"modified":"2026-02-03T10:03:44","modified_gmt":"2026-02-03T10:03:44","slug":"notepad-hack-detailed-along-with-the-iocs-and-custom-malware-used","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/03\/notepad-hack-detailed-along-with-the-iocs-and-custom-malware-used\/","title":{"rendered":"Notepad++ Hack Detailed Along With the IoCs and Custom Malware Used"},"content":{"rendered":"<div>\n<p>A sophisticated espionage campaign has been attributed to the Chinese Advanced Persistent Threat (APT) group Lotus Blossom (also known as Billbug).<\/p>\n<p>The threat actors compromised the infrastructure hosting the popular <a href=\"https:\/\/cybersecuritynews.com\/hackers-hijacked-notepad-plugin\/\" target=\"_blank\" rel=\"noreferrer noopener\">text editor Notepad++<\/a> to deliver a custom, previously undocumented backdoor named \u201cChrysalis\u201d.<\/p>\n<p>This campaign, discovered by Rapid7 researcher Ivan Feigl, primarily targets organizations in the government, telecommunications, aviation, and critical infrastructure sectors across Southeast Asia and Central America.<\/p>\n<p>The investigation began with a security incident stemming from the execution of a malicious file named <em>update[.]exe<\/em>, which was downloaded from a suspicious IP address (<em>95.179.213[.]0<\/em>) following the legitimate execution of <em>notepad++[.]exe<\/em> and <em>GUP[.]exe<\/em> (the generic updater for Notepad++).<\/p>\n<p>Forensic analysis revealed that <em>update[.]exe<\/em> is an NSIS installer, a packaging format frequently abused by Chinese APTs for 
initial payload delivery.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjQrH4GL2Roybq_susGUSrS8J3T0i6-eqeBKDr_7Skzn0vvDelDpgPUHMW4ABOM4uZeblqcQGD0jB0_DVJqglDw6wAhdN5MQMUDVbhFYulSWN2ViAYpuyGPivoLqg021s42sHYTdNXFqaSufEs8-MeWiC_H_-p_RS6N6aS8DETas0o85Oc11MlCCkhWks17\/s16000\/Notepad%2B%2B%2520Hack%2520chain.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Attack Chain (Source: Rapid7)<\/figcaption><\/figure>\n<\/div>\n<p>Upon execution, the installer creates a hidden directory named \u201cBluetooth\u201d in the <code>%AppData%<\/code> folder and drops several files there, including <code>BluetoothService.exe<\/code> and <code>log.dll<\/code>.<\/p>\n<p>The executable <code>BluetoothService.exe<\/code> is actually a renamed, legitimate Bitdefender Submission Wizard binary. The attackers use this legitimate file for DLL sideloading: because the malicious <code>log.dll<\/code> sits in the same directory, it is loaded in place of the genuine library of that name.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-chrysalis-backdoor\"><strong>The Chrysalis Backdoor<\/strong><\/h2>\n<p>Once loaded, <code>log.dll<\/code> decrypts and executes a shellcode payload: the Chrysalis backdoor. 
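<\/p>
<p>To hunt for the drop just described, here is an added example that is not part of the original article and not Rapid7 tooling: a Python script that hashes files under the Bluetooth directory in <code>%AppData%<\/code>, matches them against the SHA-256 values from the IoC table later in this article, and reports any directory that shows the sideload layout (an executable sitting beside <code>log.dll<\/code>). The sample path inventory is constructed for illustration; the directory name, file names and hashes are taken from the article.<\/p>

```python
# Added example (not from the original article or from Rapid7): a small
# host-side hunt for the drop described above. It walks a directory the
# way an IR script would, flags the Bluetooth directory under %AppData%
# holding the sideload pair (an EXE beside log.dll) and matches SHA-256
# hashes against the values published in the article's IoC table.
import hashlib
import os

# SHA-256 values copied from the article's file-indicator table.
KNOWN_HASHES = {
    'a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9': 'update.exe (NSIS dropper)',
    '2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924': 'BluetoothService.exe (renamed Bitdefender Submission Wizard)',
    '77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e': 'BluetoothService (encrypted shellcode)',
    '3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad': 'log.dll (sideloaded loader)',
    '9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600': 'u.bat (cleanup script)',
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_hits(entries, known=KNOWN_HASHES):
    '''entries: iterable of (path, bytes). Returns [(path, description)]
    for every file whose SHA-256 is a known indicator.'''
    hits = []
    for path, data in entries:
        desc = known.get(sha256_hex(data))
        if desc:
            hits.append((path, desc))
    return hits


def sideload_pairs(paths):
    '''Group paths by directory and report every directory named Bluetooth
    that holds both an .exe and log.dll, the layout the article describes.
    This is a lead, not proof: benign software may ship a log.dll too.'''
    by_dir = {}
    for p in paths:
        d, name = os.path.split(p)
        by_dir.setdefault(d, set()).add(name.lower())
    suspicious = []
    for d, names in by_dir.items():
        if (os.path.basename(d).lower() == 'bluetooth'
                and 'log.dll' in names
                and any(n.endswith('.exe') for n in names)):
            suspicious.append(d)
    return sorted(suspicious)


def walk_entries(root):
    '''Yield (path, bytes) for every readable file under root; used when the
    script is run against a live host or a mounted image.'''
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                with open(p, 'rb') as fh:
                    yield p, fh.read()
            except OSError:
                continue


# Constructed sample inventory (assumed user name and paths, no real
# malware bytes) mirroring the drop layout from the article.
SAMPLE_PATHS = [
    'C:/Users/alice/AppData/Roaming/Bluetooth/BluetoothService.exe',
    'C:/Users/alice/AppData/Roaming/Bluetooth/log.dll',
    'C:/Users/alice/AppData/Roaming/Bluetooth/BluetoothService',
    'C:/Users/alice/AppData/Roaming/Microsoft/Windows/foo.dll',
]

if __name__ == '__main__':
    root = os.path.join(os.environ.get('APPDATA', ''), 'Bluetooth')
    entries = list(walk_entries(root))
    for path, desc in hash_hits(entries):
        print('IoC hash match:', path, '->', desc)
    for d in sideload_pairs(p for p, _ in entries):
        print('sideload layout:', d)
    print('sample inventory flags:', sideload_pairs(SAMPLE_PATHS))
```

<p>Run it as a script on a suspect host to sweep the live directory; the functions take plain <code>(path, bytes)<\/code> pairs, so the same logic can be pointed at a mounted forensic image or a file listing exported from an EDR. A hash match against the table is conclusive, while a bare sideload layout is only a lead to triage.<\/p>
<p>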
This malware is a sophisticated, feature-rich implant designed for long-term persistence rather than simple \u201csmash-and-grab\u201d operations, Rapid7 <a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">observed<\/a>.<\/p>\n<p>Chrysalis employs several advanced evasion techniques:<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Custom Encryption:<\/strong> Payloads are decrypted with a keystream derived from a linear congruential generator (LCG) rather than through standard cryptographic APIs, so the routine gives automated tools no crypto API call to flag.<\/li>\n<li>\n<strong>API Hashing:<\/strong> The malware resolves the Windows APIs it needs by hash, using a custom algorithm (FNV-1a followed by a MurmurHash-style finalizer), so that no API names appear as strings for static analysis or antivirus signatures to match.<\/li>\n<li>\n<strong>C2 Communication:<\/strong> The backdoor communicates with its <a href=\"https:\/\/cybersecuritynews.com\/command-and-controlc2-server\/\" target=\"_blank\" rel=\"noreferrer noopener\">Command and Control (C2) server<\/a> (<code>api.skycloudcenter.com<\/code>) over HTTPS. Notably, the C2 URL structure mimics the DeepSeek API endpoints (e.g., <code>\/a\/chat\/s\/{GUID}<\/code>), likely an attempt to blend in with legitimate AI-related network traffic.<\/li>\n<\/ul>\n<p>Chrysalis is highly versatile, supporting 16 different commands dispatched through a switch statement in the code. 
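<\/p>
<p>The two obfuscation primitives listed above can be reimplemented so that a dumped payload and a table of hashed imports can be resolved without running the implant. The following is an added example, not code from Chrysalis or from the Rapid7 report: the LCG parameters, the seed, the choice of keystream byte and the exact FNV-1a and MurmurHash-style finalizer constants are assumptions (the standard published values) and must be replaced with the ones recovered from <code>log.dll<\/code>.<\/p>

```python
# Added example (not Chrysalis's own code and not from the Rapid7 report):
# an analyst's reimplementation of the two obfuscation primitives named
# above. The LCG parameters (Numerical Recipes values), the seed handling
# and the FNV-1a / MurmurHash3 fmix32 constants are assumptions for
# illustration; the implant's real values must be read out of log.dll.
MASK32 = 0xFFFFFFFF


def lcg_keystream(seed, length, a=1664525, c=1013904223):
    '''LCG: x_{n+1} = (a*x_n + c) mod 2^32. One keystream byte per step,
    taken from the high byte because the low bits of an LCG are weak.'''
    x = seed & MASK32
    out = bytearray()
    for _ in range(length):
        x = (a * x + c) & MASK32
        out.append(x >> 24)
    return bytes(out)


def lcg_crypt(data, seed):
    '''XOR with the LCG keystream; the same call encrypts and decrypts.'''
    ks = lcg_keystream(seed, len(data))
    return bytes(b ^ k for b, k in zip(data, ks))


def fnv1a32(name):
    '''32-bit FNV-1a over the ASCII export name.'''
    h = 0x811C9DC5
    for b in name.encode('ascii'):
        h = ((h ^ b) * 0x01000193) & MASK32
    return h


def fmix32(h):
    '''MurmurHash3 finalizer: the style of post-mix the report describes.'''
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def api_hash(name):
    return fmix32(fnv1a32(name))


def build_hash_table(names):
    '''Map hash -> export name: the table an analyst feeds into a
    disassembler script to annotate the implant's hashed imports.'''
    return {api_hash(n): n for n in names}


def resolve(hashes, table):
    '''Return the names behind hashes pulled from the binary, or None
    where the table has no match (an export list that is still missing).'''
    return [table.get(h) for h in hashes]


# Constructed list: exports a loader of this kind typically resolves.
COMMON_EXPORTS = [
    'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA',
    'WinHttpOpen', 'WinHttpSendRequest', 'DeleteFileA', 'FindFirstFileW',
]

if __name__ == '__main__':
    table = build_hash_table(COMMON_EXPORTS)
    wanted = [api_hash('VirtualAlloc'), api_hash('CreateProcessA'), 0xDEADBEEF]
    print(resolve(wanted, table))
    blob = lcg_crypt(b'constructed shellcode stub', 0x1337)
    print(blob.hex())
    print(lcg_crypt(blob, 0x1337))
```

<p>The practical use is the hash table: compute <code>api_hash<\/code> over the export lists of the DLLs the implant touches, then feed the resulting map into a disassembler script to label each hashed call site. Because the decryption routine is a plain XOR against a deterministic keystream, the same function both decrypts a captured payload and re-encrypts a patched one for testing.<\/p>
<p>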
Key capabilities include:<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Interactive Shell:<\/strong> Spawning a fully interactive reverse shell via <code>cmd.exe<\/code> (Switch <code>4T<\/code>).<\/li>\n<li>\n<strong>File Operations:<\/strong> Reading, writing, and deleting files, as well as enumerating directory contents (Switches <code>4W<\/code>, <code>4X<\/code>, <code>4Y<\/code>).<\/li>\n<li>\n<strong>Process Execution:<\/strong> Launching additional processes on the victim host (Switch <code>4V<\/code>).<\/li>\n<li>\n<strong>Self-Removal:<\/strong> A \u201ccleanup\u201d mode that removes persistence artifacts and deletes the malware from disk (Switch <code>4<\/code>).<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"advanced-loading-with-microsoft-warbird\"><strong>Advanced Loading with Microsoft Warbird<\/strong><\/h2>\n<p>Beyond Chrysalis, researchers discovered a loader variant (<code>ConsoleApplication2.exe<\/code>) that leverages Microsoft Warbird, the code protection framework built into Windows, to hide its execution flow.<\/p>\n<p>This loader abuses the <code>NtQuerySystemInformation<\/code> system call with the undocumented <code>SystemCodeFlowTransition<\/code> (0xB9) information class, the entry point into the kernel-side Warbird runtime.<\/p>\n<p>By copying encrypted data into the memory of a Microsoft-signed, Warbird-protected binary (<code>clipc.dll<\/code>) and invoking this system call, the loader has the kernel decrypt the shellcode in the calling process\u2019s memory; the loader then executes the decrypted shellcode in user mode.<\/p>\n<p>Because the decryption is performed by the kernel rather than by the loader\u2019s own code, it never passes through the user-mode API hooks that standard <a href=\"https:\/\/cybersecuritynews.com\/best-edr-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">EDR monitoring<\/a> relies on, marking a significant evolution in Billbug\u2019s tradecraft.<\/p>\n<p>The campaign is attributed to Lotus Blossom with moderate confidence, based on the specific use of the Bitdefender sideloading technique and on shared cryptographic keys found in the Cobalt Strike beacons deployed alongside Chrysalis.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Indicators of 
Compromise (IoCs)<\/strong><\/h2>\n<p>Here are the Indicators of Compromise (IoCs) and MITRE ATT&amp;CK TTPs associated with the Lotus Blossom campaign and the Chrysalis backdoor.<\/p>\n<h3 class=\"wp-block-heading\"><strong>File Indicators<\/strong><\/h3>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">File Name<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">SHA-256 Hash<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>update.exe<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Malicious NSIS Installer used for initial payload delivery<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>[NSIS.nsi]<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Extracted NSIS installation script<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>BluetoothService.exe<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Renamed Bitdefender Submission Wizard (legitimate binary abused for sideloading) <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>BluetoothService<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e<\/code><\/td>\n<td class=\"has-text-align-left\" 
data-align=\"left\">Encrypted shellcode file <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>log.dll<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Malicious DLL sideloaded by BluetoothService.exe <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>u.bat<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Temporary batch file used for self-deletion\/cleanup<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>conf.c<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">C source file containing shellcode bytes (Metasploit block API)<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>libtcc.dll<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Library for Tiny C Compiler, used to compile\/run <code>conf.c<\/code> <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>admin<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">File retrieved from <code>api.wiresguard.com<\/code>, related to second-stage shellcode <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>loader1<\/strong><\/td>\n<td 
class=\"has-text-align-left\" data-align=\"left\"><code>0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Variant loader sample found in public repositories<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>uffhxpSy<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Shellcode associated with Loader 1 <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>loader2<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Variant loader sample found in public repositories <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>3yzr31vk<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Shellcode associated with Loader 2<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>ConsoleApplication2.exe<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Loader 3; uses Microsoft Warbird for shellcode execution<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>system<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Shellcode associated with ConsoleApplication2.exe 
<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>s047t5g.exe<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\"><code>fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a<\/code><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Loader 4; variant sample sharing shellcode with Loader 3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\"><strong>Network Indicators<\/strong><\/h3>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Context<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>95.179.213.0<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">IP Address<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Host for <code>update.exe<\/code> download <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>api.skycloudcenter.com<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Domain<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Chrysalis Backdoor C2 <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>api.wiresguard.com<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Domain<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Cobalt Strike Beacon C2 <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>61.4.102.97<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">IP Address<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Resolution for <code>api.skycloudcenter.com<\/code> (Malaysia)<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" 
data-align=\"left\"><strong>59.110.7.32<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">IP Address<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">C2 IP associated with Loader 1 <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>124.222.137.114<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">IP Address<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">C2 IP associated with Loader 2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\"><strong>MITRE ATT&amp;CK TTPs<\/strong><\/h3>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">ATT&amp;CK ID<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Name<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1204.002<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">User Execution: Malicious File <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1036<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Masquerading <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1027<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Obfuscated Files or Information <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1027.007<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Obfuscated Files or Information: Dynamic API Resolution <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1140<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Deobfuscate\/Decode Files or Information <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1574.002<\/strong><\/td>\n<td 
class=\"has-text-align-left\" data-align=\"left\">DLL Side-Loading<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1106<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Native API <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1055<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Process Injection <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1620<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Reflective Code Loading <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1059.003<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Command and Scripting Interpreter: Windows Command Shell <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1083<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">File and Directory Discovery <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1005<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Data from Local System <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1105<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Ingress Tool Transfer <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1041<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Exfiltration Over C2 Channel <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1071.001<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Application Layer Protocol: Web Protocols (HTTP\/HTTPS) <\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1573<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Encrypted Channel <\/td>\n<\/tr>\n<tr>\n<td 
class=\"has-text-align-left\" data-align=\"left\"><strong>T1547.001<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Boot or Logon Autostart Execution: Registry Run Keys<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1543.003<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Create or Modify System Process: Windows Service<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1480.002<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Execution Guardrails: Mutual Exclusion<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>T1070.004<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Indicator Removal: File Deletion<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/notepad-hack\/\">Notepad++ Hack Detailed Along With the IoCs and Custom Malware Used<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated espionage campaign has been attributed to the Chinese Advanced Persistent Threat (APT) group Lotus Blossom (also known as Billbug). The threat actors compromised the infrastructure hosting the popular text editor Notepad++ to deliver a custom, previously undocumented backdoor named \u201cChrysalis\u201d. 
This campaign, discovered by [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1636,129,63],"tags":[130],"class_list":["post-10352","post","type-post","status-publish","format-standard","hentry","category-cyber-attack-news","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10352"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10352"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10352\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}