Last active
February 5, 2026 14:06
-
-
Save kkrypt0nn/fb64e9a117af5d3617374877966e5aaf to your computer and use it in GitHub Desktop.
A YARA rule to detect known samples by SHA-256 of the Chrysalis Backdoor (by Chinese APT Lotus Blossom) in the Notepad++ Hijack
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "hash" | |
| rule NotepadPlusPlus_Hijack_Chrysalis_Known_Hashes | |
| { | |
| meta: | |
| description = "Detects known samples by SHA-256 of the Chrysalis Backdoor (by Chinese APT Lotus Blossom) in the Notepad++ Hijack" | |
| author = "Krypton (@kkrypt0nn)" | |
| date = "2026-02-02" | |
| source = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/" | |
| condition: | |
| hash.sha256(0, filesize) in ( | |
| "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9", // update.exe | |
| "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e", // NSIS.nsi | |
| "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924", // BluetoothService.exe | |
| "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e", // BluetoothService | |
| "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad", // log.dll | |
| "9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600", // u.bat | |
| "f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a", // conf.c | |
| "4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906", // libtcc.dll | |
| "831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd", // admin | |
| "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd", // loader1 | |
| "4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8", // uffhxpSy | |
| "e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda", // loader2 | |
| "078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5", // 3yzr31vk | |
| "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3", // ConsoleApplication2.exe | |
| "7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd", // system | |
| "fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a" // s047t5g.exe | |
| ) | |
| } |
Author
syntax error, unexpected , expecting '}'
Yara 4.5.2 on Debian / 4.5.5 on Win11
Apologies for the mistake, I first had
hash.sha256(0, filesize) == "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9" or
....
for every hash, then read about in and thought I tested it...
I've updated the Gist as well as the repository which contains updated data as well, completely forgot I had that Gist setup -> https://github.com/kkrypt0nn/yara-rules/blob/main/rules/malware/APT_Lotus_Blossom_Chrysalis_Backdoor.yar
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
syntax error, unexpected , expecting '}'
Yara 4.5.2 on Debian / 4.5.5 on Win11