kkrypt0nn · February 5, 2026 14:06 · Feb 5, 2026 · Feb 3, 2026
diff --git a/APT_Lotus_Blossom_Chrysalis_Backdoor.yar b/APT_Lotus_Blossom_Chrysalis_Backdoor.yar
@@ -6,25 +6,39 @@ rule NotepadPlusPlus_Hijack_Chrysalis_Known_Hashes
         description = "Detects known samples by SHA-256 of the Chrysalis Backdoor (by Chinese APT Lotus Blossom) in the Notepad++ Hijack"
         author = "Krypton (@kkrypt0nn)"
         date = "2026-02-02"
-        source = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
+        updated = "2026-02-05"
+        source = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/,https://securelist.com/notepad-supply-chain-attack/118708/,https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt"
 
     condition:
-        hash.sha256(0, filesize) in (
-            "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9", // update.exe
-            "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e", // NSIS.nsi
-            "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924", // BluetoothService.exe
-            "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e", // BluetoothService
-            "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad", // log.dll
-            "9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600", // u.bat
-            "f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a", // conf.c
-            "4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906", // libtcc.dll
-            "831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd", // admin
-            "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd", // loader1
-            "4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8", // uffhxpSy
-            "e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda", // loader2
-            "078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5", // 3yzr31vk
-            "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3", // ConsoleApplication2.exe
-            "7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd", // system
-            "fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a"  // s047t5g.exe
-        )
+        hash.sha256(0, filesize) == "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9" or // update.exe
+        hash.sha256(0, filesize) == "36c98c18215a244e501673d9f01fa093d1906d08a7ad9927905f8f004640e4e1" or // updater_1.exe
+        hash.sha256(0, filesize) == "51266007c039ab80dbe9a2c38ed75759d954458d8864a0429c71e87be2bddce2" or // updater_2.exe
+        hash.sha256(0, filesize) == "69caa18ec5e86cf3a7376f3a9a08d118cbade608432dc262ba6c7fe692da7d33" or // updater_3.exe
+        hash.sha256(0, filesize) == "a3cf1c86731703043b3614e085b9c8c224d4125370f420ad031ad63c14d6c3ec" or // updater_4.exe
+        hash.sha256(0, filesize) == "798fd7c2a2d4f0865aec808962489b39f995961e38e2bebda8f84ddc5a935d86" or // updater_5.exe
+        hash.sha256(0, filesize) == "4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566" or // updater_6.exe
+        hash.sha256(0, filesize) == "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e" or // NSIS.nsi
+        hash.sha256(0, filesize) == "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924" or // BluetoothService.exe, legitimate executable used for DLL sideloading
+        hash.sha256(0, filesize) == "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e" or // BluetoothService
+        hash.sha256(0, filesize) == "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad" or // log.dll
+        hash.sha256(0, filesize) == "9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600" or // u.bat
+        hash.sha256(0, filesize) == "f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a" or // conf.c
+        hash.sha256(0, filesize) == "4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906" or // libtcc.dll
+        hash.sha256(0, filesize) == "831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd" or // admin
+        hash.sha256(0, filesize) == "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd" or // loader1
+        hash.sha256(0, filesize) == "e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda" or // loader2
+        hash.sha256(0, filesize) == "c7cc87ef3829a33b7f178d88a71ba548c37020005b09d16a76fcd356621335e6" or // load_1
+        hash.sha256(0, filesize) == "26256ea1a345b788dd303f5621b5028cf572b733793039c8ee1e5c481113bd09" or // load_2
+        hash.sha256(0, filesize) == "4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8" or // uffhxpSy
+        hash.sha256(0, filesize) == "078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5" or // 3yzr31vk
+        hash.sha256(0, filesize) == "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3" or // ConsoleApplication2.exe
+        hash.sha256(0, filesize) == "7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd" or // system
+        hash.sha256(0, filesize) == "fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a" or // s047t5g.exe
+        hash.sha256(0, filesize) == "8553557bcdba966b30066aabde974223413a1720da31a616ff52240746a8c6da" or // alien_1.ini
+        hash.sha256(0, filesize) == "8e7a15c402b4f34b57185e07718cd6511a39a66045792174d21d832d17db2204" or // alien_2.ini
+        hash.sha256(0, filesize) == "f5340ac6ca5cc3ee60d8ffb169bf433aa89fab13a5fa13adabd44ac405c0f731" or // alien_3.ini
+        hash.sha256(0, filesize) == "02368c6b62cb392dddd35cfc6cb8c1154f7ebdceb9fb559cefc301982d6fbbf9" or // .in.compat1.php
+        hash.sha256(0, filesize) == "0dcd846cdfdc793fab39a3c9860e0f6ab68cdbdcf4b03a87e8a02df0d3e1249f" or // index1.php
+        hash.sha256(0, filesize) == "5dd766a7a378c97eb8c9fe9a4bff678e3c9a05386911f4296e094407b99c23d2" or // index.php
+        hash.sha256(0, filesize) == "6a7a8aa91109c25d57fe2ca71c150ca09afc1bf10c98376adf959dbc91010394"  // suo5.php
 }
diff --git a/APT_Lotus_Blossom_Chrysalis_Backdoor.yar b/APT_Lotus_Blossom_Chrysalis_Backdoor.yar
@@ -0,0 +1,30 @@
+import "hash"
+
+rule NotepadPlusPlus_Hijack_Chrysalis_Known_Hashes
+{
+    meta:
+        description = "Detects known samples by SHA-256 of the Chrysalis Backdoor (by Chinese APT Lotus Blossom) in the Notepad++ Hijack"
+        author = "Krypton (@kkrypt0nn)"
+        date = "2026-02-02"
+        source = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"
+
+    condition:
+        hash.sha256(0, filesize) in (
+            "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9", // update.exe
+            "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e", // NSIS.nsi
+            "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924", // BluetoothService.exe
+            "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e", // BluetoothService
+            "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad", // log.dll
+            "9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600", // u.bat
+            "f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a", // conf.c
+            "4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906", // libtcc.dll
+            "831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd", // admin
+            "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd", // loader1
+            "4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8", // uffhxpSy
+            "e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda", // loader2
+            "078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5", // 3yzr31vk
+            "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3", // ConsoleApplication2.exe
+            "7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd", // system
+            "fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a"  // s047t5g.exe
+        )
+}
No results found