The Chrysalis Backdoor: Vulnerable Notepad++ Updater Abuse by a Chinese APT Campaign
Rapid7 Labs uncovered a sophisticated espionage campaign featuring a new custom backdoor dubbed "Chrysalis" that was delivered through compromised Notepad++ distribution infrastructure. The attack chain begins with an NSIS installer that deploys multiple components, including a renamed legitimate Bitdefender executable used for DLL sideloading; the sideloaded DLL then loads and executes encrypted shellcode. The malware employs multiple layers of obfuscation, including custom decryption routines, API hashing, and string obfuscation, to evade detection. Chrysalis establishes persistence through Windows services or registry modifications and communicates with command-and-control servers over encrypted channels that mimic legitimate API traffic patterns.
The backdoor provides comprehensive remote access capabilities, including interactive shell execution, file system operations, process creation, and data exfiltration. Additional artifacts discovered during the investigation revealed the use of the Tiny C Compiler (TCC) to execute Metasploit shellcode that downloads Cobalt Strike beacons, demonstrating a multi-tool approach. One particularly notable loader variant uses Microsoft's undocumented Warbird code protection framework, reached through the NtQuerySystemInformation system call, to execute shellcode within the memory space of legitimate Microsoft-signed binaries. The campaign also includes various loader variants that deploy Cobalt Strike beacons with consistent infrastructure patterns and shared cryptographic keys, indicating coordinated operations across multiple attack vectors.
IOCs (35)

URL (13)
- https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821
- http://api.wiresguard.com/users/admin
- http://api.wiresguard.com/update/v1
- http://api.wiresguard.com/api/FileUpload/submit
- http://59.110.7.32:8880/uffhxpSy
- http://59.110.7.32:8880/api/getBasicInfo/v1
- http://59.110.7.32:8880/api/Metadata/submit
- http://124.222.137.114:9999/3yZR31VK
- http://124.222.137.114:9999/api/updateStatus/v1
- http://124.222.137.114:9999/api/Info/submit
- https://api.wiresguard.com/users/system
- https://api.wiresguard.com/api/getInfo/v1
- https://api.wiresguard.com/api/Info/submit

DOMAIN (2)
- api.skycloudcenter.com
- api.wiresguard.com

IP ADDRESS (4)
- 95.179.213.061.4.102.97 (two addresses; the boundary between them was lost in extraction)
- 59.110.7.32
- 124.222.137.114

SHA256 FILE HASH (16)
(the hash list is not preserved on this page)
- Detect executables masquerading as legitimate system files in non-standard directories
- Detect broad file system enumeration or searching across SharePoint, code repos, and internal wikis
- Flag processes decoding or deobfuscating data using certutil, base64, or XOR operations
- Detect reflective DLL injection or in-memory assembly loading without disk writes
- Monitor cmd.exe for obfuscated commands or unusual parent-child process chains
- Alert on deletion of log files, scripts, or artifacts immediately after execution
- Detect file downloads via certutil, bitsadmin, curl, or PowerShell from external URLs
- Detect tampered release artifacts, force-pushed tags, or unauthorized package publications in CI/CD
- Monitor for C2 communication over HTTP/HTTPS to uncommon or newly registered domains
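As an added example (not code from the Rapid7 report or from this page), the following Python script applies the page's URL, domain and IP indicators to proxy log lines, which is the kind of check behind "scan your environment for IOCs" and the last bullet above. The log format and the sample lines are constructed for this example; the SHA256 hashes are left out because the page does not reproduce them, and the two IP addresses whose boundary was lost in extraction are also left out.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the report summary above.
IOC_DOMAINS = {"api.skycloudcenter.com", "api.wiresguard.com"}
# Only the two addresses that are unambiguous on the page (they also appear in the URL list).
IOC_IPS = {"59.110.7.32", "124.222.137.114"}
IOC_URLS = {
    "https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821",
    "http://api.wiresguard.com/users/admin",
    "http://api.wiresguard.com/update/v1",
    "http://api.wiresguard.com/api/FileUpload/submit",
    "http://59.110.7.32:8880/uffhxpSy",
    "http://59.110.7.32:8880/api/getBasicInfo/v1",
    "http://59.110.7.32:8880/api/Metadata/submit",
    "http://124.222.137.114:9999/3yZR31VK",
    "http://124.222.137.114:9999/api/updateStatus/v1",
    "http://124.222.137.114:9999/api/Info/submit",
    "https://api.wiresguard.com/users/system",
    "https://api.wiresguard.com/api/getInfo/v1",
    "https://api.wiresguard.com/api/Info/submit",
}

# Assumed (constructed) proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return a list of (indicator_type, indicator) pairs that the URL matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = []

    # Full-URL match on scheme + host[:port] + path; the query string is ignored
    # so that a beacon adding parameters still matches the listed endpoint.
    bare = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if bare in IOC_URLS:
        hits.append(("url", bare))

    # Domain match: the listed host or any subdomain of it.
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            hits.append(("domain", domain))
            break

    # IP match: only when the host component is a literal address.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and str(ip) in IOC_IPS:
        hits.append(("ip", str(ip)))

    return hits


def scan_log(lines):
    """Parse each log line and return an alert record for every line that hits an indicator."""
    alerts = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # malformed or unexpected format; skipped rather than crashing the scan
        hits = classify_url(match.group("url"))
        if hits:
            alerts.append(
                {"line": number, "src": match.group("src"), "url": match.group("url"), "hits": hits}
            )
    return alerts


# Constructed sample log lines (not real traffic): one benign request, three indicator hits,
# and one malformed line.
SAMPLE_LOG = [
    "2025-01-10T09:00:01Z 10.0.0.5 GET https://update.example.org/notepad/latest 200",
    "2025-01-10T09:00:07Z 10.0.0.5 POST https://api.wiresguard.com/api/Info/submit?x=1 200",
    "2025-01-10T09:01:12Z 10.0.0.9 GET http://124.222.137.114:9999/3yZR31VK 200",
    "2025-01-10T09:02:00Z 10.0.0.9 GET http://api.skycloudcenter.com/health 200",
    "this line does not follow the expected format",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        kinds = ", ".join(f"{kind}={value}" for kind, value in alert["hits"])
        print(f"line {alert['line']}: {alert['src']} -> {alert['url']} [{kinds}]")
```

Matching on the host as well as on the exact URL matters: the third sample line would be missed by an exact-URL match alone once the path changes, while the domain and IP matches still fire. Exact-URL matches against the listed endpoints remain useful as higher-confidence signals for triage.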