Analytics Story: Lotus Blossom Chrysalis Backdoor

Description

Leverage searches that allow you to detect and investigate activities related to Lotus Blossom's Chrysalis backdoor supply chain attack. Monitor for DLL side-loading abuse of Bitdefender Submission Wizard, TinyCC shellcode execution with suspicious command-line flags, BluetoothService persistence in user directories, and system information collection via whoami/systeminfo commands. Investigate unusual process execution patterns, NSIS installer deployments to suspicious paths, and malicious service installations. Combining behavioral detections with threat intelligence enables early identification of Lotus Blossom tradecraft, including custom loaders, Microsoft Warbird abuse, and C2 communications mimicking legitimate API traffic patterns.

Why it matters

Lotus Blossom (Billbug) is a Chinese APT group active since 2009, targeting government, telecom, aviation, and critical infrastructure sectors across Southeast Asia and Central America. In June 2025, the group compromised Notepad++ hosting provider infrastructure, redirecting update traffic to malicious servers until December 2025. Kaspersky and Rapid7 identified three distinct infection chains delivering the custom Chrysalis backdoor. Chain #1 exploited a ProShow software vulnerability to launch Metasploit downloaders. Chain #2 abused the Lua interpreter to execute shellcode via EnumWindowStationsW. Chain #3 deployed DLL side-loading using a renamed Bitdefender Submission Wizard binary (BluetoothService.exe) to load encrypted shellcode. All chains collected system information via the whoami, tasklist, systeminfo, and netstat commands, exfiltrating the results to the temp.sh hosting service. Alternative loaders include TinyCC abuse for shellcode compilation and Microsoft Warbird exploitation. The malware establishes persistence through Windows services, while its C2 communications mimic legitimate API traffic. Victims included government organizations in the Philippines, financial institutions in El Salvador, and IT service providers in Vietnam. Lotus Blossom also deploys Cobalt Strike beacons and Metasploit shellcode as secondary payloads. Splunk ESCU provides detection coverage for these commodity frameworks in the Cobalt Strike and Compromised Windows Host analytic stories.

Detections

Name | Technique | Type
System Information Discovery Detection | System Information Discovery | TTP
System User Discovery With Whoami | System Owner/User Discovery | Anomaly
Windows BitDefender Submission Wizard DLL Sideloading | Hijack Execution Flow | TTP
Windows Bluetooth Service Installed From Uncommon Location | Windows Service, Masquerading | Anomaly
Windows Rundll32 Execution With Log.DLL | Hijack Execution Flow | Anomaly
Windows TinyCC Shellcode Execution | Windows Command Shell, Obfuscated Files or Information, Masquerading | TTP
Windows Wmic Systeminfo Discovery | System Information Discovery | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System

Source: GitHub | Version: 1