
"Early Monday, the text editor's project author said a suspected Chinese state-sponsored group somehow compromised a shared hosting server and selectively redirected some update traffic to an attacker-controlled site where victims downloaded a poisoned version of what appeared to be a legit software update. Later on Monday, Rapid7's managed detection and response team attributed the attack "with moderate confidence" to the Chinese advanced persistent threat (APT) group they call Lotus Blossom."
"While it's still unclear exactly how the miscreants gained initial access to Notepad++'s distribution infrastructure, once inside they abused that access to deliver a trojanized update in the form of an NSIS installer, a packaging format commonly abused by Chinese APT groups to deliver initial payloads. The installer contained an executable file named "BluetoothService.exe," which is a renamed legitimate Bitdefender Submission Wizard abused for DLL sideloading - another favorite technique among Beijing-backed spies to deliver custom implants."
Lotus Blossom, a Chinese government-linked espionage crew, hijacked Notepad++ update delivery to install a newly identified backdoor named Chrysalis in targeted networks. Attackers compromised a shared hosting server and selectively redirected some update traffic to an attacker-controlled site, causing victims to download a trojanized NSIS installer. The NSIS package included a renamed Bitdefender Submission Wizard executable, BluetoothService.exe, abused for DLL sideloading to load custom implants. The campaign focuses on government, telecom, aviation, critical infrastructure, and media organizations across Southeast Asia and Central America. The initial access vector into Notepad++'s distribution infrastructure remains unclear.
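Added example, not code from The Register's or Rapid7's reporting: a small Python check over constructed Sysmon-style process-creation records that flags the renaming trick described above, where the executable's PE OriginalFileName version field does not match the file name it runs under, and separately flags execution from user-writable drop locations. The record format, the paths and the OriginalFileName value are assumptions made for the example.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (key=value fields, one per line).
# Paths and the OriginalFileName value are made up; only the pattern (a renamed
# legitimate executable launched from an installer's temp directory) mirrors the report.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\svchost.exe|OriginalFileName=svchost.exe
Image=C:\\Users\\alice\\AppData\\Local\\Temp\\nsu1234.tmp\\BluetoothService.exe|OriginalFileName=LegitVendorTool.exe
Image=C:\\Program Files\\Notepad++\\notepad++.exe|OriginalFileName=notepad++.exe
Image=C:\\Users\\bob\\Downloads\\update.exe|OriginalFileName=-
"""

# Directory markers that a normal user can write to; a signed vendor binary
# running from one of these is worth a look even before the name check.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")

def parse_event(line):
    """Split one 'k=v|k=v' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def classify(event):
    """Return a list of reasons this process start looks suspicious (empty if none)."""
    image = event["Image"]
    on_disk = PureWindowsPath(image).name.lower()
    original = event.get("OriginalFileName", "").strip().lower()
    reasons = []
    # Sysmon writes '-' or '?' when the PE carries no usable version resource.
    if original and original not in ("-", "?") and original != on_disk:
        reasons.append(f"renamed binary: on disk '{on_disk}', PE OriginalFileName '{original}'")
    if any(marker in image.lower() for marker in USER_WRITABLE):
        reasons.append("executed from user-writable path")
    return reasons

def find_suspicious(text):
    """Run the checks over every record and return (image, reasons) for each hit."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits

if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The renamed-binary condition on its own is the higher-signal one; the path check is there to rank hits, since plenty of legitimate installers also run from Temp.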
Read at Theregister