Listen to this Post

Introduction:
The software supply chain remains a critical attack vector for advanced persistent threat (APT) groups. In early 2026, the Chinese-linked APT Lotus Blossom (also tracked as Chrysalis) successfully compromised the popular Notepad++ text editor, embedding a sophisticated backdoor to target developers and enterprises. This article dissects the technical indicators of compromise (IOCs) and provides a comprehensive, actionable guide for security teams to hunt for this threat within their Splunk SIEM environments, leveraging publicly shared detection searches.
Learning Objectives:
- Understand the infection chain and key persistence mechanisms of the Lotus Blossom (Chrysalis) backdoor deployed via Notepad++.
- Implement and customize advanced Splunk correlation searches covering file, process, registry, and network IOCs.
- Apply YARA rule logic within a SIEM context to detect known malware samples and related behavioral patterns.
You Should Know:
- Anatomy of the Compromise: Initial Access and Persistence
The attack leveraged the official Notepad++ update mechanism (GUP.exe), a classic supply chain tactic. The malicious payload was fetched and executed, leading to the deployment of a loader (often a malicious DLL) and the final Chrysalis backdoor. Persistence was achieved through methods like scheduled tasks, registry run keys, and DLL side-loading from deceptive directories such as `AppData\Roaming\ProShow\` orAdobe\Scripts\.
Step‑by‑step guide explaining what this does and how to use it.
To manually investigate these artifacts on a Windows endpoint, use the following commands:
Check for suspicious scheduled tasks schtasks /query /fo LIST /v | findstr /i "ProShow Adobe Bluetooth" Examine registry auto-start locations reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" List files in suspicious directories from a command line dir /s /a %APPDATA%\ProShow\ dir /s /a %APPDATA%\Adobe\Scripts\ dir /s /a %LOCALAPPDATA%\Microsoft\Windows\USOShared\
In Splunk, the provided searches (1-15) automate this hunt by correlating Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreation) from these paths with registry modifications (Event ID 12,13) and scheduled task creation.
- From Hashes to Behavior: Implementing YARA Logic in Splunk
Static file hashes are low-noise IOCs but can be evaded. The detection pack translates YARA rules from signature-base repositories into behavioral Splunk searches. These look for the execution pattern of the malware, such as specific DLL side-loading sequences, process injection, and connections to C2 infrastructure initiated by spawned processes.
Step‑by‑step guide explaining what this does and how to use it.
The searches (16-24) use the `tstats` command with the CIM Data Model for efficiency. To leverage this, ensure your Splunk environment has the Common Information Model (CIM) compliant add-ons installed and data is correctly normalized. For example, a search might look for a process creating a child `rundll32.exe` from a suspicious path. You can test YARA rules locally on a suspected file using the command line:
On Linux, with yara installed yara -r <compiled_rules_file> <suspected_directory> On Windows, using Thor Lite (Fast IR Scanner) or similar thor-lite.exe --yara <rules_file> --target <path>
The Splunk searches effectively replicate this logic by matching known malicious SHA256 hashes and the behavioral chain described in the YARA rules.
3. Network-Based Detection: Hunting C2 Communication
The Lotus Blossom infrastructure utilized cloud providers like Vultr, Alibaba, and Tencent Cloud, with typosquatted domains (e.g., WireGuard variants). Network detection is crucial for identifying compromised systems that have evaded host-based controls.
Step‑by‑step guide explaining what this does and how to use it.
Searches 25-39 cover multiple data sources: firewall logs (OPNsense, ZenArmor), DNS queries, proxy logs, and SSL/TLS inspection logs (checking for suspicious SNI fields). To implement these, you must ensure your Splunk forwarders are ingesting this network data. A critical IOC is the `GUP.exe` (Notepad++ updater) making anomalous HTTP POST requests to unknown IPs. You can simulate a network query from a potential infected host using `curl` to check for beaconing:
Linux/Windows (in Command Prompt): Check if a suspicious IP is responsive (for investigation only, be cautious) curl -v -s -o /dev/null http://<SUSPECT_C2_IP>:<port> -A "Notepad++ Updater"
In your Splunk search, you would look for `sourcetype=proxy` or `sourcetype=stream:dns` and filter for the known C2 IPs/domains or anomalous User-Agent strings associated with the updater.
4. Building a Cohesive Detection Strategy: Correlation Searches
Isolated IOCs can be missed. The true power of this pack lies in its use of Splunk’s correlation capabilities. For instance, linking a file creation in `USOShared` with a subsequent outbound connection to a Tencent Cloud IP within a 5-minute window creates a high-fidelity alert.
Step‑by‑step guide explaining what this does and how to use it.
Create a custom correlation search using Splunk’s Transaction or `stats` commands. An example SPL skeleton:
index=windows (EventCode=11 FilePath="USOShared\.dll") OR (EventCode=3 DestinationIp="185.199.xx.xx") | transaction host maxspan=5m | where eventcount>1
This search would find hosts where a suspicious DLL was dropped and a connection to a known C2 IP occurred within a short timeframe. Integrate these correlated alerts into your SOC’s runbooks for immediate triage.
5. Hardening the Environment: Proactive Mitigation Steps
Detection is reactive; mitigation is proactive. Beyond hunting, organizations must implement controls to prevent similar supply chain attacks.
Step‑by‑step guide explaining what this does and how to use it.
– Application Allowlisting: Use Windows AppLocker or similar to restrict execution from `%APPDATA%` and `%LOCALAPPDATA%` for standard users.
Example AppLocker rule via PowerShell (Context: Creation of a deny rule for a path) New-AppLockerPolicy -RuleType Path -Action Deny -User Everyone -Path "%APPDATA%.exe" -Name "Block EXE from AppData"
– Network Segmentation: Restrict outbound traffic from developer workstations and build servers to only necessary repositories and services, limiting C2 callbacks.
– Update Policy: Implement a managed and verified software update process, disabling built-in updaters for critical tools like Notepad++ in favor of enterprise-deployed, hash-verified versions.
What Undercode Say:
- The Modern SOC is a Hunting Lodge: The shift from pure alerting to proactive hunting, using frameworks like MITRE ATT&CK and shared detection logic as seen here, is non-negotiable. This pack turns a blog post IOC list into operationalized intelligence.
- Supply Chain is the New Perimeter: This attack underscores that the trust placed in software vendors is a primary attack surface. Security programs must extend their visibility and controls deep into the software development and update lifecycle.
Analysis: The value of Damien’s shared Splunk pack cannot be overstated. It demonstrates a mature security practice—translating threat intelligence into immediate, platform-specific detection logic. This drastically reduces the time from IOC publication to operational deployment for Splunk users worldwide. The inclusion of both raw SPL and CIM-optimized (tstats) versions showcases an understanding of performance at scale. However, defenders must remember that these searches are a snapshot; APT groups constantly evolve. These detections should be the baseline from which custom, environment-specific behavioral analytics are built, particularly around abnormal `GUP.exe` or `msiexec` network activity.
Prediction:
Supply chain attacks targeting ubiquitous, trust-worthy developer tools will accelerate, increasingly leveraging AI-generated code or poisoning open-source dependencies to achieve stealth. The future defensive focus will pivot towards “verified updates” using cryptographic software bills of materials (SBOMs) and real-time behavioral analysis of update processes themselves. AI will play a dual role: both in powering more convincing social engineering for initial access and in enabling SIEMs to autonomously correlate weak signals across the software supply chain kill chain, moving from IOCs to Indicators of Behavior (IOBs).
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Damien D – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


