PowerShell script to check Windows machines for indicators of compromise from the Notepad++ supply chain attack (June - December 2025) attributed to Lotus Blossom APT.
The attack hijacked Notepad++ update infrastructure to deliver the Chrysalis backdoor. Patched in Notepad++ v8.8.9 (December 2025).
# Basic scan
powershell -ExecutionPolicy Bypass -File chrysalis_check.ps1
# Extended scan (also checks Downloads, Temp, ProgramData)
powershell -ExecutionPolicy Bypass -File chrysalis_check.ps1 -DeepHashScan
# Save results to file
powershell -ExecutionPolicy Bypass -File chrysalis_check.ps1 -NoColor > results.txtThe script is read-only and does not modify your system. Exit code 0 = clean, 1+ = alerts found.
Note: This is a quick triage tool that checks for known, published IoCs only. It does not scan memory, detect behavioral patterns, or replace a proper EDR/AV solution. A clean result means none of the known static indicators were found — it does not guarantee your system is uncompromised. If you have reason to believe you were targeted, use a full endpoint security tool and consult your incident response team.
| # | Check | What it looks for |
|---|---|---|
| 1 | Drop directory | %AppData%\Bluetooth (Chrysalis staging folder) |
| 2 | C2 connections (TCP) | Active connections to known C2 IPs |
| 3 | C2 connections (netstat) | Any protocol connections to C2 IPs |
| 4 | DNS cache | Resolved C2 domains |
| 5 | Hosts file | C2 domain entries |
| 6 | Notepad++ version | Installed version below 8.8.9 (vulnerable) |
| 7 | Registry Run keys | Persistence in HKLM/HKCU Run and RunOnce |
| 8 | Scheduled tasks | Persistence via task scheduler |
| 9 | Windows services | Suspicious BluetoothService in AppData |
| 10 | Running processes | BluetoothService, ConsoleApplication2, s047t5g |
| 11 | Malicious filenames | Known filenames in user directories |
| 12 | SHA-256 hash scan | All exe/dll/bat in AppData checked against 16 known hashes |
All indicators sourced from Rapid7 Labs.
| File | SHA-256 | Description |
|---|---|---|
| update.exe | a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9 |
Malicious NSIS installer delivered via hijacked Notepad++ update |
| [NSIS.nsi] | 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e |
Installation script extracted from NSIS installer |
| BluetoothService.exe | 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924 |
Renamed Bitdefender binary used for DLL sideloading |
| BluetoothService | 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e |
Encrypted shellcode blob (Chrysalis payload) |
| log.dll | 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad |
Malicious DLL sideloaded by BluetoothService.exe |
| u.bat | 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600 |
Batch script for cleanup/persistence |
| conf.c | f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a |
Embedded Metasploit shellcode, compiled via TCC at runtime |
| libtcc.dll | 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906 |
Tiny C Compiler library used to compile conf.c |
| admin | 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd |
Cobalt Strike beacon from api.wiresguard.com |
| loader1 | 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd |
Intermediate loader |
| uffhxpSy | 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8 |
Intermediate loader |
| loader2 | e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda |
Second-stage loader |
| 3yzr31vk | 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5 |
Second-stage loader |
| ConsoleApplication2.exe | b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3 |
Warbird loader abusing Microsoft Warbird framework |
| system | 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd |
Additional payload |
| s047t5g.exe | fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a |
Additional payload |
| Indicator | Type |
|---|---|
95.179.213.0 |
Payload download server |
61.4.102.97 |
C2 IP (api.skycloudcenter.com) |
59.110.7.32 |
Infrastructure IP |
124.222.137.114 |
Infrastructure IP |
api.skycloudcenter.com |
Primary C2 domain (Chrysalis) |
api.wiresguard.com |
Secondary C2 domain (Cobalt Strike) |
| ID | Technique |
|---|---|
| T1204.002 | User Execution: Malicious File |
| T1036 | Masquerading |
| T1027 | Obfuscated Files or Information |
| T1027.007 | Dynamic API Resolution |
| T1140 | Deobfuscate/Decode Files or Information |
| T1574.002 | DLL Side-Loading |
| T1106 | Native API |
| T1055 | Process Injection |
| T1620 | Reflective Code Loading |
| T1059.003 | Windows Command Shell |
| T1083 | File and Directory Discovery |
- Rapid7 — The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit
- Notepad++ — Hijacked Incident Info Update
- Kaspersky/Securelist — Notepad++ Supply Chain Attack
MIT