#BackDoor

2026-02-12

Nation-State Actors Exploit Notepad++ Supply Chain

Between June and December 2025, state-sponsored threat group Lotus Blossom compromised the hosting infrastructure for Notepad++, allowing them to intercept and redirect update traffic. This enabled selective targeting of users primarily in Southeast Asian government, telecommunications and critical infrastructure sectors. Two infection chains were identified - one using Lua script injection to deliver Cobalt Strike and another using DLL side-loading for a Chrysalis backdoor. The campaign affected additional sectors across South America, US, Europe and Southeast Asia including cloud hosting, energy, financial, government, manufacturing and software development. The attack exploited insufficient verification in older versions of the Notepad++ updater to serve malicious installers to targeted victims.

Pulse ID: 698d2ac3b38a12b4cb5a2723
Pulse Link: otx.alienvault.com/pulse/698d2
Pulse Author: AlienVault
Created: 2026-02-12 01:20:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #Cloud #CobaltStrike #CyberSecurity #Europe #Government #InfoSec #LUA #Manufacturing #Notepad #OTX #OpenThreatExchange #RCE #SouthAmerica #SupplyChain #Telecom #Telecommunication #bot #AlienVault

AllAboutSecurity (allaboutsecurity)
2026-02-12

BRICKSTORM backdoor: CISA warns of new malware variant from China

US agencies document further-developed malware for virtualization platforms

all-about-security.de/bricksto

Mathrubhumi English (Mathrubhumi_English)
2026-02-12

Kerala government considers common guidelines as state bodies push mass regularisation, raising legal, policy and reservation concerns. english.mathrubhumi.com/news/k

2026-02-10

Hackers Exploiting Ivanti EPMM Devices to Deploy Dormant Backdoors

Pulse ID: 698b433c5d7c42bba8c22003
Pulse Link: otx.alienvault.com/pulse/698b4
Pulse Author: CyberHunter_NL
Created: 2026-02-10 14:39:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Ivanti #OTX #OpenThreatExchange #bot #CyberHunter_NL

2026-02-09

A security alert regarding APT-C-28 (ScarCruft) using MiradorShell to launch a cyberattack.

A recent investigation reveals that the APT-C-28 (ScarCruft) group has expanded its targets to include the cryptocurrency industry. The group employs sophisticated phishing tactics, using LNK files disguised as PDFs to lure victims with investment proposals ranging from $1-3 million. Upon execution, a multi-stage payload deployment occurs, ultimately installing MiradorShell v2.0 to gain system control. The attack chain involves file downloads, decryption, and the creation of scheduled tasks for persistence. MiradorShell, an AutoIt-based backdoor, connects to a command and control server, offering reverse shell capabilities, file management, remote program execution, and victim fingerprinting. The malware employs various evasion techniques, including inline library files and direct API calls.

Pulse ID: 6989b4731b7121e79a9ff3ef
Pulse Link: otx.alienvault.com/pulse/6989b
Pulse Author: AlienVault
Created: 2026-02-09 10:18:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #BackDoor #CyberAttack #CyberSecurity #ICS #InfoSec #LNK #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #ScarCruft #bot #cryptocurrency #AlienVault

2026-02-09

Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)

Threat actors are actively exploiting a vulnerability in SolarWinds Web Help Desk, targeting organizations using versions prior to 12.8.7 HF1. The attack chain involves deploying Zoho ManageEngine RMM agents, Velociraptor for command and control, and Cloudflare tunnels for persistence. Attackers use encoded PowerShell commands, disable Windows Defender and Firewall, and implement a C2 failover mechanism. They also utilize Elastic Cloud for data exfiltration and QEMU for SSH backdoor persistence. The earliest known instance of this persistence mechanism was observed on January 16, 2026. Organizations are advised to update their SolarWinds Web Help Desk, restrict administrative interface access, reset credentials, and review hosts for unauthorized tools and suspicious activities.

Pulse ID: 6989781e005f12730fe1fc8b
Pulse Link: otx.alienvault.com/pulse/69897
Pulse Author: AlienVault
Created: 2026-02-09 06:01:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #ESET #InfoSec #OTX #OpenThreatExchange #PowerShell #RAT #SSH #SolarWinds #Vulnerability #Windows #bot #AlienVault

Puertas Percepción (puertaspercepcion)
2026-02-07

The is at times the most preferable. As always, keep an to new , and how to them.

A wooden gate to the backyard of a house, covered in lichen.

2026-02-05

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various devices, including PCs, mobile devices, and IoT, delivering ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence suggesting China-nexus threat actors as operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.

Pulse ID: 6984fa9b481e11f8426b9eb0
Pulse Link: otx.alienvault.com/pulse/6984f
Pulse Author: AlienVault
Created: 2026-02-05 20:16:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #AitM #Android #BackDoor #China #Chinese #Cisco #CyberSecurity #DNS #Edge #InfoSec #IoT #Linux #Malware #Nim #OTX #OpenThreatExchange #RAT #ShadowPad #Talos #Windows #bot #AlienVault

Kevin Karhan :verified: (kkarhan@infosec.space)
2026-02-04

@Eichi it's called #CensirBiit, because nothing about it is secure, whether #BitLocker-#Backdoor or #GoldenKeyBoot!

2026-02-04

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

Chinese hackers used a previously undocumented custom backdoor to deliver shellcode to victims of a targeted espionage campaign, according to Rapid7 Labs and the Rapid7 MDR team, who have uncovered a new type of malicious implant.

Pulse ID: 6983154d527ea2bf3aac3649
Pulse Link: otx.alienvault.com/pulse/69831
Pulse Author: CyberHunter_NL
Created: 2026-02-04 09:45:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CyberSecurity #Espionage #InfoSec #OTX #OpenThreatExchange #Rapid7 #ShellCode #bot #CyberHunter_NL

2026-02-04

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit

Pulse ID: 6982cbe3f96a38f7a82972eb
Pulse Link: otx.alienvault.com/pulse/6982c
Pulse Author: Tr1sa111
Created: 2026-02-04 04:32:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

DansLeRuSH ᴱᶰ (danslerush@floss.social)
2026-02-03

A (fairly technical) look at what happened with #NotepadPlusPlus and huge support to Don « The #Chrysalis #Backdoor : A Deep Dive into Lotus Blossom’s toolkit »

rapid7.com/blog/post/tr-chrysa

#InfoSec

2026-02-03

Leveraging of CVE-2026-21509 in Operation Neusploit

A new campaign dubbed Operation Neusploit, attributed to the Russia-linked APT28 group, targets Central and Eastern European countries using specially crafted Microsoft RTF files to exploit CVE-2026-21509. The attack chain involves multi-stage infection, delivering malicious backdoors including MiniDoor, PixyNetLoader, and a Covenant Grunt implant. The campaign employs social engineering lures in multiple languages, server-side evasion techniques, and abuses the Filen API for command-and-control communications. The malware components utilize various persistence mechanisms, steganography, and anti-analysis techniques. The operation showcases APT28's evolving tactics, techniques, and procedures in weaponizing the latest vulnerabilities.

Pulse ID: 698128e65e8a9984e3ff5b7e
Pulse Link: otx.alienvault.com/pulse/69812
Pulse Author: AlienVault
Created: 2026-02-02 22:44:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT28 #BackDoor #CyberSecurity #EasternEurope #Europe #ICS #InfoSec #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RTF #Russia #SMS #SocialEngineering #Steganography #bot #AlienVault

2026-02-03

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit

Rapid7 Labs has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom, involving a new custom backdoor named Chrysalis. The attack compromised Notepad++ infrastructure to deliver the backdoor. Analysis revealed multiple custom loaders, including one using Microsoft Warbird for obfuscation. The Chrysalis backdoor has extensive capabilities for information gathering, file operations, and remote command execution. Additional artifacts found include Cobalt Strike beacons and Metasploit payloads. The campaign shows Lotus Blossom evolving its tactics, mixing custom and off-the-shelf tools with advanced obfuscation techniques to evade detection.

Pulse ID: 6981aff0acbb318f992ed03e
Pulse Link: otx.alienvault.com/pulse/6981a
Pulse Author: AlienVault
Created: 2026-02-03 08:21:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Chinese #CobaltStrike #CyberSecurity #ELF #ICS #InfoSec #Microsoft #Notepad #OTX #OpenThreatExchange #RAT #Rapid7 #RemoteCommandExecution #bot #AlienVault

𝓜𝓪𝓻𝓬 𝓐𝓷𝓰𝓮𝓵𝓼 (bax3l33t)
2026-01-29
Kevin Karhan :verified: (kkarhan@infosec.space)
2026-01-29

@tranquil_cassowary @halotroop2288 here's a good example:

criminaldefencelawyers.com.au/

And yes, this can and will be weaponized against any non-#Govware - #backdoored #OS & -Device.

In fact, #Australia banning #SecureDevices and -#Encryption came just after their #HoneyPot "#ANØM" aka. #OperationIronside aka. #OperationTrøjanShield had to end and they had to bust the users, as #Estonia was unwilling to extend the permission to host the infrastructure on its soil on behalf of the #FBI & #AFP!
