A newly analyzed threat, Chrysalis, is a sophisticated backdoor attributed to the Chinese APT group Lotus Blossom. The malware employs advanced evasion techniques, including heavy obfuscation, API hashing, dynamic DNS resolution, custom encryption and stealthy C2 communication disguised as legitimate traffic. Once active, Chrysalis enables extensive malicious actions such as system reconnaissance, data theft, command execution, file transfer, interactive shell access, process manipulation and even self‑removal. In several cases, infected systems also received chained Metasploit and Cobalt Strike payloads, adding further layers of stealth and code protection.
Attackers abused the Notepad++ software distribution infrastructure as part of a supply‑chain compromise, delivering malicious update files to unsuspecting users. The malware relied on DLL sideloading: tampered DLLs were placed next to renamed legitimate executables so that the trusted binary loaded the attacker's code, giving it execution and persistence. The root cause was insufficient validation of software updates, such as missing or incomplete code‑signing and integrity checks. Those weaknesses enabled a silent, long‑term compromise that did not trigger standard defenses.
This Chrysalis report is delivered through our Threat Briefing (TB) feature. Introduced in Progress Flowmon ADS version 12.5, Threat Briefings combine:
The benefit is simple: you spend less time researching and more time responding effectively.
From the moment a Threat Briefing is published, automatic detection becomes available to identify Chrysalis‑related activity in real time.
In addition, you can run retrospective analysis using the Indicators of Compromise (IoCs) from the briefing against your historical telemetry data. This allows you to quickly determine whether your environment was exposed before the briefing existed.
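The retrospective sweep described above, in miniature, as an added example that is not part of the original post and does not use any Flowmon API: a set of IoCs (placeholder IPs from the TEST-NET ranges and an example.net domain, not real Chrysalis indicators) is matched against a few constructed NetFlow/IPFIX-style records, and the hits are rolled up per internal host into first-seen, last-seen, hit count and byte volume, which is exactly the "whether and when" evidence the next paragraph refers to. The record layout, field names and sample data are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed IoC set standing in for the indicators a Threat Briefing would carry.
# These are documentation/test addresses (RFC 5737 TEST-NET, example TLD), not real C2.
BRIEFING_IOCS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-cdn.example.net"},
}

# Constructed historical flow records (NetFlow/IPFIX-like), one per line:
# timestamp,src_ip,dst_ip,dst_port,proto,bytes,dns_qname (empty when not a DNS query)
HISTORICAL_FLOWS = """\
2025-11-02T08:13:05Z,10.0.5.21,203.0.113.45,443,tcp,5120,
2025-11-02T08:13:04Z,10.0.5.21,10.0.0.53,53,udp,98,update-cdn.example.net
2025-11-03T17:42:11Z,10.0.7.9,93.184.216.34,443,tcp,20480,
2025-11-05T02:01:59Z,10.0.5.21,203.0.113.45,443,tcp,1048576,
2025-11-06T11:20:00Z,10.0.9.14,198.51.100.7,8080,tcp,3072,
"""


@dataclass
class FlowRecord:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    dns_qname: str


def parse_flows(text: str) -> list[FlowRecord]:
    """Parse the constructed CSV-style flow export into records with UTC timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes, qname = line.split(",")
        records.append(FlowRecord(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            src_ip=src, dst_ip=dst, dst_port=int(port), proto=proto,
            nbytes=int(nbytes), dns_qname=qname,
        ))
    return records


def match_iocs(flows: list[FlowRecord], iocs: dict) -> list[tuple[FlowRecord, str, str]]:
    """Return (record, ioc_type, ioc_value) for every flow that touches an IoC.

    Destination IPs are compared exactly; DNS query names are normalised
    (lower-cased, trailing dot stripped) before lookup so 'Foo.Example.NET.' still matches.
    """
    hits = []
    for f in flows:
        if f.dst_ip in iocs["ipv4"]:
            hits.append((f, "ipv4", f.dst_ip))
        if f.dns_qname and f.dns_qname.lower().rstrip(".") in iocs["domain"]:
            hits.append((f, "domain", f.dns_qname))
    return hits


def exposure_summary(hits: list[tuple[FlowRecord, str, str]]) -> dict:
    """Roll hits up per internal host: first/last seen, hit count, bytes, IoCs touched."""
    summary: dict = {}
    for rec, kind, value in hits:
        s = summary.setdefault(rec.src_ip, {
            "first_seen": rec.ts, "last_seen": rec.ts, "hits": 0, "bytes": 0, "iocs": set(),
        })
        s["first_seen"] = min(s["first_seen"], rec.ts)
        s["last_seen"] = max(s["last_seen"], rec.ts)
        s["hits"] += 1
        s["bytes"] += rec.nbytes
        s["iocs"].add(f"{kind}:{value}")
    return summary


def retrospective_sweep(flow_text: str = HISTORICAL_FLOWS, iocs: dict = BRIEFING_IOCS) -> dict:
    """Full pipeline: parse stored telemetry, match briefing IoCs, summarise exposure."""
    return exposure_summary(match_iocs(parse_flows(flow_text), iocs))


if __name__ == "__main__":
    for host, s in sorted(retrospective_sweep().items()):
        print(f"{host}: {s['hits']} hit(s), first {s['first_seen'].isoformat()}, "
              f"last {s['last_seen'].isoformat()}, {s['bytes']} bytes -> {sorted(s['iocs'])}")
```

Two caveats a practitioner would want alongside the output. Domain matching only works if the telemetry retains DNS query names; pure layer‑3/4 flow data will only ever match the IP indicators. And a sweep with no hits shows only that the indicators known at publication time did not appear in the retained history, not that the environment was never exposed, so retention depth and IoC coverage should be recorded with the result.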
Having evidence of historical exposure is especially valuable from a compliance and audit perspective: it provides a verifiable trail showing whether, and when, systems were affected, helping organizations demonstrate due diligence, support incident‑reporting requirements and document their response posture clearly and transparently.
Would you like to try the Threat Briefing feature in your environment? Request a free trial.