He added a link to a deep dive for the backdoor used in the attack.
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
I’m so confused.
- It doesn’t say anything about “state-sponsored attackers” outside of the headline? What state? Why?
- Why is a Notepad app connecting to any servers or having credentials at all?
It wasn’t specifically notepad++ code, but a custom-written updater. That’s why it was connecting to the internet.
I mean, it is n++ code because the updater is part of the code base. They just didn’t have the connection to the update server hardened.
This was patched in like December, though.