Tag: Rapid7

  • Surgical Espionage: The “Chrysalis” Backdoor and the 6-Month Hijack of Notepad++

    Cybersecurity researchers are continuing to investigate a sophisticated incursion targeting the ubiquitous text editor Notepad++, which remained undetected for nearly half a year—from June through December 2025. By compromising the hosting provider for notepad-plus-plus.org, adversaries gained the leverage to intercept software update requests. Consequently, users were served malicious binaries in lieu of authentic installers; these executed automatically because legacy versions of the editor did not rigorously verify digital signatures.

    Rapid7 has asserted, with a “moderate degree of confidence,” that the breach is attributable to the Chinese threat actor Lotus Blossom, also known by the aliases Lotus Panda and Billbug. This entity typically orchestrates surgical espionage campaigns against organizations in Southeast Asia and, more recently, Central America, focusing its scrutiny on governmental bodies, telecommunications, aviation, critical infrastructure, and the media sector.

    According to specialists, the hackers weaponized the compromised Notepad++ update mechanism to disseminate a previously undocumented backdoor dubbed Chrysalis. Once inside, they built a trojanized update in the form of an NSIS installer—a format frequently favored by Chinese adversarial groups for the delivery of malicious payloads.

    The installer harbored an executable titled BluetoothService.exe, which was, in reality, a repurposed legitimate utility known as the Bitdefender Submission Wizard. This was employed to facilitate DLL side-loading, a preferred technique among Chinese cyber-espionage operatives. Additionally, the installer contained a file named BluetoothService, housing encrypted shellcode, alongside a malicious DLL.

    The shellcode constitutes the Chrysalis backdoor itself. Rapid7 posits that its expansive functional repertoire suggests a highly advanced, persistent instrument rather than a rudimentary, ephemeral utility. The malware leverages legitimate executables to load malicious libraries disguised with innocuous nomenclature, thereby evading detection by superficial file-name-based security tools. Furthermore, it employs specialized API hashing within both the loader and the primary module, multiple strata of obfuscation, and a meticulously structured protocol for communication with command-and-control (C2) servers.

    At the time of disclosure, Rapid7 lacked definitive data regarding the precise number of victims who inadvertently retrieved the Chrysalis malware. Nevertheless, researchers have published an exhaustive catalog of file-based and network-centric indicators of compromise (IoCs).

    The attribution to Lotus Blossom rests primarily on overlaps with the tactics documented in prior Symantec research. Specifically, the adversaries utilized the renamed Bitdefender Submission Wizard to load log.dll, tasked with decrypting and executing auxiliary malicious payloads. Moreover, the striking similarities in the execution chain and the identical public key extracted from Cobalt Strike beacons further implicate Lotus Blossom in this coordinated campaign.

  • Naughty List: SantaStealer Malware Unwrapped—The “New” Holiday Threat is Just Rebranded Code

    In the run-up to the New Year holidays, underground marketplaces often see a surge of freshly minted data-stealing tools, and this time SantaStealer is being aggressively promoted across Telegram channels and hacker forums. It is advertised as a memory-resident piece of malware designed to evade security defenses, yet early analyses suggest that reality falls short of the marketing claims.

    According to Rapid7, SantaStealer appears to be little more than a rebranding of the BluelineStealer project, with its developer rushing to push a release before year’s end. As the report notes, leaked samples contain numerous analytical breadcrumbs—including readable strings and symbol names—indicating poor operational discipline and undermining any serious attempt at stealth. The swift and reliable evasion touted in promotional materials was not observed in the variants examined by Rapid7.

    Access to the affiliate panel suggests that “customers” can generate builds with varying depths of data theft, ranging from a generic configuration to profiles tailored for specific data types. Internally, SantaStealer employs 14 collection modules running in parallel: harvested data is written to memory, compressed into ZIP archives, and exfiltrated in 10-MB chunks to a designated command server via port 6767.

    Its targets are typical for this malware class: browser passwords, cookies, browsing history, stored payment cards, data from Telegram, Discord, and Steam, cryptocurrency wallet applications and extensions, as well as documents. Desktop screenshots are also supported.

    The report further highlights that the stealer leverages a built-in executable component to bypass Chrome’s App-Bound Encryption, introduced in July 2024 and already under attack by other active stealers. Configuration options also include excluding systems located in CIS countries and introducing a delayed execution phase to confuse victims with a period of apparent inactivity.

    No large-scale distribution of SantaStealer has yet been observed, leaving its delivery mechanisms uncertain. Rapid7 considers scenarios involving ClickFix—where victims are persuaded to paste malicious commands into the Windows terminal—as well as more traditional vectors such as phishing campaigns, pirated software, torrents, malvertising, and deceptive YouTube comments.

    As basic defensive measures, Rapid7 advises scrutinizing links and attachments from unexpected emails and avoiding the execution of unverified code from public repositories when installing extensions.

  • PoC Released for Unpatched OnePlus Flaw: Any App Can Read Your SMS Messages

    A critical vulnerability, CVE-2025-10184, has been identified in the OxygenOS operating system used on OnePlus smartphones, allowing any application on the device to read the contents of SMS messages and related metadata without requesting permissions. The flaw was discovered by Rapid7 researchers, who reported that the issue affects all system versions from OxygenOS 12 through the current OxygenOS 15. Despite repeated notifications, the manufacturer has yet to issue a patch, and initial reports from researchers went unanswered.

    The root cause lies in OnePlus’s modification of the standard Android Telephony package, where the company introduced new exported providers—PushMessageProvider, PushShopProvider, and ServiceNumberProvider. These providers lack explicit permission requirements for the READ_SMS operation in their manifests, enabling unrestricted data access to any installed application.
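    A manifest-level check for the weakness described above, added here as an example and not Rapid7's or OnePlus's code: it scans an AndroidManifest.xml for content providers that are exported without any permission attribute. The embedded manifest is constructed; its package name and authorities are placeholders, and only the provider class names come from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")

# Constructed sample manifest (not OnePlus's real one): only the provider
# class names come from the report; package and authorities are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.telephony">
  <application>
    <!-- weak: exported with no permission gate, so any app can query it -->
    <provider android:name=".PushMessageProvider"
              android:authorities="com.example.pushmessage"
              android:exported="true" />
    <provider android:name=".PushShopProvider"
              android:authorities="com.example.pushshop"
              android:exported="true" />
    <!-- hardened: still exported, but callers must hold READ_SMS / WRITE_SMS -->
    <provider android:name=".ServiceNumberProvider"
              android:authorities="com.example.servicenumber"
              android:exported="true"
              android:readPermission="android.permission.READ_SMS"
              android:writePermission="android.permission.WRITE_SMS" />
    <!-- safest: not exported, reachable only from inside the package -->
    <provider android:name=".InternalProvider"
              android:authorities="com.example.internal"
              android:exported="false" />
  </application>
</manifest>
"""

def attr(name):
    # Namespaced attribute key that ElementTree uses for android:xxx attributes.
    return "{%s}%s" % (ANDROID_NS, name)

def unguarded_exported_providers(manifest_xml):
    """Return names of providers exported without any permission attribute.
    A missing android:exported is treated as "false"; on old targetSdk levels
    Android exported providers by default, so a full audit should also flag
    providers that omit the attribute entirely."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for provider in root.iter("provider"):
        exported = provider.get(attr("exported"), "false").lower() == "true"
        guarded = any(provider.get(attr(a)) for a in PERMISSION_ATTRS)
        if exported and not guarded:
            findings.append(provider.get(attr("name")))
    return findings
```

    Run against the sample, only the two ungated providers are reported; the READ_SMS-gated and non-exported ones pass.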

    The situation is further exacerbated by the absence of input sanitization on provider queries, which opens the door to so-called blind SQL injection and allows attackers to reconstruct message content line by line from the device’s database. Rapid7 demonstrated a proof-of-concept confirming that SMS data could be extracted under certain conditions, including the presence of specific strings in the database and the availability of insert operations.

    The vulnerability was tested on the OnePlus 8T and OnePlus 10 Pro, with results showing that the flaw is not hardware-dependent and affects all OnePlus smartphones running the vulnerable versions of OxygenOS. Between May and August 2025, Rapid7 attempted to contact the company seven times without receiving a response. Only after the public disclosure did OnePlus announce the initiation of an internal review, though it has not provided a timeline for a fix.

    Until a security update is released, users are advised to minimize the number of installed applications, install software only from trusted developers, and avoid SMS-based authentication in favor of one-time code generators. For transmitting sensitive information, it is safer to rely on end-to-end encrypted messaging services, as SMS messages on OnePlus devices are not adequately isolated.

  • Urgent Printer Alert: Critical Flaw (CVE-2024-51978, CVSS 9.8) Exposes Brother & Other Printers to Remote Takeover

    Experts at Rapid7 have disclosed a critical vulnerability affecting 689 Brother printer models and 53 models from other manufacturers, including Fujifilm, Toshiba, and Konica Minolta. The flaw lies in a predictable algorithm used to generate administrator passwords—an issue that cannot be fully resolved on already released devices through firmware updates.

    Designated as CVE-2024-51978, the vulnerability has been assigned a severity score of 9.8 on the CVSS scale. It enables threat actors to deduce the default administrative password and gain full control over the device. According to researchers, the weakness stems from an insecure algorithm implemented during the manufacturing process.

    The technical breakdown reveals that the password is generated by extracting the first 16 characters of the device’s serial number, appending eight bytes from a static value table, and hashing the result using SHA-256. The hash is then Base64-encoded, and the first eight characters of the encoded string—some of which are substituted with special characters—form the final password. This process, specialists warn, can be reproduced by anyone who learns the serial number, rendering the protection mechanism dangerously fragile.

    Additionally, researchers uncovered seven more vulnerabilities affecting Brother and other printers, including information leaks, stack overflows, forced TCP connections, and potential device crashes. Some of these issues can be exploited without prior authentication.

    The full list of vulnerabilities includes:

    • CVE-2024-51977 – Information disclosure (CVSS 5.3)
    • CVE-2024-51978 – Critical flaw with predictable admin passwords (CVSS 9.8)
    • CVE-2024-51979 – Stack overflow via authenticated access (CVSS 7.2)
    • CVE-2024-51980 & CVE-2024-51981 – Forced TCP connection or arbitrary HTTP request (CVSS 5.3 each)
    • CVE-2024-51982 & CVE-2024-51983 – Potential device crash (CVSS 7.5 each)
    • CVE-2024-51984 – External service password disclosure (CVSS 6.8)

    When combined, these vulnerabilities could allow attackers not only to gain administrative access, but also to alter device settings, exfiltrate data, execute remote code, disable equipment, or pivot further into the target network.

    Rapid7’s findings indicate that the critical flaw CVE-2024-51978 affects not only Brother devices but also dozens of models from other manufacturers: 46 from Fujifilm, six from Konica Minolta, five from Ricoh, and two from Toshiba. However, the presence of all eight vulnerabilities varies by model.

    Brother has acknowledged the issue, stating that CVE-2024-51978 cannot be fully addressed through software updates alone. A permanent fix would require alterations in the hardware manufacturing process. Consequently, already distributed printers remain vulnerable unless users manually change the default password.

    The disclosure process began in May 2024. With the assistance of Japan’s coordination center JPCERT/CC, Rapid7 informed the vendors and supported the release of patches. Nevertheless, the fundamental flaw of predictable passwords remains unfixable in existing units.

    Owners of affected printer models are strongly advised to change the default administrative password immediately and install all available firmware updates. Furthermore, access to administrative interfaces should be restricted from external and unsecured networks.

    Official websites for Brother, Konica Minolta, Fujifilm, Ricoh, and Toshiba now provide guidance and updates aimed at mitigating exploitation risks.

  • Rapid7 acquires the open source project Velociraptor

    Rapid7, a provider of security risk information solutions, announced the acquisition of Velociraptor, a project for endpoint monitoring, digital forensics, and incident response. After the completion of the acquisition, Rapid7 will continue to develop the Velociraptor community and intends to use its technology and insights to enhance Rapid7’s incident response capabilities. The specific transaction amount has not been disclosed yet.

    Rapid7 stated that Velociraptor was developed for digital forensics and incident response (DFIR) professionals who needed a powerful and effective way to search for and monitor malicious activity across endpoints. Velociraptor’s community-driven approach allows the collective wisdom of the DFIR community to gather in one place for others to use. Velociraptor is unique in that it allows custom detection, collection, and analysis functions to be written as queries instead of code. These queries can be easily shared, strengthen the knowledge of the community, and allow teams to find new threats faster.

    Richard Perkett, senior vice president of Rapid7’s detection and response department, said that since the acquisition of Metasploit in 2009, the company has been supporting open source projects. It firmly believes that cooperation with the open-source community is one of the most important ways to advance the security industry and make the digital world a safer place for everyone.