Skip to content
Threat Feed

Actor

Lotus Blossom

4 briefs RSS
high threat

TinyCC Masquerading as Svchost for Shellcode Execution

Attackers rename TinyCC (tcc.exe) to svchost.exe and use it to compile and execute C source files containing shellcode, using the `-nostdlib` and `-run` flags, as observed in the Lotus Blossom Chrysalis backdoor campaign, indicating potential evasion and malicious code execution.

Tiny C Compiler Lotus Blossom tinycc shellcode svchost lotus-blossom chrysalis t1059.003 t1027
2r 2t
high threat

Suspicious Bluetooth Service Installation from Uncommon Location

The creation of a Windows service named 'BluetoothService' with a binary path in user-writable directories, such as %AppData%, indicates potential malware persistence, as seen in the Lotus Blossom Chrysalis backdoor campaign.

Windows Lotus Blossom persistence defense-evasion anomaly
2r 2t
high threat

Rundll32 Execution with Log.DLL

Detects the execution of rundll32 with 'log.dll' as a command-line argument, indicative of Lotus Blossom Chrysalis backdoor activity and DLL sideloading attempts.

Windows +1 Lotus Blossom rundll32 dll-sideloading lotus-blossom chrysalis-backdoor
2r 1t
high threat

Bitdefender Submission Wizard DLL Sideloading

Detection of potential DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) via loading a malicious log.dll from a non-standard path.

Bitdefender Submission Wizard Lotus Blossom dll-sideloading persistence privilege-escalation lotus-blossom sysmon
2r 2t