@kkrypt0nn
Last active February 5, 2026 14:06
A YARA rule to detect known samples by SHA-256 of the Chrysalis Backdoor (by Chinese APT Lotus Blossom) in the Notepad++ Hijack
import "hash"

rule NotepadPlusPlus_Hijack_Chrysalis_Known_Hashes
{
    meta:
        description = "Detects known samples by SHA-256 of the Chrysalis Backdoor (by Chinese APT Lotus Blossom) in the Notepad++ Hijack"
        author = "Krypton (@kkrypt0nn)"
        date = "2026-02-02"
        updated = "2026-02-05"
        source = "https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/,https://securelist.com/notepad-supply-chain-attack/118708/,https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt"

    condition:
        hash.sha256(0, filesize) == "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9" or // update.exe
        hash.sha256(0, filesize) == "36c98c18215a244e501673d9f01fa093d1906d08a7ad9927905f8f004640e4e1" or // updater_1.exe
        hash.sha256(0, filesize) == "51266007c039ab80dbe9a2c38ed75759d954458d8864a0429c71e87be2bddce2" or // updater_2.exe
        hash.sha256(0, filesize) == "69caa18ec5e86cf3a7376f3a9a08d118cbade608432dc262ba6c7fe692da7d33" or // updater_3.exe
        hash.sha256(0, filesize) == "a3cf1c86731703043b3614e085b9c8c224d4125370f420ad031ad63c14d6c3ec" or // updater_4.exe
        hash.sha256(0, filesize) == "798fd7c2a2d4f0865aec808962489b39f995961e38e2bebda8f84ddc5a935d86" or // updater_5.exe
        hash.sha256(0, filesize) == "4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566" or // updater_6.exe
        hash.sha256(0, filesize) == "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e" or // NSIS.nsi
        hash.sha256(0, filesize) == "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924" or // BluetoothService.exe, legitimate executable used for DLL sideloading
        hash.sha256(0, filesize) == "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e" or // BluetoothService
        hash.sha256(0, filesize) == "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad" or // log.dll
        hash.sha256(0, filesize) == "9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600" or // u.bat
        hash.sha256(0, filesize) == "f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a" or // conf.c
        hash.sha256(0, filesize) == "4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906" or // libtcc.dll
        hash.sha256(0, filesize) == "831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd" or // admin
        hash.sha256(0, filesize) == "0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd" or // loader1
        hash.sha256(0, filesize) == "e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda" or // loader2
        hash.sha256(0, filesize) == "c7cc87ef3829a33b7f178d88a71ba548c37020005b09d16a76fcd356621335e6" or // load_1
        hash.sha256(0, filesize) == "26256ea1a345b788dd303f5621b5028cf572b733793039c8ee1e5c481113bd09" or // load_2
        hash.sha256(0, filesize) == "4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8" or // uffhxpSy
        hash.sha256(0, filesize) == "078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5" or // 3yzr31vk
        hash.sha256(0, filesize) == "b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3" or // ConsoleApplication2.exe
        hash.sha256(0, filesize) == "7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd" or // system
        hash.sha256(0, filesize) == "fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a" or // s047t5g.exe
        hash.sha256(0, filesize) == "8553557bcdba966b30066aabde974223413a1720da31a616ff52240746a8c6da" or // alien_1.ini
        hash.sha256(0, filesize) == "8e7a15c402b4f34b57185e07718cd6511a39a66045792174d21d832d17db2204" or // alien_2.ini
        hash.sha256(0, filesize) == "f5340ac6ca5cc3ee60d8ffb169bf433aa89fab13a5fa13adabd44ac405c0f731" or // alien_3.ini
        hash.sha256(0, filesize) == "02368c6b62cb392dddd35cfc6cb8c1154f7ebdceb9fb559cefc301982d6fbbf9" or // .in.compat1.php
        hash.sha256(0, filesize) == "0dcd846cdfdc793fab39a3c9860e0f6ab68cdbdcf4b03a87e8a02df0d3e1249f" or // index1.php
        hash.sha256(0, filesize) == "5dd766a7a378c97eb8c9fe9a4bff678e3c9a05386911f4296e094407b99c23d2" or // index.php
        hash.sha256(0, filesize) == "6a7a8aa91109c25d57fe2ca71c150ca09afc1bf10c98376adf959dbc91010394" // suo5.php
}
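As an added example that is not part of the gist or the author's repository: a stdlib-only Python script that extracts the SHA-256 values and their `// filename` labels from a hash-only rule written in this style, rejects any value that is not 64 hex characters (a mistyped IoC compiles fine but can never match, so it should be reported rather than skipped), and then checks files on disk against the set. The rule fragment, the hashes and the sample files are constructed for the example, not the page's IoCs.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed rule fragment in the gist's style. The first hash is SHA-256 of
# b"hello" (a test value, not an IoC from the page); the second is malformed.
SAMPLE_RULE = '''
import "hash"
rule Example_Known_Hashes
{
    condition:
        hash.sha256(0, filesize) == "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" or // hello.txt
        hash.sha256(0, filesize) == "ZZZZ" // malformed entry
}
'''

# One condition line: hash literal, optional trailing "or", "// label" comment.
HASH_LINE = re.compile(
    r'hash\.sha256\(0,\s*filesize\)\s*==\s*"([^"]*)"\s*(?:or)?\s*(?://\s*(.*))?$')

def parse_hash_rule(rule_text):
    """Return ({sha256: label}, [rejected values]) from a hash-only rule."""
    known, rejected = {}, []
    for line in rule_text.splitlines():
        if (m := HASH_LINE.search(line.strip())) is None:
            continue
        value, label = m.group(1).lower(), (m.group(2) or "").strip()
        if re.fullmatch(r"[0-9a-f]{64}", value):
            known[value] = label
        else:
            rejected.append(value)  # mistyped IoC: report it, never skip silently
    return known, rejected

def scan_dir(directory, known):
    """Return [(path, label)] for files whose SHA-256 is a known sample."""
    hits = []
    for p in sorted(Path(directory).rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            if digest in known:
                hits.append((str(p), known[digest]))
    return hits

def make_sample_dir():
    """Constructed test tree: one file matching the sample hash, one benign."""
    d = Path(tempfile.mkdtemp())
    (d / "a.bin").write_bytes(b"hello")
    (d / "b.bin").write_bytes(b"other")
    return str(d)
```

Running `scan_dir(make_sample_dir(), parse_hash_rule(SAMPLE_RULE)[0])` reports only `a.bin` as `hello.txt`, and `parse_hash_rule` returns `["zzzz"]` as the rejected entry.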
@korpx

korpx commented Feb 5, 2026

syntax error, unexpected , expecting '}'

Yara 4.5.2 on Debian / 4.5.5 on Win11

@kkrypt0nn (Author)

kkrypt0nn commented Feb 5, 2026

> syntax error, unexpected , expecting '}'
>
> Yara 4.5.2 on Debian / 4.5.5 on Win11

Apologies for the mistake, I first had

hash.sha256(0, filesize) == "a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9" or
....

for every hash, then read about in and thought I tested it...

I've updated the Gist as well as the repository, which contains updated data as well; I completely forgot I had that Gist set up -> https://github.com/kkrypt0nn/yara-rules/blob/main/rules/malware/APT_Lotus_Blossom_Chrysalis_Backdoor.yar
