KTA529
KTA529 is a threat group also known as Lotus Blossom, Spring Dragon, Billbug, and Thrip. Reporting states that between June and December 2025 the group compromised Notepad++ hosting infrastructure, enabling interception/hijacking of Notepad++ update traffic to deliver a previously undocumented backdoor named CHRYSALIS. No additional targeting, geographic attribution, or sub-group structure is provided in the available content.
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Compromised the Notepad++ hosting/update infrastructure (June–Dec 2025) to hijack update traffic and deliver a previously undocumented backdoor (CHRYSALIS), consistent with a supply-chain/update-channel compromise.
Compromised Notepad++ hosting/update infrastructure to perform a supply-chain style attack, intercepting update traffic to deliver the CHRYSALIS backdoor.