splunk · MHaggis · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
@@ -45,6 +45,7 @@ tags:
         - Interlock Ransomware
         - LAMEHUG
         - NetSupport RMM Tool Abuse
+        - Lotus Blossom Chrysalis Backdoor
     asset_type: Windows
     mitre_attack_id:
         - T1082

@@ -62,6 +62,7 @@ tags:
         - CISA AA23-347A
         - PHP-CGI RCE Attack on Japanese Organizations
         - LAMEHUG
+        - Lotus Blossom Chrysalis Backdoor
     asset_type: Endpoint
     mitre_attack_id:
         - T1033

@@ -0,0 +1,69 @@
+name: Windows Bitdefender Submission Wizard DLL Sideloading
+id: f9593331-804c-4268-8b4c-2693c5ae786c
+version: 2
+date: '2026-02-02'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+description: |
+    Detects execution of rundll32 loading log.dll, as used in the Lotus Blossom Chrysalis backdoor campaign. Attackers placed a malicious log.dll in %AppData%\Bluetooth and invoked it via rundll32.exe log.dll,LogInit to decrypt and execute shellcode. The legitimate Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe) also uses log.dll; this detection focuses on the process-creation pattern (rundll32 with log.dll in command line) which is easier to deploy and test with EventID 1 and the Endpoint data model.
+data_source:
+    - Sysmon EventID 1
+search: |
+    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+      from datamodel=Endpoint.Processes
+      where `process_rundll32` AND Processes.process=*log.dll*
+      by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+    | `drop_dm_object_name(Processes)`
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_bitdefender_submission_wizard_dll_sideloading_filter`
+how_to_implement: |
+    Ingest process creation logs (Sysmon EventID 1 or equivalent) and map them to the Endpoint.Processes data model. Ensure command-line arguments are captured so that "log.dll" appears in the process field. The Splunk Add-on for Microsoft Sysmon and CIM are required.
+known_false_positives: |
+    Legitimate use of rundll32 to load log.dll from trusted locations may trigger this. Allowlist known paths or parent processes as needed.
+references:
+    - https://attack.mitre.org/techniques/T1574/002/
+    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+    - https://attack.mitre.org/groups/G0065/
+drilldown_searches:
+    - name: View the detection results for - "$dest$" and "$user$"
+      search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$dest$" and "$user$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: Rundll32 loaded log.dll on $dest$ by user $user$, indicating potential Lotus Blossom-style DLL abuse
+    risk_objects:
+        - field: dest
+          type: system
+          score: 85
+        - field: user
+          type: user
+          score: 85
+    threat_objects:
+        - field: process_name
+          type: process_name
+        - field: process
+          type: command
+tags:
+    analytic_story:
+        - Lotus Blossom Chrysalis Backdoor
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1574
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+    cve: []
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/lotus_blossom_chrysalis/windows-sysmon.log
+          sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
@@ -0,0 +1,77 @@
+name: Windows BluetoothService Persistence
+id: f12b81e6-2fa2-48e0-95cd-f5f7e4d9ac89
+version: 1
+date: '2026-02-02'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+description: |
+    Identifies the creation of a Windows service named "BluetoothService" with a binary path in user-writable directories, particularly %AppData%\Bluetooth. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers created a service named "BluetoothService" pointing to a malicious binary (renamed Bitdefender Submission Wizard) in a hidden AppData directory.
+    While legitimate Bluetooth services exist in Windows, they are system services with binaries in System32. Any BluetoothService created with a binary path in user directories (AppData, Temp, Downloads) is highly suspicious and indicates potential malware persistence.
+data_source:
+    - Windows Event Log System 7045
+search: |
+    `wineventlog_system` EventCode=7045
+    ServiceName IN ("BluetoothService", "Bluetooth Service")
+    ImagePath IN ("*\\AppData\\*", "*\\Users\\*\\Bluetooth\\*", "*\\Temp\\*", "*\\ProgramData\\*")
+    NOT ImagePath IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*\\Program Files*")
+    | stats count min(_time) as firstTime max(_time) as lastTime
+      by Computer, ServiceName, ImagePath, ServiceType, StartType, UserID
+    | rename Computer as dest, UserID as user_id
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_bluetoothservice_persistence_filter`
+how_to_implement: |
+    To successfully implement this search, you need to be ingesting Windows System Event Logs (Event ID 7045) from your Windows endpoints. Event ID 7045 logs service installation events and includes the service name, binary path, service type, and start type.
+
+    Ensure Windows Event Log forwarding is configured to send System logs to Splunk, or use a Windows Event Log collection agent. The Splunk Add-on for Microsoft Windows is required to properly parse these events.
+known_false_positives: |
+    Legitimate Bluetooth services in Windows are system services located in System32. Any BluetoothService created outside of system directories is highly suspicious. However, false positives may occur if:
+
+    1. Third-party Bluetooth software installs services in Program Files (excluded by this detection)
+    2. Development or testing environments create test services
+
+    The detection specifically targets user-writable directories (AppData, Temp) which are strong indicators of malicious activity. Allowlist known-good third-party Bluetooth software installation paths if needed.
+references:
+    - https://attack.mitre.org/techniques/T1543/003/
+    - https://attack.mitre.org/techniques/T1036/
+    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+drilldown_searches:
+    - name: View the detection results for - "$dest$"
+      search: '%original_detection_search% | search  dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: Suspicious BluetoothService created on $dest$ with binary path $ImagePath$ in user-writable directory, indicating potential malware persistence
+    risk_objects:
+        - field: dest
+          type: system
+          score: 75
+    threat_objects:
+        - field: ServiceName
+          type: service
+        - field: ImagePath
+          type: file_path
+tags:
+    analytic_story:
+        - Lotus Blossom Chrysalis Backdoor
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1543.003
+        - T1036
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+    cve: []
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lotus_blossom_chrysalis/windows-system.log
+          sourcetype: XmlWinEventLog:System
+          source: XmlWinEventLog:System
@@ -0,0 +1,55 @@
+name: Windows Sysmon Bitdefender Submission Wizard DLL Sideloading
+id: a1b2c3d4-e5f6-4789-a012-3456789abcde
+version: 1
+date: '2026-02-02'
+author: Michael Haag, Splunk
+status: experimental
+type: TTP
+description: |
+    Detects DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) when a malicious log.dll is loaded from a non-standard path via Sysmon ImageLoad events. Same Lotus Blossom Chrysalis technique as the process-creation detection but uses ImageLoad for higher precision. Marked experimental because it requires Sysmon ImageLoad and test datasets may only include process creation.
+data_source:
+    - Sysmon EventID 7
+search: '`sysmon` EventCode=7 (Image IN ("*\\\\BDSubmit.exe", "*\\\\bdsw.exe", "*\\\\BluetoothService.exe") OR OriginalFileName IN ("BDSubmit.exe", "bdsw.exe")) ImageLoaded="*\\\\log.dll" NOT (ImageLoaded IN ("*\\\\System32\\\\*", "*\\\\SysWOW64\\\\*", "*\\\\Program Files*", "*\\\\Program Files (x86)*")) | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SignatureStatus, User, OriginalFileName, loaded_file, loaded_file_path, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sysmon_bitdefender_submission_wizard_dll_sideloading_filter`'
+how_to_implement: |
+    Ingest Sysmon ImageLoad events and ensure the Splunk Add-on for Sysmon is configured to parse them. Enable ImageLoad in Sysmon config for DLLs. Map logs to Endpoint data model where applicable.
+known_false_positives: |
+    Legitimate Bitdefender installations loading log.dll from Program Files are excluded. Allowlist known paths as needed.
+references:
+    - https://attack.mitre.org/techniques/T1574/002/
+    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+    - https://attack.mitre.org/groups/G0065/
+drilldown_searches:
+    - name: View the detection results for - "$dest$" and "$User$"
+      search: '%original_detection_search% | search dest = "$dest$" User = "$User$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$dest$" and "$User$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: Bitdefender Submission Wizard loaded log.dll from a non-standard path on $dest$ by user $User$, indicating DLL side-loading
+    risk_objects:
+        - field: dest
+          type: system
+          score: 85
+        - field: User
+          type: user
+          score: 85
+    threat_objects:
+        - field: Image
+          type: process_name
+        - field: ImageLoaded
+          type: file_name
+tags:
+    analytic_story:
+        - Lotus Blossom Chrysalis Backdoor
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1574
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+    cve: []
@@ -0,0 +1,87 @@
+name: Windows TinyCC Shellcode Execution
+id: fdb6774e-e465-4912-86e3-63cf9ab91491
+version: 1
+date: '2026-02-02'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+description: |
+    Detects abuse of Tiny-C-Compiler (TinyCC) for shellcode execution, where tcc.exe is renamed to masquerade as svchost.exe and used to compile and execute C source files containing shellcode. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers renamed tcc.exe to svchost.exe and executed conf.c containing Metasploit block_api shellcode with the flags -nostdlib -run.
+    TinyCC is a legitimate C compiler, but its ability to compile and execute code on-the-fly makes it attractive to attackers seeking to evade detection. The combination of a renamed compiler binary executing from non-standard locations with suspicious flags is a strong indicator of malicious activity.
+data_source:
+    - Sysmon EventID 1
+    - Windows Event Log Security 4688
+search: |
+    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+      from datamodel=Endpoint.Processes
+      where (Processes.process_name="svchost.exe" OR Processes.process_name="tcc.exe")
+        AND (Processes.process="* -nostdlib*" AND Processes.process="* -run*")
+        AND (Processes.process="*.c" OR Processes.process="*conf.c*")
+        AND NOT Processes.process_path IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")
+      by Processes.action Processes.dest Processes.user Processes.process Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+         Processes.process_name Processes.process_id Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_integrity_level Processes.process_path Processes.original_file_name Processes.user_id Processes.vendor_product
+    | `drop_dm_object_name(Processes)`
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_tinycc_shellcode_execution_filter`
+how_to_implement: |
+    To successfully implement this search, you need to be ingesting logs with process creation information from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventCode 1 (Process Create). Ensure that command-line arguments are being captured in your Sysmon configuration.
+
+    The detection relies on the OriginalFileName field being populated to distinguish between legitimate svchost.exe and renamed tcc.exe binaries. Ensure Sysmon is configured to capture full command-line arguments.
+known_false_positives: |
+    Legitimate TinyCC usage by developers may trigger this detection if executed from non-standard locations. However, the combination of:
+    1. Renamed binary (svchost.exe with tcc.exe OriginalFileName)
+    2. Execution from user-writable directories (AppData, Temp, ProgramData)
+    3. Suspicious flags (-nostdlib -run) with .c file execution
+
+    is highly suspicious and warrants investigation. Legitimate TinyCC usage typically occurs from Program Files or developer directories with standard compilation workflows.
+
+    Allowlist known development environments if needed.
+references:
+    - https://attack.mitre.org/techniques/T1059/003/
+    - https://attack.mitre.org/techniques/T1027/
+    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
+    - https://github.com/phoenixthrush/Tiny-C-Compiler
+drilldown_searches:
+    - name: View the detection results for - "$dest$" and "$user$"
+      search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$dest$" and "$user$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: TinyCC compiler abuse detected on $dest$ by user $user$ executing shellcode from $process_path$, indicating potential malicious code execution
+    risk_objects:
+        - field: dest
+          type: system
+          score: 80
+        - field: user
+          type: user
+          score: 80
+    threat_objects:
+        - field: process_name
+          type: process_name
+        - field: process_path
+          type: file_path
+tags:
+    analytic_story:
+        - Lotus Blossom Chrysalis Backdoor
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1059.003
+        - T1027
+        - T1036
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+    cve: []
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/lotus_blossom_chrysalis/windows-sysmon.log
+          sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
@@ -54,6 +54,7 @@ rba:
 tags:
     analytic_story:
         - LAMEHUG
+        - Lotus Blossom Chrysalis Backdoor
     asset_type: Endpoint
     mitre_attack_id:
         - T1082