Notepad Chrysalis Backdoor File Hash IO Cs
Query
// Reference: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
let FileHashes = dynamic(["a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9", "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e","2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924","77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e","3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad","9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600",
"f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a","4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906","831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd","0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd",
"4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8","e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda","078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5","b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3",
"7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd","fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a"]);
let SusFileNames = dynamic(["loader1","uffhxpSy","loader2","3yzr31vk","s047t5g"]);
DeviceFileEvents
| where TimeGenerated > ago(90d) //according to https://notepad-plus-plus.org/news/hijacked-incident-info-update/, timeline of attack starts June 2025. Ideally search as far back to June as you can
| where SHA256 in~ (FileHashes) or FileName in~ (SusFileNames)Explanation
This query is designed to search through device file events to identify potentially malicious activity related to known threats. Here's a simple breakdown of what it does:
-
Define Known Threats:
- It starts by defining a list of known malicious file hashes (
FileHashes) and suspicious file names (SusFileNames). These are identifiers of files that are known to be associated with malicious activity.
- It starts by defining a list of known malicious file hashes (
-
Search Device File Events:
- The query looks at
DeviceFileEvents, which is a log of file-related activities on devices.
- The query looks at
-
Filter by Time:
- It filters the events to only include those that occurred in the last 90 days. This is based on a timeline of a known attack that started in June 2025, so the query aims to capture relevant events from as far back as possible.
-
Match Known Threats:
- It further filters the events to find those where the file's SHA256 hash matches any in the
FileHasheslist or where the file name matches any in theSusFileNameslist. Thein~operator is used for case-insensitive matching.
- It further filters the events to find those where the file's SHA256 hash matches any in the
In summary, this query is used to identify potentially malicious file activities on devices by checking for known malicious file hashes and suspicious file names within a specified timeframe.
Details

Jay Kerai
Released: February 2, 2026
Tables
DeviceFileEvents
Keywords
DeviceFileEventsTimeGeneratedSHA256Name
Operators
letdynamicin~whereago