Query Details

Notepad Chrysalis Backdoor Network IOCs

Query

// Reference: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
// Timeline: according to https://notepad-plus-plus.org/news/hijacked-incident-info-update/ the attack starts in June 2025.
// ago(90d) is only a default; ideally widen the window back to June 2025, as far as your retention allows.
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemoteIP has_any ("95.179.213.0", "61.4.102.97", "59.110.7.32", "124.222.137.114")
    or RemoteUrl has_any ("wiresguard.com", "skycloudcenter.com")

Explanation

This KQL (Kusto Query Language) query searches device network event logs for connections to infrastructure associated with the Chrysalis backdoor described in the Rapid7 reference above. Here's a breakdown of what the query does:

  1. Data Source: It reads the DeviceNetworkEvents table, which records network connections made by onboarded devices, including the process that initiated each connection.

  2. Time Filter: The query keeps only events from the last 90 days. That is a default, not the attack timeline: according to the Notepad++ incident update linked in the query, the compromise began in June 2025, so for a complete hunt the window should be widened back to June 2025, or as far as your log retention allows.

  3. IP and URL Filtering: The query then keeps only events where the RemoteIP matches one of the listed indicator addresses ("95.179.213.0", "61.4.102.97", "59.110.7.32" or "124.222.137.114") or where the RemoteUrl has_any of "wiresguard.com" or "skycloudcenter.com". Because has_any matches whole terms rather than substrings, the domain check also catches hosts under those domains (subdomains) but not unrelated names that merely contain the same characters.

In summary, this query surfaces network events that may be linked to the Chrysalis backdoor by filtering for its known IP addresses and domains within a chosen timeframe. Any hit should be triaged by the initiating process and command line, since a connection to these indicators from an unexpected process is the signal of interest.
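To make the three checks concrete, here is an added Python example (not the page's or the author's code) that runs the same logic offline over a handful of constructed DeviceNetworkEvents-style records. The `has_phrase` helper approximates KQL `has` semantics (whole-term, consecutive match, not substring); the device names, timestamps and sample events are made up for illustration.

```python
"""Offline re-implementation of the IOC filter from the KQL query above.
Constructed DeviceNetworkEvents-like records are run through the same three
checks: lookback window, IOC IP list, IOC domain list (term-based match)."""
from datetime import datetime, timedelta, timezone
import re

# Indicators taken from the query on this page.
IOC_IPS = {"95.179.213.0", "61.4.102.97", "59.110.7.32", "124.222.137.114"}
IOC_DOMAINS = ["wiresguard.com", "skycloudcenter.com"]

_TERM = re.compile(r"[0-9a-z]+")


def terms(text: str) -> list[str]:
    """Split text into lower-cased alphanumeric terms; punctuation such as '.'
    and '/' is a separator, mirroring how KQL term operators see a string."""
    return _TERM.findall(text.lower())


def has_phrase(haystack: str, needle: str) -> bool:
    """Approximate KQL `haystack has needle`: every term of needle must appear
    as a whole term in haystack, consecutively. Unlike `contains`, a partial
    term is not a match, so 'notwiresguard.com' does NOT match 'wiresguard.com'."""
    h, n = terms(haystack), terms(needle)
    if not n:
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def has_any(haystack: str, needles: list[str]) -> bool:
    """Approximate KQL `has_any`: true if any needle matches."""
    return any(has_phrase(haystack, n) for n in needles)


def match_events(events, now, lookback_days=90):
    """Return the records the query would return: inside the lookback window
    and contacting an IOC IP, or an IOC domain including its subdomains."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for ev in events:
        if ev["TimeGenerated"] <= cutoff:          # | where TimeGenerated > ago(90d)
            continue
        if ev["RemoteIP"] in IOC_IPS or has_any(ev["RemoteUrl"], IOC_DOMAINS):
            hits.append(ev)
    return hits


# Constructed sample telemetry (not real logs). NOW is fixed so results are stable.
NOW = datetime(2026, 2, 2, tzinfo=timezone.utc)


def make_event(days_ago, device, proc, ip, url):
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "DeviceName": device,
            "InitiatingProcessFileName": proc, "RemoteIP": ip, "RemoteUrl": url}


SAMPLE_EVENTS = [
    make_event(3, "ws01", "notepad++.exe", "61.4.102.97", ""),                   # IOC IP
    make_event(10, "ws02", "svchost.exe", "203.0.113.10", "update.wiresguard.com"),  # subdomain of IOC domain
    make_event(12, "ws03", "chrome.exe", "203.0.113.11", "notwiresguard.com"),    # similar string, not a term match
    make_event(120, "ws04", "explorer.exe", "59.110.7.32", ""),                  # IOC IP but outside the 90-day window
    make_event(1, "ws05", "outlook.exe", "203.0.113.12", "mail.example.com"),    # benign
]


def hit_devices():
    """Device names of the sample events the query logic flags."""
    return [e["DeviceName"] for e in match_events(SAMPLE_EVENTS, NOW)]


if __name__ == "__main__":
    for e in match_events(SAMPLE_EVENTS, NOW):
        print(e["TimeGenerated"].date(), e["DeviceName"], e["InitiatingProcessFileName"],
              e["RemoteIP"], e["RemoteUrl"])
```

Running it flags ws01 (IOC IP) and ws02 (host under an IOC domain) but not ws03 (look-alike domain) or ws04 (IOC IP, but older than the window), which is exactly the behaviour to expect from the KQL `has_any` and `ago()` filters.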

Details


Jay Kerai

Released: February 2, 2026

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, RemoteIP, RemoteUrl

Operators

|, where, >, ago, has_any, or
