Notepad++ Supply Chain Attack: Chinese State Hackers Hijacked Software Updates for Months
Lotus Blossom APT Delivered the Custom "Chrysalis" Backdoor Through Trusted Update Channels
Date: February 3, 2026 Primary Source: Notepad++ Official Disclosure, Kaspersky SecureList, Rapid7 Attribution
On February 2, 2026, Notepad++ maintainer Don Ho publicly disclosed that the application's update infrastructure had been compromised by a Chinese state-sponsored threat actor for approximately six months β from June through December 2025. The attackers hijacked the hosting provider's server that manages Notepad++ updates, selectively redirecting update traffic for targeted users to malicious servers that delivered trojanized installers carrying a sophisticated, previously undocumented backdoor called Chrysalis.
With Notepad++ installed on millions of machines worldwide β including developer workstations, IT admin jump boxes, and production servers β this supply chain compromise represents a serious threat vector for any organization that relies on the editor.
At White Cloud Security, we continue to track and report new hacking methods and tools β not just because of its immediate threat, but because patterns of reuse often expose the playbooks of these cybercriminal groups.
π§ Overview
Notepad++ uses a custom updater component called WinGUp (Windows Generic Update Process) to check for and install new versions. The attackers did not compromise the Notepad++ source code itself β instead, they compromised the hosting provider's shared server that delivers update manifests and installer binaries. This gave them the ability to intercept update requests and redirect specific users to attacker-controlled infrastructure serving poisoned installers.
The attack was highly selective. Rather than pushing malware to every Notepad++ user, the threat actors targeted specific organizations in telecommunications, government, financial services, and IT service providers across Vietnam, El Salvador, Australia, and the Philippines. This surgical approach kept the campaign undetected for months.
Multiple security firms β including Rapid7 and Kaspersky β independently analyzed the attack. Rapid7 attributed the campaign with medium confidence to Lotus Blossom (also tracked as Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip), a Chinese state-sponsored APT group with a long history of espionage operations targeting Southeast Asian governments and critical infrastructure. The Hacker News separately reported attribution to Violet Typhoon (APT31), indicating possible overlapping or cooperative operations between Chinese APT clusters. (The Hacker News, BleepingComputer)
π¨ Threat Summary
| Field | Detail |
|---|---|
| Threat Actor | Lotus Blossom (Billbug / Raspberry Typhoon / Spring Dragon) |
| Also Linked To | Violet Typhoon (APT31) |
| Attack Type | Software supply chain compromise |
| Attack Vector | Hijacked update infrastructure at hosting provider level |
| Active Period | June 2025 β December 2025 (~6 months) |
| Malware Delivered | Chrysalis backdoor, Cobalt Strike Beacons, Metasploit loaders |
| Targeted Industries | Government, telecom, financial services, IT services |
| Targeted Regions | Vietnam, El Salvador, Australia, Philippines |
| Versions Lacking Verification | Notepad++ versions prior to 8.8.9 |
| Signature Enforcement | Mandatory starting v8.9.2 (expected within one month) |
| Public Disclosure | February 2, 2026 |
| IOCs Published By | Kaspersky (SecureList), Rapid7 |
π Technical Analysis
How the Attack Works
The attack exploited weaknesses in Notepad++'s update verification controls and the hosting provider's infrastructure security. Here is the kill chain:
- Infrastructure compromise β Attackers compromised the shared hosting server managing
notepad-plus-plus.org, gaining the ability to intercept and manipulate HTTP traffic. (MITRE T1195.002: Supply Chain Compromise) - Selective traffic redirection β Instead of broadly poisoning updates, the attackers selectively redirected update requests from targeted IP ranges to attacker-controlled servers hosting malicious update manifests.
- Trojanized installer delivery β Targeted users received a poisoned
update.exeβ an NSIS (Nullsoft Scriptable Install System) installer β through WinGUp's normal update workflow. The user experience appeared identical to a legitimate update. (MITRE T1036: Masquerading) - DLL sideloading β The NSIS installer dropped a legitimate signed binary (
BluetoothService.exe, a renamed Bitdefender Submission Wizard) alongside a maliciouslog.dll. When the legitimate binary executed, it automatically loaded the attacker's DLL. (MITRE T1574.002: DLL Side-Loading) - Shellcode decryption and execution β The sideloaded
log.dlldecrypted an encrypted shellcode payload (BluetoothServicefile) and executed it in memory. (MITRE T1140: Deobfuscate/Decode Files or Information) - Backdoor deployment β The final payload was the Chrysalis backdoor, or in earlier attack chains, Cobalt Strike Beacons delivered via Metasploit downloaders.
- Persistent credential access β Even after the hosting provider patched its server kernel on September 2, 2025, the attackers retained access to internal service credentials (SSH, FTP/SFTP, database) until December 2, 2025 β three additional months of potential access. (MITRE T1078: Valid Accounts)
The Chrysalis Backdoor
Chrysalis is a custom, feature-rich implant purpose-built for espionage operations. Rapid7 described it as "a sophisticated and permanent tool, not a simple throwaway utility." Key capabilities include:
- System reconnaissance β Gathers system information, running processes, and network configuration
- Interactive shell access β Spawns interactive command shells via HTTP response processing
- File operations β Upload, download, create, modify, and delete files on the target system
- Process manipulation β Create and manage processes on the compromised endpoint
- Cobalt Strike integration β Deploys Cobalt Strike Beacons via custom loaders for additional C2 flexibility
- Self-uninstall β Can remove itself from the system to avoid forensic detection
- Microsoft Warbird obfuscation β One variant (
ConsoleApplication2.exe) used Microsoft's undocumented internal Warbird code protection framework, adapted from a proof-of-concept published by Cirosec in September 2024 - Custom API hashing β Both the loader and main module use independent API resolution logic to evade static analysis
- C2 communication β Communicates with
api.skycloudcenter[.]comusing structured HTTP GET/POST requests to/api/update/v1,/api/FileUpload/submit, and/api/Metadata/submitendpoints
Three Distinct Attack Chains
Kaspersky's analysis revealed that the attackers rotated their tactics over four months (JulyβOctober 2025):
| Chain | Period | Delivery | Payload | Technique |
|---|---|---|---|---|
| #1 | Late July β Early August | 45.76.155[.]202/update/update.exe |
Cobalt Strike Beacon via Metasploit | ProShow DLL sideloading exploit |
| #2 | September β October | Same initial vector | Cobalt Strike Beacon | Compiled Lua script shellcode injection via EnumWindowStationsW API |
| #3 | October | 45.32.144[.]255/update/update.exe |
Chrysalis backdoor | log.dll sideloading with BluetoothService.exe |
β οΈ Why Traditional Defenses Struggle
This attack is particularly difficult for detection-based security tools to catch in time:
- Trusted delivery channel β The malware arrives through Notepad++'s own update mechanism. EDR products that trust signed updater processes may not inspect the payload closely enough.
- Legitimate binary sideloading β The attack chain uses signed, legitimate executables (Bitdefender Submission Wizard, ProShow, Trend Micro binaries) to load malicious DLLs. These signed binaries are often on AV/EDR allowlists.
- Surgical targeting β Only a handful of organizations received the poisoned update. Broad threat intelligence feeds may never see the malicious samples, reducing signature coverage.
- Rapid payload rotation β The attackers changed C2 addresses, downloaders, and final payloads approximately monthly, minimizing the window for signature-based detection.
- In-memory execution β The final Chrysalis payload is decrypted and executed from memory via shellcode, reducing on-disk artifacts that traditional AV scans would catch.
- Undocumented obfuscation β The use of Microsoft Warbird, custom API hashing, and XOR-encrypted Beacon configurations (key:
CRAZY) defeats most static analysis approaches.
By the time a behavioral detection engine observes suspicious activity β if it does at all β the backdoor is already running, system data has been exfiltrated, and the attacker has an interactive shell.
π‘ How White Cloud Security Trust Lockdown Stops This Attack
Default-Deny Blocks the Entire Kill Chain
White Cloud Security Trust Lockdown operates on a fundamentally different security model: nothing runs unless it has been explicitly approved. Here is how that model maps to each step of the Notepad++ supply chain attack:
| Attack Step | What Happens Without WCS | What Happens With WCS |
|---|---|---|
Trojanized update.exe delivered |
NSIS installer executes normally | Blocked (1st block point) β update.exe is an unknown executable with no matching handprint in the trust list. This is the first place Trust Lockdown stops the attack chain β before any payload is ever unpacked or dropped. |
BluetoothService.exe dropped and executed |
Legitimate signed binary runs, loads DLL | May run β if the legitimate Bitdefender binary's handprint or signing certificate was previously approved within the endpoint's Security Group trust scope, Trust Lockdown allows it. This is correct behavior: the binary itself is not malicious. |
log.dll sideloaded |
Malicious DLL loads in the context of the signed binary | Blocked (2nd block point) β even in the unlikely scenario where the trojanized installer somehow ran, this is the second place Trust Lockdown stops the attack. The malicious log.dll has no approved handprint in the trust list. WCS evaluates every executable component independently β even DLLs loaded by an approved process. The sideloading trick is irrelevant because Trust Lockdown does not inherit trust from a parent process to its loaded libraries β except for those parents which are explicitly approved to run unsigned DLLs and scripts (e.g., RMM agents, JS-based apps). BluetoothService.exe would never be granted that exception. |
| Chrysalis shellcode decrypted in memory | Backdoor activates, contacts C2 | Never reached β execution was blocked at the installer stage |
| Cobalt Strike Beacon deployed | Attacker gains interactive C2 access | Never reached β the entire chain is stopped before any payload executes |
Handprint Identity Verification
WCS identifies every executable file using its handprint β a composite identity consisting of multiple cryptographic hashes plus the file's byte length. This is not signature-based detection. It is identity verification.
A trojanized update.exe β no matter how convincingly it mimics a legitimate Notepad++ installer β will have a different handprint than the real one. Unless an administrator has explicitly approved that specific file identity, it cannot run. Period.
This is the critical difference: detection-based tools ask "does this file look malicious?" WCS asks "has this exact file been approved to run?" The attacker's sideloading strategy depends on a trusted parent process blindly loading whatever DLL is placed next to it β but Trust Lockdown evaluates every loaded component independently. Even if BluetoothService.exe is approved to run on an endpoint, the malicious log.dll it attempts to load is a completely separate file with its own handprint. That handprint is not on the trust list, so the DLL is blocked and the attack chain dies.
Trust Profiles and Certificate-Based Trust
For organizations that want to trust Notepad++ updates broadly, WCS supports Trust Profiles based on admin-approved code-signing certificates. An administrator can approve Notepad++'s legitimate signing certificate, allowing genuine updates to install automatically.
However, in this attack, the trojanized installers and the Chrysalis backdoor components were not signed with Notepad++'s certificate β they used DLL sideloading of legitimate third-party binaries (Bitdefender, ProShow) alongside unsigned or differently-signed malicious payloads. Trust Profiles based on Notepad++'s certificate would correctly allow the real Notepad++ but block every component of the attack chain.
π§ What WCS Users Should Do Right Now
Even though WCS Trust Lockdown blocks this attack chain by default, we recommend these steps:
Immediate Actions
- Verify your Notepad++ version. If you are running a version prior to 8.8.9, update immediately by downloading the installer manually from notepad-plus-plus.org β do not rely on the auto-updater for this specific update.
- Review your WCS execution logs. Check for any blocked execution attempts involving
update.exe,BluetoothService.exe,log.dll, orProShow.exethat originated from Notepad++ directories between June and December 2025. Any blocked attempts would indicate your organization was targeted. - Scan for IOC file paths. Check for the presence of these paths on endpoints:
%APPDATA%\Bluetooth\BluetoothService(encrypted shellcode)%APPDATA%\Adobe\Scripts\alien.ini(Lua payload)%APPDATA%\ProShow\load(exploit payload)
Indicators of Compromise
Malicious C2 Domains and IPs:
| Indicator | Type | Context |
|---|---|---|
api.skycloudcenter[.]com |
Domain | Chrysalis backdoor C2 |
cdncheck.it[.]com |
Domain | Cobalt Strike Beacon C2 |
self-dns.it[.]com |
Domain | Chain #2 Beacon C2 |
safe-dns.it[.]com |
Domain | Chain #2 Beacon C2 |
api.wiresguard[.]com |
Domain | Beacon C2 variant |
45.76.155[.]202 |
IP | Malicious update distribution (Chain #1 and #2) |
45.32.144[.]255 |
IP | Malicious update distribution (Chain #3) |
95.179.213[.]0 |
IP | Late-stage distribution infrastructure |
45.77.31[.]210 |
IP | Cobalt Strike Beacon C2 |
Malicious Distribution URLs:
http://45.76.155[.]202/update/update.exehttp://45.32.144[.]255/update/update.exehttp://95.179.213[.]0/update/update.exe- Filename variants:
install.exe,AutoUpdater.exe
Process Execution Indicators:
notepad++.exeβgup.exeβ suspiciousupdate.exeprocess spawningBluetoothService.exerunning from atypical directoriesProShow.exeorscript.exerunning from%APPDATA%paths- Rapid succession of
whoami,tasklist,systeminfo,netstat -anocommands
β Key Takeaways
- This is a supply chain attack, not a Notepad++ code vulnerability. The attackers compromised the hosting infrastructure, not the application itself. But the impact is the same: users who trusted the update channel received malware.
- Detection-based tools are structurally disadvantaged against supply chain attacks that use signed binary sideloading, in-memory execution, and trusted delivery channels. The attackers specifically designed their tradecraft to evade behavioral detection.
- Default-Deny eliminates the entire attack surface. WCS Trust Lockdown does not need to recognize the Chrysalis backdoor, identify the DLL sideloading technique, or detect the Cobalt Strike Beacon. It simply prevents any unapproved executable from running β full stop.
- WCS users were protected throughout the entire six-month campaign without requiring signature updates, threat intelligence feeds, or analyst intervention. The trojanized payloads could never execute on a Trust Lockdown-protected endpoint.
- Update your Notepad++ to version 8.8.9 or later and plan to adopt 8.9.2 when released for mandatory certificate signature enforcement.