Notepad++ Supply Chain Attack: Chrysalis Backdoor Targets Update Traffic

Notepad++ users were quietly targeted in a months‑long supply‑chain campaign that did not break the editor’s source code but instead abused its update infrastructure: attackers intercepted and selectively redirected update traffic for certain users between June and December 2025, delivering a custom backdoor dubbed Chrysalis and achieving hands‑on‑keyboard access on targeted systems. The incident exposed a weak link common to many Windows apps — an updater that trusted where downloads came from — and it leaves a narrow but urgent checklist for both home users and enterprise defenders to determine exposure and remediate systems that may have been touched.

Background / Overview​

Notepad++ is one of the most widely used Windows text editors, popular with developers and IT pros. In late 2025 the project’s developer revealed that the update flow for Notepad++ had been intercepted at the hosting provider level. When the program’s built‑in updater (WinGUp / gup.exe) requested the latest installer, certain requests for a subset of users were redirected to attacker‑controlled servers that served a trojanized installer instead of the genuine Notepad++ binary.
The timeline released by the project and corroborated by independent researchers runs roughly as follows:

• June 2025: attackers first gained the ability to redirect update traffic.
• September 2, 2025: the compromised shared server had kernel/firmware updates applied; direct access was disrupted.
• September–December 2, 2025: attackers retained credentials to internal services and could continue redirecting some update traffic.
• November 18, 2025: Notepad++ released v8.8.8 to restrict updates to GitHub as an immediate mitigation.
• December 9, 2025: Notepad++ released v8.8.9 adding signature and certificate checks to the updater.
• December 27, 2025: additional updates and hardening were published.

Independent threat researchers at Rapid7 analyzed samples recovered from this campaign, named the custom backdoor Chrysalis, and linked artifacts and tactics to a long‑running espionage actor often tracked as Lotus Blossom. Attribution is presented with the normal caveats — it is an analyst assessment based on tooling, reuse of techniques, and victimology — not an irrefutable public confession by the attackers.

---

How the attack worked: a technical primer​

Where the trust broke down​

The attack exploited a classic supply‑chain/updates trust problem: the updater trusted the update source or failed to enforce robust verification on downloaded installers. The built‑in updater sequence looked like this in affected versions:

• gup.exe contacted the updater endpoint and requested the download URL (gup.xml).
• gup.exe downloaded the installer to the user’s %TEMP% folder.
• The updater executed the downloaded file.

Because the hosting provider's infrastructure was compromised, attacker‑controlled manifests pointed targeted clients at a malicious installer rather than the signed Notepad++ release. In earlier updater versions the validation of the installer signature and the authenticity of the update manifest were insufficient or absent, which made redirection exploitable when combined with interception at ISP or hosting layers.

The Chrysalis backdoor and loaders​

Rapid7’s technical analysis identified a multi‑stage chain and a modular implant now called Chrysalis. The high‑level execution chain observed in multiple incidents included:

• A trojanized NSIS installer (commonly named update.exe) that dropped a hidden folder under %AppData% (named “Bluetooth”) with files like BluetoothService.exe and log.dll.
• Use of a legitimate, renamed Bitdefender Submission Wizard binary to perform DLL sideloading, forcing the launcher to load the malicious log.dll.
• Log.dll decrypting and executing shellcode which unpacks and runs the Chrysalis backdoor.
• Chrysalis using advanced evasion techniques (custom API hashing, layered obfuscation, and bespoke decryption routines), with capabilities for file operations, an interactive shell, remote process execution, and self‑removal.
• Network communications to HTTP(S) C2 endpoints that were designed to masquerade as benign traffic.

This is not a commodity infostealer: Chrysalis is engineered for persistence and stealth, and the campaign’s tooling and procedures indicate a targeted espionage operation rather than opportunistic mass infection.

What made the campaign targeted and stealthy​

• Selective redirection: the attackers did not try to hit every Notepad++ user. Instead they selected which update requests to redirect, reducing noise and avoiding detection by mass malware telemetry.
• Hosting compromise level: by intruding at the shared hosting level and retaining internal credentials, the adversary could manipulate only specific update flows without modifying the Notepad++ project itself.
• Use of legitimate binaries for sideloading: leveraging signed or common vendor executables made initial execution less suspicious to casual inspection and to some endpoint defenses.

---

Who appears to have been targeted​

Multiple independent researchers report that the victims identified publicly or privately were primarily organizations with ties to East and Southeast Asia, including targets in telecom, government‑adjacent, aviation, and media sectors. Rapid7 linked the campaign’s patterns and tooling to the APT cluster known as Lotus Blossom (also tracked under other names), a group historically associated with strategic espionage in that region.
A critical caveat: public reporting to date describes only a small number of confirmed incidents. The operation’s targeted nature means most Notepad++ users were likely not exposed, especially those who downloaded installers directly from the project’s official site after the fixes, or who updated to patched versions that verify signatures.

---

How to check if you might be affected — practical detection steps​

If you used Notepad++ and ran the built‑in updater at any time between June and December 2, 2025, there are concrete artifacts and logs to check. Treat any positive finding as potentially serious.
Quick checks (home users and admins):

• Look in %TEMP% for unexpected files named update.exe, AutoUpdater.exe, or other NSIS executables you don’t recognize. If you find them, preserve copies for analysis.
• Inspect %APPDATA% for a hidden folder named Bluetooth (or other odd, newly created folders) and files such as BluetoothService.exe and a suspicious log.dll.
• Check your Windows Event Logs and the Notepad++ update directory for entries around the time you noticed an update; the updater writes a manifest lookup and download activity.
• On endpoints with EDR: search for processes that spawned %TEMP%\update.exe or for gup.exe spawning child processes around update times.
• Network logs: hunt for HTTPS requests resolving to unusual domains (research has shown the Chrysalis C2 patterns attempted to mimic benign API patterns).
• If you have file integrity monitoring or SIEM, look for the file hashes published by analysts for the malicious artifacts — prioritize these for detection. (Hashes and IoCs have been published by security vendors and should be used only as part of a validated detection process.)

If you operate in a corporate environment:

• Query endpoint telemetry for gup.exe process execution and any child processes that write to %TEMP% or spawn update.exe.
• Use EDR to run a memory image analysis on hosts that show suspicious updater activity.
• Search outbound proxy and DNS logs for connections to known malicious domains or to previously unseen external hosts immediately following update activity.

If you find suspicious artifacts, disconnect the host from the network and escalate to your incident response team. Do not simply delete files and assume the system is clean; the attackers’ post‑exploitation activity can include lateral movement and additional implants.

---

Quick remediation checklist: what to do now​

Follow this ordered checklist; use conservative, forensically sound steps if you suspect compromise.

• Confirm your Notepad++ version. If you are on a release earlier than 8.8.9, manually download and install the latest official release using an installer obtained directly from the Notepad++ project and not from third‑party mirrors. The developer’s own guidance recommends using 8.9.1 or later.
• If you suspect a host was infected, isolate it from the network immediately (unplug, disable Wi‑Fi) to stop potential data exfiltration or lateral movement.
• Preserve forensic evidence: capture a memory image and copy relevant log files (%TEMP%, %APPDATA%, Windows Event Logs) before any cleaning attempt.
• Run a full EDR/AV scan with up‑to‑date signatures and compare results against published IoCs from reputable vendors; cross‑check findings with sandbox analysis.
• Rotate credentials for accounts accessed on suspected hosts, and assume compromised credentials should be replaced (especially service accounts and admin accounts).
• Where compromise is confirmed or strongly suspected, perform a rebuild from known good media rather than relying solely on anti‑malware removal.
• Confirm infrastructure hardening: ensure the Notepad++ website and update host endpoints you rely on are not cached or routed through compromised proxies within your environment.
• For enterprises: notify customers and partners if sensitive data may have been exposed, and coordinate with legal and compliance teams for disclosure obligations.

---

Detection artifacts and indicators (what analysts have found)​

Security teams that have publicly analyzed the campaign have published specific artifacts and hashes associated with the malicious installer and loader(s). Common artifacts mentioned in multiple reports include:

• NSIS installer file typically named update.exe (hashes have been shared by incident responders).
• Hidden %APPDATA%\Bluetooth folder containing BluetoothService.exe and log.dll.
• Use of a renamed Bitdefender Submission Wizard binary for DLL sideloading.
• Malicious DLL (log.dll) performing decryption and loading of shellcode that executes Chrysalis.
• Chrysalis C2 patterns that imitate benign API endpoints to blend into normal HTTP(S) traffic.

Because the IoCs are time‑sensitive and analysts have continued to update lists, defenders should rely on their security vendors’ threat intelligence feeds and incorporate Rapid7’s published telemetry if available to them. If you are an admin and would like precise hashes, obtain them from your trusted threat intel provider or vendor rather than random public forums.

---

Enterprise guidance: containment, hunt, and hardening​

For organizations, the Notepad++ incident is a reminder that even small utilities can be a strategic vector.
Recommended actions for security teams:

• Hunt for the exact execution pattern: Notepad++ -> gup.exe -> download->%TEMP%\update.exe -> child process <suspicious>.
• Use network telemetry to look for unusual outbound TLS connections initiated around Notepad++ update times; the Chrysalis C2 behavior attempted to mimic other APIs but still left anomalous patterns.
• Query sysmon or endpoint logs for DLL sideloading events and for processes that load unexpected modules from nonstandard locations.
• Check for lateral movement indicators immediately following any detected implant activity.
• Validate backup integrity and, if hosts were compromised, rebuild from clean images and rotate service credentials.
• Review procurement and vendor relationships with hosting providers: the root cause here involved a compromised shared hosting server. Enterprises should demand stricter multi‑tenant isolation and transparency from hosted‑service providers, particularly for anything that publishes update manifests or binaries.

Hardening the update supply chain:

• Enforce code signing checks on every client update and make signature verification non‑bypassable.
• Sign and verify update manifests (XMLDSig or equivalent) so a redirection of the download URL cannot substitute an attacker installer.
• Prefer distribution channels that minimize your exposure to a single hosting provider compromise (mirroring to verified repositories, using strong TLS with pinning, and multi‑channel verification).

---

What this means for open‑source projects and users​

This incident demonstrates a core lesson: supply‑chain trust is only as strong as each link in the chain. The Notepad++ codebase was not the flaw; the flaw was in the updater’s trust model and in the hosting environment used to serve update information.
For maintainers:

• Treat your update server as a high‑value target. Harden hosting, rotate credentials frequently, enable multi‑factor and least privilege for admin access, and log and monitor aggressively.
• Implement signed manifests and chain of trust for updates from day one.
• Consider providing checksums and GPG signatures for distributed installers, and make verification steps simple and automatic for users.

For users:

• Prefer manual download and verification if you must be certain of integrity.
• Keep small but high‑utility tools up to date and favor builds that enforce signature checks.
• Reduce the attack surface where possible: avoid running auto‑updates in sensitive environments unless the update path enforces strict verification.

---

What we still don’t know — and what to watch for​

• Attribution confidence: analyst reports attribute the campaign to Lotus Blossom with moderate confidence based on tooling and reuse patterns. Attribution in sophisticated espionage campaigns is never absolute; treat it as one informed assessment among others.
• Scope of impact: public reporting confirms only a small number of victim organizations. Because the actor used selective redirection, the total number of victims may remain low or undisclosed for operational reasons. Organizations should not assume safety simply because they haven’t seen public mention.
• Secondary implants: Chrysalis is a foothold implant. In confirmed compromises, attackers may have deployed additional tools. If a host is suspected, assume the adversary may have done more than the initial implant and act accordingly.

If you are responsible for critical infrastructure, communications, or national security systems and used Notepad++ during the affected period, treat this incident as high priority: coordinate with your incident response vendors and consider proactive threat hunting across your environments.

---

Final assessment and lessons​

This campaign is a textbook modern supply‑chain incident: no intrinsic bug in the application itself; instead, manipulation of distribution and update trust resulted in the delivery of a sophisticated backdoor. The operation’s craftsmanship — selective targeting, staged loaders, use of legitimate binaries for sideloading, and custom obfuscation — all point to a carefully planned espionage campaign aiming to remain under the radar.
Key takeaways:

• Always assume update channels are sensitive — apply signature verification and manifest signing.
• Small developer projects need the same supply‑chain hygiene as enterprise software.
• Selective attacks are harder to detect but no less dangerous; defenders must proactively hunt using both endpoint and network telemetry.
• If you think you are affected, prioritize containment, forensic preservation, and a full rebuild rather than quick fixes.

If you use Notepad++, update to a patched release that enforces certificate and signature checks, scan for the artifacts described here, and follow the remediation steps if you find evidence of compromise. For organizations, treat the incident as an urgent prompt to review update integrity, hosting provider trust, and software distribution assurances across all widely deployed utilities in your environment.
Conclusion: the Notepad++ incident is both a warning and a useful case study. It shows how a relatively small trust misconfiguration in an updater can become an espionage vector — and it gives defenders a clear, actionable list of fixes that will reduce risk not only for Notepad++ users, but for anyone who relies on third‑party updaters in Windows environments.

---

Source: TweakTown Notepad++ hack detailed - and what to do if you think you might be affected