Overview

A coordinated investigation by security researchers and vendors has revealed that state‑linked threat actors abused the official Notepad++ update mechanism as part of a long‑running, highly targeted supply‑chain attack. The campaign leveraged a hosting‑provider compromise to silently redirect software updates and deliver a previously undocumented backdoor, now identified as Chrysalis, attributed to the Chinese APT group Lotus Blossom.
What Happened

According to disclosures from Notepad++’s maintainer and independent research published by The Hacker News and Rapid7, attackers compromised the shared hosting infrastructure used to distribute Notepad++ updates—not the application’s source code itself. This allowed the adversary to intercept and selectively redirect update traffic from the official domain (notepad-plus-plus.org) to attacker‑controlled servers. The activity began as early as June 2025 and remained active until December 2, 2025, despite partial disruption in September when the hosting provider applied kernel and firmware updates. Investigators determined that the attackers retained stolen internal service credentials, enabling continued update redirection for months after losing direct server access.

Rather than mass‑infecting users, the operation was highly selective, with evidence suggesting targeting of telecommunications, financial services, and government‑adjacent organizations—primarily in East and Southeast Asia. Multiple researchers assess the actor as a Chinese state‑sponsored group, consistent with the tactics and victimology observed.

Technical Details: From Update Hijack to Chrysalis

Rapid7’s threat research team linked the compromised update distribution to the delivery of a new malware implant dubbed Chrysalis. Telemetry indicates that execution of legitimate notepad++.exe and its updater (GUP.exe) preceded the download of a malicious NSIS‑based installer (update.exe) from attacker infrastructure.

Key technical characteristics of the Chrysalis toolchain include:

  • NSIS installer abuse to drop multiple payload components
  • DLL sideloading using a renamed legitimate binary (e.g., BluetoothService.exe)
  • Encrypted shellcode execution and in‑memory loading
  • Heavy obfuscation, including API hashing and a loader protected with Microsoft Warbird
  • Encrypted HTTPS command‑and‑control using benign‑looking user‑agent strings
  • Persistence via Windows services or autorun registry key

Once established, Chrysalis provides operators with full remote access, including command execution, file manipulation, and secondary payload deployment—indicative of long‑term espionage objectives.

ctrl:cyber Threat Hunting

ctrl:cyber is actively performing proactive threat hunting across monitored environments to identify indicators associated with the Notepad++ supply‑chain compromise and the Chrysalis backdoor. This includes analysis of endpoint telemetry, process execution chains involving notepad++.exe and GUP.exe, suspicious installer activity, and known post‑exploitation behaviors consistent with Lotus Blossom tradecraft. Should any relevant findings be identified, ctrl:cyber will proactively reach out to the designated point of contact.

Affected Devices

Based on reports, the following assets are considered at risk:

  • Windows systems running Notepad++ that:
    – Used the WinGUp/GUP auto‑updater
    – Requested updates between June and December 2025
    – Were running older versions prior to v8.8.9
  • Enterprise endpoints in targeted sectors (telecom, finance, government, critical infrastructure) that may have received selectively redirected updates
  • Systems exhibiting signs of:
    – Execution of unsigned or unexpected update.exe
    – DLL sideloading from non‑standard directories (e.g., %AppData%\Bluetooth)

Recommended Remediations

While ctrl:cyber continues to monitor, detect, and investigate potential exposure, we strongly recommend security teams and users to take immediate action based on the following guidance to ensure no localised or previously dormant artifacts remain undetected:

  1. Update Immediately
  • Upgrade Notepad++ to v8.8.9 or later, which enforces certificate and signature verification for updates.
  • Future versions introduce XML‑signed update manifests (XMLDSig) for additional integrity assurance.

2. Audit Endpoints

  • Identify systems that updated Notepad++ during June–December 2025.
  • Review process execution history involving notepad++.exe, GUP.exe, and unexpected installers.

3. Hunt for Indicators of Compromise

  • Look for suspicious files and directories in %TEMP% and %AppData%.
  • Detect DLL sideloading behavior and anomalous service or registry‑based persistence.

4. Network and Credential Hygiene

  • Monitor outbound traffic for anomalous HTTPS connections using generic user‑agents.
  • Rotate credentials and restrict egress where possible.

5. Supply‑Chain Hardening

  • Prefer manual verification or internal mirroring of critical third‑party tools.
  • Validate digital signatures on all software updates before deployment.

Should you require further information or have any additional concerns, please feel free to contact the ctrl:cyber team.

Source: Notepad++, Rapid 7, The Hacker News