A Technical Post-Mortem of the Notepad++ Supply Chain Compromise

The modern software supply chain is built on a foundation of implicit trust; a trust that users and systems place in update mechanisms to deliver secure patches. When this trust is weaponized, the resulting compromise can bypass even the most robust perimeter defenses. Between June and December 2025, the Notepad++ project became the target of a sophisticated infrastructure-level supply chain compromise attributed to a People’s Republic of China (PRC)-aligned threat actor. The operation, characterized by its selective targeting and operational stealth, used a compromise of the project’s shared hosting environment to manipulate the software’s update mechanism, WinGUp.

This post will break down the technical specifics of the breach, the on-path hijacking mechanism, and the custom malware deployed against high-value targets.

The Infrastructure Breach

The compromise did not originate from a vulnerability in the Notepad++ source code itself, but from a fundamental weakness in the hosting infrastructure. On 2 February 2026, Notepad++ maintainer Don Ho disclosed that the project’s official domain was targeted through an infrastructure-level compromise at their former shared hosting provider.

According to their investigations, the threat actor specifically searched for and targeted the notepad-plus-plus.org domain within the shared environment, ignoring other tenants. This targeted approach allowed the threat actor to intercept and manipulate the server-side logic responsible for handling update requests.

Six-Month Dwell Time

The timeline shows a patient adversary who maintained a foothold for half a year:

  • June 2025: Initial compromise of the shared hosting server.
  • Sept 2, 2025: Attackers lost direct server access following scheduled maintenance that updated the system’s kernel and firmware.
  • Sept – Dec. 2, 2025: Despite losing server access, the attackers retained stolen credentials for internal service accounts. This allowed them to continue redirecting update traffic for an additional three months.

On-Path Redirection

The mechanism for the delivery was a classic on-path infrastructure manipulation. When a user running an older version of Notepad++ checked for updates, the built-in Windows Generic Update Program (WinGUp, or gup.exe) would query the official website.

Request > Redirection > Poisoned manifest > Unverified Execution

This method was highly selective. Rather than a mass infection event, the attackers only redirected specific traffic, likely based on the victim’s IP address or organizational profile.

Chrysalis Payload and Multiple Infection Chains

Technical analysis by Rapid7 and Kaspersky has identified at least three distinct infection chains used throughout the campaign to deliver various payloads, most notably a previously undocumented custom backdoor tracked as Chrysalis.

The Chrysalis Backdoor

Chrysalis is a sophisticated, feature-rich implant meant for long-term espionage. Its capabilities include:

  • Uses Microsoft Warbird code protection and custom API hashing to evade detection.
  • Supports remote command execution, file system and registry enumeration, and process management.
  • Implements a chunked file transfer protocol over its C2 channel to bypass network size limits and mimic legitimate traffic.

Infection Chain Summary

Phase              | Technique                                                                                  | Payload
Chain 1 (July/Aug) | ProShow DLL sideloading                                                                    | Cobalt Strike Beacon
Chain 2 (Sept)     | Lua-based execution using a legitimate Lua interpreter dropped in an Adobe-themed folder   | Cobalt Strike Beacon
Chain 3 (Oct/Nov)  | Trojanized installer dropping a renamed Bitdefender binary to sideload log.dll             | Chrysalis Backdoor

Attribution

Several researchers, including Kevin Beaumont (who first reported the issue in December 2025) and Rapid7, have attributed this activity to Lotus Blossom (aka Billbug, Violet Typhoon, APT31).

Lotus Blossom is a Chinese state-sponsored group active since at least 2009, known for targeting government, telecommunications, and finance sectors across Southeast Asia. The precision of the Notepad++ targeting is highly consistent with the group’s historical intelligence requirements.

Targets

The campaign’s impact was concentrated in:

  • Sectors: Telecom, Financial Services, IT Services, Government
  • Regions: Vietnam, Philippines, El Salvador, Australia

By compromising network administrators or engineers at a telecom provider via a trusted tool like Notepad++, the threat actors gain a vantage point for deep reconnaissance across the provider’s entire infrastructure, potentially facilitating further access to downstream high-value targets.

Mitigation and Defense

The Notepad++ maintainers have since migrated to a hardened hosting provider and released security-focused updates.

Recommendations

  1. Ensure all Notepad++ installations are upgraded to version 8.9.1 or later. Versions 8.8.9 and later implement mandatory signature and certificate verification for all updates.
  2. Remove any custom root certificates that were required for older Notepad++ installations. Official binaries are now signed with valid GlobalSign certificates.
  3. Scan systems for files named AutoUpdater.exe or update.exe in the %TEMP% directory, as these are not legitimate Notepad++ filenames.
  4. Restrict gup.exe from connecting to any domain other than notepad-plus-plus.org or github.com.
  5. Enforce allow-listing for update mechanisms. Consider centrally managing developer utilities rather than allowing unverified, internet-initiated auto-updates.

Technical Indicators of Compromise (IOCs)

Type                  | Value
C2 Domain             | api.skycloudcenter[.]com
C2 Domain             | api.wiresguard[.]com
C2 Domain             | cdncheck.it[.]com
C2 Domain             | safe-dns.it[.]com
Exfil Host            | temp[.]sh
Malicious URL         | http://95.179.213[.]0/update/update.exe
Installer Hash (SHA1) | 8e6e505438c21f3d281e1cc257abdbf7223b7f5a
Chrysalis Loader Path | %AppData%\Bluetooth\log.dll
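As an added example (not part of the original post or the Notepad++ project), the following Python turns recommendations 3 and 4 above and the IOC table into a host audit: it refangs the defanged domains, flags any process reaching a listed C2/exfil host, flags gup.exe connections to anything outside the notepad-plus-plus.org/github.com allow-list, and flags the named updater filenames under a Temp directory plus the Chrysalis loader path. The telemetry records are constructed, and feeding it from a Sysmon network-connection export is an assumption.

```python
from pathlib import PureWindowsPath

UPDATE_ALLOWLIST = {"notepad-plus-plus.org", "github.com"}  # recommendation 4
C2_DEFANGED = ["api.skycloudcenter[.]com", "api.wiresguard[.]com",
               "cdncheck.it[.]com", "safe-dns.it[.]com", "temp[.]sh"]  # IOC table
IOC_FILENAMES = {"autoupdater.exe", "update.exe"}  # recommendation 3

def refang(domain: str) -> str:  # 'temp[.]sh' -> 'temp.sh'
    return domain.replace("[.]", ".").strip().lower()

def host_in(host: str, domains) -> bool:  # exact match or subdomain of one
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_connections(records):
    """records: (image_path, destination_host) pairs, e.g. from Sysmon event 3."""
    c2 = {refang(d) for d in C2_DEFANGED}
    findings = []
    for image, host in records:
        exe = PureWindowsPath(image).name.lower()
        if host_in(host, c2):            # any process talking to known C2/exfil
            findings.append(("known_c2", exe, host))
        elif exe == "gup.exe" and not host_in(host, UPDATE_ALLOWLIST):
            findings.append(("updater_outside_allowlist", exe, host))
    return findings

def audit_paths(paths):
    """Flag IOC filenames under a Temp directory and the Chrysalis loader path."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        parts = [s.lower() for s in wp.parts]
        if wp.name.lower() in IOC_FILENAMES and "temp" in parts:
            findings.append(("suspicious_updater_file", str(wp)))
        elif parts[-2:] == ["bluetooth", "log.dll"]:  # %AppData%\Bluetooth\log.dll
            findings.append(("chrysalis_loader_path", str(wp)))
    return findings

# Constructed sample telemetry (not from a real host) so the module runs as-is.
SAMPLE_CONNECTIONS = [
    (r"C:\Program Files\Notepad++\updater\gup.exe", "notepad-plus-plus.org"),
    (r"C:\Program Files\Notepad++\updater\gup.exe", "cdn.example.net"),
    (r"C:\Users\alice\AppData\Local\Temp\update.exe", "api.skycloudcenter.com"),
]
SAMPLE_PATHS = [r"C:\Users\alice\AppData\Local\Temp\update.exe",
                r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll",
                r"C:\Program Files\Notepad++\notepad++.exe"]
if __name__ == "__main__":
    for finding in audit_connections(SAMPLE_CONNECTIONS) + audit_paths(SAMPLE_PATHS):
        print(*finding)
```

The host_in check deliberately rejects look-alikes such as notepad-plus-plus.org.evil.example while accepting real subdomains of the allow-listed domains.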
