The modern software supply chain is built on a foundation of implicit trust: the trust that users and systems place in update mechanisms to deliver secure patches. When this trust is weaponized, the resulting compromise can bypass even the most robust perimeter defenses. Between June and December 2025, the Notepad++ project became the target of a sophisticated infrastructure-level supply chain compromise attributed to a People’s Republic of China (PRC)-aligned threat actor. The operation, characterized by its selective targeting and operational stealth, used a compromise of the project’s shared hosting environment to manipulate the software’s update mechanism, WinGUp.
This post will break down the technical specifics of the breach, the on-path hijacking mechanism, and the custom malware deployed against high-value targets.
The Infrastructure Breach
The compromise did not originate from a vulnerability in the Notepad++ source code itself, but from a fundamental weakness in the hosting infrastructure. On 2 February 2026, Notepad++ maintainer Don Ho disclosed that the project’s official domain was targeted through an infrastructure-level compromise at their former shared hosting provider.
According to their investigations, the threat actor specifically searched for and targeted the notepad-plus-plus.org domain within the shared environment, ignoring other tenants. This targeted approach allowed the threat actor to intercept and manipulate the server-side logic responsible for handling update requests.
Six-Month Dwell Time
The timeline shows a patient adversary who maintained a foothold for half a year:
- June 2025: Initial compromise of the shared hosting server.
- Sept 2, 2025: Attackers lost direct server access following scheduled maintenance that updated the system’s kernel and firmware.
- Sept – Dec. 2, 2025: Despite losing server access, the attackers retained stolen credentials for internal service accounts. This allowed them to continue redirecting update traffic for an additional three months.
On-Path Redirection
The mechanism for the delivery was a classic on-path infrastructure manipulation. When a user running an older version of Notepad++ checked for updates, the built-in Windows Generic Update Program (WinGUp, or gup.exe) would query the official website.
Request > Redirection > Poisoned manifest > Unverified Execution
This method was highly selective. Rather than a mass infection event, the attackers only redirected specific traffic, likely based on the victim’s IP address or organizational profile.
Chrysalis Payload and Multiple Infection Chains
Technical analysis by Rapid7 and Kaspersky has identified at least three distinct infection chains used throughout the campaign to deliver various payloads, most notably a previously undocumented custom backdoor tracked as Chrysalis.
The Chrysalis Backdoor
Chrysalis is a sophisticated, feature-rich implant meant for long-term espionage. Its capabilities include:
- Uses Microsoft Warbird code protection and custom API hashing to evade detection.
- Supports remote command execution, file system and registry enumeration, and process management.
- Implements a chunked file transfer protocol over its C2 channel to bypass network size limits and mimic legitimate traffic.
Infection Chain Summary
| Phase | Technique | Payload |
|---|---|---|
| Chain 1 (July/Aug) | ProShow DLL sideloading | Cobalt Strike Beacon |
| Chain 2 (Sept) | Lua-based execution using a legitimate Lua interpreter dropped in an Adobe-themed folder | Cobalt Strike Beacon |
| Chain 3 (Oct/Nov) | Trojanized installer dropping a renamed Bitdefender binary to sideload log.dll | Chrysalis Backdoor |
Attribution
Several researchers, including Kevin Beaumont (who first reported the issue in December 2025) and Rapid7, have attributed this activity to Lotus Blossom (aka Billbug, Violet Typhoon, APT31).
Lotus Blossom is a Chinese state-sponsored group active since at least 2009, known for targeting government, telecommunications, and finance sectors across Southeast Asia. The precision of the Notepad++ targeting is highly consistent with the group’s historical intelligence requirements.
Targets
The campaign’s impact was concentrated in:
- Sectors: Telecom, Financial Services, IT Services, Government
- Regions: Vietnam, Philippines, El Salvador, Australia
By compromising network administrators or engineers at a telecom provider via a trusted tool like Notepad++, the threat actors gain a vantage point for deep reconnaissance across the provider’s entire infrastructure, potentially facilitating further access to downstream high-value targets.
Mitigation and Defense
The Notepad++ maintainers have since migrated to a hardened hosting provider and released security-focused updates.
Recommendations
- Ensure all Notepad++ installations are upgraded to version 8.9.1 or later. Version 8.8.9 implements mandatory signature and certificate verification for all updates.
- Remove any custom root certificates that were required for older Notepad++ installations. Official binaries are now signed with valid GlobalSign certificates.
- Scan systems for files named AutoUpdater.exe or update.exe in the %TEMP% directory, as these are not legitimate Notepad++ filenames.
- Restrict gup.exe from connecting to any domain other than notepad-plus-plus.org or github.com.
- Enforce allow-listing for update mechanisms. Consider centrally managing developer utilities rather than allowing unverified, internet-initiated auto-updates.
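The recommendations above can be turned into a read-only host audit. The script below is an added example, not code from the Notepad++ project or from any of the cited reports; it assumes the default install path, GUP.exe under the updater\ subfolder, and an official signer whose certificate subject contains "Notepad++" and whose issuer is GlobalSign.

```powershell
# Added example (not from the Notepad++ project): read-only audit of one Windows host
# against the recommendations above. Assumptions: default install path, GUP.exe in the
# updater\ subfolder, and a signer subject containing "Notepad++" issued by GlobalSign.
$MinVersion = [version]'8.9.1'
$InstallDir = Join-Path $env:ProgramFiles 'Notepad++'
$Findings   = New-Object System.Collections.Generic.List[string]

# 1. Version: mandatory signature checks only protect clients that are already current.
$npp = Join-Path $InstallDir 'notepad++.exe'
if (Test-Path $npp) {
    $raw = (Get-Item $npp).VersionInfo.FileVersion -replace '[^\d.]', ''
    if ([version]$raw -lt $MinVersion) { $Findings.Add("notepad++.exe is $raw, below $MinVersion") }
} else {
    $Findings.Add("notepad++.exe not found under $InstallDir (non-default install?)")
}

# 2. Authenticode on the editor and its updater: valid chain and the expected signer.
foreach ($path in @($npp, (Join-Path $InstallDir 'updater\GUP.exe'))) {
    if (-not (Test-Path $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $Findings.Add("$path signature status: $($sig.Status)"); continue }
    $subject = $sig.SignerCertificate.Subject
    $issuer  = $sig.SignerCertificate.Issuer
    if ($subject -notmatch 'Notepad\+\+' -or $issuer -notmatch 'GlobalSign') {
        $Findings.Add("$path signed by unexpected party: $subject / $issuer")
    }
}

# 3. Leftover custom roots from older installs (assumes their subject named Notepad++).
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -match 'Notepad\+\+' } |
    ForEach-Object { $Findings.Add("Custom root still trusted: $($_.Subject) $($_.Thumbprint)") }

# 4. Dropped-file names from the post, plus the Chain 3 sideloaded-DLL path.
$Suspect = @(
    (Join-Path $env:TEMP 'AutoUpdater.exe'), (Join-Path $env:TEMP 'update.exe'),
    (Join-Path $env:APPDATA 'Bluetooth\log.dll')
)
foreach ($p in $Suspect) {
    if (Test-Path $p) {
        $sha1 = (Get-FileHash -Path $p -Algorithm SHA1).Hash
        $Findings.Add("Suspicious file present: $p (SHA1 $sha1)")
    }
}

if ($Findings.Count -eq 0) { 'No findings: host meets the Notepad++ hardening recommendations.' }
else { $Findings | ForEach-Object { "[FINDING] $_" } }
# Restricting GUP.exe to notepad-plus-plus.org/github.com is a proxy or DNS-policy control;
# Windows Defender Firewall matches addresses, not domains, so it is not enforced here.
```

Run it from an elevated PowerShell session so the LocalMachine certificate store and Program Files are readable; any `[FINDING]` line maps back to one of the bullets above.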
Technical Indicators of Compromise (IOCs)