State-sponsored Chinese threat actors conducted a months-long supply chain attack against Notepad++, compromising the text editor’s hosting infrastructure to intercept update traffic and deliver poisoned executables to selectively targeted users. The campaign, which ran undetected for roughly six months, highlights the increasing sophistication of attacks targeting trusted software distribution channels.
Attack Architecture
The compromise occurred at the hosting provider level, not through vulnerabilities in Notepad++’s source code. Attackers gained access to the infrastructure serving notepad-plus-plus.org and used that position to manipulate the software update process.
Notepad++ uses WinGUp, a generic Windows update utility, to check for and download new versions. The attackers exploited a fundamental weakness in WinGUp’s design: its integrity and authenticity verification of downloaded files was insufficient to detect man-in-the-middle interception at the infrastructure layer.
Rather than serving malicious updates to all users — which would have triggered rapid detection — the attackers selectively redirected traffic from specific targets to rogue servers hosting poisoned executables. This targeted approach allowed the operation to persist undetected for an extended period.
Detailed Timeline
| Date | Event |
|---|---|
| June 2025 | Initial compromise of hosting provider infrastructure |
| June – August 2025 | Active targeting of select users via redirected updates |
| September 2, 2025 | Notepad++ migrated away from the compromised hosting provider |
| December 2, 2025 | Attackers lost retained credentials to the former hosting environment |
| Early January 2026 | Incident publicly disclosed following investigation |
| February 2, 2026 | Full technical details published |
Even after the hosting migration in September, the attackers retained credentials that provided some level of access until December — a three-month window in which residual risk persisted.
Attribution and Threat Actor Profile
Security researchers have attributed the campaign to Lotus Blossom (also known as Lotus Panda, Billbug, Spring Dragon), a China-linked APT active since at least 2009. Rapid7 Labs and Kaspersky independently confirmed the attribution based on infrastructure overlaps and malware characteristics.
Lotus Blossom background
| Attribute | Details |
|---|---|
| Also known as | Lotus Panda, Billbug, Spring Dragon |
| Active since | 2009 |
| Attribution | China-linked state-sponsored |
| Primary targets | Government, telecom, aviation, critical infrastructure |
| Target regions | Southeast Asia, Central America |
The targeted nature of the attack — routing only specific users to malicious servers — suggests the operators had pre-identified targets of interest, potentially through separate reconnaissance operations or intelligence requirements.
Identified targets (Kaspersky telemetry)
| Target type | Location |
|---|---|
| Government organization | Philippines |
| Financial organization | El Salvador |
| IT service provider | Vietnam |
| Individual users | Vietnam, El Salvador, Australia |
Fewer than 24 machines received malicious updates, demonstrating the highly selective targeting approach.
Maintainer Response
Notepad++ developer Don Ho confirmed the scope of the compromise:
“The attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.”
In response, the project has:
- Migrated to a new hosting provider with enhanced security controls
- Released version 8.8.9 with improved update verification mechanisms in WinGUp
- Implemented additional integrity checks for downloaded binaries
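The weakness described under Attack Architecture, and the verification improvements listed above, come down to one design property: an updater must be able to reject a download even when every server it talks to is hostile. The following Go program is an added illustration of that property and is not WinGUp's code or anything the Notepad++ project shipped. It assumes a JSON manifest (version plus SHA-256 of the installer) signed with an Ed25519 key whose public half is compiled into the updater; the key pair, the installer bytes and the version strings in the demo are constructed. With the public key pinned, a hosting provider that can redirect downloads still cannot produce a manifest that verifies, the hash binds the installer bytes to the signed statement, and the version check refuses a replay of an older, legitimately signed release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the release description the updater downloads next to the
// installer (assumed format, not WinGUp's). Nothing in it is trusted until the
// signature over the exact bytes has been checked against the pinned key.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// Release is what the update server hands out: manifest bytes plus signature.
type Release struct {
	Manifest  []byte
	Signature []byte
}

// signRelease is the build-side step. The private key lives only in the
// release-signing environment; the hosting provider never holds it.
func signRelease(priv ed25519.PrivateKey, m Manifest) (Release, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return Release{}, err
	}
	return Release{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// newerVersion reports whether candidate is strictly newer than installed,
// comparing dotted numeric components ("8.8.9" beats "8.8.8"). Non-numeric
// parts count as 0, so a malformed manifest version never wins.
func newerVersion(candidate, installed string) bool {
	c := strings.Split(candidate, ".")
	i := strings.Split(installed, ".")
	for n := 0; n < len(c) || n < len(i); n++ {
		var cv, iv int
		if n < len(c) {
			cv, _ = strconv.Atoi(c[n])
		}
		if n < len(i) {
			iv, _ = strconv.Atoi(i[n])
		}
		if cv != iv {
			return cv > iv
		}
	}
	return false
}

// verifyUpdate is the client-side step. pub is compiled into the updater, so
// whoever controls DNS, the CDN or the hosting provider can redirect the
// download but cannot forge a manifest that verifies. The order matters:
// signature first, then parse, then version, then hash.
func verifyUpdate(pub ed25519.PublicKey, r Release, installer []byte, installed string) (Manifest, error) {
	if !ed25519.Verify(pub, r.Manifest, r.Signature) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(r.Manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("signed manifest is not valid JSON: %w", err)
	}
	if !newerVersion(m.Version, installed) {
		return Manifest{}, fmt.Errorf("manifest version %q is not newer than installed %q: possible downgrade or replay", m.Version, installed)
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != strings.ToLower(m.SHA256) {
		return Manifest{}, errors.New("installer hash does not match signed manifest: refusing update")
	}
	return m, nil
}

func main() {
	// Constructed demo: throwaway key pair (nil reader selects crypto/rand)
	// and a stand-in for the installer bytes.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed stand-in for the installer bytes")
	sum := sha256.Sum256(installer)
	rel, err := signRelease(priv, Manifest{Version: "8.8.9", SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}
	_, err = verifyUpdate(pub, rel, installer, "8.8.8")
	fmt.Println("genuine release:", err)
	_, err = verifyUpdate(pub, rel, []byte("poisoned installer from a redirected download"), "8.8.8")
	fmt.Println("swapped installer:", err)
	tampered := Release{Manifest: append([]byte(nil), rel.Manifest...), Signature: rel.Signature}
	tampered.Manifest[len(tampered.Manifest)-1] ^= 0x01 // any change to the signed bytes breaks the signature
	_, err = verifyUpdate(pub, tampered, installer, "8.8.8")
	fmt.Println("edited manifest:", err)
	_, err = verifyUpdate(pub, rel, installer, "8.8.9")
	fmt.Println("replayed release:", err)
}
```

The same check with a manifest fetched from a separate channel but no signature would not help here: an attacker sitting at the hosting layer serves both the installer and the manifest, so a hash that is not itself bound to a key the client already holds proves nothing. Key rotation and revocation are outside this sketch and need their own design.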
The Chrysalis Backdoor
Attackers delivered a previously undocumented backdoor named Chrysalis through trojanized NSIS installers.
Delivery mechanism
| Component | Purpose |
|---|---|
| NSIS installer | Trojanized update package |
| BluetoothService.exe | Renamed legitimate Bitdefender binary |
| log.dll | Malicious DLL for sideloading |
| Shellcode | Decrypted Chrysalis payload |
The attackers used DLL sideloading — a technique in which a legitimate, signed executable loads a malicious DLL placed alongside it, so detection keyed on the executable's file name is unreliable.
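Because the host executable is genuinely signed, the useful detection signal is the relationship between the process and the DLL it loads, not either file's name. The Go program below is an added example of that rule run over constructed image-load records; it is not a rule shipped by any vendor or by the researchers cited here. The record layout is a simplified, assumed version of what a Sysmon "Image loaded" event carries, the sample paths and publisher names are constructed (modelled on the BluetoothService.exe and log.dll pairing described above), and the list of user-writable directories is an assumption to tune locally.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageLoad is a constructed, simplified image-load record with the fields a
// Sysmon event ID 7 (Image loaded) provides; the struct layout is assumed.
type ImageLoad struct {
	Process     string // path of the process that loaded the DLL
	ProcSigned  bool
	ProcSigner  string
	Image       string // path of the loaded DLL
	ImageSigned bool
	ImageSigner string
}

// SideloadFinding is one rule hit.
type SideloadFinding struct {
	Rule  string
	Event ImageLoad
}

// dirOf returns the lowercased directory (with trailing backslash) of a
// Windows path. It splits on the backslash itself so the rule runs on any OS
// rather than depending on path/filepath's platform separator.
func dirOf(p string) string {
	p = strings.ToLower(p)
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return ""
	}
	return p[:i+1]
}

// userWritable is an assumed list of directory prefixes an unprivileged user
// can write to. A signed vendor binary running from one of them is itself
// unusual and raises the weight of a hit.
var userWritable = []string{`c:\users\`, `c:\programdata\`, `c:\windows\temp\`}

func isUserWritable(dir string) bool {
	for _, pfx := range userWritable {
		if strings.HasPrefix(dir, pfx) {
			return true
		}
	}
	return false
}

// sideloadCandidates applies one rule: a signed process loaded a DLL from its
// own directory (the first place the Windows loader looks for an unqualified
// DLL name), and that DLL is unsigned or signed by a different publisher than
// the host process. File names play no part, which is the point.
func sideloadCandidates(events []ImageLoad) []SideloadFinding {
	var out []SideloadFinding
	for _, e := range events {
		if !e.ProcSigned {
			continue // an unsigned host is a different rule's problem
		}
		procDir := dirOf(e.Process)
		if procDir == "" || dirOf(e.Image) != procDir {
			continue
		}
		switch {
		case !e.ImageSigned:
			rule := "signed process loaded unsigned DLL from its own directory"
			if isUserWritable(procDir) {
				rule += " (user-writable location)"
			}
			out = append(out, SideloadFinding{rule, e})
		case !strings.EqualFold(e.ImageSigner, e.ProcSigner):
			out = append(out, SideloadFinding{"signed process loaded DLL signed by a different publisher from its own directory", e})
		}
	}
	return out
}

// sampleEvents are constructed records modelled on the delivery chain above
// plus benign loads that the rule must ignore.
var sampleEvents = []ImageLoad{
	{`C:\Users\alice\AppData\Local\Temp\npp-update\BluetoothService.exe`, true, "Bitdefender (constructed)",
		`C:\Users\alice\AppData\Local\Temp\npp-update\log.dll`, false, ""},
	{`C:\Program Files\Notepad++\notepad++.exe`, true, "Notepad++ (constructed)",
		`C:\Windows\System32\kernel32.dll`, true, "Microsoft Windows (constructed)"},
	{`C:\Program Files\Vendor\app.exe`, true, "Vendor (constructed)",
		`C:\Program Files\Vendor\helper.dll`, true, "Vendor (constructed)"},
	{`C:\Program Files\Vendor\app.exe`, true, "Vendor (constructed)",
		`C:\Program Files\Vendor\plugin.dll`, true, "Other Publisher (constructed)"},
	{`C:\Users\bob\Downloads\tool.exe`, false, "",
		`C:\Users\bob\Downloads\tool.dll`, false, ""},
}

func main() {
	for _, f := range sideloadCandidates(sampleEvents) {
		fmt.Printf("%s\n  process: %s\n  image:   %s\n", f.Rule, f.Event.Process, f.Event.Image)
	}
}
```

A renamed Bitdefender binary passes a signature check on its own; only the unsigned log.dll loaded from the same user-writable folder distinguishes it from the same binary running from its proper install directory. The publisher-mismatch branch catches the variant where the planted DLL carries some other valid signature.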
Chrysalis capabilities
| Capability | Description |
|---|---|
| System reconnaissance | Gather detailed system information |
| Command execution | Spawn interactive shell |
| Process creation | Launch arbitrary processes |
| File operations | Read, write, delete files |
| File exfiltration | Upload data to C2 servers |
| Self-removal | Uninstall to eliminate traces |
Command and control
The backdoor contacts api.skycloudcenter[.]com to receive commands via HTTP/HTTPS.
Why This Attack Matters
Supply chain attacks targeting software update mechanisms represent one of the most dangerous vectors in cybersecurity. Users implicitly trust update processes — antivirus tools typically allowlist update traffic, and users are conditioned to accept updates promptly.
This incident shares characteristics with several high-profile supply chain compromises:
- SolarWinds (2020) — Build system compromise delivering backdoored updates
- ASUS Live Update (2019) — Signed malicious updates targeting specific MAC addresses
- CCleaner (2017) — Compromised build environment serving backdoored binaries
The Notepad++ attack is notable for its selectivity — rather than broad distribution, the attackers chose precision targeting, making the compromise harder to detect through statistical analysis of update behavior.
Recommendations
Organizations and individual users should take the following steps:
- Update immediately to Notepad++ version 8.8.9 or later
- Verify installation integrity by comparing file hashes against official checksums published on the Notepad++ GitHub repository
- Monitor network telemetry for historical connections to unexpected servers during Notepad++ update windows (June–September 2025)
- Implement application allowlisting to prevent execution of binaries that don’t match known-good hashes
- Consider update isolation — route software updates through monitored proxy infrastructure where update binaries can be inspected before deployment
- Review EDR logs for any anomalous behavior following Notepad++ updates during the compromise window
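The two telemetry recommendations above (historical connections during the update window, and anomalous behaviour after updates) can be turned into a repeatable check. The Go program below is an added example, not a tool from the Notepad++ project or from the researchers cited here. It reads constructed proxy-style lines of the form "timestamp host=... proc=... dst=host:port" (the line format, the updater process name gup.exe, and the allowlist of hosts an update may reach are all assumptions to adjust to local telemetry), takes the compromise window from the timeline above (June 2025 to 2 September 2025; the June start day is assumed, since the article gives only the month), and keeps the article's C2 indicator defanged in source, refanging it only at match time.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Compromise window from the timeline: initial compromise in June 2025 until
// the hosting migration on 2 September 2025 (June start day assumed).
var (
	windowStart = time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	windowEnd   = time.Date(2025, 9, 2, 23, 59, 59, 0, time.UTC)
)

// Assumptions to tune locally: how WinGUp shows up as a process name, and the
// hosts an update is allowed to reach.
var updaterProcs = map[string]bool{"gup.exe": true}
var expectedHosts = map[string]bool{"notepad-plus-plus.org": true, "github.com": true}

// knownC2 is the command-and-control host named in the article, kept defanged
// in source; refang turns it into the form that appears in real logs.
var knownC2 = []string{"api.skycloudcenter[.]com"}

func refang(s string) string { return strings.ReplaceAll(s, "[.]", ".") }

type NetEvent struct {
	Time time.Time
	Host string
	Proc string
	Dst  string // destination host, lowercased, port stripped
}

type NetFinding struct {
	Severity string
	Rule     string
	Event    NetEvent
}

// parseLine reads one constructed "ts key=value ..." line (format assumed).
// Sample data uses host:port with IPv4 addresses or names, so cutting at the
// first colon is enough here; bracketed IPv6 would need its own handling.
func parseLine(line string) (NetEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return NetEvent{}, fmt.Errorf("too few fields: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return NetEvent{}, err
	}
	ev := NetEvent{Time: ts}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "host":
			ev.Host = v
		case "proc":
			ev.Proc = strings.ToLower(v)
		case "dst":
			h, _, _ := strings.Cut(v, ":")
			ev.Dst = strings.ToLower(refang(h))
		}
	}
	if ev.Proc == "" || ev.Dst == "" {
		return NetEvent{}, fmt.Errorf("missing proc or dst: %q", line)
	}
	return ev, nil
}

// reviewTelemetry applies two rules. Any process reaching the known C2 is
// critical regardless of date. The updater reaching a host outside the
// allowlist is high inside the compromise window and still worth review
// outside it. Malformed lines are counted rather than silently dropped.
func reviewTelemetry(lines []string) (findings []NetFinding, skipped int) {
	c2 := map[string]bool{}
	for _, h := range knownC2 {
		c2[refang(h)] = true
	}
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			skipped++
			continue
		}
		if c2[ev.Dst] {
			findings = append(findings, NetFinding{"critical", "connection to known Chrysalis C2", ev})
			continue
		}
		if updaterProcs[ev.Proc] && !expectedHosts[ev.Dst] {
			sev := "review"
			if !ev.Time.Before(windowStart) && !ev.Time.After(windowEnd) {
				sev = "high"
			}
			findings = append(findings, NetFinding{sev, "updater reached non-allowlisted host", ev})
		}
	}
	return findings, skipped
}

// sampleLog is constructed; the IPs are RFC 5737 documentation addresses.
var sampleLog = []string{
	"2025-06-20T10:02:11Z host=WS-0142 proc=gup.exe dst=notepad-plus-plus.org:443",
	"2025-07-14T09:12:03Z host=WS-0142 proc=gup.exe dst=203.0.113.45:443",
	"2025-07-14T09:12:40Z host=WS-0142 proc=BluetoothService.exe dst=api.skycloudcenter[.]com:443",
	"2025-08-01T12:00:00Z host=WS-0099 proc=chrome.exe dst=github.com:443",
	"garbage line that the parser must not choke on",
	"2025-10-05T08:00:00Z host=WS-0077 proc=GUP.exe dst=198.51.100.9:443",
}

func main() {
	findings, skipped := reviewTelemetry(sampleLog)
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s %s -> %s at %s\n", f.Severity, f.Rule, f.Event.Host, f.Event.Proc, f.Event.Dst, f.Event.Time.Format(time.RFC3339))
	}
	fmt.Printf("%d malformed lines skipped\n", skipped)
}
```

The updater rule deliberately keys on the process rather than the destination alone: a redirected update goes to an address no allowlist anticipated, so the only stable signal is "the updater talked to something other than its known hosts". Run it against the full June to September 2025 range of retained logs, not just the days an update was expected, since the article notes the attackers chose when individual targets were redirected.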