Nation-State Actors Exploit Notepad++ Supply Chain

Between June and December 2025, the state-sponsored group Lotus Blossom compromised the shared hosting environment for Notepad++ updates and intercepted update traffic to serve malicious installers that delivered the Chrysalis backdoor and Cobalt Strike beacons. The campaign used DLL side-loading, Lua script injection and an adversary-in-the-middle filtering capability to selectively target system administrators across Southeast Asia and other regions, prompting Unit 42 to publish detections, IOCs, and mitigation guidance. #LotusBlossom #Chrysalis

Keypoints

  • The Notepad++ official hosting environment was compromised by the state-sponsored group Lotus Blossom, allowing interception and redirection of update traffic.
  • Attackers served malicious NSIS installers (commonly named update.exe) to targeted users, resulting in two primary infection chains: Lua script injection delivering Cobalt Strike and DLL side-loading delivering the Chrysalis backdoor.
  • The campaign specifically targeted administrators and privileged users across sectors including government, telecommunications, cloud hosting, energy, financial, manufacturing and software development, with concentration in Southeast Asia but also impacting South America, the U.S., and Europe.
  • Chrysalis employed advanced evasion (Microsoft Warbird code protection, custom API hashing) and persistence techniques; attackers misused a legitimate Bitdefender component (BluetoothService.exe) to load a malicious log.dll.
  • Unit 42 observed multiple malicious infrastructure items and C2 servers (e.g., 45.76.155[.]202, 45.77.31[.]210, 45.32.144[.]255) and provided XDR/XQL detections and hunting queries to identify compromise activity.
  • Vendor mitigations from Notepad++: manually update to v8.9.1 (which carries the WinGup updater hardening introduced in v8.8.9), enforce XML signature and certificate verification of update metadata, and migrate hosting to a more secure provider; Palo Alto Networks products provide additional protections and incident response assistance.

MITRE Techniques

  • [T1574.001] DLL Side-Loading – Used to load a malicious library via a legitimate Bitdefender component to execute the Chrysalis backdoor (‘…misused a legitimate Bitdefender component (BluetoothService.exe) to load a malicious library (log.dll) that decrypted and executed a custom backdoor.’)
  • [T1480.002] Mutex creation / persistence indicator – Chrysalis is associated with a specific global mutex that serves as an infection marker (‘…filter mutex = “GlobalJdhfv_1.0.1”’)
  • [T1036.005] Masquerading (anomalous updater file writes) – Detection for instances where the Notepad++ updater (gup.exe) writes unexpected files to temp locations, indicating masqueraded or deceptive update activity (‘…Detects cases where the Notepad++ updater (gup.exe) writes files to a temp folder that deviate from the normal and expected.’)
  • [T1036.001] Masquerading (improperly signed installer detection) – Identification of gup.exe downloading installers that are not properly signed or not signed by Notepad++, to detect fake update installers (‘…GUP.exe Downloading Improperly Signed Installer’)
  • [T1202] Indirect Command Execution – Detection of gup.exe spawning unusual subprocesses that deviate from its expected child processes, used to detect execution of malicious installers or scripts (‘…GUP.exe Spawning Unusual Subprocesses’)
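The three gup.exe hunting ideas above (unexpected temp writes, an installer not signed by Notepad++, unusual child processes) as one small triage routine over constructed endpoint telemetry. This is an added example, not code from the Unit 42 report or from Notepad++; the event schema, the "expected installer" file-name pattern and the signer string are assumptions to adjust against your own telemetry.

```python
import re

# Demo assumptions (not from the Unit 42 report): a clean update run has gup.exe
# write exactly one Notepad++-signed installer into a temp folder and launch only
# that file. Tune these baselines to what your own EDR data shows.
UPDATER = "gup.exe"
EXPECTED_SIGNER = "Notepad++"
INSTALLER_NAME = re.compile(r"^npp\.[\d.]+\.installer(\.x64|\.arm64)?\.exe$", re.I)
TEMP_FOLDER = re.compile(r"\\(temp|tmp)\\", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def triage(events):
    """Return (rule, file name) findings for telemetry rows where gup.exe is the actor."""
    findings = []
    for ev in events:
        if ev["actor"].lower() != UPDATER:
            continue                      # other processes are out of scope here
        name = basename(ev["target"])
        expected_name = bool(INSTALLER_NAME.match(name))
        if ev["kind"] == "file_write" and TEMP_FOLDER.search(ev["target"]):
            # T1036.005: the updater dropping something other than the expected installer
            if not expected_name:
                findings.append(("unexpected_temp_write", name))
            # T1036.001: an executable fetched by the updater that Notepad++ did not sign
            if name.lower().endswith(".exe") and ev.get("signer") != EXPECTED_SIGNER:
                findings.append(("improperly_signed_installer", name))
        elif ev["kind"] == "process_start" and not expected_name:
            # T1202: the updater launching a child it never launches on a clean run
            findings.append(("unusual_child", name))
    return findings

# Constructed sample telemetry (not real logs): one clean run, then a poisoned one.
TEMP = r"C:\Users\admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"kind": "file_write", "actor": "gup.exe", "target": TEMP + r"\npp.8.9.1.Installer.x64.exe", "signer": "Notepad++"},
    {"kind": "process_start", "actor": "gup.exe", "target": TEMP + r"\npp.8.9.1.Installer.x64.exe", "signer": "Notepad++"},
    {"kind": "file_write", "actor": "gup.exe", "target": TEMP + r"\update.exe", "signer": None},
    {"kind": "file_write", "actor": "gup.exe", "target": TEMP + r"\log.dll", "signer": None},
    {"kind": "process_start", "actor": "gup.exe", "target": TEMP + r"\update.exe", "signer": None},
    {"kind": "file_write", "actor": "explorer.exe", "target": TEMP + r"\notes.txt", "signer": None},
]

if __name__ == "__main__":
    for rule, name in triage(SAMPLE_EVENTS):
        print(f"{rule:30} {name}")
```

The clean run produces no findings; the poisoned run is flagged three ways, so a single alert on any of these rules is worth a look even if the others are tuned down.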

Indicators of Compromise

  • [File Hashes] Malicious installer/backdoor hashes – 1f6d28370f4c2b13f3967b38f67f77eee7f5fba9e7743b6c66a8feb18ae8f33e, a3cf1c86731703043b3614e085b9c8c224d4125370f420ad031ad63c14d6c3ec, and 1 more hash
  • [Domains] Malicious or infrastructure domains used for updates and DNS endpoints – skycloudcenter[.]com, self-dns[.]it[.]com, and 2 more domains (safe-dns[.]it[.]com, cdncheck[.]it[.]com)
  • [IPv4 Addresses] Command-and-control and download hosts – 45.76.155[.]202, 45.77.31[.]210, and 4 more IPs (45.32.144[.]255, 95.179.213[.]0, 61.4.102[.]97, 59.110.7[.]32)
  • [URLs / Download Paths] Malicious update payload locations observed – 45[.]76[.]155[.]202/update/update.exe, 45[.]32[.]144[.]255/update/update.exe, and other paths such as 95[.]179[.]213[.]0/update/AutoUpdater.exe
  • [File Names / Components] Malicious or abused filenames and libraries – update.exe (NSIS installer), log.dll (malicious library sideloaded), and BluetoothService.exe (renamed legitimate component abused for sideloading)

Read more: https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/