Notepad++ Supply Chain Attack Delivers Chrysalis

by CyberNewsAI Admin
Threat Intelligence, Vulnerability Watch

Executive Summary

A supply chain compromise targeting the infrastructure of the popular open-source editor Notepad++ has been attributed, with medium confidence, to the China-linked threat actor Lotus Blossom. The adversary compromised the hosting provider to hijack update traffic, selectively delivering a previously undocumented backdoor named Chrysalis to users running outdated versions of the software. The activity occurred between June 2025 and December 2, 2025. The attack vector exploited insufficient update verification controls, which have since been patched. The actor leveraged a mix of custom malware and commodity frameworks, demonstrating an evolution in tradecraft.

Key Findings

Attribution

Analysis by Rapid7 attributes the attack to Lotus Blossom (also known as Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip) with medium confidence. This attribution is based on tactical overlaps with prior campaigns, specifically the use of DLL side-loading with legitimate security vendor executables.

Attack Vector

The primary vector was the compromise of the Notepad++ hosting provider. This allowed the adversary to perform targeted traffic redirection for update requests. Users with older versions of Notepad++ were selectively redirected to malicious servers to download a tampered update.

Exploited Vulnerability

The threat actor exploited insufficient update verification controls in Notepad++ versions prior to 8.8.9. This weakness allowed the tampered update package to be executed without proper validation. The vulnerability was patched in December 2025.

Attack Timeline

The malicious activity began in June 2025. The threat actor's access to the compromised hosting provider was terminated on December 2, 2025. Notepad++ has since migrated to a new, more secure hosting provider and rotated all credentials.

Technical Analysis

Infection Chain

The attack sequence begins with the legitimate execution of notepad++.exe and its updater, GUP.exe. The compromised infrastructure redirects the update process to download a malicious installer, update.exe, from the IP address 95[.]179[.]213[.]0.

Malware Components

The update.exe file is a Nullsoft Scriptable Install System (NSIS) installer containing several components:

  • BluetoothService.exe: A renamed, legitimate version of the Bitdefender Submission Wizard, used to facilitate a DLL side-loading attack.
  • log.dll: A malicious DLL that is side-loaded by BluetoothService.exe.
  • BluetoothService: The encrypted Chrysalis shellcode payload, which is decrypted and executed by log.dll.

Payload: Chrysalis Backdoor

Chrysalis is a bespoke, feature-rich implant. Upon execution, it gathers system information and establishes contact with a command-and-control (C2) server at api.skycloudcenter[.]com. While the C2 is currently offline, analysis reveals the backdoor's capabilities include spawning an interactive shell, creating processes, performing file operations, uploading/downloading files, and self-uninstallation.

Advanced Adversary Tradecraft

The analysis identified further tooling, including a custom loader for a Cobalt Strike beacon. This loader, named ConsoleApplication2.exe, is notable for its use of Microsoft Warbird, an undocumented internal code protection and obfuscation framework. The actor adapted a public proof-of-concept for this technique released by Cirosec in September 2024. This rapid weaponization of public research, combined with the use of custom malware (Chrysalis) and commodity tools (Metasploit, Cobalt Strike), highlights the actor's evolving and adaptive playbook.

Mitigation & Response

Immediate Actions

All users of Notepad++ must ensure they are running version 8.8.9 or later to patch the exploited update verification weakness.

Threat Hunting

Security teams should hunt for the IOCs provided below. Specifically, search network logs for any communication with the malicious IP or C2 domain. Forensically examine systems for the presence of the malicious update.exe installer or evidence of DLL side-loading using BluetoothService.exe.
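The following script is an added example (not Rapid7's or the Notepad++ project's code) that turns the infection chain described above and the hunting guidance in this section into checks a defender can run over endpoint and proxy telemetry. It uses only the indicators published on this page; the event schema (simplified Sysmon-style dictionaries with "event", "image", "parent", "loaded" and "dest" keys), the host names, user names and file paths in the sample telemetry are assumptions constructed for the demonstration. It also includes the version comparison needed for the Immediate Actions step (8.8.9 or later).

```python
"""Hunt simplified endpoint/proxy events for the Notepad++ / Chrysalis indicators.

Added example; the event schema and sample telemetry are constructed, the
indicator values are the ones published in the report above.
"""
import ntpath


def refang(text):
    """Turn a defanged indicator ('a[.]b') back into a matchable string."""
    return text.replace("[.]", ".")


# Indicators from the report, kept defanged in source and refanged at load time.
MALICIOUS_IP = refang("95[.]179[.]213[.]0")
C2_DOMAIN = refang("api.skycloudcenter[.]com")
SIDELOAD_HOST = "bluetoothservice.exe"   # renamed Bitdefender Submission Wizard
SIDELOAD_DLL = "log.dll"                 # malicious DLL side-loaded by it
SUSPICIOUS_PROCESSES = {"update.exe", "consoleapplication2.exe"}
PATCHED_VERSION = (8, 8, 9)              # first release with fixed update verification


def parse_version(text):
    """'8.8.9' -> (8, 8, 9); tolerates a trailing suffix such as ' (64-bit)'."""
    return tuple(int(part) for part in text.split()[0].split("."))


def is_patched(text):
    """True when an installed Notepad++ version string is 8.8.9 or later."""
    return parse_version(text) >= PATCHED_VERSION


def file_name(path):
    """Lower-cased file name of a Windows (or POSIX) path, on any host OS."""
    return ntpath.basename(path).lower()


def matches_c2(dest):
    """Exact IP match, or the C2 domain and any of its subdomains."""
    dest = dest.lower().rstrip(".")
    return dest == MALICIOUS_IP or dest == C2_DOMAIN or dest.endswith("." + C2_DOMAIN)


def hunt(events):
    """Return (rule_name, event) pairs for every event that matches an indicator."""
    hits = []
    for ev in events:
        kind = ev.get("event")
        if kind == "network" and matches_c2(ev.get("dest", "")):
            hits.append(("network_ioc", ev))
        elif (kind == "image_load" and file_name(ev["image"]) == SIDELOAD_HOST
              and file_name(ev["loaded"]) == SIDELOAD_DLL):
            hits.append(("dll_sideload", ev))
        elif kind == "process_create" and file_name(ev["image"]) in SUSPICIOUS_PROCESSES:
            # File names alone are low-fidelity; the parent is kept in the hit so
            # an analyst can see whether GUP.exe (the updater) spawned the installer.
            hits.append(("suspicious_process", ev))
    return hits


# Constructed sample telemetry: hosts, users and paths are invented.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "ws01",
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "parent": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"event": "process_create", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"event": "image_load", "host": "ws01",
     "image": r"C:\ProgramData\Bluetooth\BluetoothService.exe",
     "loaded": r"C:\ProgramData\Bluetooth\log.dll"},
    {"event": "image_load", "host": "ws01",
     "image": r"C:\ProgramData\Bluetooth\BluetoothService.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"event": "network", "host": "ws01", "dest": refang("api.skycloudcenter[.]com"), "port": 443},
    {"event": "network", "host": "ws02", "dest": refang("95[.]179[.]213[.]0"), "port": 80},
    {"event": "network", "host": "ws02", "dest": "updates.example.test", "port": 443},
]


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {ev['host']}: {ev}")
    for version in ("8.8.8", "8.8.9", "8.9.0 (64-bit)"):
        print(version, "patched" if is_patched(version) else "VULNERABLE")
```

Run against the sample telemetry it reports four hits: the update.exe spawned by GUP.exe, the log.dll load into BluetoothService.exe, and the two network connections to the published IP and C2 domain. The kernel32.dll load and the benign update domain are correctly ignored. Because the report publishes no file hashes, the process rule matches on names only and should be treated as a lead to triage rather than a confirmed detection; the DLL side-load and network rules are the higher-fidelity signals.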

Indicators of Compromise (IOCs)

Network IOCs

  • IP Address: 95[.]179[.]213[.]0
  • C2 Domain: api.skycloudcenter[.]com

File System IOCs

  • Malware: update.exe
  • Malicious DLL: log.dll
  • Loader: ConsoleApplication2.exe
  • Payload (Encrypted): BluetoothService
