A stealthy supply chain cyberattack targeting Notepad++ users has been linked to a Chinese state-backed hacking group, exposing a complex malware campaign that went undetected for months.
Quick Summary – TLDR:
- Notepad++ update infrastructure was hijacked, redirecting users to malicious servers.
- Chinese APT group Lotus Blossom deployed a custom malware dubbed Chrysalis.
- Attackers used advanced techniques like DLL sideloading and Microsoft Warbird abuse.
- Victims include government and financial entities across Southeast Asia and Central America.
What Happened?
Security researchers from Rapid7 and Kaspersky uncovered a sophisticated supply chain attack affecting Notepad++, a popular open-source text editor. The attackers compromised the software’s hosting infrastructure, redirecting update traffic to their own servers between June and December 2025.
Instead of exploiting Notepad++ code, the attackers intercepted software updates before they reached users. These malicious updates delivered custom malware and espionage tools to a small, highly targeted group of victims.
How the Attack Unfolded
The breach began in June 2025, when attackers infiltrated a shared hosting provider used by Notepad++. They used stolen internal credentials to redirect update traffic from certain users to attacker-controlled domains, including api.skycloudcenter.com and IP address 95.179.213.0.
According to Notepad++ maintainer Don Ho, the attack targeted users running older versions of the updater, which lacked proper verification mechanisms. The issue was addressed in version 8.8.9, released in December 2025, after the hosting provider migrated to a new platform and rotated all credentials.
Introduction of Chrysalis Malware
Once the fake update was triggered, a renamed Bitdefender tool (BluetoothService.exe) was used to sideload a malicious DLL (log.dll) into a hidden directory within %AppData%. This DLL decrypted and executed the Chrysalis backdoor, a custom-built implant with advanced remote access and evasion features.
Key capabilities of Chrysalis:
- Remote shell access and process execution.
- File transfers and system enumeration.
- Persistence through Windows service and registry.
- Encrypted communication with a now-defunct C2 server that mimicked legitimate API traffic.
The malware’s configuration was encrypted using RC4 and obfuscated with custom algorithms, including FNV-1a hashing and MurmurHash.
Use of Microsoft Warbird and Cobalt Strike
Researchers also found a second-stage loader, ConsoleApplication2.exe, which exploited Microsoft’s undocumented Warbird code protection. This loader embedded Metasploit shellcode and fetched Cobalt Strike beacons from api.wiresguard.com, showing a deliberate mix of custom tools and commodity frameworks.
Additional forensic evidence revealed the use of conf.c, a malicious source file compiled with Tiny-C-Compiler, acting as a dropper for Cobalt Strike payloads via multiple infection chains.
Global Targets and Infection Chains
Kaspersky’s analysis showed at least three distinct infection chains, used to target:
- Government agencies in the Philippines.
- Financial institutions in El Salvador.
- IT providers in Vietnam.
- Individuals in Vietnam, El Salvador, and Australia.
The attackers continuously rotated their command-and-control servers, URLs, and loader behaviors between July and October 2025. They used a variety of binaries, such as AutoUpdater.exe, install.exe, and update.exe, hosted at multiple IPs, including 45.76.155.202 and 45.32.144.255.
Indicators of Compromise (IoCs)
Security teams are advised to scan for the following IoCs:
- Files: update.exe, BluetoothService.exe, log.dll, conf.c
- Domains: api.skycloudcenter.com, api.wiresguard.com
- IPs: 95.179.213.0, 61.4.102.97, 45.76.155.202
- Behaviors: Use of NtQuerySystemInformation, suspicious DLL sideloading, hidden AppData executables
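As an added example (not code from Rapid7, Kaspersky, or the Notepad++ project), the script below runs the file, domain and IP indicators listed above, plus the sideloading pattern described earlier (a renamed executable in a hidden %AppData% directory loading log.dll from the same folder), over constructed Sysmon-style events. The field names, the sample paths and the hidden directory name are assumptions made for the example.

```python
"""Match the article's Notepad++/Chrysalis indicators against constructed endpoint
telemetry. Example code added for this article, not the researchers' own tooling."""
import ntpath
import re

# Indicators quoted in the article (file names compared case-insensitively)
IOC_FILES = {"update.exe", "bluetoothservice.exe", "log.dll", "conf.c"}
IOC_DOMAINS = {"api.skycloudcenter.com", "api.wiresguard.com"}
IOC_IPS = {"95.179.213.0", "61.4.102.97", "45.76.155.202"}

# Assumed layout of a per-user %AppData% (Roaming) folder on Windows
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\", re.IGNORECASE)


def is_appdata_sideload(image: str, loaded: str) -> bool:
    """Heuristic for the behaviour in the article: an executable running out of
    %AppData% that loads a DLL sitting in its own directory (sideloading)."""
    if not APPDATA_RE.search(image) or not loaded.lower().endswith(".dll"):
        return False
    return ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()


def classify(event: dict) -> list[str]:
    """Return the names of every indicator or behaviour the event matches."""
    hits = []
    for key in ("Image", "ImageLoaded", "TargetFilename"):
        name = ntpath.basename(event.get(key, "")).lower()
        if name in IOC_FILES:
            hits.append(f"ioc_file:{name}")
    if event.get("DestinationHostname", "").lower() in IOC_DOMAINS:
        hits.append("ioc_domain")
    if event.get("DestinationIp") in IOC_IPS:
        hits.append("ioc_ip")
    if event.get("EventType") == "ImageLoad" and is_appdata_sideload(
            event.get("Image", ""), event.get("ImageLoaded", "")):
        hits.append("behaviour:appdata_sideload")
    return hits


# Constructed sample telemetry (Sysmon-like field names; paths are placeholders)
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad",
     "Image": r"C:\Users\alice\AppData\Roaming\placeholder_hidden_dir\BluetoothService.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\placeholder_hidden_dir\log.dll"},
    {"EventType": "NetworkConnect", "Image": r"C:\placeholder\updater.exe",
     "DestinationHostname": "api.skycloudcenter.com", "DestinationIp": "95.179.213.0"},
    {"EventType": "ImageLoad", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def scan(events: list[dict]) -> list[tuple[dict, list[str]]]:
    """Pair each event with its matches, dropping events that match nothing."""
    return [(e, h) for e in events if (h := classify(e))]
```

Feeding real Sysmon event-ID 7 (ImageLoad) and 3 (NetworkConnect) records exported as dictionaries into scan() gives a first-pass triage list; the hostname and IP checks also catch an updater that was redirected even when the binary names differ.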
SQ Magazine Takeaway
I find this story incredibly alarming. This wasn’t just a quick smash-and-grab. This was a slow, deliberate infiltration of a trusted tool used by millions. What really shocks me is the level of technical craftsmanship. The attackers blended custom malware, warped public research, and ever-shifting infrastructure to keep their operation under the radar. It’s a strong reminder that even open-source projects are not immune. We must be vigilant, especially when our tools auto-update in the background. If your organization uses Notepad++, double-check your update sources and audit systems retroactively.