Between June and December 2025, the update infrastructure for the popular text editor Notepad++ was compromised, allowing threat actors to distribute malicious updates to targeted users. The breach originated from an incident at the hosting provider level, which granted the attackers access to internal services for several months.
During this period, three distinct infection chains were observed, targeting organizations in the government, financial, and IT sectors across Vietnam, El Salvador, Australia, and the Philippines [1].
In this blog post, we map out the full timeline of the incident, from the initial infrastructure breach in June to the final remediation in December 2025. We break down the three specific infection chains attackers used, including the abuse of legitimate software like ProShow, malicious Lua scripts, and the Chrysalis backdoor. Finally, we show you how to simulate these attacks to verify if your security controls can stop them.
June 2025: The incident began when threat actors compromised the update infrastructure at the hosting provider level. This access allowed them to intercept and redirect traffic destined for notepad-plus-plus.org [2].
September 2, 2025: The compromised shared hosting server underwent scheduled maintenance for kernel and firmware updates. Following this date, the attackers lost direct access to the server, as indicated by server logs [2].
September 2, 2025 – December 2, 2025: Although direct server access was lost, the attackers retained valid credentials for internal services. This allowed them to continue redirecting traffic from https://notepad-plus-plus.org/getDownloadUrl.php to malicious servers to distribute compromised updates [2].
December 2, 2025: The hosting provider completed all remediation and security hardening, including rotating all credentials. This marked the definitive end of the attacker's access to the infrastructure [2].
December 9, 2025: Notepad++ released version 8.8.9, which introduced security hardening to the updater (WinGUp) to verify the signature and certificate of downloaded installers [3].
Targeted users who ran the Notepad++ updater during this window were served a malicious executable named update.exe from the redirected download URL instead of the legitimate installer.
Detailed forensic analysis identified three primary execution chains used to deliver payloads [1].
In the first chain, a malicious NSIS installer (update.exe) was distributed from http://45.76.155[.]202/update/update.exe. Upon execution, the installer gathered system information, uploaded it to a throw-away file host (temp[.]sh) with curl, and then reported the upload's URL to the attacker by placing it in the User-Agent header of a follow-up request, so the attacker could retrieve the file [1].
The installer's script is not reproduced here; only its three commented steps survive: gather system information; upload the collected data to temp[.]sh using curl; tell the attacker the path of the uploaded file via the User-Agent header.
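The upload-then-beacon behaviour described above leaves two distinctive marks in web-proxy telemetry: a curl request to the drop host, and a request whose User-Agent is itself a URL. The following is an added detection example written for this post, not code from Kaspersky or Picus. It assumes a simple proxy log format (timestamp, client IP, method, URL, status, quoted User-Agent) and uses constructed sample lines; the IoC host and drop host are the ones quoted in the text, while the destination of the User-Agent beacon is assumed.

```python
"""Hunt proxy logs for the update.exe exfiltration pattern (added example)."""
import re
from urllib.parse import urlparse

# Network indicator quoted in the write-up (host only, de-fanged in the prose).
IOC_HOSTS = {"45.76.155.202"}
# Throw-away file host the installer uploaded system information to.
DROP_HOSTS = {"temp.sh"}

# Assumed log format, one request per line:
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample telemetry (not real data). The beacon destination on the
# third line is an assumption; the page only says the URL rode in the UA.
SAMPLE_LOG = """\
2025-11-03T09:12:44Z 10.20.1.15 GET http://45.76.155.202/update/update.exe 200 "WinGUp/5.2"
2025-11-03T09:13:01Z 10.20.1.15 POST https://temp.sh/upload 200 "curl/8.4.0"
2025-11-03T09:13:02Z 10.20.1.15 GET https://45.76.155.202/ 200 "https://temp.sh/AbCdE/sysinfo.txt"
2025-11-03T09:15:10Z 10.20.1.22 GET https://notepad-plus-plus.org/getDownloadUrl.php 200 "WinGUp/5.2"
2025-11-03T09:16:00Z 10.20.1.30 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def analyse_request(client_ip, url, user_agent):
    """Return the names of every rule a single request trips (may be several)."""
    hits = []
    host = (urlparse(url).hostname or "").lower()
    ua = user_agent.strip()
    if host in IOC_HOSTS:
        hits.append("contact_with_known_ioc_host")
    # The installer used curl, not the updater or a browser, to push the archive.
    if host in DROP_HOSTS and ua.lower().startswith("curl/"):
        hits.append("curl_upload_to_drop_host")
    # A User-Agent that is a bare URL is the "tell me where the file is" beacon.
    if re.match(r"^https?://", ua, re.IGNORECASE):
        hits.append("url_in_user_agent")
    return hits


def detect(log_text):
    """Run every rule over a log blob; return one finding per (line, rule)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the hunt
        _ts, client_ip, _method, url, _status, ua = m.groups()
        for rule in analyse_request(client_ip, url, ua):
            findings.append({"line": lineno, "client": client_ip, "rule": rule, "url": url})
    return findings


def clients_with_full_chain(findings):
    """Clients that both uploaded to the drop host and beaconed its URL in the UA.

    Either rule alone is noisy; a single host doing both in sequence is the
    behaviour the installer exhibits, so this is the alert-worthy correlation."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).add(f["rule"])
    needed = {"curl_upload_to_drop_host", "url_in_user_agent"}
    return sorted(c for c, rules in by_client.items() if needed <= rules)


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
    print("full chain on:", clients_with_full_chain(detect(SAMPLE_LOG)))
```

The host-only IoC match is deliberate: blocking the exact update.exe path would miss the later beacon to the same address. In production, swap the regex for your proxy's native fields and keep the correlation step; it is what separates a curious admin using curl from the installer's two-step upload.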
Next, the installer dropped several files into %appdata%\ProShow, including a legitimate executable, ProShow.exe, and a malicious file named "load". The attackers abused a known vulnerability in ProShow.exe to execute the payload contained in "load".
The "load" file held two shellcode regions, one at the beginning and one in the middle. The region at the beginning was random bytes, apparently a decoy to mislead researchers and automated analysis; the region in the middle was the code that actually ran. That shellcode decrypted a Metasploit downloader, which in turn fetched a second-stage shellcode for a Cobalt Strike Beacon, giving the attacker C2 communication and remote control of the host.
The second chain reused the first chain's opening steps: an NSIS installer, information gathering, upload of the collected data as a file, and a beacon telling the attacker the file's path.
After that point the chain diverged. The files were dropped into %APPDATA%\Adobe\Scripts, and they were different: the attacker now used a compiled Lua script, alien.ini [1]. What survives of the script's content is summarized below.
The script (shellcode bytes not reproduced here) stored the attacker's shellcode in a variable named scc, loaded the Alien FFI library, which lets Lua call native code, and obtained handles to the system DLLs Kernel32 and User32. The attacker built the relevant strings from concatenated fragments to evade detection.
Once the shellcode executed, the remaining steps matched the first chain: a Metasploit downloader retrieved a Cobalt Strike Beacon.
As in the two chains above, the third chain dropped its files via an NSIS installer, but both the dropped files and the target folder (%appdata%\Bluetooth\) changed.
Three files were dropped: BluetoothService.exe, log.dll, and BluetoothService. BluetoothService.exe (a renamed Bitdefender Submission Wizard) was a legitimate executable; log.dll was a malicious DLL that the legitimate executable side-loaded; and BluetoothService, with no extension, was an encrypted shellcode blob [4].
log.dll exported two functions that the legitimate executable calls, LogInit and LogWrite. LogInit reads the encrypted shellcode into memory, and LogWrite decrypts and executes it. The decrypted payload is the backdoor named "Chrysalis" [4].
Once running, Chrysalis decrypts its main module using an XOR key ("gQ2JR&9;") stored in its own structure, combined with some additional arithmetic operations.
It then decrypts its configuration with RC4 using the key "qwhvb^435h&*7". The configuration holds the C2 address, https://api.skycloudcenter[.]com/a/chat/s/70521ddf-a2ef-4adf9cf0-6d8e24aaa821; the path was shaped to resemble a DeepSeek API endpoint so that the traffic looks benign.
Chrysalis backdoor achieves persistence by changing registry keys or installing new services.
Next, it collects system information such as OS version, installed antivirus software, user name, and computer name, encrypts it with RC4 using the key "vAuig34%^325hGV", and sends the result to the C2 server taken from the decrypted configuration.
When the C2 server responds, the malware parses a specific tag to decide what to do, and a switch statement dispatches the supported commands [4].
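Both of the RC4 keys above are useful to an analyst: one unlocks a configuration dump pulled from memory, the other lets you read a captured beacon. The following is an added example for this post, not Rapid7's or Picus's code, that implements RC4 and applies the two keys. The configuration layout (null-separated key=value pairs) and the beacon's field format are assumptions for the sake of a runnable demo; the page does not describe the real layouts, and the XOR-plus-arithmetic step for the main module is not reproduced because its arithmetic is not specified.

```python
"""RC4 helpers for Chrysalis config and beacon traffic (added example)."""

CONFIG_KEY = b"qwhvb^435h&*7"    # decrypts the embedded configuration (from the page)
BEACON_KEY = b"vAuig34%^325hGV"  # encrypts the host profile sent to the C2 (from the page)
KNOWN_KEYS = {"config": CONFIG_KEY, "beacon": BEACON_KEY}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_config(blob: bytes) -> dict:
    """Decrypt a config blob and split it into fields.

    Assumed layout for this example: null-separated key=value pairs.
    The real Chrysalis layout is not described on the page."""
    plain = rc4(CONFIG_KEY, blob)
    fields = {}
    for pair in plain.split(b"\x00"):
        if b"=" in pair:
            k, v = pair.split(b"=", 1)
            fields[k.decode()] = v.decode(errors="replace")
    return fields


def build_beacon(os_version: str, av: str, user: str, host: str) -> bytes:
    """Encrypt a host profile the way the beacon does (field format assumed)."""
    profile = f"os={os_version};av={av};user={user};host={host}".encode()
    return rc4(BEACON_KEY, profile)


def guess_key(blob: bytes):
    """Try each documented key; report the one whose output is mostly printable.

    Handy when triaging an unknown RC4 blob carved from memory or a pcap."""
    for name, key in KNOWN_KEYS.items():
        plain = rc4(key, blob)
        printable = sum(32 <= b < 127 or b in (0, 9, 10, 13) for b in plain)
        if plain and printable >= 0.9 * len(plain):
            return name
    return None


# Constructed sample: encrypt a plausible config so the decrypt path has input.
# The C2 URL is the one quoted in the text; the "sleep" field is invented.
SAMPLE_CONFIG = rc4(
    CONFIG_KEY,
    b"c2=https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf9cf0-6d8e24aaa821"
    b"\x00sleep=60\x00",
)

if __name__ == "__main__":
    print("config:", decrypt_config(SAMPLE_CONFIG))
    beacon = build_beacon("10.0.19045", "Windows Defender", "alice", "WS01")
    print("beacon key guess:", guess_key(beacon))
    print("beacon plaintext:", rc4(BEACON_KEY, beacon))
```

Because RC4 is symmetric, the same rc4() call both produces the sample blob and decrypts it; the guess_key() step is the part you would actually reach for first on an unlabelled blob, since it tells you whether you are looking at configuration or at beacon traffic before you parse anything.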
We also strongly suggest simulating Notepad++ supply chain attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the Notepad++ supply chain attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 45860 | Chrysalis Loader Download Threat | Network Infiltration |
| 46302 | Chrysalis Loader Email Threat | E-mail Infiltration |
| 43925 | Lotus Blossom Threat Group Campaign Malware Download Threat | Network Infiltration |
| 30443 | Lotus Blossom Threat Group Campaign Malware Email Threat | E-mail Infiltration |
| 93730 | Lotus Blossom Threat Group Notepad++ Supply Chain Attack Campaign | Windows Endpoint |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
[1] G. Kucherin, “The Notepad++ supply chain attack — unnoticed execution chains and new IoCs,” Kaspersky. Accessed: Feb. 13, 2026. [Online]. Available: https://securelist.com/notepad-supply-chain-attack/118708/
[2] “Notepad++ Hijacked by State-Sponsored Hackers.” Accessed: Feb. 13, 2026. [Online]. Available: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
[3] “Notepad++ v8.8.9 release: Vulnerability-fix.” Accessed: Feb. 13, 2026. [Online]. Available: https://notepad-plus-plus.org/news/v889-released/
[4] I. Feigl, “The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit,” Rapid7. Accessed: Feb. 13, 2026. [Online]. Available: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/