Sophisticated Supply Chain Attack Targets Notepad++ Users in Espionage Campaign
Researchers have identified a highly advanced supply chain attack targeting users of the popular text editor Notepad++, attributed to Lotus Blossom, a Chinese advanced persistent threat (APT) group active since 2009. The campaign, uncovered through forensic analysis, involved the compromise of Notepad++’s distribution infrastructure to deliver Chrysalis, a previously undocumented custom backdoor with extensive remote access and evasion capabilities.
The attack began with the execution of notepad++.exe and GUP.exe (Notepad++’s updater), which downloaded a malicious update.exe, an NSIS installer, from the IP address 95.179.213.0. This installer deployed a renamed Bitdefender Submission Wizard executable to the hidden %AppData%\Bluetooth directory, leveraging DLL sideloading to execute a malicious log.dll. The DLL decrypted the Chrysalis backdoor using a combination of linear congruential generators, FNV-1a hashing, and MurmurHash finalization, along with custom cryptographic algorithms.
Chrysalis is a feature-rich implant with 15 distinct command capabilities, including:
- Interactive reverse shells (command 4T)
- Remote process execution (4V)
- File operations (4Y, 4W, 4X)
- File transfer protocols (4c, 4d)
- Self-removal (4)
- Drive enumeration (4_)
The backdoor communicates with a command-and-control (C2) server at https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821, designed to mimic Deepseek API traffic to evade detection. The domain resolves to a Malaysian IP (61.4.102.97), with communications using a standard browser user agent. Persistence is achieved via a Windows service or registry modifications, while a mutex (Global\Jdhfv_1.0.1) prevents multiple instances.
Further analysis revealed the use of ConsoleApplication2.exe, a loader exploiting Microsoft’s undocumented Warbird code protection framework. The loader invokes NtQuerySystemInformation with the SystemCodeFlowTransition parameter (0xB9) to execute Metasploit shellcode within a Microsoft-signed binary, enabling the download of Cobalt Strike beacons from api.wiresguard.com/users/system. Additional payloads were delivered via http-get (api.wiresguard.com/update/v1) and http-post (api.wiresguard.com/api/FileUpload/submit) endpoints.
Forensic evidence also uncovered a renamed Tiny-C-Compiler executing malicious C source code from conf.c, which employed rolling XOR decryption before transferring execution to Cobalt Strike. Four additional loader variants were identified, sharing identical Cobalt Strike configurations and a common public key, indicating a coordinated campaign.
Attribution to Lotus Blossom is supported by tactical overlaps, including the Bitdefender Submission Wizard DLL sideloading technique and shared infrastructure indicators. The campaign demonstrates a significant evolution in tradecraft, blending custom malware with commodity frameworks and rapidly operationalizing public security research. Key indicators of compromise include hidden executables in %AppData%, NtQuerySystemInformation abuse, and suspicious Deepseek-style API traffic.
Source: https://cyberpress.org/notepad-supply-chain-hack-exposed/
Notepad++ cybersecurity rating report: https://www.rankiteo.com/company/notepad-plus-plus
{
  "id": "NOT1770169941",
  "linkid": "notepad-plus-plus",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Notepad++ users globally",
      "industry": "Technology/Software Development",
      "name": "Notepad++",
      "type": "Software Vendor"
    }
  ],
  "attack_vector": [
    "Compromised distribution infrastructure",
    "DLL sideloading",
    "Malicious updater (GUP.exe)",
    "Warbird code protection framework exploitation"
  ],
  "data_breach": {
    "data_exfiltration": "Possible (Chrysalis backdoor supports file transfer)",
    "personally_identifiable_information": "Possible (if targeted)",
    "sensitivity_of_data": "High (if PII or proprietary data was accessed)",
    "type_of_data_compromised": [
      "Potentially sensitive files",
      "System information",
      "User data"
    ]
  },
  "description": "Researchers identified a highly advanced supply chain attack targeting users of the popular text editor Notepad++, attributed to Lotus Blossom, a Chinese advanced persistent threat (APT) group. The campaign involved the compromise of Notepad++’s distribution infrastructure to deliver Chrysalis, a custom backdoor with extensive remote access and evasion capabilities.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to Notepad++ due to compromised distribution",
    "data_compromised": "Potential data exfiltration (Chrysalis backdoor capabilities)",
    "identity_theft_risk": "High (if PII was exfiltrated)",
    "operational_impact": "Remote access and control of affected systems",
    "systems_affected": [
      "Notepad++ users' systems",
      "Compromised distribution servers"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": [
      "Chrysalis backdoor",
      "Cobalt Strike beacons"
    ],
    "entry_point": "Compromised Notepad++ distribution infrastructure"
  },
  "investigation_status": "Ongoing",
  "motivation": "Espionage",
  "post_incident_analysis": {
    "corrective_actions": [
      "Secure distribution channels for software updates",
      "Implement code signing and integrity checks for updaters",
      "Monitor for abuse of undocumented Windows APIs",
      "Enhance detection for custom malware like Chrysalis"
    ],
    "root_causes": [
      "Compromise of Notepad++ distribution infrastructure",
      "Exploitation of DLL sideloading and undocumented Windows features (Warbird framework)",
      "Use of custom cryptographic algorithms to evade detection"
    ]
  },
  "recommendations": [
    "Monitor for suspicious activity related to Notepad++ updates",
    "Check for hidden executables in %AppData%\\Bluetooth",
    "Inspect NtQuerySystemInformation calls for SystemCodeFlowTransition parameter abuse",
    "Block or monitor traffic to api.skycloudcenter.com and api.wiresguard.com",
    "Update detection rules for DLL sideloading and Warbird framework exploitation"
  ],
  "references": [
    { "source": "Cybersecurity Research Report" }
  ],
  "threat_actor": "Lotus Blossom (Chinese APT group)",
  "title": "Sophisticated Supply Chain Attack Targets Notepad++ Users in Espionage Campaign",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": [
    "DLL sideloading",
    "NtQuerySystemInformation abuse (SystemCodeFlowTransition parameter)",
    "Undocumented Warbird framework"
  ]
}
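A host-triage script that checks a Windows machine for the indicators the article lists and the record's recommendations call for, added here as an example; it is not code from the article, the researchers or rankiteo. It assumes a Windows host with the DnsClient and NetTCPIP modules available; the directory, DLL, mutex, domains and IP are the report's values, while the variable names and output format are the example's own.

```powershell
# Added host-triage example, not from the article or the rankiteo record.
# Directory, DLL, mutex, domain and IP values are the report's; the rest is assumed.
$Findings = @()

# 1. Hidden %AppData%\Bluetooth directory with the sideloaded log.dll beside a signed EXE
$Dir = Join-Path $env:APPDATA 'Bluetooth'
if (Test-Path $Dir) {
    $Findings += "Directory exists: $Dir (attributes: $((Get-Item $Dir -Force).Attributes))"
    foreach ($f in Get-ChildItem $Dir -Force -File -ErrorAction SilentlyContinue) {
        $sig = Get-AuthenticodeSignature $f.FullName
        $Findings += ('  {0}  signature={1}  signer={2}' -f $f.Name, $sig.Status, $sig.SignerCertificate.Subject)
    }
}

# 2. Chrysalis mutex Global\Jdhfv_1.0.1 (only present while the implant runs)
try {
    $m = [System.Threading.Mutex]::OpenExisting('Global\Jdhfv_1.0.1'); $m.Dispose()
    $Findings += 'Mutex Global\Jdhfv_1.0.1 is present: Chrysalis may be running'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present: nothing to report
} catch [System.UnauthorizedAccessException] {
    $Findings += 'Mutex Global\Jdhfv_1.0.1 exists but is not accessible (run elevated)'
}

# 3. Network indicators: C2 domains in the DNS cache, live connections to the C2 IP
$Domains = 'api.skycloudcenter.com', 'api.wiresguard.com'
foreach ($e in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ($Domains -contains $e.Entry) { $Findings += "DNS cache: $($e.Entry) -> $($e.Data)" }
}
foreach ($c in Get-NetTCPConnection -RemoteAddress '61.4.102.97' -ErrorAction SilentlyContinue) {
    $Findings += "Connection to C2 IP 61.4.102.97 from PID $($c.OwningProcess)"
}

# 4. Persistence (service or registry Run key) that points into the hidden directory
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $RunKeys) {
    foreach ($p in (Get-ItemProperty $k -ErrorAction SilentlyContinue).PSObject.Properties) {
        if ("$($p.Value)" -like '*\Bluetooth\*') { $Findings += "Run key $k\$($p.Name) -> $($p.Value)" }
    }
}
foreach ($s in Get-CimInstance Win32_Service) {
    if ("$($s.PathName)" -like '*\Bluetooth\*') { $Findings += "Service $($s.Name) -> $($s.PathName)" }
}

if ($Findings.Count -eq 0) { 'No indicators from the report were found on this host.' } else { $Findings }
```

Run it elevated so the HKLM key, service list and Global mutex are readable. The NtQuerySystemInformation/SystemCodeFlowTransition recommendation needs kernel or EDR telemetry rather than a user-mode script like this one.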