The world’s most popular text editor, Notepad++, has revealed a sophisticated six-month hijacking of its update infrastructure. Attributed to the Chinese state-sponsored group “Lotus Blossom,” the breach allowed hackers to deliver a custom backdoor called “Chrysalis” to high-value targets. Here is the full technical breakdown and how to secure your systems.

The Six-Month Silent Breach
Between June 2025 and December 2, 2025, the update infrastructure for Notepad++ was compromised at the hosting provider level. This was not a vulnerability in the Notepad++ code itself, but a targeted “infrastructure-level” hijack.
By compromising the shared hosting environment, attackers intercepted update requests from specific users and redirected them to malicious servers. These servers delivered a tampered update containing the Chrysalis backdoor, a feature-rich espionage tool.
While millions of users remained unaffected, the campaign was surgical, focusing on telecommunications, financial services, and government entities in Southeast Asia and Central America.
Timeline of the Hijack
- June 2025: Initial compromise of the shared hosting provider. Attackers gain access to the server supporting notepad-plus-plus.org.
- July – October 2025: Attackers rotate C2 infrastructure and payloads monthly to evade detection.
- September 2, 2025: Hosting provider performs maintenance (kernel/firmware updates). Attackers lose direct server access but retain stolen internal service credentials.
- October 2025: Security researcher Kevin Beaumont identifies suspicious activity originating from Notepad++ processes.
- December 2, 2025: The breach is definitively terminated after the hosting provider rotates all credentials and fixes the underlying vulnerabilities.
- February 2, 2026: Official disclosure by Notepad++ maintainer Don Ho.
The Anatomy of the Attack: How They Did It
Infrastructure Redirection
The attackers didn’t need to hack the Notepad++ software. Instead, they compromised the hosting provider. When a user’s WinGUP updater (the legacy Notepad++ update tool) checked for updates, the request to getDownloadUrl.php was intercepted.
The attackers used IP-based filtering to selectively target specific victims. If a “valuable” IP checked for an update, the server returned a URL pointing to a malicious NSIS installer (update.exe) hosted on attacker-controlled IPs like 95.179.213.0.

Exploiting Legacy Updater Weaknesses
Older versions of Notepad++ (prior to v8.8.9) utilized a WinGUP updater that lacked robust certificate and signature verification. The updater essentially “trusted” the URL provided by the server, allowing the execution of unsigned or mis-signed malicious binaries.
The Chrysalis Backdoor & Payload Delivery
The primary payload, dubbed Chrysalis, is a sophisticated, custom-built implant.
- The Loader: The malicious update.exe (an NSIS installer) drops a renamed version of a legitimate Bitdefender binary (BluetoothService.exe) into %AppData%.
- DLL Sideloading: The renamed binary is used to sideload a malicious DLL (log.dll), which then decrypts and executes the Chrysalis shellcode.
- Evasion Techniques: Chrysalis uses custom API hashing (FNV-1a and MurmurHash) and layered obfuscation. It even abuses Microsoft’s Warbird (an internal code-protection framework) to execute shellcode within legitimately signed memory space.
- C2 Mimicry: The malware’s communication often mimics legitimate traffic. One variant used a C2 URL (api.skycloudcenter.com) designed to look like a DeepSeek API endpoint to blend into corporate network logs.
Technical Indicators (IoCs) to Watch For
If you suspect a system was compromised during the June–December window, hunt for these indicators:
| Type | Value/Detail |
|---|---|
| Malicious IP | 95.179.213.0, 45.76.155.202, 51.91.79.17 |
| C2 Domains | api.skycloudcenter.com, api.wiresguard.com, temp.sh |
| Persistence | Hidden %AppData%\Bluetooth or %AppData%\Adobe\Scripts directories |
| Files | update.exe in %TEMP%, log.dll, BluetoothService.exe |
| Behavior | gup.exe spawning reconnaissance commands: whoami, tasklist, netstat -ano |
Who is Lotus Blossom?
Many have attributed this campaign to Lotus Blossom (also known as Billbug, Bronze Elgin, or Thrip). This state-sponsored actor has been active since at least 2009. Historically, they focus on long-term espionage against:
- Government organizations (specifically in the Philippines and Vietnam).
- Telecommunications providers.
- Financial institutions in Central America (El Salvador).
The surgical nature of the Notepad++ hijack—redirecting only specific IP ranges—is a hallmark of Lotus Blossom’s high-stealth tradecraft.
How to Secure Your Notepad++ Installation
Notepad++ has officially migrated to a new, high-security hosting provider. However, the onus is on users to ensure they are no longer running the compromised update path.
- Manual Update Required: Do not rely on the auto-updater if you are on a version older than v8.8.9. Download v8.9.1 (or the latest version) manually from the official Notepad++ website.
- Verify Digital Signatures: Ensure the installer you download is digitally signed by “Notepad++”.
- Credential Rotation: If you are a developer or admin who used Notepad++ to manage SSH keys, FTP credentials, or MySQL databases during the breach period, change those passwords immediately.
- Endpoint Scanning: Use the IoCs provided above to scan for the Chrysalis backdoor. Traditional AV may miss it due to the DLL sideloading and Warbird obfuscation techniques.
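To make the IoC table and the endpoint-scanning step above concrete, here is an added hunting routine (example code written for this article, not a tool from the Notepad++ project or any vendor). It runs the article's indicators over a handful of constructed, Sysmon-like process, network and file events; the event field names and the sample rows are assumptions for illustration.

```python
from typing import Dict, Iterable, List

# Indicators taken from the article's IoC table; event shapes below are assumed.
MALICIOUS_IPS = {"95.179.213.0", "45.76.155.202", "51.91.79.17"}
C2_DOMAINS = {"api.skycloudcenter.com", "api.wiresguard.com", "temp.sh"}
PERSIST_DIRS = ("\\appdata\\roaming\\bluetooth\\", "\\appdata\\roaming\\adobe\\scripts\\")
RECON_CMDS = {"whoami", "tasklist", "netstat"}
DROPPED_FILES = {"log.dll", "bluetoothservice.exe"}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return one finding per event matching a Chrysalis indicator. Events use a
    simplified Sysmon-like shape assumed here: 'proc', 'net' or 'file'."""
    findings = []
    for ev in events:
        kind, hit = ev.get("type"), None
        if kind == "proc":
            parent, child = _basename(ev["parent"]), _basename(ev["image"])
            # The legacy updater has no reason to launch discovery tooling.
            if parent == "gup.exe" and child[:-4] in RECON_CMDS:
                hit = f"gup.exe spawned recon command: {ev['cmdline']}"
            # Renamed Bitdefender binary executing out of %AppData% (sideload host).
            elif child == "bluetoothservice.exe" and "\\appdata\\" in ev["image"].lower():
                hit = f"sideload host run from AppData: {ev['image']}"
        elif kind == "net":
            if ev.get("dst_ip") in MALICIOUS_IPS or ev.get("dst_host", "").lower() in C2_DOMAINS:
                hit = f"connection to known C2: {ev.get('dst_host') or ev.get('dst_ip')}"
        elif kind == "file":
            path, name = ev["path"].lower().replace("/", "\\"), _basename(ev["path"])
            dropper = name == "update.exe" and "\\temp\\" in path
            if dropper or name in DROPPED_FILES or any(d in path + "\\" for d in PERSIST_DIRS):
                hit = f"suspect file write: {ev['path']}"
        if hit:
            findings.append(hit)
    return findings

# Constructed sample telemetry (not real logs): two benign rows and four indicator hits.
SAMPLE_EVENTS = [
    {"type": "proc", "parent": r"C:\Program Files\Notepad++\updater\gup.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"type": "proc", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe", "cmdline": "notepad++.exe"},
    {"type": "net", "dst_host": "api.skycloudcenter.com", "dst_ip": "203.0.113.10"},
    {"type": "net", "dst_host": "notepad-plus-plus.org", "dst_ip": "203.0.113.11"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
]
```

Feed it exported EDR or Sysmon events mapped onto the three shapes; the gup.exe-to-recon parent/child check is the most durable of the indicators, since domains and IPs were rotated monthly.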
Frequently Asked Questions (FAQ)
Q: Was the Notepad++ source code hacked?
A: No. The source code on GitHub remained secure. The attackers compromised the server that tells the app where to download updates.
Q: Am I at risk if I just use Notepad++ for notes?
A: Unless you are part of a targeted organization (Telecom, Gov, Finance) in the Southeast Asia or Central America regions, the risk is low. However, everyone should update to the latest version to close the security gap.
Q: Why did it take six months to find?
A: The attackers were incredibly selective. By only serving malware to a few dozen machines out of millions, they avoided triggering the broad telemetry of security firms for months.
The Verdict
The Notepad++ incident is a chilling reminder of the fragility of the software supply chain. Even a “simple” text editor can be weaponized into a high-level espionage tool when its distribution infrastructure is seized.
Recommendation: Update to Notepad++ v8.9.1+ manually today.