In late January 2026, security researchers at Rapid7 and Kaspersky independently published findings that sent a chill through the developer community: Notepad++, one of the most widely used text editors on Windows with over 100 million downloads, had its official update mechanism hijacked by a Chinese state-sponsored group for roughly six months.
The attack, now tracked as CVE-2025-15556 (CVSS 7.7 High), wasn't a vulnerability in Notepad++ itself. It was a compromise of the hosting infrastructure that allowed attackers to selectively intercept update traffic and deliver a sophisticated backdoor to hand-picked targets.
What Happened
The timeline tells a story of patient, methodical espionage:
- June 2025: Attackers compromise Notepad++'s shared hosting provider, gaining the ability to intercept and redirect update traffic for notepad-plus-plus.org.
- July–October 2025: Active payload delivery begins. Attackers constantly rotate C2 server addresses, downloaders, and final payloads to evade detection.
- September 2, 2025: The hosting provider identifies and terminates the server-level compromise.
- September–December 2025: Despite losing server access, the attackers retain credentials to internal hosting services and continue redirecting update traffic.
- December 2, 2025: All attacker access is definitively terminated.
- January 2026: Rapid7 and Kaspersky publish independent analyses.
The attack was highly selective. Most users received legitimate updates as normal. Only traffic from specific targets — individuals and organizations in Vietnam, the Philippines, El Salvador, and Australia — was redirected to attacker-controlled servers.
The Attack Chain
The technical execution was textbook advanced persistent threat (APT) tradecraft:
1. Infrastructure Compromise
Rather than attacking Notepad++'s source code or build pipeline, the attackers went after the hosting provider. This gave them a man-in-the-middle position on update traffic without modifying a single line of Notepad++ code. The root cause was that older versions of WinGUp (Notepad++'s custom updater) did not perform cryptographic validation of the update manifest XML or the downloaded installer.
2. Trojanized NSIS Installer
When a targeted user checked for updates, their traffic was redirected to a malicious server that served a poisoned NSIS installer — a packaging format commonly used by Chinese APT groups for initial payload delivery.
The installer contained three components:
- BluetoothService.exe — a renamed, legitimate Bitdefender Submission Wizard binary
- log.dll — a malicious DLL designed to be sideloaded by the Bitdefender binary
- BluetoothService — an encrypted shellcode blob
3. DLL Sideloading
When the installer executed, it dropped these files and launched BluetoothService.exe. The legitimate Bitdefender binary then loaded log.dll from its working directory (a classic DLL sideloading technique), which decrypted and executed the shellcode.
4. The Chrysalis Backdoor
The final payload was a custom backdoor that Rapid7 dubbed Chrysalis — a feature-rich, purpose-built implant with capabilities including:
- Interactive shell spawning
- Arbitrary process creation
- File upload and download
- File system operations
- Self-uninstallation
What makes Chrysalis notable is its evasion sophistication. The malware uses Microsoft's proprietary Warbird code protection framework — an undocumented obfuscation system — along with custom API hashing, undocumented system calls (NtQuerySystemInformation), and layered shellcode encryption. This isn't a commodity tool. It's purpose-built for long-term espionage.
In some cases, researchers also observed Cobalt Strike and Metasploit payloads being delivered alongside Chrysalis.
Who Did This
Multiple independent research teams — Rapid7, Kaspersky GReAT, and others — attributed the attack to Lotus Blossom (also tracked as Billbug, Lotus Panda, Raspberry Typhoon, and Thrip). Lotus Blossom is a Chinese state-sponsored espionage group that has been active since at least 2012, primarily targeting government, military, defense, and telecommunications organizations in Southeast Asia.
The targeting profile of this campaign is consistent with their historical operations: government organizations in the Philippines, telecom and IT service providers in Vietnam, and financial organizations in South America.
Why This Attack Matters
Supply chain attacks are not new. SolarWinds (2020), Codecov (2021), 3CX (2023), and XZ Utils (2024) all demonstrated the devastating potential of compromising trusted software distribution channels. But the Notepad++ attack has several characteristics that make it uniquely concerning:
1. Targeting a developer tool. Notepad++ is used daily by millions of developers, system administrators, and IT professionals — people who typically have elevated access to production systems, source code repositories, and internal networks. Compromising their workstations provides a launchpad into far more valuable targets.
2. Infrastructure-level compromise. The attackers didn't need to find a vulnerability in Notepad++ or compromise its maintainer's credentials. They went after the hosting provider — a third party that most software projects treat as a commodity service rather than a critical security dependency.
3. Selective targeting. By only redirecting traffic from specific victims, the attackers dramatically reduced their detection surface. Millions of legitimate updates proceeded normally, making it nearly impossible for the Notepad++ team to notice anomalies in their own telemetry.
4. Six-month dwell time. Even after the hosting provider revoked server access in September, the attackers maintained separate credentials that allowed them to continue the operation for another three months.
What Was Fixed
Notepad++ version 8.8.9 addressed the underlying weakness (CVE-2025-15556) with two critical changes to WinGUp, and the project also moved its hosting:
- WinGUp now verifies both the certificate and the digital signature of downloaded installers before execution
- The update manifest XML is now cryptographically signed using XMLDSig
- The Notepad++ website has been migrated to a new hosting provider with stronger security controls
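The first two fixes, written out as an added PowerShell sketch of what a hardened updater checks before it runs anything it downloaded; this is not WinGUp's own code (which is C++). It assumes a manifest.xml carrying an enveloped XMLDSig signature and a sha256 element (element name assumed) with the installer's digest, a pinned signing certificate shipped with the client, and an installer signed by a known Authenticode publisher subject.

```powershell
# Added example of the checks the fix describes; not WinGUp's code.
# Assumed: manifest.xml carries an enveloped XMLDSig <Signature>, a <sha256> element (name assumed)
# holding the installer's digest, the client ships a pinned signing certificate (update-signing.cer),
# and the installer is Authenticode-signed by a known publisher subject.
Add-Type -AssemblyName System.Security

function Get-VerifiedManifest {
    param([string]$ManifestPath, [string]$PinnedCertPath)
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true     # canonicalisation must see the exact signed bytes
    $doc.Load($ManifestPath)
    $sigNodes = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($sigNodes.Count -ne 1) { return $null }   # unsigned (or oddly multi-signed): reject
    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.LoadXml([System.Xml.XmlElement]$sigNodes[0])
    $pinned = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PinnedCertPath)
    # Verify against the pinned certificate. The parameterless CheckSignature() would take the
    # key from the manifest's own <KeyInfo>, which whoever controls the server also controls.
    if (-not $signedXml.CheckSignature($pinned, $true)) { return $null }
    return $doc
}

function Test-DownloadedInstaller {
    param([string]$InstallerPath, [string]$ExpectedSha256, [string]$ExpectedPublisher)
    # The hash binds the payload to the signed manifest, so a swapped installer is caught
    # even if it carries some other valid signature
    $actual = (Get-FileHash -Algorithm SHA256 -LiteralPath $InstallerPath).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') { return $false }     # unsigned, tampered, or untrusted chain
    # 'Valid' only means some trusted CA issued the certificate; pin the publisher as well
    return ($sig.SignerCertificate.Subject -eq $ExpectedPublisher)
}

# Pre-8.8.9 flow this replaces: fetch manifest, read the download URL, run the file. Here the
# manifest is checked before its URL is trusted, and the installer before it is executed.
$manifest = Get-VerifiedManifest -ManifestPath "$env:TEMP\manifest.xml" -PinnedCertPath "$PSScriptRoot\update-signing.cer"
if (-not $manifest) { throw 'Manifest signature check failed; not updating' }
$expectedHash = $manifest.DocumentElement.SelectSingleNode('sha256').InnerText
$installer = "$env:TEMP\update.exe"   # downloaded from the URL named in the verified manifest
$ok = Test-DownloadedInstaller -InstallerPath $installer -ExpectedSha256 $expectedHash -ExpectedPublisher 'CN=Example Publisher, O=Example'
if (-not $ok) { throw 'Installer failed hash or Authenticode check; not updating' }
Start-Process -FilePath $installer -ArgumentList '/S' -Wait   # /S is the NSIS silent-install switch
```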
What You Should Do
If your organization uses Notepad++, here's a practical checklist:
- Update immediately to version 8.8.9 or later
- Check for IOCs — Both Rapid7 and Kaspersky have published comprehensive indicator lists. A community IOC checking tool is also available on GitHub.
- Search endpoints for NSIS installer activity (update.exe, install.exe, AutoUpdater.exe) and unexpected shell activity tied to updater processes
- Check known staging directories: %APPDATA%\ProShow\, %APPDATA%\Adobe\Scripts\, %APPDATA%\Bluetooth\
- Look for known C2 domains: api.skycloudcenter.com, api.wiresguard.com
- Audit your own update mechanisms — Does your software verify signatures on downloaded updates? Do you verify the update manifest itself, or just the payload?
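The endpoint checks in this list, as an added PowerShell triage script (not a tool from Rapid7, Kaspersky or the Notepad++ project). Directory, file, process and domain names are the ones given above; it assumes an elevated PowerShell 5.1 session on the endpoint and the default Notepad++ install path.

```powershell
# Added triage script for the checklist above; not from Rapid7, Kaspersky or the Notepad++ project.
# Names below are the ones the post lists. Assumptions: run as administrator, Windows 8 or later
# (Get-DnsClientCache, Get-CimInstance), Notepad++ in its default install directory.
$StagingDirs  = @("$env:APPDATA\ProShow", "$env:APPDATA\Adobe\Scripts", "$env:APPDATA\Bluetooth")
$DroppedFiles = @('BluetoothService.exe', 'log.dll', 'BluetoothService')
$C2Domains    = @('api.skycloudcenter.com', 'api.wiresguard.com')
$UpdaterNames = @('update.exe', 'install.exe', 'AutoUpdater.exe')
$findings = New-Object System.Collections.Generic.List[string]

# 1. Staging directories and the dropped sideloading trio. The decoy EXE carries a valid
#    third-party signature while log.dll is unsigned, so report the signature status of each.
foreach ($dir in $StagingDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $findings.Add("Staging directory present: $dir")
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $DroppedFiles -contains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $sha = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            $findings.Add("Dropped file: $($_.FullName) sha256=$sha signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject)")
        }
}

# 2. Resolver cache hits for the known C2 domains (recent lookups only; pair this with
#    DNS server or Sysmon event ID 22 logs for history)
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $C2Domains) {
    if ($cache | Where-Object { $_.Entry -eq $domain }) { $findings.Add("DNS cache entry for C2 domain: $domain") }
}

# 3. Updater-named processes with a shell as a live child (point-in-time view; use
#    process-creation logs such as Sysmon event ID 1 or Security 4688 for the full history)
$procs = Get-CimInstance -ClassName Win32_Process
foreach ($u in ($procs | Where-Object { $UpdaterNames -contains $_.Name })) {
    $procs | Where-Object { $_.ParentProcessId -eq $u.ProcessId -and $_.Name -in @('cmd.exe', 'powershell.exe') } |
        ForEach-Object { $findings.Add("Updater $($u.Name) (PID $($u.ProcessId)) spawned $($_.Name): $($_.CommandLine)") }
}

# 4. Installed version (assumed default path); anything below 8.8.9 still runs the unverified updater
$npp = "$env:ProgramFiles\Notepad++\notepad++.exe"
if (Test-Path -LiteralPath $npp) {
    $ver = [version]((Get-Item -LiteralPath $npp).VersionInfo.FileVersion)
    if ($ver -lt [version]'8.8.9') { $findings.Add("Notepad++ $ver is below 8.8.9: update required") }
}

if ($findings.Count -eq 0) { 'No indicators from this post found on this host' } else { $findings }
```

Absence of hits from the cache and live-process checks is not a clean bill of health; they only see what is still resident, so follow up with historical DNS and process-creation telemetry.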
The Bigger Picture
The Notepad++ compromise is a reminder that supply chain security extends far beyond your source code and CI/CD pipeline. Your hosting provider, CDN, DNS provider, and certificate authority are all part of your software supply chain — and any of them can become a pivot point for a sophisticated adversary.
For the open-source community in particular, this attack underscores a hard truth: projects maintained by small teams or solo developers often lack the resources for defense-in-depth around their distribution infrastructure. Notepad++ is maintained primarily by a single developer, Don Ho, who responded transparently and effectively — but the attack succeeded because the updater's trust model was too simple for the threat environment it operated in.
As software supply chain attacks continue to evolve from targeting source code (XZ Utils) to targeting infrastructure (Notepad++), defenders need to think beyond code integrity and consider the entire trust chain from build to delivery.