Notepad++ Supply Chain Attack: Lotus Blossom APT Deploys Chrysalis Backdoor

CyberSecureFox 🦊

Recent investigations by Rapid7 have revealed a significant supply chain attack against the Notepad++ update infrastructure, attributed to the Chinese‑speaking Lotus Blossom APT group. The operation delivered a previously undocumented backdoor dubbed Chrysalis and turned a trusted text editor into a covert entry point for cyber‑espionage, running silently for much longer than initially assumed.

Notepad++ supply chain attack: compromised software updates

According to Notepad++ developer Don Ho, an internal review showed that the attack likely started in June 2025 and continued for roughly six months. Rather than modifying Notepad++ source code, the attackers compromised the hosting provider’s infrastructure and hijacked update traffic, transparently redirecting requests from selected users to attacker‑controlled servers.

This is a textbook supply chain attack: the compromise targeted the distribution and update channel instead of the application itself. Rapid7 telemetry showed a characteristic process chain: notepad++.exe launched the legitimate updater GUP.exe, which then spawned a suspicious update.exe. A genuine update produces the same first two steps (GUP.exe normally runs the installer it has just downloaded), so the anomalous element is the unsigned, generically named child rather than the chain itself. No artifacts suggested direct exploitation of the Notepad++ plugin system, reinforcing the conclusion that update traffic was intercepted and replaced upstream.

Multi‑stage infection chains and global espionage targets

Analysis indicates that the late‑2025 Notepad++ incident represented only the final phase of a broader, long‑running campaign. Researchers identified at least two additional infection chains active between July and September 2025, which operated independently from the later compromise.

The attackers rotated their infrastructure aggressively: domains, IP addresses, and malware hashes changed monthly. Such high operational tempo makes traditional detection based purely on Indicators of Compromise (IoCs) unreliable, as stale IoCs quickly lose relevance while infections may persist undetected.

Victims included IT service providers, government agencies, and financial institutions across Australia, Latin America, and Southeast Asia. This target profile is consistent with cyber‑espionage tradecraft: by compromising IT suppliers and ubiquitous tools like Notepad++, attackers can pivot into high‑value networks via trusted software and update channels, minimizing noise and security alerts.

Chrysalis backdoor: capabilities, delivery, and stealth techniques

The centerpiece of the operation is the Chrysalis backdoor, which was dropped onto already compromised hosts. Once executed, Chrysalis connected to the command‑and‑control (C2) server api.skycloudcenter[.]com (now offline) and provided a full set of remote‑access features.

Capabilities included an interactive shell, process creation and termination, extensive file system operations, data exfiltration and download of additional payloads, and a self‑destruct mechanism to remove traces on demand. In operational terms, Chrysalis functioned as a flexible post‑exploitation toolkit and long‑term foothold.

For delivery, the attackers used a trojanized Nullsoft Scriptable Install System (NSIS) installer. Inside it, a binary named BluetoothService.exe was in fact a renamed, legitimate Bitdefender Submission Wizard. This file was abused for DLL sideloading: a trusted, signed executable loads a malicious DLL placed alongside it, so the malicious code runs inside a process that carries the vendor's signature and reputation.

The NSIS package also contained an encrypted file named BluetoothService, holding the Chrysalis shellcode, together with a specially crafted malicious DLL. When the legitimate Bitdefender executable ran, it loaded the attacker's DLL from its own directory; the DLL then decrypted the BluetoothService file and executed the shellcode in memory. Because the host process was a genuinely signed security product binary, this layered approach made the activity look like ordinary security software behavior.
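Both behaviors described on this page, the notepad++.exe -> GUP.exe -> unexpected child chain and a signed executable loading an unsigned DLL from its own directory, are hunts a defender can run over endpoint telemetry. The script below is an added example written for this page, not Rapid7's or Notepad++'s code. The records are constructed to mimic Sysmon Event ID 1 (process create) and Event ID 7 (image load) fields; the paths, the signer names, the assumed OriginalFileName of the renamed Bitdefender binary, and the DLL name helper.dll are illustrative assumptions, not indicators from the report.

```python
"""Hunting logic for two behaviours: GUP.exe spawning something that is not a
properly signed installer, and a signed process loading an unsigned DLL that
sits beside the executable (DLL sideloading).

Added example; event records below are constructed Sysmon-style data."""
from pathlib import PureWindowsPath

UPDATER = "gup.exe"
EDITOR = "notepad++.exe"
# Assumption: a genuine Notepad++ installer carries the project's own signature.
EXPECTED_INSTALLER_SIGNER = "Notepad++"
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def find_updater_chain(events):
    """Alert on children of GUP.exe that are not a properly signed installer.
    A legitimate update also yields notepad++.exe -> GUP.exe -> installer,
    so the child's signature, not the chain alone, is the tell."""
    procs = {e["pid"]: e for e in events if e["event_id"] == 1}
    alerts = []
    for e in procs.values():
        if _name(e["parent_image"]) != UPDATER:
            continue
        gup = procs.get(e["parent_pid"])
        via_editor = gup is not None and _name(gup["parent_image"]) == EDITOR
        if e["signed"] and e["signer"] == EXPECTED_INSTALLER_SIGNER:
            continue  # expected: the updater running the real installer
        alerts.append({
            "rule": "gup-unexpected-child",
            "chain": f"{EDITOR if via_editor else '?'} -> {UPDATER} -> {_name(e['image'])}",
            "image": e["image"],
        })
    return alerts


def find_sideload_candidates(events):
    """Alert when a signed process loads an unsigned DLL from the directory
    the executable itself lives in (outside the Windows system directories).
    Also record whether the host binary was renamed, which Sysmon exposes
    through the OriginalFileName field of the process-create event."""
    procs = {e["pid"]: e for e in events if e["event_id"] == 1}
    alerts = []
    for e in events:
        if e["event_id"] != 7 or e["dll_signed"]:
            continue
        proc = procs.get(e["pid"])
        if proc is None or not proc["signed"]:
            continue
        dll_dir = _dir(e["image_loaded"])
        if dll_dir != _dir(proc["image"]) or dll_dir in SYSTEM_DIRS:
            continue
        alerts.append({
            "rule": "signed-exe-unsigned-dll-sideload",
            "image": proc["image"],
            "dll": e["image_loaded"],
            "renamed_host": proc["original_file_name"].lower() != _name(proc["image"]),
        })
    return alerts


# Constructed sample telemetry (not real IoCs). OriginalFileName of the
# Bitdefender binary and the DLL name are assumptions.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 100, "parent_pid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True, "signer": "Notepad++",
     "original_file_name": "Notepad++.exe"},
    {"event_id": 1, "pid": 200, "parent_pid": 100, "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "parent_image": r"C:\Program Files\Notepad++\notepad++.exe", "signed": True, "signer": "Notepad++",
     "original_file_name": "GUP.exe"},
    # Attacker-supplied child: unsigned, generic name, dropped in the temp folder.
    {"event_id": 1, "pid": 300, "parent_pid": 200, "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe", "signed": False, "signer": "",
     "original_file_name": "update.exe"},
    # Renamed signed vendor binary that later loads an unsigned DLL beside it.
    {"event_id": 1, "pid": 400, "parent_pid": 300, "image": r"C:\ProgramData\bt\BluetoothService.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\update.exe", "signed": True,
     "signer": "Bitdefender SRL", "original_file_name": "SubmissionWizard.exe"},
    {"event_id": 7, "pid": 400, "image_loaded": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"event_id": 7, "pid": 400, "image_loaded": r"C:\ProgramData\bt\helper.dll", "dll_signed": False},
]


if __name__ == "__main__":
    for alert in find_updater_chain(SAMPLE_EVENTS) + find_sideload_candidates(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the first rule fires once (notepad++.exe -> gup.exe -> update.exe, unsigned child) and the second fires once for helper.dll loaded by the renamed Bitdefender binary. In production the same logic maps onto an EDR or SIEM query; the signer comparison should use the certificate subject from the telemetry source rather than a display string, and the expected installer location can be tightened further once the environment's normal update path is known.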

To evade detection, the malware employed custom API hashing in both the loader and the main backdoor, multiple obfuscation layers, and generic, nondescript file names. API hashing means the binary stores numeric hashes instead of the names of the Windows functions it calls and resolves them at runtime by walking export tables, so the import table and string dump reveal nothing useful. Such techniques complicate static analysis and undermine simple signature‑based detection, aligning with trends observed in modern APT operations reported by vendors such as Mandiant.
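To make the API hashing point concrete, here is an added example (not code from the Chrysalis sample, Rapid7, or any vendor on this page) showing both sides: how a loader resolves a function from a hash by walking an export table, and how an analyst reverses the hashes once the algorithm has been recovered from the loader. The page does not describe the actual hash function used by Chrysalis; the ROR13 variant and the XOR "customization" below are generic illustrations, and the export table is a constructed stand-in for kernel32's.

```python
"""API hashing from both the loader's and the analyst's perspective.

Added example. ROR13 is a common shellcode hash, not necessarily the one
Chrysalis uses; FAKE_EXPORTS is a constructed stand-in for a real export table."""

MASK32 = 0xFFFFFFFF


def ror32(x, r):
    """Rotate a 32-bit value right by r bits."""
    x &= MASK32
    return ((x >> r) | (x << (32 - r))) & MASK32


def ror13_hash(name):
    """Classic ROR13 hash over the ASCII bytes of the name plus a NUL
    terminator, as used by many position-independent shellcode loaders."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & MASK32
    return h


def make_custom_hasher(xor_key):
    """'Custom' API hashing as malware authors often do it: a stock algorithm
    with a per-build tweak, so public rainbow tables no longer match."""
    return lambda name: ror13_hash(name) ^ xor_key


# Constructed stand-in for kernel32's export table (name -> fake address).
FAKE_EXPORTS = {
    "CreateFileW": 0x7FF00010, "VirtualAlloc": 0x7FF00020, "VirtualProtect": 0x7FF00030,
    "CreateProcessW": 0x7FF00040, "WriteFile": 0x7FF00050, "LoadLibraryA": 0x7FF00060,
    "GetProcAddress": 0x7FF00070, "DeleteFileW": 0x7FF00080,
}


def resolve_by_hash(target_hash, exports, hasher=ror13_hash):
    """What the loader does at runtime: hash every exported name and compare,
    so the wanted function name never appears anywhere in the binary."""
    for name, addr in exports.items():
        if hasher(name) == target_hash:
            return name, addr
    return None


def build_rainbow_table(names, hasher=ror13_hash):
    """What the analyst does after recovering the algorithm: precompute
    hash -> name over a large list of known Windows exports."""
    return {hasher(n): n for n in names}


def deobfuscate(hash_list, names, hasher=ror13_hash):
    """Map hashes pulled from a sample back to names; unknowns stay flagged
    (a wrong guess at the hasher shows up as a table full of unknowns)."""
    table = build_rainbow_table(names, hasher)
    return [table.get(h, f"unknown:{h:#010x}") for h in hash_list]


if __name__ == "__main__":
    # In a real sample these would be literal constants recovered from the
    # disassembly; here they are computed so the script is self-contained.
    custom = make_custom_hasher(0x5A5A5A5A)
    pulled = [custom(n) for n in ("VirtualAlloc", "VirtualProtect", "CreateProcessW")]
    pulled.append(0xDEADBEEF)  # something not in our export list
    print("plain ROR13 table:", deobfuscate(pulled, FAKE_EXPORTS))
    print("with recovered key:", deobfuscate(pulled, FAKE_EXPORTS, custom))
    print("loader resolves:", resolve_by_hash(custom("VirtualAlloc"), FAKE_EXPORTS, custom))
```

The practical lesson for detection is the second print line: a stock rainbow table returns nothing useful against a tweaked hasher, so the analyst has to lift the exact algorithm (rotation count, terminator handling, salt) from the loader before the backdoor's import list becomes readable. Behavioral detections that do not depend on strings, such as the process-chain and sideloading hunts above, are unaffected by this layer.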

Abuse of Microsoft Warbird and rapid reuse of security research

One of the most notable aspects of this campaign is the abuse of Microsoft Warbird, an internal framework that Microsoft uses to protect and obfuscate code in its own products. The attackers adapted a proof‑of‑concept exploit released in September 2024 by the German company Cirosec and used it to execute Chrysalis shellcode under the protection of Warbird‑style mechanisms.

This move effectively wrapped the malicious payload in the same defensive techniques intended for legitimate software, raising the bar for analysis and detection. It also highlights a broader pattern among advanced threat actors: the rapid operationalization of public security research. Once a technique or PoC is disclosed, sophisticated APT groups can quickly integrate it into active campaigns, often outpacing defensive controls.

Attribution to the Lotus Blossom APT group

Rapid7 and other security vendors link this activity to the Lotus Blossom APT group, also known as Lotus Panda, Billbug, Raspberry Typhoon, and Spring Dragon. This group has a long history of targeting government entities, telecommunications, aviation, critical infrastructure, and media organizations, particularly in Southeast Asia and parts of Central America.

Attribution is primarily based on overlapping tactics, techniques, and tooling. Symantec and others have previously documented Lotus Blossom using a renamed Bitdefender Submission Wizard for DLL sideloading (with a file named log.dll), along with similar execution chains and matching public keys in Cobalt Strike beacons delivered by distinct loaders. The current campaign shows the same development patterns and significant code reuse, strengthening the case for attribution.

Security implications and defensive measures for organizations

Experts stress that relying solely on known IoCs is insufficient for identifying all affected systems. During the July–September 2025 phases, the attackers used entirely different domains, IP addresses, and file hashes, suggesting that undetected infections may still exist. Frequent rotation of infrastructure and tooling further implies that additional, as yet undiscovered, infection chains may be in play.

Organizations should therefore complement IoC‑based scanning with behavioral and anomaly‑based detection. Priority areas include monitoring for unusual update traffic, verifying the integrity and provenance of installers, and deploying robust EDR/XDR solutions capable of spotting suspicious process chains, DLL sideloading patterns, and outbound C2 communications. Regular threat hunting focused on software update mechanisms and admin tools is increasingly critical.

From a strategic standpoint, security teams should model supply chain attack scenarios, maintain an accurate inventory of all external software suppliers, and apply Zero Trust principles to update components. This includes strict network segmentation for update servers, least‑privilege access for update processes, strong code‑signing validation, and detailed logging and review of all update‑related activity.

The Notepad++ incident underscores how even highly trusted developer and administration tools can become stealthy intrusion vectors. To reduce exposure to similar APT campaigns, organizations should closely follow public reports from vendors such as Rapid7 and Kaspersky, promptly integrate new IoCs and adversary TTPs into their detection logic, and regularly audit the resilience of their own software update pipelines.
