The Notepad++ supply chain attack: When a benign tool becomes a weapon for Chinese state espionage
One of the software supply chain attacks uncovered at the end of 2025 has reinforced a troubling reality of modern cybersecurity: even the most benign applications can become entry points for nation-state actors. In early 2026, Rapid7 Labs publicly disclosed an attack campaign believed to be carried out by the APT group Lotus Blossom (Billbug), a Chinese state-sponsored espionage group. The attackers compromised the hosting infrastructure that serves Notepad++ updates and used it to deliver a new backdoor, named Chrysalis by Rapid7, to a small set of carefully selected targets.
Lotus Blossom profile: Asia’s persistent cyber spy
Lotus Blossom, also known by several other names such as Billbug (Symantec), Spring Dragon (Kaspersky), Thrip, Lotus Panda, and Bronze Elgin, is a Chinese APT group with a history of attacks spanning more than a decade. The group was first publicly identified in 2015 by Palo Alto Networks when it released a report on “Operation Lotus Blossom”, linking the group to more than 50 attacks over the preceding three years. Since then, Lotus Blossom has become one of Asia’s most persistent cyber-espionage actors.
The group primarily operates in Southeast Asia, including Vietnam, the Philippines, Thailand, Cambodia, Malaysia, Indonesia, Hong Kong, and Taiwan. Its targets typically include government agencies, military organizations, telecommunications companies, aviation and transportation sectors, media organizations, and critical infrastructure – sectors closely tied to China’s strategic interests, particularly regarding the South China Sea. The group’s attack techniques have evolved from early basic phishing campaigns to more sophisticated methods, including exploiting public-facing applications and leveraging legitimate cloud services as C2 (Command & Control) servers.
Timeline of the attack: From initial access to discovery
The Notepad++ attack began in June 2025, when Lotus Blossom, or actors working on their behalf, quietly infiltrated the shared hosting infrastructure used by Notepad++. It is important to note that the attackers did not exploit any vulnerability in the Notepad++ source code itself. Instead, they compromised the hosting provider layer: the servers that host the project website and serve its update files.
Over the six months from June to December 2025, the attackers used that access to intercept and redirect update traffic for selected Notepad++ users. When a Windows user ran Notepad++ and triggered the WinGUp updater (the automatic update utility), instead of receiving a legitimate update from notepad-plus-plus.org, selected users were redirected to attacker-controlled servers to download update.exe, an NSIS (Nullsoft Scriptable Install System) installer carrying malicious code.
Although the hosting infrastructure was rebuilt in September 2025 after the provider applied kernel and firmware updates, the attackers retained access through stolen internal service credentials. As a result, they continued redirecting Notepad++ traffic until December 2, 2025, when their remaining access was revoked.
Chrysalis backdoor: The core tool of the campaign
The main payload delivered through this access vector was a previously undocumented backdoor that Rapid7 named “Chrysalis”. Chrysalis is not a throwaway first-stage tool; it is a carefully developed, full-featured implant built to maintain access over long periods.
Chrysalis contains a wide range of powerful command-and-control capabilities, indicating it was designed for long-term use:
- Interactive reverse shell: The backdoor can spawn a full cmd.exe shell, allowing attackers to execute any Windows command on the victim machine
- File management: Remote reading, writing, deleting, and listing of files, as well as uploading and downloading data
- Information gathering: Querying system information, disk lists, antivirus installations, and system time
- Process execution: Creating new processes from C2 commands
- Self-deletion: A built-in mechanism to remove traces and artifacts
What makes Chrysalis technically notable is its heavy obfuscation. The backdoor uses custom API hashing, dynamic string obfuscation, and layered decryption to evade signature-based detection. Each decryption layer uses a different algorithm, ranging from simple XOR operations to RC4.
Attack techniques: A sophisticated blend of DLL sideloading and obfuscation
The attack chain used to deliver Chrysalis to victim systems is highly sophisticated. After a user downloads the redirected update.exe file, the installer behaves like a typical NSIS setup program but executes several hidden steps.
Step 1: DLL sideloading via the Bitdefender Submission Wizard
The installer extracts and executes BluetoothService.exe, a renamed copy of the Bitdefender Submission Wizard, a legitimate, signed application from the well-known security vendor Bitdefender. When it starts, the program asks Windows to load a library named log.dll. Because a malicious log.dll has been dropped into the same directory as the executable, the loader picks it up instead of the library the program expects, and the attacker’s code runs inside a process whose main executable carries a trusted vendor signature. This technique is DLL sideloading, and it is widely used by APT groups to slip past security controls.
DLL sideloading works because of the way Windows resolves a DLL that is requested by name. Unless the library is already loaded or listed in KnownDLLs, the loader searches a fixed sequence of locations, and the directory containing the application’s executable comes first, ahead of System32 and the other system paths. Dropping a DLL with the expected name next to the executable therefore guarantees that the attacker’s copy is found first. The technique suits APT groups because the observable activity originates from a legitimately signed process: controls that allowlist or score reputation by the host executable see a trusted binary, while the malicious logic lives in a DLL that file-centric detections often inspect less aggressively. The practical defensive check is to watch for DLLs loaded from the same directory as a signed executable when the DLL is itself unsigned, or when that directory is user-writable.
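As an added example (not code from the original page or from Rapid7’s report), the following Python script applies that defensive check to Sysmon telemetry. It joins Event ID 1 (process creation) with Event ID 7 (image loaded) records and flags a load when the DLL sits in the host executable’s own directory outside the Windows directory and is unsigned, comes from a user-writable path, or carries a different vendor string than the host. The records, paths, GUIDs and company strings are constructed for the example and are not taken from the incident.

```python
"""Flag DLL side-loading candidates in Sysmon telemetry (added example).

Joins Event ID 1 (process creation) with Event ID 7 (image loaded). A load is
reported when the DLL lives in the host executable's own directory, that
directory is outside the Windows directory, and at least one of these holds:
  * the DLL is unsigned or its signature is not valid,
  * the directory is user-writable (Users, ProgramData, Temp),
  * the DLL's Company string differs from the host executable's Company.
"""
import ntpath

WINDOWS_DIR = "c:\\windows\\"
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Constructed sample records; field names follow Sysmon, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\nsq1\BluetoothService.exe",
     "Company": "Bitdefender"},
    {"EventID": 7, "ProcessGuid": "{G1}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\nsq1\BluetoothService.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Company": "Microsoft Corporation", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "ProcessGuid": "{G1}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\nsq1\BluetoothService.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\nsq1\log.dll",
     "Company": "", "Signed": "false", "Signature": "",
     "SignatureStatus": "Unavailable"},
    {"EventID": 1, "ProcessGuid": "{G2}",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "Company": "Notepad++"},
    {"EventID": 7, "ProcessGuid": "{G2}",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\SciLexer.dll",
     "Company": "Notepad++", "Signed": "true", "Signature": "Notepad++",
     "SignatureStatus": "Valid"},
]


def _norm_dir(path: str) -> str:
    """Lower-cased directory of a Windows path with a single trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def _starts_with(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix)


def find_sideload_candidates(events):
    """Return a list of (host image, dll path, reasons) for suspicious loads."""
    host_company = {e["ProcessGuid"]: e.get("Company", "")
                    for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 7:
            continue
        host, dll = e["Image"], e["ImageLoaded"]
        # Only DLLs resolved from the application directory matter here, and
        # anything under the Windows directory is treated as a system load.
        if _norm_dir(dll) != _norm_dir(host) or _starts_with(dll, WINDOWS_DIR):
            continue
        reasons = []
        if (e.get("Signed", "false").lower() != "true"
                or e.get("SignatureStatus") != "Valid"):
            reasons.append("unsigned or invalid signature")
        if any(_starts_with(dll, p) for p in USER_WRITABLE_PREFIXES):
            reasons.append("application directory is user-writable")
        hc, dc = host_company.get(e["ProcessGuid"], ""), e.get("Company", "")
        if hc and dc and hc != dc:
            reasons.append(f"DLL vendor {dc!r} differs from host vendor {hc!r}")
        if reasons:
            hits.append((host, dll, reasons))
    return hits


if __name__ == "__main__":
    for host, dll, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{host}\n  loaded {dll}\n  reasons: {'; '.join(reasons)}")
```

On the constructed data only the unsigned log.dll loaded from the Temp directory is reported; the signed SciLexer.dll that notepad++.exe loads from its own Program Files directory is not. In production the vendor-mismatch rule alone generates noise from applications that bundle third-party signed libraries, so it is better used as a weighting factor than as a stand-alone trigger.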
Step 2: Decryption of the intermediate shellcode
The malicious log.dll exports two functions, LogInit and LogWrite. LogInit reads an encrypted file named BluetoothService (an extensionless file, not the executable of the same name), and LogWrite implements a custom decryption routine. The routine is built on a Linear Congruential Generator (LCG) with the multiplier 0x19660D and the increment 0x3C6EF35F, the well-known Numerical Recipes constants, combined with simple data transformation steps. Once decrypted, the resulting shellcode is executed in memory.
Step 3: Decrypting the main backdoor and dynamic API hashing
The decrypted shellcode then performs another decryption stage using the hardcoded key gQ2JR&9; to produce the primary PE module, the Chrysalis backdoor itself. This module resolves Windows APIs by dynamic hashing rather than by calling GetProcAddress with plaintext names: it walks the export tables of loaded modules, hashes each export name using FNV-1a combined with MurmurHash-style mixing, and compares the result against hardcoded constants. Because no API names appear in the binary, static analysis and string-based signatures have much less to work with; an analyst has to reproduce the hash function and compute a lookup table over known export names to recover which APIs the backdoor uses.
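The following Python block is an added example, not code from the page or from Rapid7, that reimplements the two building blocks described in Steps 2 and 3 from the analyst’s side: an LCG keystream using the constants named above, XORed over a payload, and 32-bit FNV-1a hashing of export names together with the reverse lookup an analyst uses to label the hardcoded constants. How the real loader turns the LCG state into key bytes, the additional transformation steps, and the MurmurHash-style mixing are not given on the page; taking the top byte of each LCG state and using plain FNV-1a are assumptions for illustration, and the sample blob, seed and export list are constructed.

```python
"""Analyst-side reimplementation of the loader primitives described above.

Added example, not the malware's code. Assumptions are marked in comments.
"""
LCG_A = 0x19660D      # multiplier named in the report (Numerical Recipes value)
LCG_C = 0x3C6EF35F    # increment named in the report
MASK32 = 0xFFFFFFFF
FNV_OFFSET = 0x811C9DC5
FNV_PRIME = 0x01000193


def lcg_keystream(seed: int, length: int) -> bytes:
    """Generate `length` key bytes from a 32-bit LCG.

    Assumption for illustration: one key byte per step, taken from the top
    byte of the state (the page does not describe the real byte derivation).
    """
    state = seed & MASK32
    out = bytearray()
    for _ in range(length):
        state = (LCG_A * state + LCG_C) & MASK32
        out.append(state >> 24)
    return bytes(out)


def lcg_xor(data: bytes, seed: int) -> bytes:
    """XOR `data` with the LCG keystream; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, lcg_keystream(seed, len(data))))


def fnv1a32(name: str) -> int:
    """32-bit FNV-1a over an ASCII export name, as API-hashing resolvers use."""
    h = FNV_OFFSET
    for b in name.encode("ascii"):
        h ^= b
        h = (h * FNV_PRIME) & MASK32
    return h


def build_hash_table(export_names) -> dict:
    """Precompute hash -> name so hardcoded constants can be labelled."""
    return {fnv1a32(n): n for n in export_names}


def resolve_hashes(hardcoded, table) -> dict:
    """Map each hardcoded hash to an export name, or '<unknown>' if unseen."""
    return {h: table.get(h, "<unknown>") for h in hardcoded}


# Constructed export list; a real triage would dump kernel32/ntdll exports.
KNOWN_EXPORTS = [
    "VirtualAlloc", "VirtualProtect", "CreateProcessW", "GetProcAddress",
    "LoadLibraryA", "WriteFile", "ReadFile", "DeleteFileW", "GetSystemTime",
]


def demo() -> dict:
    """Round-trip a constructed blob, then label some constructed hash constants."""
    plaintext = b"MZ\x90\x00" + bytes(range(16))   # fake PE header, constructed
    seed = 0x1337                                   # constructed seed
    blob = lcg_xor(plaintext, seed)                 # what a loader would carry
    assert lcg_xor(blob, seed) == plaintext         # decryption restores it
    table = build_hash_table(KNOWN_EXPORTS)
    # Stand-ins for constants pulled from a backdoor's hash list; the last
    # one is deliberately absent from the table.
    hardcoded = [fnv1a32("VirtualAlloc"), fnv1a32("CreateProcessW"), 0xDEADBEEF]
    return resolve_hashes(hardcoded, table)


if __name__ == "__main__":
    for h, name in demo().items():
        print(f"0x{h:08x} -> {name}")
```

The same pattern scales to real samples: dump the export names of the DLLs the backdoor is expected to touch, hash them with the recovered algorithm, and replace the hardcoded constants in the disassembly with the resolved names. Any constant that stays `<unknown>` is either a module not yet in the list or a sign that the hash function has not been reproduced exactly.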
Loader variants and the use of Cobalt Strike
Another interesting aspect of the campaign is the integration of open-source tools. Alongside the custom Chrysalis backdoor, Rapid7 identified four different loader variants used to deploy Cobalt Strike beacons – a popular penetration-testing framework commonly repurposed by attackers to maintain access and move within networks.
Cobalt Strike Beacon enables attackers to:
- Execute commands on compromised systems
- Collect sensitive information
- Perform lateral movement across networks
- Deploy additional payloads
The combination of the custom Chrysalis backdoor with Metasploit block_api shellcode and Cobalt Strike beacons shows a group that mixes bespoke tooling with readily available commodity tools as the operation requires.
One particularly important loader was “ConsoleApplication2.exe,” which Rapid7 found to use Microsoft Warbird, a code protection framework that Microsoft uses for its own proprietary code. The loader abuses Warbird to hide shellcode execution behind a call to NtQuerySystemInformation with the SystemCodeFlowTransition information class (the function itself is documented; this information class is not). This suggests the group updated its tooling based on publicly available research such as the DownWithUp article on Warbird abuse; the mechanics are described in the loader section below.
C2 infrastructure masquerading as DeepSeek
Chrysalis communicates with its command-and-control server using a hardcoded URL:
https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821
The path structure /a/chat/s/{GUID} resembles the endpoint format used by DeepSeek, a popular Chinese AI chatbot service. Rapid7 noted that this “appears to simulate legitimate traffic in order to stay under the radar.” This is traffic masquerading: the beacon imitates the shape of a legitimate service’s requests so that it blends into ordinary outbound HTTPS. It should not be confused with domain fronting, in which the TLS SNI names an innocuous domain while the HTTP Host header routes the request to the attacker’s backend through a shared CDN; here the hostname is attacker-controlled and only the path is mimicked.
At the time of the report, api.skycloudcenter.com resolved to 61.4.102.97, an address located in Malaysia. Rapid7 found no evidence of other files communicating with that IP or URL.
Advanced loader behavior: Warbird implementation
One of Rapid7’s most significant discoveries was the identification of “ConsoleApplication2.exe,” a loader utilizing Warbird – an undocumented Microsoft code protection framework. Warbird was originally designed to protect proprietary Microsoft code, but APT groups have discovered ways to abuse it to conceal shellcode execution.
The loader achieves this by:
- Loading the legitimate Windows system DLL clipc.dll
- Overwriting the first 0x490 bytes of clipc.dll memory with specially crafted data
- Changing the memory protection to PAGE_EXECUTE_READ
- Calling NtQuerySystemInformation with the undocumented SystemCodeFlowTransition information class, which selects Warbird’s WbHeapExecuteCall operation and transfers execution into the crafted bytes
The shellcode therefore appears to execute from inside a Microsoft-signed system DLL and is reached through a system call rather than a direct jump, which defeats behavioral monitoring that keys on unbacked executable memory or on direct calls into freshly allocated regions.
Targets and victims
Unlike other large-scale supply chain attacks (such as the SolarWinds SUNBURST attack in 2020), the Notepad++ incident was highly targeted. Only a small number of users were redirected to malicious servers. Rapid7 did not disclose the exact number of victims, but reports indicate that the affected population was “small.”
Forensic evidence suggests that primary targets included government agencies, telecommunications companies, aviation and transportation sectors, critical infrastructure organizations, and media outlets, mainly in Southeast Asia and Central America. This targeting pattern aligns closely with Lotus Blossom’s historical operations focused on high-value strategic organizations.
Response and mitigation
Notepad++ responded quickly to address the issue.
Release v8.8.9 (December 2025)
Notepad++ released version 8.8.9, labelled a vulnerability-fix release, with two key changes to the update path:
- Signature and certificate verification of downloaded update files before they are run
- Automatic cancellation of the update if verification fails
This check is possible because, since version v8.8.7, Notepad++ binaries (including installers) have been digitally signed using a GlobalSign certificate.
Hosting migration
Don Ho, the developer of Notepad++, stated that the official website had been moved to a new hosting provider with significantly stronger security policies to prevent similar incidents in the future.
In addition, users who had installed the self-signed Notepad++ root certificate used before the switch to GlobalSign in v8.8.7 were advised to remove it, since it is no longer needed.
The broader rise of supply chain attacks
The Notepad++ incident is not an isolated case. According to data from Cyble, software supply chain attacks have doubled since April 2025, averaging 26 attacks per month compared to 13 attacks per month between early 2024 and March 2025. October 2025 recorded the highest number of incidents, with 41 attacks reported – a 30% increase compared to the previous peak in April.
Industries most heavily impacted include:
- Energy and utilities
- Healthcare
- Manufacturing
- Technology
- Financial services
Cyble’s figures cover incidents that involve not only supply chain compromises proper but also zero-day exploitation, ransomware operations, and intellectual property theft.
Why Notepad++?
A natural question arises: why target Notepad++?
The answer lies in its popularity and trust level. Notepad++ is a widely used open-source code editor relied upon by developers, system administrators, and cybersecurity professionals around the world. Anything downloaded through its official updater is generally assumed to be trustworthy. This makes the Notepad++ infrastructure an attractive target for APT groups:
- High trust: Users trust updates from Notepad++
- Diverse user base: Widely used by IT professionals, developers, and security specialists
- Low suspicion: Users installing an “update” are unlikely to question its legitimacy
- Strategic impact: If attackers know that employees in a specific government agency widely use Notepad++, they can potentially infiltrate the entire organization through a single compromised update
Attack techniques (TTPs)
Rapid7 identified multiple MITRE ATT&CK techniques used by Lotus Blossom in this campaign:
T1204.002 – User Execution: Malicious File
T1036 – Masquerading
T1027 – Obfuscated Files or Information
T1027.007 – Dynamic API Resolution
T1140 – Deobfuscate/Decode Files or Information
T1574.002 – DLL Side-Loading
T1055 – Process Injection
T1620 – Reflective Code Loading
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1083 – File and Directory Discovery
T1105 – Ingress Tool Transfer
T1041 – Exfiltration Over C2 Channel
T1573 – Encrypted Channel
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys (persistence)
Conclusion: A new stage in APT campaigns
The Notepad++ attack documented by Rapid7 is more than a typical software supply chain compromise. It represents an evolution in the tactics of Lotus Blossom. While the group has long been known to rely on proven techniques such as DLL sideloading and service-based persistence, the use of a custom multi-layered backdoor, advanced shellcode loaders, and the integration of public offensive tools indicates active adaptation to increasingly sophisticated defensive environments.
Rapid7 concluded: “The discovery of the Chrysalis backdoor and the Warbird loader highlights the evolution of Billbug’s capabilities. While the group continues to rely on proven techniques such as DLL sideloading and service persistence, their multi-layered shellcode loaders and use of undocumented system calls demonstrate a clear shift toward stealthier and more cautious tactics.”
Notably, roughly eight months passed between the start of the attack (June 2025) and its public disclosure (February 2026). During that time the campaign remained hidden and was uncovered only through proactive threat hunting by security researchers. That dwell time reflects both the selective targeting, which kept the malicious update away from the vast majority of users, and the loader’s evasion features.
For cybersecurity professionals, system administrators, and government organizations, particularly in Southeast Asia, the Notepad++ incident serves as a critical warning. Even seemingly harmless software can be exploited to distribute malware if hosting infrastructure is not properly secured. It highlights the importance of verifying software updates, continuously monitoring supply chain risks, implementing behavior-based detection for anomalies such as DLL sideloading and unusual C2 communication, and maintaining updated indicators of compromise (IoCs) and rapid response strategies.
The Lotus Blossom Notepad++ campaign ultimately demonstrates that Chinese state-linked threat actors are operating at an increasingly advanced tactical level, and continued vigilance is essential.
References
- Targeted Supply‑Chain Attacks Abuse Notepad++ Update Infrastructure to Deliver Lotus Blossom Malware
- Notepad++ Update Hijacking Linked to Hosting Provider Compromise
- Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users
- APT group: Lotus Blossom, Spring Dragon, Thrip
- Cisco Talos exposes Lotus Blossom cyber espionage campaigns targeting governments, telecom, media
- Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
- Billbug espionage group targets government, critical sectors in coordinated Southeast Asia cyber intrusion campaign
- The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
- Notepad++ v8.8.9 release: Vulnerability-fix
- Supply Chain Attacks Have Doubled. What’s Driving the Increase?
Exclusive article by an expert from FPT IS, FPT Corporation
Dinh Van Manh – FPT Information Security Center