Between June and December 2025, the software update infrastructure supporting Notepad++ was covertly compromised and abused as a delivery mechanism for state-aligned cyber-espionage malware. The operation did not involve source code tampering or repository compromise. Instead, threat actors achieved control over elements of the update delivery chain, selectively redirecting update traffic to attacker-controlled servers and delivering malicious payloads to carefully chosen victims.
The attack represents a mature evolution in software supply-chain compromise strategy: minimal footprint, infrastructure-level manipulation, selective targeting, and stealthy post-exploitation implants. Attribution analysis links the activity with a China-aligned advanced persistent threat (APT) cluster commonly referred to as Lotus Blossom, also tracked under multiple aliases by different security vendors.

1. Scope and Temporal Characteristics of the Intrusion
1.1 Attack Window
Forensic analysis and hosting provider telemetry establish that unauthorized access to the Notepad++ update infrastructure began in June 2025 and persisted until December 2, 2025. The compromise unfolded in two distinct phases:
- Direct Infrastructure Access Phase (June–September 2025): Attackers maintained active access to the hosting environment supporting the update resolution service.
- Credential-Persistence Phase (September–December 2025): After partial containment efforts, attackers retained access using previously harvested credentials, enabling continued manipulation of update traffic without persistent interactive access.
This extended dwell time—approximately six months—strongly suggests deliberate intelligence collection rather than opportunistic monetization.
2. Initial Access Vector: Hosting Infrastructure Compromise
2.1 What Was Compromised—and What Was Not
Critically, the following components were not compromised:
- Notepad++ source code
- GitHub repositories
- Build systems
- Official release signing keys
Instead, attackers compromised the hosting environment responsible for servicing update resolution requests generated by the Notepad++ auto-update mechanism.
2.2 Abuse of Update Resolution Logic
The Notepad++ updater relies on a server-side endpoint that dynamically returns download locations for update binaries. Attackers gained the ability to manipulate responses from this endpoint—specifically the script responsible for resolving update URLs.
Rather than modifying binaries hosted on legitimate servers, the attackers altered where clients were told to download updates from.
This design choice enabled:
- No visible tampering of legitimate binaries
- No alteration of cryptographic signatures at rest
- Minimal forensic artifacts on official infrastructure
3. Selective Traffic Redirection and Victim Targeting
3.1 Targeted, Not Mass Exploitation
The malicious redirection was not globally applied. Instead, redirection logic was conditionally triggered based on request attributes, enabling:
- Geographic filtering
- IP-based targeting
- Organizational profiling
As a result, only a small subset of Notepad++ users received malicious updates, while the majority continued to receive legitimate software—significantly reducing detection probability.
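The resolver abuse described in 2.2 and the per-client redirection in 3.1 point to two defensive checks: validate the download location a resolver returns before following it, and compare the answers the same resolver gives to different vantage points. The Python below is an added example, not Notepad++ code; the allowlisted hostnames, URLs and vantage-point names are constructed assumptions.

```python
from __future__ import annotations
from urllib.parse import urlparse

# Assumed allowlist: the hosts an update resolver is expected to point clients at.
# These are placeholder names, not Notepad++'s real download hosts.
ALLOWED_UPDATE_HOSTS = {"updates.example.org", "download.example.org"}


def check_update_location(url: str) -> list[str]:
    """Return findings for a download URL handed back by the update resolver.
    An empty list means the URL passed every check and may be followed."""
    findings = []
    p = urlparse(url)
    if p.scheme != "https":
        findings.append("non-https scheme")
    host = (p.hostname or "").lower()
    if host not in ALLOWED_UPDATE_HOSTS:
        findings.append(f"host not in allowlist: {host}")
    if p.port not in (None, 443):
        findings.append(f"unexpected port: {p.port}")
    if not p.path.lower().endswith(".exe"):
        findings.append("unexpected file name")
    return findings


def distinct_download_hosts(observations: dict[str, str]) -> set[str]:
    """Given the URL the resolver returned to each vantage point (different
    networks or countries), return the set of hosts seen. An honest resolver
    hands every client the same host; more than one host is the signal that
    responses are being varied per client, as in section 3.1."""
    return {(urlparse(u).hostname or "").lower() for u in observations.values()}


def triage(observations: dict[str, str]) -> dict[str, list[str]]:
    """Per-vantage-point findings, keeping only vantage points with problems."""
    report = {v: check_update_location(u) for v, u in observations.items()}
    return {v: f for v, f in report.items() if f}


# Constructed sample: the same resolver queried from three vantage points.
SAMPLE_OBSERVATIONS = {
    "vantage-eu": "https://updates.example.org/npp/installer.exe",
    "vantage-us": "https://updates.example.org/npp/installer.exe",
    "vantage-apac": "http://198.51.100.23/update.exe",  # constructed hostile answer
}

if __name__ == "__main__":
    print("hosts seen:", distinct_download_hosts(SAMPLE_OBSERVATIONS))
    print("problems:", triage(SAMPLE_OBSERVATIONS))
```

The URL checks are a floor, not a substitute for verifying the downloaded binary's signature before it runs.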
3.2 Observed Victim Profile
Documented targets included:
- Government agencies
- Telecommunications providers
- Financial institutions
- IT service organizations
Affected regions spanned multiple countries in East and Southeast Asia, as well as selected targets in Australia and parts of Central America.
The targeting pattern aligns with long-standing strategic intelligence priorities rather than criminal activity.
4. Malicious Update Payload Architecture
4.1 Initial Dropper: update.exe
Victims selected for exploitation received a file masquerading as a legitimate Notepad++ update executable, commonly named update.exe.
This binary functioned as a loader, not the final payload.
4.2 Installation Framework
The installer was constructed using NSIS (Nullsoft Scriptable Install System), a legitimate and widely trusted installer framework. This choice allowed:
- Execution in user-trusted context
- Reduced heuristic detection
- Seamless masquerading as normal update behavior
5. DLL Side-Loading Execution Chain
5.1 Abuse of Legitimate Executables
The installer dropped a renamed, legitimate Windows executable—commonly referenced as BluetoothService.exe—into a controlled directory.
This executable was intentionally chosen because:
- It searches for dependent DLLs in its execution directory
- It is digitally signed and trusted by the operating system
5.2 Malicious DLL Injection
Alongside the executable, the installer dropped a malicious DLL (commonly named log.dll). When the legitimate executable launched, Windows’ DLL search order caused the malicious DLL to be loaded and executed.
This technique provided:
- Execution under a trusted binary context
- Bypass of simplistic application allowlisting
- Reduced visibility in endpoint telemetry
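The loader-plus-DLL pattern in 5.1 and 5.2 leaves a recognisable trace in image-load telemetry: a binary running from a user-writable directory loads an unsigned DLL from that same directory. The Python below is an added detection example, not from the original article; the record format, file paths, and the trusted-directory list are constructed assumptions.

```python
from __future__ import annotations
import ntpath

# Directories where signed OS binaries normally live (assumed list). A loader
# running from anywhere else that pulls an unsigned DLL out of its own folder
# matches the side-loading pattern described above.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


def parse_record(line: str) -> dict[str, str]:
    """Parse one constructed 'key=value|key=value' ImageLoad-style record."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_sideload_candidate(rec: dict[str, str]) -> bool:
    """True when an unsigned DLL is loaded from the loader's own directory and
    that directory is outside the trusted OS/program locations."""
    exe_dir = ntpath.dirname(rec["Image"]).lower()
    dll_dir = ntpath.dirname(rec["ImageLoaded"]).lower()
    if dll_dir != exe_dir:                  # DLL resolved from elsewhere: not this pattern
        return False
    if exe_dir.startswith(TRUSTED_DIRS):    # expected for binaries in system/program dirs
        return False
    if rec.get("Signed", "false").lower() == "true":  # signed DLL: out of scope here
        return False
    return True


def find_sideloads(lines: list[str]) -> list[tuple[str, str]]:
    """Return (loader, dll) pairs from the records that match the pattern."""
    hits = []
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            if is_sideload_candidate(rec):
                hits.append((rec["Image"], rec["ImageLoaded"]))
    return hits


# Constructed sample records (not real telemetry); 'Signed' refers to the DLL.
TMP = r"C:\Users\alice\AppData\Local\Temp\update"
SAMPLE_LOG = [
    rf"Image={TMP}\BluetoothService.exe|ImageLoaded={TMP}\log.dll|Signed=false",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|Signed=true",
    r"Image=C:\Program Files\App\app.exe|ImageLoaded=C:\Program Files\App\helper.dll|Signed=false",
    rf"Image={TMP}\BluetoothService.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
]

if __name__ == "__main__":
    for loader, dll in find_sideloads(SAMPLE_LOG):
        print(f"possible side-load: {loader} loaded {dll}")
```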
6. The “Chrysalis” Backdoor Implant
6.1 Shellcode Deployment
The malicious DLL did not directly implement full command-and-control logic. Instead, it decrypted and injected shellcode into memory, deploying a modular backdoor commonly referred to as Chrysalis by researchers.
6.2 Core Capabilities
The Chrysalis implant supported a full post-exploitation lifecycle, including:
- Encrypted command-and-control (C2) communications
- Remote command execution
- File upload and exfiltration
- Process creation and manipulation
- Interactive shell access
- Self-removal and cleanup routines
The implant emphasized stealth and longevity over destructive or noisy behavior.
7. Multi-Variant Infection Chains
Researchers identified multiple infection chain variants operating concurrently:
- Different malicious installer builds
- Rotating download infrastructure
- Variations in shellcode loader logic
- Optional secondary payload delivery
Some variants were observed deploying additional tooling frameworks, including post-exploitation modules commonly associated with commercial red-team and espionage toolkits.
This modularity strongly suggests a mature operational pipeline rather than ad-hoc malware deployment.
8. Attribution Analysis
8.1 Threat Actor Identity
Multiple independent analyses attribute the operation to a China-aligned APT cluster tracked as Lotus Blossom, also known under other vendor-specific names.
8.2 Attribution Indicators
Attribution is based on:
- Overlap in malware architecture
- Shared infrastructure patterns
- Command-and-control tradecraft
- Historical victimology alignment
- Consistency with prior Lotus Blossom operations
While no single indicator is definitive, the combined evidence supports high-confidence attribution.
The Notepad++ update infrastructure compromise stands as a textbook example of next-generation supply-chain exploitation. By manipulating update resolution logic rather than software artifacts, attackers achieved sustained, covert access to high-value targets while leaving minimal forensic evidence.
The incident underscores a critical shift in attacker economics: compromising how software is delivered can be more effective—and far harder to detect—than compromising the software itself.

Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.