The attack successfully exploited the trust associated with the Notepad++ automatic update process (GUP.exe). By compromising the shared hosting infrastructure used by the project, the attackers were able to intercept and selectively redirect update requests from specific users—primarily within the telecommunications, finance, and government sectors in East Asia—to attacker-controlled servers.
The Infection Chain:
- Redirection: Legitimate notepad++.exe initiates GUP.exe to check for updates.
- Malicious Download: Instead of the legitimate package, GUP.exe receives a redirected response pointing to a malicious NSIS installer (update.exe) hosted on a rogue server.
- Sideloading Execution: The malicious installer drops a renamed legitimate executable, BluetoothService.exe (originally Bitdefender Submission Wizard), and a malicious DLL named log.dll.
- Payload Deployment: When executed, BluetoothService.exe sideloads log.dll, which decrypts and executes the Chrysalis shellcode.
Chrysalis Backdoor Capabilities: Chrysalis is a bespoke, modular implant designed for long-term espionage. Its features include:
- Full remote command execution and interactive shell access.
- File system manipulation (upload/download).
- Process execution and termination.
- Communication with Command and Control (C2) servers.
- Deployment of secondary payloads, often utilising the 'Microsoft Warbird' obfuscation framework.
Vulnerable Versions:
The compromise affects users who utilised the built-in auto-update feature during the active window of the attack.
- Affected Components: Notepad++ Auto-Updater (GUP.exe) in versions prior to 8.8.9.
- Note: Users who downloaded the full installer manually from the official website during this period may not be affected, as the attack specifically targeted the update verification mechanism.
Mitigations:
Organisations are advised to implement the following controls immediately:
- Network Blocking: Block traffic to known C2 domains and malicious IPs associated with the campaign.
- Endpoint Detection: Configure EDR solutions to flag instances of BluetoothService.exe running from non-standard directories or spawning unexpected child processes.
- Signature Enforcement: Ensure that software execution policies require valid digital signatures for all executables.
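The Endpoint Detection control above, as an added hunting example that is not part of the original advisory: it applies the two stated indicators (BluetoothService.exe outside an expected directory, and BluetoothService.exe spawning a child) plus the log.dll sideload pattern from the infection chain to Sysmon-style process-create and image-load records. The field names, the EXPECTED_DIRS allow-list and the sample events are assumptions constructed for the example.

```python
import ntpath

# Assumed allow-list: directories your environment treats as standard for this binary.
EXPECTED_DIRS = {r"c:\program files\bitdefender", r"c:\program files (x86)\bitdefender"}
HOST_BINARY = "bluetoothservice.exe"   # renamed Bitdefender Submission Wizard (from the advisory)
SIDELOADED_DLL = "log.dll"             # malicious DLL named in the advisory


def _dir(path):
    return ntpath.dirname(path).lower()


def _name(path):
    return ntpath.basename(path).lower()


def hunt(events):
    """Return (rule, detail) findings for Sysmon-style EventID 1/7 records."""
    findings = []
    for ev in events:
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        if ev["EventID"] == 1:  # process create
            # Rule 1: the host binary running from a non-standard directory.
            if _name(image) == HOST_BINARY and _dir(image) not in EXPECTED_DIRS:
                findings.append(("non_standard_dir", image))
            # Rule 2: the host binary spawning any child process.
            if _name(parent) == HOST_BINARY:
                findings.append(("unexpected_child", f"{parent} -> {image}"))
        elif ev["EventID"] == 7:  # image load
            loaded = ev.get("ImageLoaded", "")
            # Rule 3: log.dll loaded from the host binary's own directory (sideload pattern).
            if (_name(image) == HOST_BINARY and _name(loaded) == SIDELOADED_DLL
                    and _dir(loaded) == _dir(image)):
                findings.append(("dll_sideload", loaded))
    return findings


# Constructed sample telemetry: one benign launch, then the sideloading chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Bitdefender\BluetoothService.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\BluetoothService.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\BluetoothService.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\log.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\BluetoothService.exe"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Feed real EDR or Sysmon exports into hunt() after mapping their field names onto Image, ParentImage and ImageLoaded.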
Recommendations:
Security teams should prioritise the following actions to remediate the threat and ensure environment integrity:
- Update Immediately: Ensure all instances of Notepad++ are upgraded to version 8.9.1 or later.
- Hunt for Indicators of Compromise (IOCs).
- Audit Update Logs: Review network logs from June to December 2025 for connections to the identified malicious infrastructure.
- Re-installation: For any system suspected of attempting an update during the compromised window, a full uninstallation of Notepad++ followed by a clean installation from the official domain is recommended to remove any dormant artifacts.