Notepad++ Update Channel Supply-Chain Compromise (June–December 2025): Targeted Traffic Redirection Delivering Chrysalis / Cobalt Strike

1. Executive Summary

Notepad++’s update mechanism (WinGUp) was abused in a targeted supply-chain compromise in 2025, where certain users’ update traffic was selectively redirected to attacker-controlled infrastructure and served trojanised “update” payloads rather than legitimate installers. Notepad++’s maintainer stated the compromise occurred at the shared hosting / infrastructure layer (not through a vulnerability in Notepad++ code), enabling interception of update lookups and redirection of a small subset of victims. Reporting and telemetry from Rapid7 and Kaspersky indicate the activity was highly selective (“about a dozen machines” in Kaspersky’s observed sample set) and aligned to Chinese espionage tradecraft, with Rapid7 attributing the campaign to the long-running China-nexus group Lotus Blossom. The primary defensive action is to treat any Notepad++ updates obtained via the in-app updater during the compromise window as suspect, validate endpoint artefacts against published IOCs, and ensure WinGUp hardening updates are deployed.

Sources: Notepad++ maintainer disclosure (as relayed/quoted in Kaspersky’s Securelist analysis and Help Net Security’s incident summary); Rapid7’s campaign write-up and indicators in “The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit”; Notepad++ mitigation details in the Notepad++ v8.8.9 announcement.


2. Contextual Background

2.1 Nature of the threat

This incident is best understood as a supply-chain compromise of the update distribution path, not a traditional product CVE in Notepad++ itself. Notepad++ disclosed that WinGUp update lookups were sometimes redirected to malicious servers, leading to download of compromised executables; the project also acknowledged a weakness in how the updater validated integrity/authenticity of downloaded update files, which could be exploited if an attacker could intercept traffic between the updater and update infrastructure. The project introduced stronger verification checks in response.
Source: Notepad++ v8.8.9 release notes (vulnerability-fix / mitigation).

The compromise mechanics reported publicly centre on infrastructure-level control at the hosting provider that served the update redirect logic (often described as getDownloadUrl.php), enabling selective victim redirection to attacker-controlled update manifests and payload hosting.
Source: Help Net Security’s timeline and provider statement excerpts.
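The abuse pattern above (a lookup step that hands the client a download URL, and an attacker who controls that step pointing it elsewhere) is easiest to reason about as a set of client-side checks. The following is an added example, not Notepad++ or WinGUp code: it models what a hardened updater can verify before executing anything. The allowed-host list, the installer bytes, the manifest hash and the example URLs are all constructed, and the Authenticode signature check that would authenticate the manifest on Windows is assumed to have already happened outside the example.

```python
"""Added example (not Notepad++ / WinGUp code): the checks a hardened updater
client can apply to the result of an update lookup before it runs anything.
Models the abuse described above: the redirect step hands back a download
URL, so an attacker controlling that step can point the client at any host.
The allow-list, the manifest hash and the installer bytes are constructed."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed policy: the only hosts this client will fetch installers from.
ALLOWED_DOWNLOAD_HOSTS = {"updates.example-editor.test"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (what a signed manifest would publish)."""
    return hashlib.sha256(data).hexdigest()


def check_download_url(url: str) -> tuple[bool, str]:
    """Reject plaintext HTTP and any host outside the allow-list.

    A redirect to an attacker-controlled server fails here even when the
    redirect itself came back from the legitimate lookup endpoint."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, f"non-TLS download URL: {url}"
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_DOWNLOAD_HOSTS:
        return False, f"download host not on allow-list: {host}"
    return True, "ok"


def check_payload_hash(payload: bytes, expected_sha256: str) -> tuple[bool, str]:
    """Compare the downloaded bytes against the hash from the signed manifest;
    a constant-time compare avoids leaking how many bytes matched."""
    actual = sha256_hex(payload)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False, f"sha256 mismatch: got {actual}"
    return True, "ok"


def verify_update(url: str, payload: bytes, expected_sha256: str) -> tuple[bool, str]:
    """Run every check; the first failure wins and nothing is executed.

    Assumption: expected_sha256 came from a manifest whose signature the
    client already verified with the platform code-signing check
    (Authenticode on Windows); that step is outside this example."""
    for ok, reason in (check_download_url(url),
                       check_payload_hash(payload, expected_sha256)):
        if not ok:
            return False, reason
    return True, "ok"


if __name__ == "__main__":
    installer = b"constructed installer bytes"      # stand-in for a real .exe
    good_hash = sha256_hex(installer)               # what the manifest would list
    # Legitimate lookup result: allowed host, matching hash.
    print(verify_update("https://updates.example-editor.test/npp.exe", installer, good_hash))
    # Redirected lookup: plaintext URL on a host outside the allow-list.
    print(verify_update("http://203.0.113.10/update/update.exe", installer, good_hash))
    # Right host, tampered bytes: hash mismatch.
    print(verify_update("https://updates.example-editor.test/npp.exe", installer + b"x", good_hash))
```

The host check is what defeats the redirect scenario on its own; the hash check only helps if the expected value is bound to a manifest the attacker cannot forge, which is why the example treats manifest signature verification as a precondition rather than an optional extra.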

2.2 Threat-actor attribution

Likely (NATO/Admiralty “Likely”): Multiple sources describe the operation as consistent with Chinese state-sponsored activity. Rapid7 explicitly attributes the Chrysalis backdoor campaign tied to the Notepad++ infrastructure compromise to Lotus Blossom (a China-nexus espionage group active since at least 2009, per Rapid7).
Source: Rapid7: Chrysalis backdoor / Lotus Blossom attribution.

Corroboration: Kaspersky’s Securelist write-up links the Notepad++ update compromise to multiple infection chains and rotating infrastructure, consistent with a disciplined, resourced actor, and aligns reported victimology to targeted espionage rather than broad monetisation.
Source: Kaspersky Securelist technical analysis and victimology.

Note: Some third-party commentary suggests alternate China-nexus clusters; however, the most directly evidenced attribution in primary CTI reporting for this incident (Rapid7) is Lotus Blossom.
Source: Help Net Security reporting (includes third-party attribution commentary).

2.3 Sector and geographic targeting

Kaspersky reports the observed targeting included: a government organisation in the Philippines, a financial organisation in El Salvador, an IT services provider in Vietnam, and individuals in Vietnam, El Salvador, and Australia—collectively “about a dozen machines” observed across multiple chains.
Source: Kaspersky Securelist – victimology and scope and Kaspersky press release summary.

Rapid7 describes Lotus Blossom’s broader targeting historically as government, telecoms, aviation, critical infrastructure, and media—primarily in Southeast Asia and more recently Central America—providing contextual alignment with the victim set above.
Source: Rapid7: Lotus Blossom background.


3. Technical Analysis

3.1 Compromise and execution flow (mapped to MITRE ATT&CK)

High-level flow (multi-chain):

  1. Supply-chain compromise / update redirection → malicious “update” payload delivered to select targets.
  2. User execution occurs implicitly through the updater installing what appears to be a legitimate update package.
  3. Loader/backdoor deployment with host reconnaissance and staged payload delivery (including Cobalt Strike in at least some cases).
  4. Command-and-control over HTTP(S), with periodic infrastructure rotation across months.

ATT&CK mapping (selected, based on observed reporting):

3.2 Exploitation status and timelines

Notepad++’s maintainer and hosting-provider communications (as reproduced in reporting) indicate a compromise beginning around June 2025, with the hosting server believed compromised until 2 September 2025, and credential-based redirection potential extending until 2 December 2025.
Source: Help Net Security timeline and provider statement excerpts.

Kaspersky’s telemetry analysis describes three distinct infection chains from July through October 2025, with frequent rotation of infrastructure and payloads, reinforcing that multiple phases likely existed beyond the single chain many defenders initially searched for.
Source: Kaspersky Securelist infection chain timeline.

Rapid7 reports incident response observations including Cobalt Strike staging in at least one case, suggesting hands-on follow-on activity beyond simple initial access.
Source: Kaspersky referencing Rapid7’s Cobalt Strike observation, and Rapid7 analysis.


4. Impact Assessment

4.1 Severity and scope

This is high severity from an organisational risk standpoint because it abuses a trusted software update path—an avenue that can bypass normal user suspicion and, in some environments, application allow-listing assumptions. However, available evidence indicates the operation was selective rather than widespread, with Kaspersky observing “about a dozen machines” impacted across its visibility for the described chains.
Source: Kaspersky Securelist – targeting and scale.

4.2 Victim profile

The observed victim set spans government, finance, IT services, and individuals, with geography including Southeast Asia and Central America and at least one case in Australia. The broader actor context (Lotus Blossom) aligns with long-run espionage targeting of government/telecoms and related sectors.
Sources: Kaspersky Securelist victimology; Rapid7 Lotus Blossom background.


5. Indicators of Compromise (IOCs)

5.1 IOC table (operational “first-pass” pivots)

This table only includes indicators explicitly published by Kaspersky and Rapid7. It is not exhaustive; defenders should also pull the full indicator sets from the original reports.

Type | Value | Context / Notes | Source
Domain | api[.]skycloudcenter[.]com | Rapid7-reported Chrysalis C2 domain used over HTTPS | Rapid7 Chrysalis analysis
URL | https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821 | Example C2 URL in Rapid7 telemetry | Rapid7 Chrysalis analysis
Domain | api[.]wiresguard[.]com | Payload hosting / CS beacon infrastructure referenced in Rapid7 | Rapid7 Chrysalis analysis
IP | 59.110.7.32 | Rapid7-listed network indicator (also used in sample loader URLs) | Rapid7 Chrysalis analysis
IP | 124.222.137.114 | Rapid7-listed network indicator (also used in sample loader URLs) | Rapid7 Chrysalis analysis
IP | 61.4.102.97 | Rapid7-listed network indicator | Rapid7 Chrysalis analysis
IP | 95.179.213.0 | Rapid7-listed network indicator (as published) | Rapid7 Chrysalis analysis
Mutex | Global\Jdhfv_1.0.1 | Rapid7-reported single-instance mutex in Chrysalis | Rapid7 Chrysalis analysis
IP/URL | http://45.76.155[.]202/update/update.exe | Kaspersky Chain #1 payload URL (late July/early Aug 2025) | Kaspersky Securelist
File hash (SHA1) | 8e6e505438c21f3d281e1cc257abdbf7223b7f5a | Kaspersky Chain #1: update.exe (NSIS installer) | Kaspersky Securelist
Directory | %appdata%\ProShow | Kaspersky Chain #1 staging directory | Kaspersky Securelist
Command | cmd /c whoami&&tasklist > 1.txt | Kaspersky Chain #1 recon/collection command | Kaspersky Securelist
Service/Website | temp[.]sh | Kaspersky: used for uploading recon output (unusual in many enterprises) | Kaspersky Securelist

5.2 Detection guidance

Network

  • Hunt for outbound connections / DNS queries to the Rapid7-listed domains and IPs above, especially from developer workstations, admin endpoints, or hosts running Notepad++ / WinGUp.
    Source: Rapid7 network indicators section.
  • Specifically for Kaspersky Chain #1 style activity: look for traffic to temp[.]sh and for raw HTTP requests where a temp[.]sh/... URL is embedded in the User-Agent (Kaspersky notes the attacker passed an uploaded file URL inside the user agent in at least one chain).
    Source: Kaspersky Securelist – detection/hunting recommendations.

Endpoint / EDR

  • Search for creation of %appdata%\ProShow and follow-on file drops in that directory on endpoints that used Notepad++’s updater during the compromise period.
    Source: Kaspersky Securelist – Chain #1 artefacts.
  • Hunt for NSIS installer runtime artefacts such as %localappdata%\Temp\ns.tmp creation correlated with Notepad++ update activity (Kaspersky suggests this as a generic detection path across chains).
    Source: Kaspersky Securelist – NSIS artefact hunting.
  • Detect the Chrysalis mutex Global\Jdhfv_1.0.1 and investigate any process holding it.
    Source: Rapid7 Chrysalis analysis.
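As an added example that is not code from Rapid7 or Kaspersky, the following script turns the network and endpoint hunting points above into a first-pass sweep over constructed proxy log lines and endpoint telemetry. The indicators are the ones in the IOC table (refanged for matching). The tab-separated log layout, the event dictionaries, the sample hosts and timestamps, and the updater process names are all constructed for the example; in particular, gup.exe is assumed here to be the WinGUp updater binary, and the nsXXXX.tmp naming used to match NSIS extraction directories is an assumption that broadens the ns.tmp artefact the guidance names.

```python
"""Added example, not code from Rapid7 or Kaspersky: a first-pass sweep of
constructed proxy log lines and endpoint telemetry using the network and
endpoint indicators from the IOC table above. The log layout, process names
and every sample record are constructed for the example."""
import re
from urllib.parse import urlparse

# Network indicators from the IOC table, refanged for matching.
C2_DOMAINS = {"api.skycloudcenter.com", "api.wiresguard.com"}
C2_IPS = {"59.110.7.32", "124.222.137.114", "61.4.102.97", "95.179.213.0",
          "45.76.155.202"}
EXFIL_HOST = "temp.sh"                 # recon upload site in Kaspersky chain #1
URL_IN_UA_RE = re.compile(r"https?://([^/\s]+)", re.I)

# Endpoint indicators. Matching nsXXXX.tmp is an assumption; the guidance
# above only names ns.tmp under %localappdata%\Temp.
CHRYSALIS_MUTEX = r"Global\Jdhfv_1.0.1"
STAGING_DIR_RE = re.compile(r"\\AppData\\Roaming\\ProShow(\\|$)", re.I)
NSIS_TMP_RE = re.compile(r"\\AppData\\Local\\Temp\\ns[^\\]*\.tmp", re.I)
# Processes whose NSIS extraction is worth a look: the chain #1 payload name
# from the IOC table plus gup.exe, assumed here to be the WinGUp updater binary.
UPDATER_PROCS = {"update.exe", "gup.exe"}


def hunt_proxy(lines):
    """Lines are: ts<TAB>src<TAB>method<TAB>url<TAB>status<TAB>user-agent."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue                        # malformed record, skip it
        ts, src, _method, url, _status, ua = fields
        host = (urlparse(url).hostname or "").lower()
        if host in C2_DOMAINS or host in C2_IPS:
            hits.append({"ts": ts, "src": src, "reason": "c2-infra", "host": host})
        if host == EXFIL_HOST:
            hits.append({"ts": ts, "src": src, "reason": "temp.sh-upload", "host": host})
        # Kaspersky: an uploaded-file URL was carried inside the User-Agent.
        for m in URL_IN_UA_RE.finditer(ua):
            if m.group(1).lower() == EXFIL_HOST:
                hits.append({"ts": ts, "src": src,
                             "reason": "temp.sh-url-in-user-agent", "host": host})
    return hits


def hunt_endpoint(events):
    """Events are dicts with a 'type' of file_create, mutex or process."""
    hits = []
    for ev in events:
        proc = ev.get("process", "").lower()
        if ev["type"] == "file_create":
            if STAGING_DIR_RE.search(ev["path"]):
                hits.append({"reason": "proshow-staging", "process": proc})
            # NSIS temp extraction is only interesting when an updater did it.
            if NSIS_TMP_RE.search(ev["path"]) and proc in UPDATER_PROCS:
                hits.append({"reason": "nsis-tmp-from-updater", "process": proc})
        elif ev["type"] == "mutex" and ev["name"] == CHRYSALIS_MUTEX:
            hits.append({"reason": "chrysalis-mutex", "process": proc})
        elif ev["type"] == "process":
            cmd = ev.get("cmdline", "").lower()
            if "whoami" in cmd and "tasklist" in cmd:
                hits.append({"reason": "whoami-tasklist-recon", "process": proc})
    return hits


# Constructed sample data: two suspicious workstations and one clean one.
PROXY_LOG = [
    "2025-08-02T10:15:03Z\t10.0.0.5\tGET\thttps://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821\t200\tMozilla/5.0",
    "2025-08-02T10:15:09Z\t10.0.0.5\tGET\thttp://45.76.155.202/update/update.exe\t200\tWinGUp",
    "2025-08-02T10:16:00Z\t10.0.0.7\tPOST\thttps://temp.sh/upload\t200\tMozilla/5.0",
    "2025-08-02T10:16:30Z\t10.0.0.7\tGET\thttps://61.4.102.97/c\t200\thttps://temp.sh/abc123/1.txt",
    "2025-08-02T10:17:00Z\t10.0.0.9\tGET\thttps://www.example.com/\t200\tMozilla/5.0",
]
ENDPOINT_EVENTS = [
    {"type": "file_create", "process": "update.exe",
     "path": r"C:\Users\dev\AppData\Local\Temp\nsa1B2.tmp\System.dll"},
    {"type": "file_create", "process": "update.exe",
     "path": r"C:\Users\dev\AppData\Roaming\ProShow\stage.dll"},
    {"type": "mutex", "process": "update.exe", "name": r"Global\Jdhfv_1.0.1"},
    {"type": "process", "process": "cmd.exe",
     "cmdline": "cmd /c whoami&&tasklist > 1.txt"},
    {"type": "file_create", "process": "setup.exe",   # NSIS from another installer: not flagged
     "path": r"C:\Users\dev\AppData\Local\Temp\nsz9.tmp\x.dll"},
    {"type": "file_create", "process": "notepad++.exe",
     "path": r"C:\Users\dev\Documents\notes.txt"},
]

if __name__ == "__main__":
    for hit in hunt_proxy(PROXY_LOG) + hunt_endpoint(ENDPOINT_EVENTS):
        print(hit)
```

Run against real data, the proxy hits from 10.0.0.5 and 10.0.0.7 would be the pivot into the endpoint events on those hosts; the NSIS temp-directory match is deliberately gated on the creating process so that ordinary NSIS-packaged software does not flood the result.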

Rules / content packs

  • Kaspersky states it published a dedicated “Notepad++ supply chain attack” correlation-rule package for its SIEM customers; use it for both alerting and retrospective hunting (Kaspersky recommends reviewing from September 2025).
    Source: Kaspersky Securelist – SIEM package mention.
  • For Microsoft Defender environments, there are community KQL pivots derived from Rapid7 indicators (use as a starting point, but validate against the original Rapid7 report).
    Source: Community KQL query set referencing Rapid7 network IOCs.

6. Incident Response Guidance

6.1 Containment, eradication, recovery

  • Containment: If you suspect exposure, isolate affected hosts from the network and preserve volatile data before remediation (see artefacts below).
  • Eradication: Remove malicious payloads and persistence identified by EDR triage; reset credentials used on affected endpoints (especially if interactive access or Cobalt Strike staging is suspected).
  • Recovery: Rebuild systems where you cannot establish high confidence in integrity (particularly developer/admin endpoints). Validate that only trusted Notepad++ versions are installed via controlled software distribution channels.

Operational note: Notepad++’s own mitigation is to harden update verification (certificate and signature checking) so that a downloaded update that fails verification is rejected rather than installed, closing the updater-based trojan delivery path.
Source: Notepad++ v8.8.9 mitigation and Help Net Security summary of follow-on controls.

6.2 Forensic artefacts to collect

6.3 Lessons learned

  • Treat third-party updaters as high-risk: proxy and inspect, restrict egress, and require cryptographic verification.
  • Prefer enterprise software management (internal repositories, allow-listed sources) over in-app updaters for developer tooling.

7. Threat Intelligence Contextualisation

7.1 Similar incidents / pattern

This operation mirrors a broader trend in which actors prioritise software supply chains and update paths for high-leverage, selective access—rotating infrastructure and payloads to evade static IOC-based detection. Kaspersky highlights monthly tooling and C2 rotation across the observed period, which is consistent with mature espionage operators rather than commodity crimeware.
Source: Kaspersky Securelist – infrastructure and payload rotation.

7.2 Full MITRE ATT&CK mapping (observed behaviours)

Tactic | Technique ID | Technique Name | Observed Behaviour
Initial Access | T1195 | Supply Chain Compromise | Update-path compromise / selective redirection to trojanised payloads
Execution | T1204.002 | User Execution: Malicious File | Updater-driven execution of malicious “update” packages
Discovery | T1059.003 | Windows Command Shell | Execution of whoami, tasklist, etc. in Kaspersky chain narratives
Defence Evasion / Execution | T1574.002 | DLL Side-Loading | Rapid7-described loader behaviours enabling staged payload execution
Privilege / Execution | T1055 | Process Injection | Rapid7-described injection-related tradecraft in tooling analysis
Execution | T1620 | Reflective Code Loading | Rapid7-described in-memory loading behaviours
Command and Control | T1102.002 | Web Service | HTTPS-based C2 to attacker domains and rotating infrastructure

Sources: Rapid7 Chrysalis analysis; Kaspersky Securelist; Notepad++ disclosure of updater path abuse.


8. Mitigation Recommendations

8.1 Hardening steps

  • Upgrade Notepad++ to versions incorporating hardened update verification across your fleet, and consider disabling in-app updates in favour of managed deployment in enterprise environments.
    Source: Notepad++ v8.8.9 mitigation.
  • Restrict egress for developer tooling where feasible (e.g., block or tightly monitor outbound traffic from Notepad++ / updater processes).
    Source: Help Net Security – organisational advice and risk framing.

8.2 Patch / update management advice

  • If you cannot prove an endpoint did not receive a malicious updater payload during the compromise window, prioritise it for triage using Kaspersky/Rapid7 indicators and—where uncertainty remains—rebuild.
    Sources: Kaspersky Securelist; Rapid7 Chrysalis analysis.

9. Historical Context & Related Vulnerabilities

Notepad++’s own release notes emphasise the issue was a weakness in updater validation that became relevant when an attacker could intercept network traffic—a scenario realised through compromise of update-serving infrastructure rather than a bug in the application’s editing features.
Source: Notepad++ v8.8.9 release notes.

Kaspersky notes that defenders who only searched for October-phase indicators may have missed earlier infections because July–September infrastructure and hashes differed materially.
Source: Kaspersky press release and Securelist analysis.


10. Future Outlook

Expect continued interest in developer-tool supply chains: these endpoints often hold privileged credentials, access tokens, source code, and administrative tooling, making them valuable for espionage and downstream compromise. Kaspersky’s observation of frequent monthly rotation suggests the operator will likely continue adapting infrastructure and delivery mechanisms, reducing the shelf-life of static IOC-only defence.

Source basis for outlook: Kaspersky Securelist – rotation and multi-chain behaviour; Rapid7 – Lotus Blossom tradecraft and persistence.


11. Further Reading

Primary technical reporting

Project advisories / mitigation

Incident summaries