SOCRadar® Cyber Intelligence Inc. | Notepad++ Infrastructure Hijacked in State-Linked Supply Chain Attack
Feb 02, 2026
Feb 03, 2026
Moon

Notepad++ Infrastructure Hijacked in State-Linked Supply Chain Attack

Notepad++, one of the most widely used open-source text editors, has disclosed a security incident that did not stem from a software vulnerability, but from how updates were delivered to users. The case underscores a growing risk area where trusted applications become targets through their surrounding infrastructure rather than their code.

Notepad++ disclosed an infrastructure-level compromise in which attackers hijacked update traffic and selectively redirected targeted users to malicious update servers, with investigations suggesting a likely state-sponsored threat actor rather than a flaw in Notepad++ source code.

What Happened to Notepad++ Update Infrastructure?

Notepad++ was impacted by an infrastructure-level compromise at a former shared hosting provider, which allowed attackers to intercept and selectively redirect update traffic to attacker-controlled servers. The issue did not originate from the Notepad++ codebase itself.

Was Notepad++ Source Code or Repository Compromised?

No. There is no evidence that Notepad++ source code, binaries, or repositories were breached. The attack exploited weaknesses in the hosting environment handling update delivery, not the application.

When Did the Notepad++ Compromise Occur?

Based on combined forensic analysis, the compromise likely started in June 2025. While direct server access appears to have ended on September 2, 2025, attackers retained internal service credentials, enabling traffic manipulation until December 2, 2025.

New technical analysis reveals the exact mechanism:

  1. Redirection: Targeted users were sent to a rogue server.
  2. Fake Installer: They downloaded a malicious NSIS installer (update.exe).
  3. DLL Side-Loading: This installer dropped a legitimate Bitdefender binary (BluetoothService.exe) which then side-loaded a malicious DLL (log.dll) to execute the payload.

The infection chain showing how legitimate binaries were abused to side-load the malicious DLL. (Rapid7)
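The DLL side-loading step is the part of this chain that host telemetry can catch most cheaply: a signed vendor binary that suddenly runs from a temporary directory and loads an unsigned DLL sitting beside it. The Go program below is an added example, not code from the SOCRadar post or from Rapid7's analysis. It applies that rule to constructed Sysmon-style image-load (Event ID 7) records; the event fields, the trusted-directory list, the user name and the NSIS-style temp directory name are assumptions, and only the BluetoothService.exe and log.dll file names come from the article.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageLoadEvent carries the fields of a Sysmon Event ID 7 (Image loaded)
// record that the rule needs. All events below are constructed for this
// example; they are not real telemetry from the incident.
type ImageLoadEvent struct {
	Process       string // full path of the process that loaded the image
	ProcessSigned bool   // Authenticode result for the process image
	Image         string // full path of the DLL being loaded
	ImageSigned   bool   // Authenticode result for the DLL
}

// trustedRoots are directories where a signed vendor binary is expected to
// live; treating everything else as user-writable is an assumption of this example.
var trustedRoots = []string{`c:\windows\`, `c:\program files\`, `c:\program files (x86)\`}

// winDir returns the lower-cased directory part of a Windows path without
// relying on filepath, so the rule behaves the same on a non-Windows analysis host.
func winDir(p string) string {
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return ""
	}
	return strings.ToLower(p[:i])
}

func inTrustedRoot(p string) bool {
	lp := strings.ToLower(p)
	for _, r := range trustedRoots {
		if strings.HasPrefix(lp, r) {
			return true
		}
	}
	return false
}

// IsSideLoadCandidate is true when a signed executable running from outside a
// trusted root loads an unsigned DLL from its own directory: the shape of the
// BluetoothService.exe -> log.dll step described in the article.
func IsSideLoadCandidate(e ImageLoadEvent) bool {
	if !e.ProcessSigned || e.ImageSigned || inTrustedRoot(e.Process) {
		return false
	}
	return winDir(e.Process) == winDir(e.Image)
}

// FlagSideLoads runs the rule over a batch of events and returns one line per hit.
func FlagSideLoads(events []ImageLoadEvent) []string {
	var hits []string
	for _, e := range events {
		if IsSideLoadCandidate(e) {
			hits = append(hits, fmt.Sprintf("possible DLL side-load: %s loaded %s", e.Process, e.Image))
		}
	}
	return hits
}

// SampleEvents is constructed input. The NSIS-style temp directory name is a
// guess at what an update.exe stage would produce, not an observed value.
var SampleEvents = []ImageLoadEvent{
	{`C:\Users\alice\AppData\Local\Temp\nsa1B2C.tmp\BluetoothService.exe`, true,
		`C:\Users\alice\AppData\Local\Temp\nsa1B2C.tmp\log.dll`, false},
	{`C:\Program Files\Notepad++\notepad++.exe`, true, `C:\Windows\System32\kernel32.dll`, true},
	{`C:\Users\alice\Downloads\tool.exe`, false, `C:\Users\alice\Downloads\helper.dll`, false},
	{`C:\Users\alice\AppData\Local\Temp\nsa1B2C.tmp\BluetoothService.exe`, true,
		`C:\Windows\System32\advapi32.dll`, true},
}

func main() {
	for _, h := range FlagSideLoads(SampleEvents) {
		fmt.Println(h)
	}
}
```

Only the first sample event fires: the same signed binary loading a signed DLL from System32 is normal, and an unsigned executable loading an unsigned DLL is a different (and noisier) question. In production the signature fields would come from the telemetry agent rather than a struct literal, and the trusted-root list would be tuned to the environment's software inventory.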

What Malware Was Deployed?

Researchers have identified the payload as a previously undocumented backdoor named “Chrysalis”.

  • It is a custom, feature-rich implant designed for espionage.
  • It communicates with the C2 server api.skycloudcenter[.]com.
  • The malware uses Microsoft Warbird, an advanced code protection framework, to hide its activities and evade detection.

How Was the Notepad++ Update Traffic Abused?

Attackers selectively redirected update requests from targeted users to malicious servers serving altered update manifests. This highly selective targeting strongly indicates a sophisticated threat actor rather than opportunistic cybercrime.

Who Is Suspected Behind the Notepad++ Attack?

Multiple independent security researchers assess the operation as likely conducted by a Chinese state-sponsored threat group, based on precision targeting, long-term persistence, and infrastructure-level access.

The campaign is now attributed with medium confidence to Lotus Blossom (also known as Billbug, Spring Dragon, or Thrip). This is a Chinese-linked APT group known for targeting government and critical infrastructure in Southeast Asia, which explains the highly selective nature of the targeting.

Lotus Blossom's cyber threat intelligence profile, SOCRadar Threat Actor Intelligence

Why Was Notepad++ Specifically Targeted?

Logs show the attackers exclusively searched for and targeted the notepad-plus-plus.org domain, likely leveraging awareness of insufficient update verification mechanisms in older Notepad++ versions.

How Has Notepad++ Responded to the Incident?

Notepad++ migrated its website to a new hosting provider and released v8.8.9, enhancing update security with certificate and installer signature verification. Additional protections, including mandatory XML signature validation (XMLDSig), are expected to be enforced starting with v8.9.2.
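The fix bundles three separate checks: the certificate of the update host, the installer's signature, and, from v8.9.2, a signature over the manifest itself. The Go program below is an added example, not Notepad++'s code, showing why a signed manifest closes the hole that a redirected host opens. It stands in XMLDSig with a detached Ed25519 signature under a pinned public key (a simplification), and the manifest schema, download path and installer bytes are constructed; only the version 8.8.9 and the notepad-plus-plus.org host come from the article. The signature is checked before anything in the manifest is parsed or followed, then the download host is pinned, then the installer digest is compared against the manifest.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest is a simplified stand-in for an update manifest; the element names
// are assumptions for this example, not Notepad++'s real schema.
type Manifest struct {
	XMLName  xml.Name `xml:"update"`
	Version  string   `xml:"version"`
	Location string   `xml:"location"` // installer download URL
	SHA256   string   `xml:"sha256"`   // expected installer digest, hex
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrBadHost      = errors.New("download location is not on the pinned host")
	ErrBadHash      = errors.New("installer digest does not match manifest")
)

// Sign is the publisher side: a detached signature over the exact manifest bytes.
func Sign(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client side. Nothing in the manifest, not even the URL,
// is trusted until the signature under the pinned public key checks out.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig []byte, pinnedHost string, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := xml.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	if u, err := url.Parse(m.Location); err != nil || u.Scheme != "https" || !strings.EqualFold(u.Host, pinnedHost) {
		return nil, ErrBadHost
	}
	sum := sha256.Sum256(installer)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return nil, ErrBadHash
	}
	return &m, nil
}

// ScenarioResult holds the verifier's verdict for each constructed manipulation.
type ScenarioResult struct {
	Genuine     error // untouched manifest and installer: nil
	Tampered    error // location rewritten after signing: ErrBadSignature
	ReSigned    error // rogue manifest signed with a non-pinned key: ErrBadSignature
	SwappedBlob error // valid manifest, different installer bytes: ErrBadHash
}

// RunScenarios creates a publisher key, a constructed manifest and installer,
// and runs the client check against the genuine update and three manipulations.
func RunScenarios() (ScenarioResult, error) {
	var r ScenarioResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	installer := []byte("constructed installer bytes, not a real binary")
	digest := sha256.Sum256(installer)
	manifest := []byte(fmt.Sprintf(
		`<update><version>8.8.9</version><location>https://notepad-plus-plus.org/installer.exe</location><sha256>%s</sha256></update>`,
		hex.EncodeToString(digest[:])))
	sig := Sign(priv, manifest)
	const pinned = "notepad-plus-plus.org"
	_, r.Genuine = VerifyUpdate(pub, manifest, sig, pinned, installer)
	// A redirecting server can rewrite the download host but cannot re-sign as the publisher.
	tampered := bytes.Replace(manifest, []byte("notepad-plus-plus.org"), []byte("rogue.example"), 1)
	_, r.Tampered = VerifyUpdate(pub, tampered, sig, pinned, installer)
	// Signing the rogue manifest with an arbitrary key (fixed seed, constructed) does not help either.
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	_, r.ReSigned = VerifyUpdate(pub, tampered, Sign(attackerPriv, tampered), pinned, installer)
	// The manifest is genuine but the served installer differs from what it describes.
	_, r.SwappedBlob = VerifyUpdate(pub, manifest, sig, pinned, []byte("different bytes from the rogue server"))
	return r, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v\ntampered: %v\nre-signed: %v\nswapped installer: %v\n", r.Genuine, r.Tampered, r.ReSigned, r.SwappedBlob)
}
```

The order of the checks is the point: an attacker who controls update traffic controls the manifest and the bytes served, so host pinning and installer hashing only mean something once the manifest is bound to the publisher's key. Certificate checks on the transport alone do not cover a hosting provider compromise, which is why the manifest signature was added as a separate layer.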

Why Does the Notepad++ Incident Matter?

This case highlights how software supply chains can be compromised without touching application code. It serves as a critical warning that trusted infrastructure, such as update servers, is a prime target for sophisticated actors like Lotus Blossom looking to bypass traditional perimeter defenses.

How Can SOCRadar Help Organizations Strengthen Attack Surface and Supply Chain Visibility?

SOCRadar supports security teams by providing continuous visibility across both the external attack surface and the software supply chain, helping organizations identify risk before it turns into exploitation.

SOCRadar Attack Surface Management (ASM) 

From an Attack Surface Management (ASM) perspective, SOCRadar helps organizations discover and monitor internet-facing assets, third-party dependencies, and infrastructure changes that could be abused in hijacking or redirection scenarios. This includes tracking exposed services, misconfigurations, outdated components, and shadow assets that often emerge outside of formal IT inventories.

SOCRadar Supply Chain Intelligence

On the supply chain intelligence side, SOCRadar extends visibility beyond the organization itself. It enables monitoring of software ecosystems, update infrastructures, third-party services, and developer tooling that attackers increasingly target to achieve scale. By correlating supply chain exposures with real-world threat activity, underground discussions, and historical attack patterns, security teams gain early signals when trusted distribution paths or dependencies become high-risk.

Combined, these capabilities allow organizations to move from reactive incident response to proactive risk reduction. Instead of focusing only on individual vulnerabilities, teams can assess systemic exposure, prioritize remediation based on attacker interest, and strengthen resilience across both infrastructure and supply chains before abuse occurs.

Indicators of Compromise (IoCs)

Notepad++'s initial report described its own logs as inconclusive; the relevant IoCs published since then are listed here.

Hashes

  • a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
  • 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e
  • 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
  • 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
  • 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
  • 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600
  • f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a
  • 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906
  • 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd
  • 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd
  • 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8
  • e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda
  • 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5
  • b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3
  • 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd
  • fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a

Network Indicators

  • 95.179[.]213.0
  • api[.]skycloudcenter[.]com
  • api[.]wiresguard[.]com
  • 61.4[.]102.97
  • 59.110[.]7.32
  • 124.222[.]137.114

MITRE TTPs

ATT&CK ID   Name
T1204.002   User Execution: Malicious File
T1036       Masquerading
T1027       Obfuscated Files or Information
T1027.007   Obfuscated Files or Information: Dynamic API Resolution
T1140       Deobfuscate/Decode Files or Information
T1574.002   DLL Side-Loading
T1106       Native API
T1055       Process Injection
T1620       Reflective Code Loading
T1059.003   Command and Scripting Interpreter: Windows Command Shell
T1083       File and Directory Discovery
T1005       Data from Local System
T1105       Ingress Tool Transfer
T1041       Exfiltration Over C2 Channel
T1071.001   Application Layer Protocol: Web Protocols (HTTP/HTTPS)
T1573       Encrypted Channel
T1547.001   Boot or Logon Autostart Execution: Registry Run Keys
T1543.003   Create or Modify System Process: Windows Service
T1480.002   Execution Guardrails: Mutual Exclusion
T1070.004   Indicator Removal on Host: File Deletion