On February 2, 2026, the Notepad++ team disclosed a supply-chain compromise affecting their update infrastructure, confirming that attackers had gained persistent access to hosting systems for several months in 2025. The intrusion began around June, continued through September, and attackers were able to hold on to parts of the internal infrastructure until December.
Importantly, this was not a flaw in the Notepad++ application itself. Instead, the attackers exploited trust in the update delivery pipeline, using infrastructure access to quietly push malicious executables to carefully selected targets.
The campaign has been linked to the Chinese espionage group Lotus Blossom, a long-running threat actor active since at least 2009 and known for highly targeted intelligence operations. The compromised update channel was used to deploy a previously undocumented custom backdoor, dubbed Chrysalis, pointing to a targeted espionage-driven intrusion rather than opportunistic malware distribution.
The activity primarily affected organizations in Southeast Asia, and later Central America, with targets spanning government, telecommunications, aviation, critical infrastructure, and media sectors.
The campaign began in June 2025, when threat actors gained access to systems involved in Notepad++'s update delivery process. By compromising the update infrastructure, the attackers positioned themselves inside a trusted part of the software supply chain.
Over the following months, the attackers used this access to manipulate how updates were delivered. Instead of distributing malware to everyone, they were highly selective, redirecting update requests only for specific targets. Most users continued receiving legitimate updates, allowing the operation to remain unnoticed while targeted victims were served malicious payloads.
In early September, remediation activity began and the attackers' access to parts of the hosting environment changed. The operation did not stop, however: by leveraging retained credentials and secondary internal services, they kept a foothold and continued limited malicious operations.
During this phase, the attackers focused on maintaining persistence within targeted environments. A custom backdoor, later named Chrysalis, was deployed to selected victims, enabling long-term access and intelligence collection.
By December 2025, remaining unauthorized access had been removed and affected services were secured. Malicious update redirection activity stopped as credentials and infrastructure were remediated.
The Notepad++ team publicly confirmed the supply-chain compromise. Follow-on investigations linked the campaign to the Lotus Blossom threat group and highlighted the narrowly targeted scope of the attack.
The attackers did not exploit a flaw in Notepad++ itself. Instead, they abused the trusted updater mechanism.
For selected victims, update requests were redirected to attacker-controlled infrastructure, causing the updater to download a malicious installer in place of a legitimate update. Forensic analysis consistently showed the same sequential execution chain of notepad++.exe, GUP.exe, and update.exe.
GUP.exe is the WinGUp updater component. In compromised cases, it retrieved a weaponized update.exe, implemented as an NSIS-based installer used as a staging container. Using a legitimate installer format allowed the payload to blend into normal update behavior.
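The execution chain above is the kind of thing a defender can hunt for in process-creation telemetry. The following is an added example (not code from the Notepad++ project or the incident report) that reconstructs parent/child lineage from constructed Sysmon-style log lines and flags the notepad++.exe -> GUP.exe -> update.exe sequence; the paths, PIDs and file names in the sample are made up, and a legitimate update also spawns an installer from GUP.exe, so the final-stage name and drop location are the discriminators here and any hit should be paired with hash and signature checks.

```python
import re
from typing import Dict, List

# Constructed log lines in a Sysmon Event ID 1 style (pid|ppid|image). Not real telemetry.
SAMPLE_LOG = """\
pid=100|ppid=1|image=C:\\Program Files\\Notepad++\\notepad++.exe
pid=200|ppid=100|image=C:\\Program Files\\Notepad++\\updater\\GUP.exe
pid=300|ppid=200|image=C:\\Users\\alice\\AppData\\Local\\Temp\\npp.8.8.Installer.x64.exe
pid=400|ppid=1|image=C:\\Program Files\\Notepad++\\notepad++.exe
pid=500|ppid=400|image=C:\\Program Files\\Notepad++\\updater\\GUP.exe
pid=600|ppid=500|image=C:\\Users\\bob\\AppData\\Roaming\\update.exe
"""

# The chain the incident analysis reports, oldest ancestor first.
CHAIN = ("notepad++.exe", "gup.exe", "update.exe")

def parse_events(text: str) -> Dict[int, dict]:
    """Parse key=value fields into a pid-indexed table of process-creation events."""
    events = {}
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split("|"))
        pid, ppid = int(fields["pid"]), int(fields["ppid"])
        events[pid] = {"pid": pid, "ppid": ppid, "image": fields["image"]}
    return events

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events: Dict[int, dict], pid: int, depth: int) -> List[str]:
    """Return [self, parent, grandparent, ...] image paths, at most `depth` deep."""
    chain = []
    while pid in events and len(chain) < depth:
        chain.append(events[pid]["image"])
        pid = events[pid]["ppid"]
    return chain

def find_hijacked_update_chains(text: str) -> List[List[str]]:
    """Return every lineage (oldest first) whose image names match CHAIN exactly."""
    events = parse_events(text)
    hits = []
    for pid in events:
        lineage = list(reversed(ancestry(events, pid, depth=len(CHAIN))))
        if tuple(basename(p) for p in lineage) == CHAIN:
            hits.append(lineage)
    return hits

if __name__ == "__main__":
    for chain in find_hijacked_update_chains(SAMPLE_LOG):
        print("suspicious update chain:", " -> ".join(chain))
```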
The malicious NSIS installer dropped multiple artifacts into user-writable locations such as %AppData%, including:
Publicly observed SHA-256 hashes include:
Among the dropped artifacts was a renamed legitimate binary, which loads its expected DLL dependencies at startup. The attackers supplied a malicious log.dll exporting the same functions the application expects, a classic DLL side-loading setup.
On load, the exported routines of log.dll, such as LogInit and LogWrite, decrypt and map shellcode into memory. The loader resolves APIs dynamically using custom hashing (FNV-1a combined with a MurmurHash-style avalanche finalizer).
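When a loader resolves APIs by hash, analysts recover the imports by hashing candidate export names with the same scheme and matching them against the hashes found in the sample. The block below is an added analyst example, not code from the incident report: the report names FNV-1a plus a MurmurHash-style finalizer but publishes no seed, constants or case handling, so this assumes the standard 32-bit FNV-1a constants followed by the MurmurHash3 fmix32 finalizer, and the candidate API list is constructed.

```python
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF

def fnv1a_32(data: bytes, seed: int = 0x811C9DC5) -> int:
    """Standard 32-bit FNV-1a: xor each byte in, then multiply by the FNV prime."""
    h = seed
    for b in data:
        h ^= b
        h = (h * 0x01000193) & MASK32
    return h

def fmix32(h: int) -> int:
    """MurmurHash3 32-bit avalanche finalizer (shift-xor around two multiplies)."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h

def api_hash(name: str) -> int:
    """Assumed scheme (not taken from the sample): FNV-1a over the ASCII name, then fmix32.
    Replace seed/constants with the values recovered from a real loader before use."""
    return fmix32(fnv1a_32(name.encode("ascii")))

def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name so hashes lifted from a loader can be looked up."""
    return {api_hash(n): n for n in names}

def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    return table.get(h & MASK32)

# Constructed candidate list; a real run would dump export names from the DLLs the loader touches.
CANDIDATES = ["VirtualAlloc", "VirtualProtect", "CreateThread",
              "LoadLibraryA", "GetProcAddress", "NtMapViewOfSection"]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    lifted = api_hash("VirtualProtect")  # stand-in for a constant read out of the loader
    print(hex(lifted), "->", resolve(lifted, table))
```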
The final payload, Chrysalis, is the backdoor delivered through the hijacked update mechanism. Its capabilities include:
Chrysalis uses custom configuration encryption (RC4 + custom routines) and communicates with C2 endpoints that rotated over time. The analysis shows heavy use of API hashing and runtime resolution to maximize stealth.
Some loader variants took advantage of Microsoft's internal Warbird code-protection mechanisms to run shellcode within signed Microsoft binaries. By hiding malicious execution inside trusted processes, this approach made static detection much more difficult and likely played a role in allowing the campaign to remain undetected for several months.
This incident highlights a modern evolution in supply-chain operations:
By compromising the update pipeline itself, the attackers turned a trusted delivery mechanism into a stealthy malware distribution channel. Limiting infections to carefully selected victims helped them preserve operational secrecy while retaining control.
This reflects classic espionage tradecraft applied directly to software distribution.
The Notepad++ compromise shows how modern supply-chain attacks prioritize stealth and trust abuse over exploiting application flaws. By inserting themselves into a legitimate update pipeline and targeting only selected victims, the attackers maintained long-term access while avoiding widespread detection.
The key lesson is clear: software trust chains are now active attack surfaces. Update mechanisms, distribution infrastructure, and third-party dependencies must be monitored with the same discipline as internal systems. When malicious payloads arrive through trusted channels, traditional defenses often fail silently.
This incident is a reminder that supply-chain security is no longer theoretical. It is an operational reality, and security now depends on visibility into how software is built, delivered, and updated.
Network Indicators:
Hashes: