Notepad++ Was Backdoored for Months: Inside the Chrysalis Supply Chain Attack

What Happened
Between June and December 2025, a Chinese state-linked hacking group called Lotus Blossom compromised the hosting infrastructure used to deliver Notepad++ updates — and used it to silently install a previously undocumented backdoor called Chrysalis on targeted machines.
The attackers didn't exploit a vulnerability in Notepad++ itself. They went after the update delivery pipeline — hijacking the hosting provider to selectively redirect update requests from specific users to malicious servers that served a tampered installer.
The attack was disclosed publicly in February 2026 by Rapid7, who were the first to attribute it to Lotus Blossom with moderate confidence.
How the Attack Worked
- Hosting provider breach — The attackers compromised the infrastructure of the hosting provider that served Notepad++ downloads and updates
- Selective traffic redirection — Rather than poisoning every download (which would have been detected quickly), they only redirected requests from specific targets
- DLL side-loading — The tampered update used DLL side-loading to execute the Chrysalis payload, a technique Lotus Blossom has used extensively in past campaigns
- Multi-layered shellcode loader — Chrysalis used a sophisticated loader with undocumented system calls (NtQuerySystemInformation) to evade detection
- Persistence via service installation — The backdoor established persistence through Windows service mechanisms
The operation was designed for stealth over scale. Low volume, high value. Classic espionage playbook.
The Chrysalis Backdoor
Chrysalis isn't a throwaway tool. Rapid7 describes it as a "custom, feature-rich backdoor" with a wide array of capabilities:
- File system operations — Read, write, delete, and enumerate files
- Process management — List, start, and terminate processes
- Command execution — Run arbitrary commands on the host
- Data exfiltration — Collect and transmit data to command-and-control servers
- System reconnaissance — Gather detailed system information
The use of undocumented system calls and a multi-layered loading chain marks a shift toward more resilient and stealthier tradecraft from this group.
Who Was Targeted
Kaspersky researchers identified victims across multiple countries and sectors:
- Government organizations in the Philippines
- Financial organizations in El Salvador
- An IT service provider in Vietnam
- Individuals in Vietnam, El Salvador, and Australia
Lotus Blossom has been active since at least 2009 and primarily targets government, telecom, aviation, critical infrastructure, and media organizations across Southeast Asia and Latin America.
What's Been Fixed
Notepad++ has taken several steps since disclosure:
- Migrated to a new hosting provider with stronger security controls
- Rotated all credentials associated with the old infrastructure
- Hardened the WinGUP updater to verify both the certificate and signature of downloaded installers
- Released v8.8.9 which includes these fixes
Are You Affected?
If you used Notepad++ between June and December 2025 and had automatic updates enabled, you should:
- Update immediately — Make sure you're running v8.8.9 or later
- Check your version history — If you received updates during the attack window, investigate further
- Review system logs — Look for unusual service installations, DLL loads, or outbound connections from that period
- Scan for IOCs — Rapid7 and Kaspersky have published indicators of compromise:
  - Check the Rapid7 Intelligence Hub for detailed IOCs
  - Review Kaspersky's Securelist analysis for additional indicators
- Hunt proactively — Don't rely solely on alerts. Search for signs of DLL side-loading and unusual NtQuerySystemInformation calls
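To make the version check and the "unusual service installations" review above concrete, here is a small triage helper. It is an added example, not code from Rapid7, Kaspersky or the Notepad++ project; the log lines, service names and paths in it are constructed for illustration and are not published IoCs. It assumes you have exported Windows System-log events as pipe-separated lines (timestamp, event ID, service name, image path); event ID 7045 is the Service Control Manager's "A service was installed in the system" record.

```python
"""Triage helper for the Notepad++ / Chrysalis attack window (added example)."""
import re
from datetime import date, datetime

# Attack window from the disclosure: June through December 2025.
ATTACK_WINDOW = (date(2025, 6, 1), date(2025, 12, 31))
# First Notepad++ release shipping the hardened updater.
FIXED_VERSION = (8, 8, 9)

def version_tuple(version):
    """'v8.8.9' / '8.8.10' -> (8, 8, 9) / (8, 8, 10); tuple compare handles 8.8.10 > 8.8.9."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))

def needs_update(version):
    """True when the installed Notepad++ is older than the fixed release."""
    return version_tuple(version) < FIXED_VERSION

# Constructed sample export of 7045 events: timestamp|event id|service name|image path.
# None of these values are real indicators; they only exercise the filter below.
SAMPLE_LOG = """\
2025-05-14T09:12:03|7045|WinDefend|C:\\Program Files\\Windows Defender\\MsMpEng.exe
2025-09-03T02:41:55|7045|WinHttpSvcHelper|C:\\Users\\Public\\Libraries\\update.exe
2025-10-11T14:05:20|7036|WinHttpSvcHelper|C:\\Users\\Public\\Libraries\\update.exe
2026-01-20T11:00:00|7045|Spooler|C:\\Windows\\System32\\spoolsv.exe
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<eid>\d+)\|(?P<svc>[^|]+)\|(?P<path>.+)$")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def suspicious_service_installs(log_text, window=ATTACK_WINDOW):
    """Return (timestamp, service, path) for 7045 events inside the window
    whose service binary lives outside the usual system directories."""
    start, end = window
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match or match["eid"] != "7045":
            continue  # only service-installation events are of interest here
        when = datetime.fromisoformat(match["ts"]).date()
        if not start <= when <= end:
            continue
        path = match["path"].lower()
        # A service registered during the window from a user-writable
        # location is exactly the kind of persistence worth a closer look.
        if not path.startswith(TRUSTED_PREFIXES):
            hits.append((match["ts"], match["svc"], match["path"]))
    return hits

if __name__ == "__main__":
    print("needs update:", needs_update("8.8.8"))
    for hit in suspicious_service_installs(SAMPLE_LOG):
        print("review service install:", hit)
```

Path prefixes alone are a coarse filter; treat every hit as a lead to confirm against the published IoCs, not as a verdict.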
The Bigger Picture
This attack hits different because every developer uses a text editor. Notepad++ has over 30 million users. It's installed on dev machines, jump boxes, production servers, and sysadmin workstations everywhere.
Supply chain attacks targeting developer tools are becoming a pattern:
- SolarWinds (2020) — Build system compromise
- Codecov (2021) — CI/CD bash uploader replaced
- xz Utils (2024) — Backdoor in a compression library
- Notepad++ (2025) — Update infrastructure hijacked
The common thread: attackers are going after the tools developers trust implicitly. The update mechanism, the build pipeline, the dependency chain — these are all attack surfaces that most developers never think about.
What You Can Do
Beyond updating Notepad++, here are broader supply chain security practices:
- Verify checksums on everything you download, especially dev tools
- Monitor outbound traffic from development machines
- Use network segmentation — Dev machines shouldn't have unrestricted internet access
- Enable EDR on developer workstations, not just servers
- Pin versions of critical tools and review updates before deploying them
- Watch for anomalous updates — If a tool updates at an unusual time or from an unexpected source, investigate
The era of blindly trusting auto-update is over.
Sources
- Chrysalis, Notepad++, and Supply Chain Risk: What it Means, and What to Do Next — Rapid7
- The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's Toolkit — Rapid7
- The Notepad++ supply chain attack: unnoticed execution chains and new IoCs — Kaspersky Securelist
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom — The Hacker News
- Notepad++ supply chain attack: Researchers reveal details, IoCs, targets — Help Net Security