For six months, Chinese state-sponsored attackers sat in the update path of Notepad++, one of the most widely used text editors on Windows, and used that position to deliver malware selectively to targets in telecommunications and financial services.
The attackers did not compromise Notepad++ code. They compromised its hosting provider. This distinction matters because it shows how supply chain attacks have evolved beyond build pipelines into infrastructure itself.
What Happened
Between June 2025 and December 2025, threat actors hijacked traffic from WinGUp, the Notepad++ updater. When certain users checked for updates, their requests were redirected to malicious servers that served backdoored installers instead of legitimate updates.
The targeting was selective. Most users received normal updates. Only specific victims, primarily in East Asian telecom and financial sectors, got the poisoned versions.
Security researcher Kevin Beaumont identified at least three organizations where the hijacked updates led to hands-on network reconnaissance by the attackers.
The Attack Timeline
June 2025: Attackers compromise the shared hosting server running Notepad++ update infrastructure.
June - September 2025: Selective traffic redirection active. Targeted users receive malicious update packages.
September 2, 2025: Hosting provider updates server kernel and firmware. Attackers temporarily lose access.
September - December 2025: Attackers regain access using previously stolen internal service credentials that were never rotated.
December 2, 2025: Hosting provider detects the breach and terminates attacker access.
December 2025: Notepad++ releases version 8.8.9 with hardened update verification.
February 2, 2026: Full public disclosure.
Attribution
Multiple security firms attribute this campaign to Chinese state-sponsored groups. The Hacker News reports involvement of Violet Typhoon (APT31), known for targeting telecommunications infrastructure.
Rapid7’s investigation attributes the malware delivery to Lotus Blossom (also tracked as Raspberry Typhoon, Billbug, and Spring Dragon), a Chinese APT active since 2009 that focuses on government, telecom, aviation, and media targets across Southeast Asia.
Both groups are assessed to operate under China’s state intelligence apparatus. The differing attributions are not necessarily contradictory: they may reflect coordination, shared tooling or infrastructure, or simply different visibility between the firms doing the analysis.
The Malware: Chrysalis Backdoor
Rapid7 discovered a previously undocumented backdoor they named Chrysalis. The malware demonstrates sophisticated development and is designed for long-term persistence rather than smash-and-grab operations.
Infection Chain
The attack delivers malware through a multi-stage process:
notepad++.exe → GUP.exe (updater) → update.exe (malicious)
The malicious update.exe is an NSIS installer, a legitimate installer framework that is commonly abused to package malware. It drops the following files into a hidden folder:
Dropped files:
| Filename | Purpose |
|---|---|
| BluetoothService.exe | Renamed Bitdefender Submission Wizard (legitimate binary) |
| log.dll | Malicious loader DLL |
| BluetoothService | Encrypted shellcode payload (no file extension) |
The installer creates %AppData%\Bluetooth\, marks it as hidden, and executes BluetoothService.exe.
DLL Sideloading
The attack abuses a legitimate Bitdefender binary for DLL sideloading. When BluetoothService.exe runs, it attempts to load log.dll by name. Windows searches the application’s own directory before the system directories, so the attacker’s log.dll sitting next to the executable is loaded in place of the library the binary expects.
This technique evades security tools that allowlist signed executables. The Bitdefender binary is legitimately signed, but it loads unsigned malicious code, so the trust attached to the signature is inherited by the attacker’s DLL.
Shellcode Decryption
The malicious log.dll implements custom decryption to unpack the Chrysalis payload. The routine uses a linear congruential generator combined with basic transformations rather than standard cryptographic APIs, so the loader imports nothing from CryptoAPI or bcrypt that would stand out in an import table.
Once decrypted, the shellcode executes in memory. Only the encrypted blob (the extensionless BluetoothService file) ever touches disk, which complicates forensic analysis of the payload itself.
Chrysalis Capabilities
The backdoor includes:
API hashing: Uses FNV-1a hashing with a MurmurHash avalanche finalizer to resolve Windows APIs at runtime. This hides suspicious API calls from static analysis.
String obfuscation: Implements position-dependent character obfuscation. Identical characters encrypt differently based on their position, making signature detection unreliable.
Reflective loading: The main module loads as a PE-like structure in memory, executing standard MSVC initialization before transferring control to malicious code.
Decryption key: gQ2JR&9; (hardcoded XOR key for main module decryption)
The sophistication indicates active development over time. This is not disposable malware. It is a maintained toolkit for persistent access.
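The two techniques from the list above that are most concrete on the page, API hashing and the hardcoded XOR key, worked through as an added example. This is not code from the article, Rapid7 or Notepad++: it reconstructs both techniques generically and then shows the defender’s side (mapping hash constants back to API names, and recovering the key from known plaintext). Assumptions not confirmed by the page: the 32-bit FNV-1a parameters, the MurmurHash3 fmix32 finalizer as the “avalanche” step, and that gQ2JR&9; is applied byte-wise as a repeating XOR key. The encrypted blob is constructed here, not a real sample.

```python
"""Added example: API hashing (FNV-1a + MurmurHash finalizer) and
repeating-key XOR, as described for Chrysalis, in generic form.
Not the malware's actual code; parameters below are assumptions."""

MASK32 = 0xFFFFFFFF
FNV_OFFSET_32 = 0x811C9DC5   # standard 32-bit FNV-1a offset basis (assumed)
FNV_PRIME_32 = 0x01000193    # standard 32-bit FNV prime (assumed)


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV_OFFSET_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & MASK32
    return h


def murmur_fmix32(h: int) -> int:
    """MurmurHash3 32-bit finalizer (assumed variant of the avalanche step).
    Every input bit influences every output bit, so hashes of similar API
    names look unrelated and cannot be pattern-matched."""
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def api_hash(name: str) -> int:
    """Hash an export name the way a hashing loader would (ASCII, no NUL)."""
    return murmur_fmix32(fnv1a_32(name.encode("ascii")))


def build_hash_table(export_names):
    """Defender side: precompute hashes for known export names so 32-bit
    constants pulled from a sample can be mapped back to API names."""
    return {api_hash(n): n for n in export_names}


def match_constants(constants, table):
    """Map candidate constants from a disassembly to API names."""
    return {c: table[c] for c in constants if c in table}


# --- repeating-key XOR for the main module ---------------------------------

XOR_KEY = b"gQ2JR&9;"  # key quoted on the page
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Position-dependent XOR: byte i is XORed with key[i % len(key)], so
    identical plaintext bytes encrypt differently at different offsets."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Recover a repeating XOR key from known plaintext at a known offset.
    MSVC-linked PE files typically carry the DOS stub string at 0x4E, so a
    decryptor can be rebuilt from the blob even without the key."""
    key = bytearray(key_len)
    covered = [False] * key_len
    for i, p in enumerate(known):
        pos = offset + i
        key[pos % key_len] = ciphertext[pos] ^ p
        covered[pos % key_len] = True
    if not all(covered):
        raise ValueError("known plaintext too short to cover every key byte")
    return bytes(key)


def looks_like_pe(blob: bytes) -> bool:
    return blob[:2] == b"MZ" and DOS_STUB in blob


# Constructed stand-in for an encrypted main module: an MZ header padded to
# the usual DOS-stub offset, then the stub string.  Not real malware.
_fake_module = bytearray(0x4E)
_fake_module[:2] = b"MZ"
_fake_module += DOS_STUB + b"\r\r\n$" + bytes(16)
ENCRYPTED_SAMPLE = xor_repeating(bytes(_fake_module), XOR_KEY)


if __name__ == "__main__":
    table = build_hash_table(["VirtualAlloc", "LoadLibraryA", "GetProcAddress"])
    print({hex(k): v for k, v in table.items()})
    key = recover_key(ENCRYPTED_SAMPLE, DOS_STUB, 0x4E, len(XOR_KEY))
    print(key, looks_like_pe(xor_repeating(ENCRYPTED_SAMPLE, key)))
```

The practical use for an analyst is the table: run `build_hash_table` over the export names of kernel32.dll, ntdll.dll and friends, then match the 32-bit immediates found in the loader against it. If nothing matches, the hash parameters differ from the assumed ones and need to be lifted from the sample.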
Indicators of Compromise
Network
C2 IP: 95.179.213.0
File Hashes (SHA-256)
NSIS Script:
8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e
BluetoothService.exe (renamed Bitdefender binary):
2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
BluetoothService (encrypted shellcode):
77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
log.dll (malicious loader):
3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
File System
%AppData%\Bluetooth\ (hidden folder)
%AppData%\Bluetooth\BluetoothService.exe
%AppData%\Bluetooth\log.dll
%AppData%\Bluetooth\BluetoothService
Detection Logic
Look for:
- Execution of BluetoothService.exe from user AppData directories
- Hidden folders named “Bluetooth” in roaming profiles
- DLL sideloading involving Bitdefender binaries outside Program Files
- Network connections to 95.179.213.0
- NSIS installer execution followed by persistence in AppData
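The detection bullets above turned into runnable logic, as an added example that is not from the article or any vendor’s detection content. It runs over constructed Sysmon-style records: field names follow Sysmon’s ProcessCreate (Image, ParentImage, Company), ImageLoad (Image, ImageLoaded, Signed), FileCreate (Image, TargetFilename) and NetworkConnect (Image, DestinationIp) events, but every record, hostname and path is made up here. The “Bitdefender” check uses the Company version-info field as a heuristic, not a signature verification.

```python
"""Added example: the page's detection logic over constructed Sysmon-style
events.  Records, hosts and paths are illustrative, not real telemetry."""
import re
from collections import defaultdict

C2_IPS = {"95.179.213.0"}          # C2 address listed on the page
SIDELOAD_VENDORS = ("bitdefender",)  # vendor named on the page (heuristic)

USER_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
ROAMING_BLUETOOTH = re.compile(r"\\AppData\\Roaming\\Bluetooth\\", re.I)
TRUSTED_ROOTS = re.compile(r"^[A-Z]:\\(Program Files( \(x86\))?|Windows)\\", re.I)

BT = r"C:\Users\alice\AppData\Roaming\Bluetooth"
SAMPLE_EVENTS = [  # constructed records
    {"Host": "WS01", "EventType": "ProcessCreate", "ProcessGuid": "g1",
     "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe", "Company": "Notepad++"},
    {"Host": "WS01", "EventType": "ProcessCreate", "ProcessGuid": "g2",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe", "Company": ""},
    {"Host": "WS01", "EventType": "FileCreate", "ProcessGuid": "g2",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": BT + r"\log.dll"},
    {"Host": "WS01", "EventType": "ProcessCreate", "ProcessGuid": "g3",
     "Image": BT + r"\BluetoothService.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "Company": "Bitdefender"},
    {"Host": "WS01", "EventType": "ImageLoad", "ProcessGuid": "g3",
     "Image": BT + r"\BluetoothService.exe", "ImageLoaded": BT + r"\log.dll", "Signed": "false"},
    {"Host": "WS01", "EventType": "NetworkConnect", "ProcessGuid": "g3",
     "Image": BT + r"\BluetoothService.exe", "DestinationIp": "95.179.213.0"},
    # Benign control (constructed): a vendor tool in Program Files loading a signed DLL.
    {"Host": "WS02", "EventType": "ProcessCreate", "ProcessGuid": "g9",
     "Image": r"C:\Program Files\Bitdefender\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Company": "Bitdefender"},
    {"Host": "WS02", "EventType": "ImageLoad", "ProcessGuid": "g9",
     "Image": r"C:\Program Files\Bitdefender\tool.exe",
     "ImageLoaded": r"C:\Program Files\Bitdefender\log.dll", "Signed": "true"},
]


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def detect(events):
    """Return a sorted list of (rule, host, path_or_ip) tuples.

    Single-event rules fire on the record itself; the sideloading rule and
    the installer-then-persistence rule correlate records on the same host."""
    hits = set()
    company_by_guid = {}
    updater_children = defaultdict(set)   # host -> GUIDs of GUP.exe children
    persistence_writes = defaultdict(set)  # host -> GUIDs that wrote to Bluetooth\

    for ev in events:
        host, kind, image = ev["Host"], ev["EventType"], ev.get("Image", "")
        if kind == "ProcessCreate":
            company_by_guid[ev["ProcessGuid"]] = ev.get("Company", "").lower()
            if image.lower().endswith("\\bluetoothservice.exe") and USER_APPDATA.search(image):
                hits.add(("bluetoothservice_from_appdata", host, image))
            if ev.get("ParentImage", "").lower().endswith("\\gup.exe"):
                updater_children[host].add(ev["ProcessGuid"])
        elif kind == "FileCreate":
            target = ev["TargetFilename"]
            if ROAMING_BLUETOOTH.search(target):
                hits.add(("write_to_roaming_bluetooth", host, target))
                persistence_writes[host].add(ev["ProcessGuid"])
        elif kind == "ImageLoad":
            loaded = ev["ImageLoaded"]
            same_dir = _dirname(loaded) == _dirname(image)
            unsigned = ev.get("Signed", "true").lower() == "false"
            if same_dir and unsigned and not TRUSTED_ROOTS.match(image):
                vendor = company_by_guid.get(ev["ProcessGuid"], "")
                rule = ("bitdefender_sideload_outside_program_files"
                        if any(v in vendor for v in SIDELOAD_VENDORS) else "possible_sideload")
                hits.add((rule, host, loaded))
        elif kind == "NetworkConnect":
            if ev.get("DestinationIp") in C2_IPS:
                hits.add(("c2_connection", host, ev["DestinationIp"]))

    # A child of the updater (the NSIS installer) that then wrote into the
    # Bluetooth directory: installer execution followed by AppData persistence.
    for host, guids in updater_children.items():
        if guids & persistence_writes[host]:
            hits.add(("updater_child_wrote_appdata_persistence", host, "GUP.exe child"))
    return sorted(hits)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit, sep="  ")
```

The legitimate update path also runs a GUP.exe child that writes files, but it writes under Program Files, not under a user’s Roaming profile, which is why the correlation rule keys on the destination directory rather than on the updater alone.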
Lessons for Defenders
Supply Chain Security Extends Beyond Code
The Notepad++ compromise did not involve malicious code commits or compromised build systems. The attackers went after hosting infrastructure. Your software can be perfectly secure and still deliver malware if someone controls the servers distributing it.
This requires thinking about the entire delivery pipeline: build systems, signing infrastructure, CDN providers, hosting platforms, and DNS.
Credential Rotation Matters
After losing server access in September, the attackers regained it using internal service credentials stolen earlier in the intrusion. That bought them three more months of access, because the kernel and firmware update was treated as maintenance rather than as a response to a compromise, and the credentials on the box were never rotated.
When you remediate an incident, assume all credentials on that system are compromised. Rotate everything.
Selective Targeting Delays Detection
Mass infections get noticed quickly. Selective targeting keeps campaigns running longer. The Notepad++ attackers operated for six months because they only hit specific targets.
If your threat model includes nation-state actors, you cannot rely on community detection. You need visibility into your own update traffic and the ability to verify software integrity independently.
Signed Binaries Are Not Safe
The Chrysalis infection chain abuses a legitimately signed Bitdefender executable. Allowlisting based on signatures alone is insufficient. You need behavioral detection that catches legitimate binaries doing illegitimate things.
Remediation
If you used Notepad++ between June and December 2025 and work in telecommunications, financial services, or government in East Asia, assume potential compromise.
Immediate actions:
- Search for %AppData%\Bluetooth\ across endpoints
- Hunt for the listed file hashes
- Check network logs for connections to 95.179.213.0
- Review Notepad++ update logs for anomalies during the compromise window
- Update to Notepad++ 8.8.9 or later
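The first two of the immediate actions above as a host triage script, added here as an example that is not from the article. It walks a user-profile root (C:\Users on a real host, a scratch directory in a test), looks for AppData\Roaming\Bluetooth under each profile, hashes what it finds and compares against the SHA-256 indicators quoted on the page. A file carrying one of the dropped names without a matching hash is still reported, since a rebuilt payload would keep the sideloading layout but not the hash. The profile layout assumed is the standard Windows one; the hidden-attribute check only works on Windows and reports “unknown” elsewhere.

```python
"""Added example: filesystem IOC triage for the indicators on the page.
Paths assume the standard Windows profile layout."""
import hashlib
from pathlib import Path

IOC_SHA256 = {  # SHA-256 values quoted on the page
    "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e": "NSIS script",
    "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924": "BluetoothService.exe (renamed Bitdefender binary)",
    "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e": "BluetoothService (encrypted shellcode)",
    "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad": "log.dll (malicious loader)",
}
DROPPED_NAMES = {"bluetoothservice.exe", "log.dll", "bluetoothservice"}
FILE_ATTRIBUTE_HIDDEN = 0x2


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hidden_state(path: Path) -> str:
    """'hidden'/'visible' from the Windows file attributes; 'unknown' on
    platforms where st_file_attributes is not available."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return "unknown"
    return "hidden" if attrs & FILE_ATTRIBUTE_HIDDEN else "visible"


def scan_profiles(profiles_root, ioc_hashes=IOC_SHA256):
    """Return findings as (finding, path, detail) tuples.

    A hash match is definitive.  A dropped-file name inside the Bluetooth
    folder is reported even without a hash match, with its digest as detail
    so it can be submitted for analysis."""
    findings = []
    root = Path(profiles_root)
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        bt_dir = profile / "AppData" / "Roaming" / "Bluetooth"
        if not bt_dir.is_dir():
            continue
        findings.append(("suspicious_directory", str(bt_dir), hidden_state(bt_dir)))
        for f in sorted(bt_dir.iterdir()):
            if not f.is_file():
                continue
            digest = sha256_file(f)
            if digest in ioc_hashes:
                findings.append(("ioc_hash_match", str(f), ioc_hashes[digest]))
            elif f.name.lower() in DROPPED_NAMES:
                findings.append(("dropped_filename_match", str(f), digest))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    for finding in scan_profiles(root):
        print(*finding, sep="\t")
```

Run it with the profile root as the only argument and feed the output into your case notes; a `suspicious_directory` line on its own is enough to isolate the host, since no legitimate software uses that folder.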
If indicators are found:
- Isolate affected systems
- Conduct full forensic analysis
- Assume lateral movement occurred
- Reset all credentials the affected user had access to
- Hunt for additional persistence mechanisms
The Bigger Picture
This is the second major supply chain attack disclosed this week, following the Moltbook database exposure. Both demonstrate different failure modes: Moltbook failed at application security basics, while Notepad++ was compromised through its infrastructure despite having secure code.
Supply chain attacks are not going away. The attack surface extends far beyond your own code into every dependency, tool, and piece of infrastructure your software touches.
The organizations best positioned to survive these attacks are those with defense in depth: multiple layers of verification, behavioral detection, and the assumption that any single control can fail.
Understanding how malware works helps you detect it. Our Digital Forensics Analyst certification covers malware analysis, memory forensics, and the investigative techniques needed to respond to sophisticated threats.