Cyber Pulse Academy


Lotus Blossom's Notepad++ Supply Chain Attack: A Deep Dive into the Chrysalis Backdoor



🚨 Executive Summary: The Notepad++ Supply Chain Attack

In mid-2025, a sophisticated attack targeted the popular open-source text editor Notepad++. The China-linked Lotus Blossom group (also tracked as Billbug and Raspberry Typhoon) compromised the software's hosting provider and redirected update traffic for selected victims to servers that delivered a previously undocumented backdoor dubbed Chrysalis. The compromise went undetected for roughly six months and affected users across APAC, South America, and Europe. Because older Notepad++ versions did not verify what the updater downloaded, the attackers could serve a trojanized installer to a small fraction of users while everyone else kept receiving the genuine files. The breach underscores the need for cryptographically verified update pipelines and defense in depth. This beginner-friendly breakdown dissects the attack, maps it to MITRE ATT&CK, and lists actionable blue-team defenses.


🕵️ MITRE ATT&CK Techniques Used in the Attack

The Lotus Blossom group employed a blend of tactics to maintain stealth and persistence. Below is a mapping of key techniques observed in the Notepad++ supply chain attack.

Tactic              | Technique ID | Technique Name                               | How It Was Used
--------------------+--------------+----------------------------------------------+-----------------------------------------------------------------------------
Initial Access      | T1195.002    | Compromise Software Supply Chain             | Breached the hosting provider and redirected Notepad++ update downloads to attacker-controlled servers.
Execution           | T1204.002    | User Execution: Malicious File               | The updater fetched, and victims ran, the trojanized installer (update.exe) believing it was the legitimate update.
Defense Evasion     | T1574.002    | Hijack Execution Flow: DLL Side-Loading      | A renamed, legitimately signed Bitdefender binary (BluetoothService.exe) loaded the malicious log.dll.
Defense Evasion     | T1027        | Obfuscated Files or Information              | Chrysalis shellcode was encrypted and wrapped with Microsoft Warbird obfuscation.
Discovery           | T1082        | System Information Discovery                 | Chrysalis ran whoami, tasklist and netstat to profile the host (also T1057 Process Discovery and T1049 System Network Connections Discovery).
Command and Control | T1071.001    | Application Layer Protocol: Web Protocols    | The implant beaconed to api.skycloudcenter[.]com over HTTP.
Exfiltration        | T1041        | Exfiltration Over C2 Channel                 | Collected files were uploaded through the same C2 channel; the interactive shell and download capability supported follow-on activity.

Understanding these techniques helps defenders spot similar behaviors in their environment.


🌍 Real-World Scenario: Who Was in the Crosshairs?

The attackers did not spray malware indiscriminately; they selectively targeted high-value individuals and organizations. According to Rapid7 and Kaspersky telemetry, the Notepad++ supply chain attack victims included:

  • Individuals in Vietnam, El Salvador, and Australia.
  • A government organization in the Philippines.
  • A financial institution in El Salvador.
  • An IT service provider in Vietnam.
  • Broader sectors: telecom, government, and transportation across APAC and South America.

This targeting aligns with Lotus Blossom’s historic interest in political and economic intelligence. The group used the trusted Notepad++ update channel to slip past perimeter defenses, showing how supply chain attacks can bypass even strong security postures.


⚙️ Step-by-Step: How the Notepad++ Update Was Hijacked

The attack evolved over several months, with three distinct infection chains. Below is a simplified flow of how the Chrysalis backdoor reached victims.

Step 1: Hosting Provider Compromise (Initial Access)

Attackers breached Notepad++'s hosting provider (not publicly named) sometime before June 2025. With that access they could redirect update requests coming from specific source IP ranges to attacker-controlled servers (infrastructure hijacking), while everyone else kept receiving the genuine files, which is why the compromise stayed quiet for so long. The updater itself (GUP.exe) was left intact; only the download it was pointed at was swapped.

Step 2: Malicious Update Delivery (Supply Chain)

When victims ran Notepad++ (versions prior to 8.8.9), the updater contacted the legitimate domain, but for targeted source addresses the request was transparently redirected to attacker IPs such as 95.179.213[.]0. What came back was a trojanized NSIS installer named update.exe (variants: install.exe, AutoUpdater.exe).

Step 3: DLL Side-Loading Execution (Defense Evasion)

The NSIS installer dropped two key files:

  • BluetoothService.exe – a renamed, legitimate Bitdefender binary.
  • log.dll – a malicious DLL.

When BluetoothService.exe executed, it sideloaded log.dll (DLL side-loading: T1574.002). The DLL then decrypted and launched the final payload shellcode.

Step 4: Chrysalis Backdoor & Cobalt Strike (Persistence & C2)

The decrypted shellcode installed the Chrysalis backdoor, a feature-rich implant capable of:

  • Collecting system info (whoami, tasklist, netstat).
  • Contacting C2 server api.skycloudcenter[.]com.
  • Spawning an interactive shell, file upload/download, self-uninstall.

Later variants also fetched a Cobalt Strike beacon via a Metasploit downloader. The attackers even used Microsoft Warbird (an undocumented obfuscation framework) to hide shellcode, borrowing code from a public PoC.

Kaspersky observed three infection chains with rotating C2 servers and downloader tweaks, a sign of the group's agility. By December 2025 the hosting provider's access had been cut off and Notepad++ had migrated to a new provider with stronger controls.


✅ Common Mistakes & Best Practices

This breach offers lessons for both software maintainers and end users.

❌ Mistakes That Enabled the Attack

  • Insufficient update verification – older Notepad++ updaters trusted whatever the download URL returned and did not check a signature or hash against a trust root pinned in the client.
  • Hosting provider compromise – an attacker inside the provider could change what the update domain served, and nothing in the delivery pipeline detected that traffic was being redirected.
  • Signatures not enforced – the updater did not require a valid digital signature on downloaded binaries before executing them; a signature nobody checks provides no protection.
  • Delayed detection – the compromise ran for nearly six months before it was discovered.

🛡️ Best Practices to Mitigate Supply Chain Risks

  • Implement code signing and verify signatures before applying updates.
  • Use multi-factor authentication (MFA) for all hosting infrastructure accounts.
  • Monitor outbound connections from updater processes for anomalies.
  • Adopt a zero-trust model – treat every update as untrusted until verified.
  • Keep software up-to-date (Notepad++ 8.8.9+ fixed the verification flaw).
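The two update flows below are an added example, not code from Notepad++ or its GUP updater, written to make the "insufficient verification" mistake and the "verify before applying" practice concrete. The weak client executes whatever the download URL returns, which is exactly what a redirect at the hosting provider exploits; the hardened client verifies a signed manifest against a key pinned in the client, then checks the installer's SHA-256 against that manifest, and only then returns the bytes to run. The manifest format, the URLs, the stand-in installer bytes and the signing key are all assumptions: the key pair is textbook RSA built from two well-known Mersenne primes purely so the block runs offline without dependencies, it is trivially factorable, and a real updater would verify Authenticode or use a vetted crypto library instead.

```python
"""Weak vs. hardened update flow (added example; not Notepad++/GUP code)."""
import hashlib
import json

# --- demo signature primitive (assumed key material; never use in practice) --
P = 2**127 - 1                       # Mersenne prime M127 (demo only)
Q = 2**521 - 1                       # Mersenne prime M521 (demo only)
N = P * Q                            # public modulus pinned in the client
E = 65537                            # public exponent pinned in the client
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, vendor side (Python 3.8+)
K = (N.bit_length() + 7) // 8        # modulus length in bytes (81)
# DER DigestInfo prefix for SHA-256, as used by PKCS#1 v1.5 signatures.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encoded_digest(data: bytes) -> int:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo(SHA-256(data)), as an int."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")


def sign(data: bytes) -> bytes:
    """Vendor side: sign with the private exponent."""
    return pow(_encoded_digest(data), D, N).to_bytes(K, "big")


def verify(data: bytes, sig: bytes) -> bool:
    """Client side: recompute the expected encoding and compare; no parsing of sig."""
    return len(sig) == K and pow(int.from_bytes(sig, "big"), E, N) == _encoded_digest(data)


# --- updater flows -----------------------------------------------------------
class UpdateRejected(Exception):
    pass


def weak_update(fetch, manifest_url):
    """Pre-fix pattern: read the URL from the manifest and return whatever arrives.
    The signature and sha256 fields travel with the manifest but are never checked."""
    manifest = json.loads(json.loads(fetch(manifest_url))["manifest"])
    return fetch(manifest["installer_url"])          # caller would execute this


def hardened_update(fetch, manifest_url):
    """Fixed pattern: signature first, then hash, then (and only then) execute."""
    envelope = json.loads(fetch(manifest_url))
    manifest_bytes = envelope["manifest"].encode()
    if not verify(manifest_bytes, bytes.fromhex(envelope["signature"])):
        raise UpdateRejected("manifest signature invalid: untrusted update server")
    manifest = json.loads(manifest_bytes)
    installer = fetch(manifest["installer_url"])
    if hashlib.sha256(installer).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("installer hash mismatch: download was tampered with")
    return installer


# --- constructed scenarios: fetch is a dict lookup, nothing touches the network
MANIFEST_URL = "https://updates.example/manifest.json"     # assumed URL
INSTALLER_URL = "https://updates.example/npp.exe"          # assumed URL
GOOD_INSTALLER = b"NSIS:npp.8.8.9.Installer.exe"          # stand-in bytes
EVIL_INSTALLER = b"NSIS:update.exe"                        # trojanized stand-in


def _envelope(manifest: dict) -> str:
    body = json.dumps(manifest)
    return json.dumps({"manifest": body, "signature": sign(body.encode()).hex()})


def honest_server():
    good = {"installer_url": INSTALLER_URL, "sha256": hashlib.sha256(GOOD_INSTALLER).hexdigest()}
    return {MANIFEST_URL: _envelope(good), INSTALLER_URL: GOOD_INSTALLER}


def redirected_server():
    """Hosting-provider hijack: same URLs, but the installer download is swapped."""
    return {**honest_server(), INSTALLER_URL: EVIL_INSTALLER}


def forged_manifest_server():
    """Attacker rewrites the manifest to match, but cannot sign with the vendor key."""
    env = json.loads(honest_server()[MANIFEST_URL])
    env["manifest"] = json.dumps({"installer_url": INSTALLER_URL,
                                  "sha256": hashlib.sha256(EVIL_INSTALLER).hexdigest()})
    return {MANIFEST_URL: json.dumps(env), INSTALLER_URL: EVIL_INSTALLER}


def run(update_fn, site) -> str:
    """Return 'ran:<installer>' or 'rejected:<reason>' for one client/server pairing."""
    try:
        return "ran:" + update_fn(lambda url: site[url], MANIFEST_URL).decode()
    except UpdateRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    print(run(weak_update, redirected_server()))           # ran:NSIS:update.exe
    print(run(hardened_update, honest_server()))           # ran:NSIS:npp.8.8.9.Installer.exe
    print(run(hardened_update, redirected_server()))       # rejected:installer hash mismatch ...
    print(run(hardened_update, forged_manifest_server()))  # rejected:manifest signature invalid ...
```

Two design points matter more than the primitive: the public key lives in the client, not in anything fetched, so a redirected server cannot supply its own; and `verify` rebuilds the expected encoding and compares the whole block rather than parsing the decrypted signature, which avoids the padding-parsing mistakes that have broken real verifiers.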

🔴🔵 Red Team vs Blue Team Perspectives

🔴 Red Team (Attacker) View

  • Tactic: Target the software supply chain; one breach yields many victims.
  • Technique: Side-load through a legitimately signed binary (the renamed Bitdefender executable) so application allow-listing and AV see a trusted host process.
  • Obfuscation: Encrypt shellcode and lean on little-documented components (Warbird) to hinder EDR analysis.
  • Resilience: Keep access by rotating C2 servers and shipping multiple payload variants.

🔵 Blue Team (Defender) View

  • Hunt for: Unsigned executables dropped by trusted updaters (e.g., gup.exe spawning update.exe).
  • Monitor: DLL loads from unusual paths (e.g., BluetoothService.exe loading log.dll).
  • Network: Alert on connections to the published indicators (45.76.155[.]202, 95.179.213[.]0, api.skycloudcenter[.]com).
  • Enforce: Application control – only allow signed binaries to run.
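The hunt below is an added example, not tooling from the article, Rapid7 or Kaspersky, and it covers both the infection chain in Steps 2 to 4 above and the three blue-team bullets (updater drop, side-load, C2 contact). It runs three rules over constructed events shaped like Sysmon Event IDs 1 (process create), 7 (image load) and 3 (network connect). The indicators (GUP.exe, update.exe, BluetoothService.exe, log.dll, the two IPs and the C2 domain) come from the article; the field names, the paths, the benign decoy events and the `host_signature_status` field (Sysmon EID 7 reports the loaded image's signature, not the loading process's, so treat that field as an enrichment your pipeline would have to add) are assumptions.

```python
"""Hunting the Notepad++ update-hijack chain in Sysmon-style telemetry (added example)."""
import ntpath   # handles Windows paths correctly on any platform

DROPPER_NAMES = {"update.exe", "install.exe", "autoupdater.exe"}   # from the article
IOC_IPS = {"45.76.155.202", "95.179.213.0"}                         # from the article
IOC_HOSTS = {"api.skycloudcenter.com"}                              # from the article
# Directories where a DLL sitting next to a signed EXE is expected and benign.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def detect_updater_drop(ev):
    """EID 1: a child of the Notepad++ updater that is unsigned or carries a dropper name."""
    if ntpath.basename(ev["parent_image"].lower()) != "gup.exe":
        return None
    child = ntpath.basename(ev["image"].lower())
    status = ev.get("signature_status", "Unsigned")
    if status != "Valid" or child in DROPPER_NAMES:
        return f"updater-drop: gup.exe spawned {ev['image']} ({status})"
    return None


def detect_sideload(ev):
    """EID 7: a signed EXE loads an unsigned DLL from its own, non-system directory."""
    exe, dll = ev["image"], ev["image_loaded"]
    same_dir = ntpath.dirname(exe.lower()) == ntpath.dirname(dll.lower())
    if (same_dir and not dll.lower().startswith(TRUSTED_ROOTS)
            and ev.get("host_signature_status") == "Valid"
            and ev.get("signature_status") != "Valid"):
        return (f"sideload: {ntpath.basename(exe)} loaded unsigned "
                f"{ntpath.basename(dll)} from {ntpath.dirname(dll)}")
    return None


def detect_c2(ev):
    """EID 3: any process talking to the published C2 indicators."""
    if ev.get("dest_ip") in IOC_IPS or ev.get("dest_host", "").lower() in IOC_HOSTS:
        return f"c2: {ntpath.basename(ev['image'])} -> {ev.get('dest_host') or ev['dest_ip']}"
    return None


RULES = {1: detect_updater_drop, 7: detect_sideload, 3: detect_c2}


def hunt(events):
    """Run the rule for each event's ID; return the alert strings in event order."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["event_id"])
        hit = rule(ev) if rule else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: three benign decoys interleaved with the chain.
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe",
     "signature_status": "Valid"},                                    # genuine update
    {"event_id": 1, "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "signature_status": "Unsigned"},                                 # Step 2 dropper
    {"event_id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\bthserv.dll",
     "host_signature_status": "Valid", "signature_status": "Valid"},  # benign
    {"event_id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\BluetoothService.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\log.dll",
     "host_signature_status": "Valid", "signature_status": "Unsigned"},  # Step 3
    {"event_id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.5", "dest_host": "www.example.com"},       # benign
    {"event_id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\BluetoothService.exe",
     "dest_ip": "45.76.155.202", "dest_host": "api.skycloudcenter.com"},  # Step 4
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The side-load rule is the one worth keeping after the IOCs go stale: it keys on behaviour (signed host, unsigned DLL, same user-writable directory) rather than on the names log.dll or BluetoothService.exe, so the genuine installer spawned by GUP.exe and the system service loading its own DLL stay silent while the renamed Bitdefender binary fires.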

📊 Visual Attack Breakdown

Below is a simplified diagram of the Notepad++ supply chain infection chain. The visual shows how update traffic was hijacked and the subsequent DLL side-loading.

Figure 1: Notepad++ supply chain attack diagram showing update request redirection, malicious download, and DLL side-loading.
Figure 2: Notepad++ supply chain attack timeline with three variants and C2 rotation.
Figure 3: MITRE ATT&CK techniques used in the Notepad++ supply chain attack (T1195, T1574, T1027).

❓ Frequently Asked Questions

What is the Lotus Blossom hacking group?

Lotus Blossom (aka Billbug, Raspberry Typhoon) is a China-linked APT group active since at least 2012. They focus on espionage targeting government, military, and technology sectors in Southeast Asia. They frequently use DLL side-loading and public exploit code.


How do I know if my system was affected?

Indicators include an update.exe dropped by the Notepad++ updater, unexpected processes such as BluetoothService.exe running with a log.dll beside it, and network connections to 45.76.155[.]202, 95.179.213[.]0 or api.skycloudcenter[.]com. Use a memory scanner or EDR to check for Cobalt Strike beacons.


Is Notepad++ safe to use now?

Yes, provided you are on a patched build. The maintainers fixed the update verification flaw in version 8.8.9 (December 2025) and moved to a new hosting provider. Make sure you are running 8.8.9 or later and keep automatic updates enabled; if you are still on an older build, fetch the installer directly from the official site and check its digital signature before running it rather than relying on the old in-app updater.


What is Chrysalis backdoor?

Chrysalis is a custom implant that collects system info, provides remote shell, and can download additional payloads. It uses encrypted shellcode and was delivered via the malicious Notepad++ update.


Could this happen to other software?

Absolutely. Supply chain attacks are on the rise (e.g., SolarWinds, 3CX). Any software with an auto-update feature is a potential vector. That’s why defense in depth and update integrity checks are critical.


🔑 Key Takeaways

  • The Notepad++ supply chain attack was a sophisticated, multi-phase operation by Lotus Blossom using DLL side-loading and update hijacking.
  • Supply chain compromises are hard to detect because they abuse trusted relationships.
  • Code signing, integrity verification, and network monitoring are essential controls.
  • Understanding MITRE ATT&CK techniques (T1195, T1574, T1027) helps in building detection rules.
  • Always update software to the latest patched version and verify the source.

🚀 Call to Action

Now that you understand the mechanics of this attack, take action:

  • Check your Notepad++ version – Update to 8.8.9 or later immediately.
  • Review your software update pipelines – Do you verify signatures? Do you monitor update traffic?
  • Share this knowledge with your team to raise awareness about supply chain risks.
  • Explore our other guides on DLL side-loading detection and supply chain security best practices.

© Cyber Pulse Academy. This content is provided for educational purposes only.

Always consult with security professionals for organization-specific guidance.
