Researchers map Notepad++ supply-chain compromise delivering Chrysalis backdoor
Picus Security, Unit 42 and Rapid7 traced a June–December 2025 compromise that pushed a Chrysalis backdoor via Notepad++ updates, exploiting CVE-2025-15556.

Picus Security, Unit 42 and Rapid7 reported that a targeted supply-chain campaign hijacked Notepad++ update infrastructure between June and December 2025 and delivered a previously undocumented backdoor named Chrysalis to selected targets. Vendors say the attack exploited a flaw in the Notepad++ updater, CVE-2025-15556, enabling attackers to force malicious installers onto users’ machines via the update mechanism.
The technical root was simple but consequential. Cyber Intel Brief summarized the vulnerability succinctly: "Because the updater did not verify the digital signatures of downloaded metadata or installers, an attacker with network or infrastructure access could force the application to execute a malicious installer with the user’s privileges." Notepad++’s WinGUp updater in versions prior to 8.8.9 lacked signature checks, and the project patched that behavior with an update released in December 2025. Notepad++ later recommended users download and run a manual installer for version 8.9.1 to ensure the security enhancement was applied.
Analysts traced a sequence of actions that began with an initial breach of the shared hosting provider for notepad-plus-plus.org in June 2025. Between July and October, attackers selectively redirected update traffic to malicious hosts and rotated command-and-control domains and loaders to evade detection. A maintenance event on September 2 temporarily removed direct server access but did not stop the campaign, as the adversary continued to operate with stolen credentials. Public reporting and vendor debriefs rolled out through February and March 2026 as researchers reconciled overlapping findings.
Unit 42 provided the most detailed forensic picture of the delivery chains. Investigators observed multiple parallel infection chains that delivered Chrysalis alongside Cobalt Strike beacons and Metasploit-based shellcode loaders. Techniques included DLL side-loading, a Bluetooth DLL side-loading variant, in-memory loaders compiled with Tiny C Compiler, and a loader abusing Microsoft’s Warbird protection framework. Unit 42 also reported a Lua script injection variant that used the EnumWindowStationsW API and noted that beacons often occurred seconds after victims downloaded a file named update.exe from hostile servers such as 45.76.155[.]202/update/update.exe and 45.32.144[.]255/update/update.exe.
Attribution converged on a state-aligned operator commonly called Lotus Blossom, known under aliases including LOTUS PANDA and Spring Dragon. Rapid7 said it was the first to publish that linkage and assessed its attribution with "moderate confidence." Rapid7 also stressed that investigators found no evidence the Notepad++ application source code or development process was altered, writing in its analysis that "There is no evidence that the application’s source code or core development process was compromised."
The campaign appears espionage-focused and surgical, aimed at high-value targets such as developers and system administrators with privileged network access. Picus Security identified infected or targeted systems in Vietnam, El Salvador, Australia and the Philippines across government, financial and IT sectors, while Unit 42 expanded that footprint to include South America, the U.S., Europe and additional industries including cloud hosting, energy and manufacturing.
Notepad++ migrated its website to a new hosting provider and pushed the signature verification patch. Vendors recommend organizations verify that clients are running patched versions, manually install the secure updater if needed, and hunt for indicators such as unexpected executions of update.exe, the listed IPs and C2-like outbound connections immediately following update activity. Open questions remain about the total number of victims, the full set of C2 infrastructure used and whether any named organizations were specifically targeted.
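The hunting guidance above can be turned into a small, repeatable check over endpoint telemetry. The following Python script is an added example written for this article; it is not code from any of the vendors cited. It implements the three hunts the vendors recommend: executions of a file named update.exe, connections to the two published IPs, and outbound connections from the same host within a short window after an update.exe launch. The log lines are constructed samples in a simplified key=value form, the file paths (including the GUP.exe updater location) and the allowlisted update-server address are assumptions, and the 60-second window is a tunable guess rather than a value from the reporting.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Indicators named in the published reporting (defanged in the article, undefanged here for matching).
KNOWN_BAD_IPS = {"45.76.155.202", "45.32.144.255"}

# Assumed allowlist of legitimate update destinations for your environment. This is a placeholder
# value; replace it with the addresses your own clients actually resolve for the update server.
ALLOWED_DST = {"198.51.100.10"}

# "Immediately following update activity": how long after an update.exe launch a new outbound
# connection from the same host is treated as suspicious. Assumed value; tune to your telemetry.
BEACON_WINDOW = timedelta(seconds=60)

# Constructed sample telemetry (not from the article): Sysmon-like process-create and
# network-connect records flattened to one key=value line each. Paths are assumed.
SAMPLE_EVENTS = [
    r'2025-09-14T10:02:09Z host=ws01 type=network image="C:\Program Files\Notepad++\updater\GUP.exe" dst=45.76.155.202 dport=80',
    r'2025-09-14T10:02:11Z host=ws01 type=process image="C:\Users\alice\AppData\Local\Temp\update.exe" parent="C:\Program Files\Notepad++\updater\GUP.exe"',
    r'2025-09-14T10:02:15Z host=ws01 type=network image="C:\Users\alice\AppData\Local\Temp\update.exe" dst=203.0.113.40 dport=443',
    r'2025-09-14T10:05:00Z host=ws02 type=process image="C:\Program Files\Notepad++\updater\GUP.exe" parent="C:\Program Files\Notepad++\notepad++.exe"',
    r'2025-09-14T10:05:02Z host=ws02 type=network image="C:\Program Files\Notepad++\updater\GUP.exe" dst=198.51.100.10 dport=443',
    r'2025-09-14T11:00:00Z host=ws03 type=process image="C:\Windows\System32\svchost.exe" parent="C:\Windows\System32\services.exe"',
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) type=(?P<kind>\w+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # values may be quoted (paths with spaces) or bare


def parse_event(line):
    """Parse one key=value log line into a dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "kind": m.group("kind"),
    }
    ev.update({k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group("rest"))})
    return ev


def hunt(lines):
    """Run the three hunts over raw log lines and return a list of findings.

    Events are processed in timestamp order so that the beacon window for a host
    is evaluated against the most recent update.exe launch seen before each connection.
    """
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["ts"])
    last_update_exec = {}  # host -> timestamp of the most recent update.exe launch
    findings = []
    for ev in events:
        image = ntpath.basename(ev.get("image", "")).lower()  # ntpath handles Windows paths on any OS
        if ev["kind"] == "process" and image == "update.exe":
            last_update_exec[ev["host"]] = ev["ts"]
            findings.append({"kind": "update_exe_exec", "host": ev["host"], "ts": ev["ts"],
                             "image": ev.get("image"), "parent": ev.get("parent")})
        elif ev["kind"] == "network":
            dst = ev.get("dst", "")
            if dst in KNOWN_BAD_IPS:
                findings.append({"kind": "known_bad_ip", "host": ev["host"], "ts": ev["ts"],
                                 "dst": dst, "image": ev.get("image")})
            started = last_update_exec.get(ev["host"])
            if started is not None and timedelta(0) <= ev["ts"] - started <= BEACON_WINDOW \
                    and dst not in ALLOWED_DST:
                findings.append({"kind": "post_update_beacon", "host": ev["host"], "ts": ev["ts"],
                                 "dst": dst, "image": ev.get("image"),
                                 "seconds_after_launch": int((ev["ts"] - started).total_seconds())})
    return findings


def summarize(findings):
    """Count findings by kind, useful as a quick triage view or for a dashboard tile."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f["ts"].isoformat(), f["host"], f["kind"], f.get("dst") or f.get("image"))
    print(summarize(results))
```

Run against real data, the known-IP hunt is the cheapest and most precise, while the post-launch beacon hunt is the one that needs tuning: legitimate installers also make outbound connections, so the allowlist and the window size decide how noisy it is. The update.exe execution hunt is worth keeping even where it fires on benign software, since a parent of GUP.exe combined with a user-writable temp path is exactly the shape the reporting describes.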