Trusted Software Weaponized
Notepad++ — one of the most widely used text editors with over 50 million downloads — has released an emergency v8.9.2 update with a "double lock" security fix. A China-linked APT group hijacked the update mechanism from June through December 2025, deploying backdoors to targeted organizations worldwide.
Attack Overview
| Field | Details |
|---|---|
| Target Software | Notepad++ (all versions prior to v8.9.2) |
| Attack Window | June 2025 — December 2025 (~6 months) |
| Method | Update mechanism hijack via hosting provider compromise |
| Payload | Chrysalis backdoor |
| Targets | Finance, telecom, government, critical infrastructure |
| Regions | Southeast Asia, South America, United States, Europe |
How the Supply Chain Was Compromised
The attackers did not compromise Notepad++ source code or its GitHub repository. Instead, they intercepted the update delivery pipeline:
1. Hosting Provider Compromise
└─ Attackers gained access to the hosting provider that served the update files
2. Update Interception
└─ Modified update packages in transit for targeted IP ranges
3. Selective Targeting
└─ Only delivered malicious updates to matching target profiles
4. Chrysalis Deployment
└─ Backdoor installed silently alongside legitimate update
5. C2 Rotation
└─ Servers, downloaders, and payloads constantly rotated

The selective targeting made the attack extremely difficult to detect — the vast majority of users received legitimate updates.
Attribution: Disputed but China-Linked
| Analyst | Attribution | Reasoning |
|---|---|---|
| Kevin Beaumont | Violet Typhoon (APT31/Zirconium) | Infrastructure overlap with known APT31 C2 servers |
| Rapid7 Research | Lotus Blossom (Spring Dragon) | Chrysalis backdoor code similarities to known Lotus Blossom tooling |
Chrysalis Backdoor Capabilities
- Encrypted C2 communications using custom protocol over HTTPS
- File exfiltration with automated staging and compression
- Credential harvesting from browsers and password managers
- Keylogging with application-aware context capture
- Screenshot capture triggered by specific application windows
- Lateral movement tools for internal network reconnaissance
Targeted Sectors
| Sector | Percentage of Known Victims |
|---|---|
| Financial Services | 35% |
| Telecommunications | 25% |
| Government Agencies | 20% |
| Critical Infrastructure | 15% |
| Other | 5% |
The "Double Lock" Fix
Notepad++ v8.9.2 implements two new security mechanisms:
- Code-signed update verification — All update packages cryptographically signed with a new dedicated signing key
- Pinned certificate validation — Update client pins the expected TLS certificate of the update server, so an intermediary presenting a different certificate is rejected even if a hosting provider is compromised
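The attack chain described above (package swapped in the hosting path, delivered only to selected targets) and the two locks that close it, as an added Go example. This is not Notepad++'s updater code and not from any of the cited reports; the host name update.vendor.example, the deterministic key seeds, the package bytes and the choice of an SPKI SHA-256 pin with an Ed25519 release signature are assumptions made for the demo. Lock 1 compares the server certificate's SubjectPublicKeyInfo hash against the pinned value; lock 2 verifies a signature made with a release key that never sits on the update host:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrPinMismatch = errors.New("lock 1: server certificate does not match the pinned SPKI hash")
var ErrBadSignature = errors.New("lock 2: package signature does not verify under the release key")

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)) of a DER certificate: the value the client hardcodes for its update host.
func SPKIPin(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// SignPackage is the offline release step; the signing key never lives on the update host.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	d := sha256.Sum256(pkg)
	return ed25519.Sign(priv, d[:])
}

// VerifyUpdate is the client-side double lock: both checks must pass before anything is installed.
func VerifyUpdate(serverCertDER []byte, pin string, releasePub ed25519.PublicKey, pkg, sig []byte) error {
	got, err := SPKIPin(serverCertDER)
	if err != nil {
		return fmt.Errorf("parse server certificate: %w", err)
	}
	if got != pin {
		return ErrPinMismatch
	}
	d := sha256.Sum256(pkg)
	if !ed25519.Verify(releasePub, d[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// demoKey derives a deterministic throwaway key; real release keys come from an HSM or a CSPRNG.
func demoKey(seed byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
}

// selfSignedCert mints a throwaway certificate so the example runs offline.
func selfSignedCert(name string, seed byte) []byte {
	priv := demoKey(seed)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return der
}

// Scenario: the real update host, the vendor's signed package, and an attacker in the hosting
// path who swaps in a backdoored package signed with a key of their own. All bytes are constructed.
type Scenario struct {
	GoodCert, EvilCert, Pkg, Sig, Backdoored, BackdooredSig []byte
	Pin                                                      string
	ReleasePub                                               ed25519.PublicKey
}

func BuildScenario() *Scenario {
	goodCert := selfSignedCert("update.vendor.example", 1)
	pin, err := SPKIPin(goodCert)
	if err != nil {
		panic(err)
	}
	relPriv, atkPriv := demoKey(2), demoKey(3)
	pkg := []byte("npp.8.9.2.Installer.exe (constructed stand-in bytes)")
	bad := append(append([]byte{}, pkg...), "+loader"...)
	return &Scenario{
		GoodCert: goodCert, EvilCert: selfSignedCert("update.vendor.example", 4), Pin: pin,
		ReleasePub: relPriv.Public().(ed25519.PublicKey), Pkg: pkg, Sig: SignPackage(relPriv, pkg),
		Backdoored: bad, BackdooredSig: SignPackage(atkPriv, bad),
	}
}

func main() {
	s := BuildScenario()
	fmt.Println("genuine package, pinned host:", VerifyUpdate(s.GoodCert, s.Pin, s.ReleasePub, s.Pkg, s.Sig))
	fmt.Println("swapped package, attacker-signed:", VerifyUpdate(s.GoodCert, s.Pin, s.ReleasePub, s.Backdoored, s.BackdooredSig))
	fmt.Println("genuine package, attacker's certificate:", VerifyUpdate(s.EvilCert, s.Pin, s.ReleasePub, s.Pkg, s.Sig))
}
```

Two caveats follow from the code. The pin only stops an intermediary that cannot present the pinned certificate; if a compromised hosting provider terminates TLS with the real server key, lock 1 passes and lock 2 is the only thing between the swapped package and the installer, which is why the release key must live outside the hosting provider, and why a checksum published on the same host would not have helped (whoever rewrites the package rewrites the checksum). Pinning a leaf key also means the client must ship a new pin, or a pin set, before the server certificate is rotated, or every client loses the ability to update.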
Defensive Recommendations
- Update to Notepad++ v8.9.2 immediately
- Scan for Chrysalis indicators — Check endpoints that pulled Notepad++ updates between June and December 2025
- Review network logs — Look for connections to known Chrysalis C2 infrastructure
- Audit all third-party update mechanisms in your environment
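The second and third recommendations turned into a triage pass over proxy logs, as an added Go example that is not from the page or from any of its sources. The log format, the updater request path (/update/... on notepad-plus-plus.org) and the C2 names (placeholders under the reserved .invalid TLD) are assumptions: the page publishes no indicators, so the C2 list has to come from the vendor and Kaspersky reports. The correlation is the point: every host that pulled an update during the window is exposed, but most received a clean file, so exposure plus a later C2 contact is what sorts to the top.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Attack window as stated in the advisory.
var WindowStart = time.Date(2025, time.June, 1, 0, 0, 0, 0, time.UTC)
var WindowEnd = time.Date(2025, time.December, 31, 23, 59, 59, 0, time.UTC)

// UpdateHost is the vendor's update domain. C2Hosts are PLACEHOLDERS (.invalid TLD): the page
// publishes no indicators, so substitute the list from the vendor and Kaspersky reports.
const UpdateHost = "notepad-plus-plus.org"
var C2Hosts = map[string]bool{"sync-cdn.invalid": true, "telemetry-api.invalid": true}

// SampleLog is a constructed proxy log: "<RFC3339 time> <client> <method> <url> <status>".
const SampleLog = `2025-05-20T09:12:01Z ws-101 GET https://notepad-plus-plus.org/update/getDownloadUrl.php 200
2025-07-03T14:02:11Z ws-101 GET https://notepad-plus-plus.org/update/getDownloadUrl.php 200
2025-07-03T14:09:45Z ws-101 POST https://sync-cdn.invalid/api/v1/beacon 200
2025-08-19T10:31:00Z ws-202 GET https://notepad-plus-plus.org/update/getDownloadUrl.php 200
2025-11-02T08:00:30Z ws-303 GET https://github.com/notepad-plus-plus/notepad-plus-plus/releases 200
2026-01-15T16:45:12Z ws-404 GET https://notepad-plus-plus.org/update/getDownloadUrl.php 200
2025-09-10T11:00:00Z ws-505 POST https://telemetry-api.invalid/ping 404`

// Finding: Priority 1 = update fetched in the window AND C2 contact; 2 = update in window only; 3 = C2 only.
type Finding struct {
	Host                    string
	UpdateFetches, Priority int
	C2Contacts              []string
}

// Triage parses the log and returns one Finding per host of interest, highest priority first.
func Triage(log string) ([]Finding, error) {
	byHost := map[string]*Finding{}
	get := func(h string) *Finding {
		if byHost[h] == nil {
			byHost[h] = &Finding{Host: h}
		}
		return byHost[h]
	}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue // blank or truncated line
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", f[0], err)
		}
		u, err := url.Parse(f[3])
		if err != nil {
			return nil, fmt.Errorf("bad url %q: %w", f[3], err)
		}
		dst := u.Hostname()
		// Exposure: an updater request (path assumed) to the vendor host inside the window.
		if (dst == UpdateHost || strings.HasSuffix(dst, "."+UpdateHost)) &&
			strings.Contains(u.Path, "/update") && !ts.Before(WindowStart) && !ts.After(WindowEnd) {
			get(f[1]).UpdateFetches++
		}
		if C2Hosts[dst] { // post-compromise signal, counted whatever the response status
			fd := get(f[1])
			fd.C2Contacts = append(fd.C2Contacts, dst)
		}
	}
	var out []Finding
	for _, fd := range byHost {
		switch {
		case fd.UpdateFetches > 0 && len(fd.C2Contacts) > 0:
			fd.Priority = 1
		case fd.UpdateFetches > 0:
			fd.Priority = 2
		default:
			fd.Priority = 3
		}
		out = append(out, *fd)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Priority != out[j].Priority {
			return out[i].Priority < out[j].Priority
		}
		return out[i].Host < out[j].Host
	})
	return out, nil
}

func main() {
	findings, err := Triage(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", findings)
}
```

On the constructed log this yields three findings: ws-101 (update in July, then a beacon to a placeholder C2 name) at priority 1, ws-202 (update in August, nothing else) at priority 2, and ws-505 (C2 contact, no update seen) at priority 3; ws-303 only touched GitHub and ws-404 updated in January 2026, outside the window, so neither appears. Hosts at priority 2 still need an endpoint scan for the Chrysalis indicators, since a proxy log only shows what beaconed through the proxy.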
Sources
- Kaspersky Securelist — Chrysalis: Supply Chain Attack via Notepad++ Update Mechanism
- Dark Reading — Chinese Hackers Hijack Notepad++ Updates for Six Months
- The Hacker News — Notepad++ Official Update Mechanism Hijacked
- Help Net Security — Notepad++ Supply Chain Attack IOCs and Targets