Executive Summary
Rapid7 has attributed a six-month supply chain compromise of Notepad++ to the China-linked APT group Lotus Blossom. From June to December 2025, the attackers hijacked the Notepad++ hosting provider and selectively redirected update requests to deliver a previously undocumented backdoor called Chrysalis.
The attack targeted government organizations, IT service providers, and other entities in Vietnam, El Salvador, Australia, and the Philippines. The vulnerability has been patched in Notepad++ v8.8.9.
Attack Chain
How the Supply Chain Was Compromised
1. Lotus Blossom compromises Notepad++ hosting infrastructure
2. Attacker monitors incoming update requests via GUP.exe
3. Targeted requests selectively redirected to malicious server (95.179.213[.]0)
4. Malicious update.exe delivered via NSIS installer
5. Chrysalis backdoor installed alongside legitimate Notepad++ update
6. Backdoor contacts C2: api.skycloudcenter[.]com
7. Additional modules and commands received
Key Technical Details
| Component | Details |
|---|---|
| Attack vector | Compromised hosting provider, hijacked update mechanism |
| Delivery | GUP.exe (Notepad++ updater) downloads malicious update.exe |
| Installer | NSIS-based installer bundles Chrysalis with legitimate update |
| Persistence | Installed alongside Notepad++ in standard application directory |
| C2 server | api.skycloudcenter[.]com |
| Attacker IP | 95.179.213[.]0 |
| Duration | June – December 2, 2025 (approximately 6 months) |
| Fix | Notepad++ v8.8.9 |
Why This Attack Was Effective
The Notepad++ updater (GUP.exe) is a legitimate, signed component that runs automatically. By compromising the hosting infrastructure rather than the software itself, the attackers:
- Bypassed code signing verification (the installer was served from the legitimate update path)
- Avoided modifying the Notepad++ source code or binaries
- Could selectively target specific victims based on IP address or other request metadata
- Maintained the attack for six months without detection
The Chrysalis Backdoor
Capabilities
| Feature | Description |
|---|---|
| System reconnaissance | Collects hostname, OS version, user context, network configuration |
| Command execution | Receives and executes commands from C2 server |
| File operations | Upload, download, and manipulate files on target systems |
| Plugin system | Modular architecture for loading additional capabilities |
| Persistence | Survives reboots via standard application directory placement |
| Stealth | Masquerades as legitimate Notepad++ component |
Communication Pattern
Chrysalis uses HTTPS to communicate with its C2 server, blending with normal web traffic. The initial beacon includes system fingerprint data; subsequent communications use an encrypted command-and-response protocol.
Indicators of Compromise
Network Indicators
| Indicator | Type | Description |
|---|---|---|
| api.skycloudcenter[.]com | Domain | Primary C2 server |
| 95.179.213[.]0 | IP Address | Malicious update distribution server |
File System Indicators
- Unexpected files in Notepad++ installation directory
- Modified timestamps on GUP.exe update configuration
- NSIS installer artifacts in temporary directories
- Chrysalis DLL in application directory
Detection Recommendations
- Check Notepad++ version — Any version below 8.8.9 should be updated immediately
- Review DNS logs for queries to api.skycloudcenter[.]com
- Check network logs for connections to 95.179.213[.]0
- Scan for NSIS installer artifacts in temp directories from June–December 2025
- Review Notepad++ installation directories for unexpected DLLs or executables
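The checks above can be scripted. The following is an added example, not code from the page or from the Rapid7 report: it compares a Notepad++ version string against the fixed release, scans DNS and proxy log lines for the two network indicators listed above, and lists binaries in an installation directory that are absent from a known-good baseline. The log line formats, the sample log lines, and the baseline file list are constructed assumptions; only the two IoCs and the fixed version number come from the page.

```python
"""Added example (not from the page or the Rapid7 report): version check,
IoC scan over log lines, and baseline comparison of an install directory.
Log formats, sample lines and the baseline list are constructed assumptions."""
import re
from typing import Iterable, List, Set, Tuple

# IoCs exactly as listed on the page (defanged); refang() restores the dots.
C2_DOMAIN_DEFANGED = "api.skycloudcenter[.]com"
DISTRIBUTION_IP_DEFANGED = "95.179.213[.]0"
FIXED_VERSION = (8, 8, 9)  # Notepad++ v8.8.9 (from the page)


def refang(ioc: str) -> str:
    """Turn the defanged form used in reports back into a matchable string."""
    return ioc.replace("[.]", ".")


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)
DISTRIBUTION_IP = refang(DISTRIBUTION_IP_DEFANGED)

# Domain: case-insensitive, may carry a trailing dot in DNS logs, and subdomains
# count, but a longer label that merely contains the name does not.
_DOMAIN_RE = re.compile(r"(?<![\w-])" + re.escape(C2_DOMAIN) + r"(?![\w-])", re.IGNORECASE)
# IP: must not be a substring of a longer address such as 195.179.213.0 or 95.179.213.01.
_IP_RE = re.compile(r"(?<!\d)" + re.escape(DISTRIBUTION_IP) + r"(?!\d)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract an x.y.z version from strings such as 'Notepad++ v8.8.7'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def needs_update(version_text: str) -> bool:
    """True when the installed version is below the fixed release (numeric, not lexical)."""
    return parse_version(version_text) < FIXED_VERSION


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, indicator, line) for each line that mentions an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        if _DOMAIN_RE.search(line):
            hits.append((n, C2_DOMAIN_DEFANGED, line))
        elif _IP_RE.search(line):
            hits.append((n, DISTRIBUTION_IP_DEFANGED, line))
    return hits


def unexpected_binaries(listing: Iterable[str], baseline: Set[str]) -> List[str]:
    """DLLs/EXEs in the install directory listing that are not in the baseline."""
    base = {name.lower() for name in baseline}
    return sorted(n for n in listing
                  if n.lower().endswith((".dll", ".exe")) and n.lower() not in base)


# Constructed sample data, not real telemetry. Line 3 is a deliberate near-miss.
SAMPLE_LOG_LINES = [
    "2025-09-14T08:02:11Z dns host=DEV-WS-17 qname=api.skycloudcenter.com. qtype=A",
    "2025-09-14T08:02:12Z proxy host=DEV-WS-17 dst=95.179.213.0:443 method=GET path=/update.exe",
    "2025-09-14T08:03:40Z proxy host=DEV-WS-22 dst=195.179.213.0:443 method=GET path=/index.html",
    "2025-09-14T08:05:00Z dns host=DEV-WS-22 qname=notepad-plus-plus.org. qtype=A",
]
# Placeholder baseline: build the real one from a clean install of the fixed version.
BASELINE_BINARIES = {"notepad++.exe", "gup.exe"}

if __name__ == "__main__":
    print("needs update:", needs_update("Notepad++ v8.8.7"))
    for line_no, ioc, line in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {line_no}: {ioc} :: {line}")
    print(unexpected_binaries(["notepad++.exe", "GUP.exe", "helper.dll", "readme.txt"],
                              BASELINE_BINARIES))
```

The domain and IP patterns are anchored so that a lookalike such as 195.179.213.0 or a longer hostname containing the C2 name is not reported, and the version comparison is numeric so that 8.10.0 is correctly treated as newer than 8.8.9.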
Who Is Lotus Blossom?
Lotus Blossom (also tracked as Spring Dragon, Thrip, Billbug) is a China-linked APT group active since at least 2009. The group primarily targets government, telecommunications, aviation, and media organizations in Southeast Asia.
Historical Campaigns
| Year | Target | Method |
|---|---|---|
| 2009-2015 | Southeast Asian governments | Spear-phishing with custom RATs |
| 2016-2018 | Telecom and aviation | Elise and Evora backdoors |
| 2019-2022 | Certificate authorities, government | Living-off-the-land techniques |
| 2023-2024 | Government and defense | Custom implants targeting edge devices |
| 2025-2026 | Notepad++ supply chain | Chrysalis backdoor via hijacked updates |
Lessons for Supply Chain Security
Why Developer Tools Are High-Value Targets
Notepad++ is one of the most widely used text editors, particularly popular among:
- Software developers who have access to source code and deployment systems
- System administrators who edit configuration files on production servers
- IT professionals who handle sensitive infrastructure documentation
Compromising a developer tool provides access to users who typically have elevated privileges and access to sensitive systems.
Mitigation Strategies
- Pin software versions and validate update integrity via out-of-band checksums
- Monitor update traffic for unexpected redirects or unfamiliar distribution servers
- Use application allowlisting to prevent unauthorized executables from running
- Segment developer workstations from production infrastructure
- Deploy EDR with behavioral detection for post-exploitation activity
- Subscribe to vendor security advisories for critical development tools
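The first two mitigations above address the weakness described under "Why This Attack Was Effective": an updater that trusts whatever download location the update server returns will install a backdoored installer served from a hijacked path, signed updater or not. The following is an added example, not code from Notepad++, GUP or the Rapid7 report, of an installation gate that applies both controls: the approved version and the installer's SHA-256 are pinned from an out-of-band source, and the download must come from an allowlisted host both as advertised and after any redirect. The allowlist host, the manifest shape, the payloads and the hashes are constructed placeholders; the attacker IP in the hijacked scenario is the distribution server reported on the page.

```python
"""Added example (not Notepad++/GUP/Rapid7 code): an update installation gate
that pins version and SHA-256 out of band and rejects redirected downloads.
Hosts, manifest shape, payloads and hashes are constructed assumptions."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List
from urllib.parse import urlparse

# Placeholder allowlist. In practice this is maintained by the defender from the
# vendor's published distribution hosts, never fetched from the update server,
# because the update server is the channel that was hijacked.
ALLOWED_DOWNLOAD_HOSTS: FrozenSet[str] = frozenset({"downloads.vendor.example"})


@dataclass(frozen=True)
class UpdateOffer:
    """What the update server claims: the version available and where to fetch it."""
    version: str
    download_url: str


@dataclass(frozen=True)
class PinnedRelease:
    """What the defender recorded out of band (release notes, a second mirror)."""
    version: str
    sha256_hex: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _host_ok(url: str, allowed: FrozenSet[str]) -> bool:
    """HTTPS only, and the host must be on the allowlist."""
    p = urlparse(url)
    return p.scheme == "https" and (p.hostname or "").lower() in allowed


def evaluate_update(offer: UpdateOffer, final_url: str, payload: bytes,
                    pinned: PinnedRelease,
                    allowed: FrozenSet[str] = ALLOWED_DOWNLOAD_HOSTS) -> List[str]:
    """Return the reasons to refuse installation; an empty list means install.

    final_url is where the bytes actually came from after redirects. A hijacked
    update path can leave the advertised URL looking normal while the request
    is answered from elsewhere, so both URLs are checked."""
    reasons = []
    if offer.version != pinned.version:
        reasons.append(f"offered version {offer.version} is not the pinned {pinned.version}")
    if not _host_ok(offer.download_url, allowed):
        reasons.append(f"advertised download URL not on allowlist: {offer.download_url}")
    if not _host_ok(final_url, allowed):
        reasons.append(f"download was served from a non-allowlisted host: {final_url}")
    digest = sha256_hex(payload)
    if digest != pinned.sha256_hex.lower():
        reasons.append(f"sha256 mismatch: got {digest[:16]}..., pinned {pinned.sha256_hex[:16]}...")
    return reasons


# Constructed sample data, not real installers or hashes. The pinned hash is
# computed here only to build the sample; in use it comes from outside the update channel.
GOOD_PAYLOAD = b"constructed stand-in for the legitimate installer"
TAMPERED_PAYLOAD = b"constructed stand-in for an installer with a backdoor bundled in"
PINNED = PinnedRelease(version="8.8.9", sha256_hex=sha256_hex(GOOD_PAYLOAD))
OFFER = UpdateOffer(version="8.8.9",
                    download_url="https://downloads.vendor.example/npp.8.8.9.Installer.exe")


def legitimate_case() -> List[str]:
    return evaluate_update(OFFER, OFFER.download_url, GOOD_PAYLOAD, PINNED)


def hijacked_case() -> List[str]:
    # Advertised URL unchanged, but the request was redirected to the attacker's
    # distribution server reported on the page and the bytes differ.
    return evaluate_update(OFFER, "https://95.179.213.0/update.exe", TAMPERED_PAYLOAD, PINNED)


if __name__ == "__main__":
    print("legitimate:", legitimate_case() or "install")
    print("hijacked:", hijacked_case())
```

The gate refuses on any single failure, so a redirect to an unfamiliar host is caught even if the attacker also managed to serve an installer whose hash matched, and a hash mismatch is caught even when the hosting path looks legitimate, which is the case this campaign relied on.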
References
- Rapid7 — Chrysalis Backdoor Analysis
- Notepad++ v8.8.9 Release Notes
- MITRE ATT&CK — Supply Chain Compromise (T1195)