Nation-State Actors Exploit Notepad++ Supply Chain
Palo Alto Networks Unit 42 (archived Mar 16, 2026)
Unit 42 reveals new infrastructure associated with the Notepad++ attack, expanding understanding of the threat actor's operations and malware delivery.
Executive Summary
Between June and December 2025, the hosting infrastructure of the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom. The attackers breached the environment of the project's shared hosting provider.
This let them intercept and redirect traffic destined for the Notepad++ update server, and that infrastructure-level position let them choose which users to target. The targets were primarily located in Southeast Asia, across the government, telecommunications and critical infrastructure sectors. Those targets were served malicious update manifests instead of legitimate software updates.
We have identified additional, previously unreported infrastructure linked to this campaign. We observed two infection chains: a Lua script injection variant that delivered Cobalt Strike Beacon, and DLL side-loading that delivered the Chrysalis backdoor. Unit 42 also found that this activity targets more sectors and regions than previously reported.
This campaign also affected the following sectors in South America, the U.S., Europe and Southeast Asia:
Cloud hosting
Energy
Financial
Government
Manufacturing
Software development
Notepad++ is a lightweight, open-source code editor and Notepad replacement. It is widely favored for its speed, its extensive plugin ecosystem and its ability to handle very large files while persisting sessions that users have not yet saved.
In enterprise environments, Notepad++ often serves as a foundational instrument for system administrators, network engineers and DevOps personnel. These personnel commonly use this tool to modify server configurations, parse heavy system logs and audit code on secure jump boxes where heavier applications are impractical.
This specific user demographic makes Notepad++ a strategically critical target for threat actors. Compromising this single tool allows attackers to effectively bypass perimeter defenses and piggyback into the sessions of the most privileged users in the organization, gaining implicit administrative access to the network's core infrastructure.
Palo Alto Networks customers receive protections from and mitigations for the activity discussed in this article in the following ways:
Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious
Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research
Cortex Cloud helps detect and prevent the malicious operations or configuration alterations or exploitations discussed within this article
Cortex XDR and XSIAM help prevent these threats by employing the Malware Prevention Engine
Next-Generation Firewall with the Advanced Threat Prevention is designed to defend networks against both commodity threats and targeted threats
The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Related Unit 42 Topics: DLL Sideloading, Backdoors, Supply Chain, Cobalt Strike
Details of the Attack on Notepad++
This supply chain attack exploited insufficient verification controls in older versions of the Notepad++ updater, WinGUp, which allowed the threat group to redirect the updater to attacker-controlled servers.
When targeted victims attempted to update their software, they downloaded a malicious NSIS installer, often named update.exe, that started a multi-stage infection chain. One chain used DLL side-loading: a legitimate, Bitdefender-signed component (BluetoothService.exe) loaded a malicious library (log.dll) that decrypted and executed a custom backdoor. In the other chain, the NSIS installer ran a command that executed a malicious Lua script to load Cobalt Strike Beacon.
This backdoor, called Chrysalis, employed evasion techniques including:
Using Microsoft Warbird code protection framework
Custom API hashing to reduce antivirus detection
Establishing persistent remote control over infected systems
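The weakness described above (an updater that trusts whatever download location the server's manifest hands back) can be illustrated with a small manifest validator. The following Python is an added example written for this page, not WinGUp or Unit 42 code. The <GUP> element names, the host allowlist and both sample manifests are assumptions; the hijacked sample is modelled on the observed download path 45.76.155[.]202/update/update.exe. It places the permissive handling beside the checks a hardened client would apply before fetching anything.

```python
"""Added example for this page (not WinGUp or Unit 42 code): checking an update
manifest before trusting its download location.

weak_download_url() mirrors an updater that fetches whatever Location the
server returns; hardened_download_url() pins scheme, host and installer
filename and refuses IP-literal hosts. The <GUP> element names, the host
allowlist and the sample manifests are assumptions made for this example.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts a legitimate update may point at (assumption for this example).
ALLOWED_HOSTS = {"notepad-plus-plus.org", "github.com", "objects.githubusercontent.com"}
# Installer filename pattern, after the npp[\.\d]+?installer regex the page's hunts use.
INSTALLER_RE = re.compile(r"^npp[\.\d]+installer(?:\.x64|\.arm64)?\.exe$", re.I)


def parse_manifest(xml_text: str) -> dict:
    """Extract the fields an updater acts on from the manifest XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "GUP":
        raise ValueError("unexpected manifest root element %r" % root.tag)
    return {
        "needs_update": (root.findtext("NeedToBeUpdated") or "").strip().lower() == "yes",
        "version": (root.findtext("Version") or "").strip(),
        "location": (root.findtext("Location") or "").strip(),
    }


def weak_download_url(manifest: dict) -> Optional[str]:
    """Permissive behaviour: trust the Location exactly as given."""
    return manifest["location"] if manifest["needs_update"] else None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def hardened_download_url(manifest: dict) -> Tuple[Optional[str], List[str]]:
    """Return (url, reasons): url is None if any check fails, reasons says why."""
    reasons: List[str] = []
    if not manifest["needs_update"]:
        return None, reasons
    url = manifest["location"]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("scheme is %r, not https" % parts.scheme)
    if not host:
        reasons.append("no host in Location")
    elif is_ip_literal(host):
        reasons.append("IP-literal host %s" % host)
    elif host not in ALLOWED_HOSTS:
        reasons.append("host %s not in allowlist" % host)
    filename = parts.path.rsplit("/", 1)[-1]
    if not INSTALLER_RE.match(filename):
        reasons.append("filename %r does not look like an installer" % filename)
    return (url if not reasons else None), reasons


# Constructed manifests. The hijacked one is modelled on the observed path
# 45.76.155[.]202/update/update.exe, written undefanged here so it parses.
LEGIT_MANIFEST = """<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.9.1</Version>
  <Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.9.1/npp.8.9.1.Installer.x64.exe</Location>
</GUP>"""

HIJACKED_MANIFEST = """<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.8</Version>
  <Location>http://45.76.155.202/update/update.exe</Location>
</GUP>"""

if __name__ == "__main__":
    for name, text in (("legit", LEGIT_MANIFEST), ("hijacked", HIJACKED_MANIFEST)):
        m = parse_manifest(text)
        url, why = hardened_download_url(m)
        print(name, "weak ->", weak_download_url(m))
        print(name, "hardened ->", url, why)
```

The hardened path rejects the hijacked manifest for three independent reasons (plain HTTP, an IP-literal host, and a filename that is not an installer), which is the point: a single pinned check would have been enough, and the permissive updater applied none of them. None of this replaces signature verification of the installer and the manifest, which is what later Notepad++ versions add; it is the cheap pre-check that goes in front of it.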
Additional Exploitation Activity in This Campaign
Unit 42 observed evidence of two separate attack sequences:
One in which a malicious NSIS installer drops a compiled Lua script that downloads and executes a Cobalt Strike Beacon payload
One in which attackers used DLL side-loading to inject the Chrysalis backdoor into memory
We observed additional activity dating between mid-August and November 2025 that was consistent with this exploitation activity. In an August incident, we observed communication with a command-and-control (C2) IP address 45.76.155[.]202. After days of C2 beacon traffic to this IP address, attackers shifted to a second C2 server at 45.77.31[.]210, with communication lasting until September.
In cases between September and November 2025, we observed activity consistent with outbound connections to a C2 server. These were followed by subsequent download requests for update.exe that are consistent with the reported Chrysalis backdoor. In some cases, download attempts were made to an IP address, whereas others were made to domains. Successful beacons to malicious servers occurred within seconds of successful download of the malicious payload and continued for an unspecified amount of time.
In September and October 2025, we observed a Lua script injection variant deploying malicious Lua scripts to inject shellcode. The script used the EnumWindowStationsW API (a callback-based way of executing shellcode) and resulted in the delivery of Cobalt Strike Beacon. In this case, the download originated from:
45.76.155[.]202/update/update.exe
Separately, in the same case, we also observed a DLL side-loading variant that abuses the legitimate Bitdefender BluetoothService.exe to load a malicious DLL and deploy the Chrysalis backdoor. Download attempts for this variant were made from a different malicious server:
45.32.144[.]255/update/update.exe
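The sequence described in this section (a download of update.exe from an IP-literal host, followed within seconds by beacons to C2) lends itself to a simple correlation over proxy logs. The Python below is an added example, not Unit 42 code. It uses the hosts and download paths from this page's indicators, but the log format and the log lines themselves are constructed for the example, and the indicators are written undefanged so they match.

```python
"""Added example for this page (not Unit 42 code): correlating a payload
download with the C2 contact that follows it, over constructed proxy log lines.

Indicator hosts and download paths come from this page. The log format
(ISO-8601 timestamp|endpoint|process|method|url|status) and the sample lines
are assumptions for this example.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

IOC_HOSTS = {
    "skycloudcenter.com", "self-dns.it.com", "safe-dns.it.com", "cdncheck.it.com",
    "95.179.213.0", "45.76.155.202", "45.77.31.210", "61.4.102.97", "59.110.7.32",
    "45.32.144.255",
}
# Download paths seen in the campaign (update.exe, AutoUpdater.exe, Upgrade.exe).
PAYLOAD_PATH_RE = re.compile(r"^/update/(update|AutoUpdater|Upgrade)\.exe$", re.I)
# Hosts a legitimate Notepad++ update may fetch from (assumption).
UPDATE_HOSTS = {"notepad-plus-plus.org", "github.com", "objects.githubusercontent.com"}
# The page reports beacons within seconds of the download; allow some slack.
BEACON_WINDOW = timedelta(seconds=120)


def parse_line(line):
    ts, endpoint, process, method, url, status = line.strip().split("|")
    parts = urlsplit(url)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "endpoint": endpoint,
        "process": process.lower(),
        "method": method,
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "status": int(status),
    }


def classify(ev):
    """Label one request as a payload download, a contact with C2, or neither."""
    if (ev["status"] == 200 and PAYLOAD_PATH_RE.match(ev["path"])
            and ev["host"] not in UPDATE_HOSTS):
        return "payload"
    if ev["host"] in IOC_HOSTS:
        return "c2"
    return None


def correlate(lines):
    """Flag downloads and C2 contacts; tie each contact to a prior download
    from the same endpoint when it falls inside BEACON_WINDOW."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    last_download = {}  # endpoint -> timestamp of most recent payload download
    findings = []
    for ev in events:
        label = classify(ev)
        if label == "payload":
            last_download[ev["endpoint"]] = ev["ts"]
            findings.append({"kind": "payload_download", "endpoint": ev["endpoint"],
                             "host": ev["host"], "path": ev["path"], "ts": ev["ts"]})
        elif label == "c2":
            seen = last_download.get(ev["endpoint"])
            delay = (ev["ts"] - seen).total_seconds() if seen else None
            findings.append({"kind": "c2_contact", "endpoint": ev["endpoint"],
                             "host": ev["host"], "path": ev["path"], "ts": ev["ts"],
                             "delay_s": delay,
                             "follows_download": delay is not None
                             and 0 <= delay <= BEACON_WINDOW.total_seconds()})
    return findings


# Constructed log lines: one endpoint that updated through the hijacked path,
# one that fetched the real installer, and one whose only hit is a stray
# request to a listed domain with no download before it.
SAMPLE_LOG = """\
2025-09-14T10:02:03Z|WS-ADM-07|gup.exe|GET|https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.3&param=x64|200
2025-09-14T10:02:11Z|WS-ADM-07|gup.exe|GET|http://45.76.155.202/update/update.exe|200
2025-09-14T10:02:18Z|WS-ADM-07|update.exe|POST|http://45.76.155.202/|200
2025-09-14T10:03:40Z|WS-ADM-07|update.exe|POST|https://self-dns.it.com/dns-query|200
2025-09-14T11:15:00Z|WS-DEV-12|gup.exe|GET|https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.3/npp.8.8.3.Installer.x64.exe|200
2025-09-14T11:15:09Z|WS-DEV-12|firefox.exe|GET|https://www.example.com/|200
2025-09-15T08:00:00Z|WS-FIN-03|svchost.exe|GET|https://safe-dns.it.com/resolve?name=corp.example|200
"""

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f)
```

Note that the manifest request in the first line goes to the legitimate notepad-plus-plus.org domain, which is consistent with a hijack at the hosting provider: the host that hands out the manifest looks normal, and the anomaly only becomes visible at the download and in the traffic that follows it. Hunting on the payload path and IP-literal host, then on what the endpoint talks to next, is what separates the first endpoint from the one that fetched the real installer.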
Interim Guidance
Notepad++ recommends the following:
Downloading version 8.9.1, which includes the relevant security enhancement
Running the installer to update your Notepad++ manually
According to Notepad++, they have migrated their website to a new hosting provider with significantly stronger security practices.
Within Notepad++ itself, the WinGUp updater was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer.
Additionally, they also note:
The XML returned by the update server is now signed (XMLDSig)
Certificate and signature verification will be enforced starting with the upcoming version 8.9.2, which they expect to release in about a month
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any signs of misuse or anomalous activity, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to assist with their investigations or hunting.
As the majority of activity likely occurred prior to December 2, we recommend reviewing data retention limits to determine if these queries will be effective in your environment. If available in your environment, you may consider using "cold storage" queries (cold_dataset = xdr_data) to query data beyond hot retention limits. Please note that running queries against cold storage will consume compute units.
// Name: DLL sideloading via BYO application
// Description: Identifies renamed Bitdefender utility loading a log.dll file
// MITRE TTP ID: T1574.001
config case_sensitive = false
| dataset = xdr_data
| fields actor_process_signature_vendor, actor_process_signature_product, action_module_path, actor_process_image_path, actor_process_image_sha256, agent_os_type, event_type, event_id, agent_hostname, _time, actor_process_image_name
| filter event_type = ENUM.LOAD_IMAGE and agent_os_type = ENUM.AGENT_OS_WINDOWS
| filter actor_process_signature_vendor contains "Bitdefender SRL" and action_module_path contains "log.dll"
| filter actor_process_image_path not contains "Program Files\Bitdefender"
| filter not actor_process_image_name in ("eps.rmm64.exe", "downloader.exe", "installer.exe", "epconsole.exe", "EPHost.exe", "epintegrationservice.exe", "EPPowerConsole.exe", "epprotectedservice.exe", "DiscoverySrv.exe", "epsecurityservice.exe", "EPSecurityService.exe", "epupdateservice.exe", "testinitsigs.exe", "EPHost.Integrity.exe", "WatchDog.exe", "ProductAgentService.exe", "EPLowPrivilegeWorker.exe", "Product.Configuration.Tool.exe", "eps.rmm.exe")
// Name: Chrysalis Mutex
// Description: Identifies a Mutex known to be related to the chrysalis backdoor malware
// MITRE TTP ID: T1480.002
config case_sensitive = false
| dataset = xdr_data
| fields _time, agent_hostname, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, event_type, event_sub_type, action_syscall_string_params
| filter event_type = ENUM.SYSTEM_CALL and event_sub_type = ENUM.SYSTEM_CALL_NT_CREATE_MUTANT
| alter mutex = json_extract_scalar(action_syscall_string_params, "$.1")
| filter mutex = "Global\\Jdhfv_1.0.1"
// Name: GUP.exe Writing Unusual Files to Temp Folder
// Description: Detects cases where the Notepad++ updater (gup.exe) writes files to a temp folder that deviate from the normal and expected.
// MITRE TTP ID: T1036.005
config case_sensitive = false
| dataset = xdr_data
| fields _time, agent_hostname, event_type, event_sub_type, action_file_name, action_file_path, actor_effective_username, action_file_extension, action_file_previous_file_path, action_file_sha256, action_file_size, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, causality_actor_process_image_name, causality_actor_process_image_path, os_actor_primary_username, os_actor_process_command_line, os_actor_process_image_name, os_actor_process_image_path, agent_os_type
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_WRITE
| filter lowercase(actor_process_image_name) = "gup.exe" and action_file_sha256 != null
| filter lowercase(actor_process_command_line) !~= "((\\notepad\+\+(?:_?x?\d+?)??|\\nppp?[\.\d]*?(?:portable)??(?:\.x64)??).*?\\plugins|-ihttps:\/\/notepad-plus-plus\.org\/update\/getdownloadurl\.php)" and lowercase(action_file_path) ~= "(\\appdata\\local\\temp\\|\\windows\\temp)" and lowercase(action_file_name) !~= "(npp[\.\d]+?installer)"
| sort desc _time
// Name: GUP.exe Downloading Improperly Signed Installer
// MITRE TTP ID: T1036.001
config case_sensitive = false
| dataset = xdr_data
| fields _time, agent_hostname, event_type, event_sub_type, action_process_username, action_process_user_sid, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, action_process_os_pid, action_process_cwd, action_process_file_info, action_process_file_size, action_process_file_web_mark, action_process_signature_vendor, action_process_signature_product, action_process_signature_status, actor_effective_username, actor_effective_user_sid, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, actor_process_signature_product, actor_process_signature_status, causality_actor_primary_username, causality_actor_process_image_name, causality_actor_process_image_path, causality_actor_process_command_line, os_actor_primary_username, os_actor_process_image_name, os_actor_process_image_path, os_actor_process_image_command_line, os_actor_process_image_sha256, action_process_instance_id, actor_process_instance_id, causality_actor_process_instance_id, agent_os_type, agent_id
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and _product = "XDR agent" and _vendor = "PANW"
| filter lowercase(actor_process_image_name) = "gup.exe" and actor_process_signature_status not in (null, ENUM.UNSUPPORTED, ENUM.FAILED_TO_OBTAIN ) and action_process_signature_status not in (null, ENUM.UNSUPPORTED, ENUM.FAILED_TO_OBTAIN ) and action_process_image_sha256 not in ( "71431fa7b66f8132453e18e3a5f8ef0af3ca079a7793f828df06fdb5d7bd915d", "2dd5473736ef51e4340cae005e3fc8cdf0e42ec649bc6ed186484a79be409928", "a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15", "e22abc9af328d063e652f0829819124a6a748c224bc8b10f98473f87cda2c0cd", "61c3077b989e272117167c90fc35e7f06bea4f992f3395b40ccee083d7258082", "49d2531893b09cb6a8e3429ca0a734e871a2d96fa2575c0eec3229d383fa233a", "32aa12d3c9521477a5a1e086e400ec0f77f8a97a8190806a0f1953688b883cfb", "8117c82a3821965d92ee3f9f3ae10efcd602bd4b6e52a2fe957d70aafe479744", "05abc57952974d08feafa399d6fdb37945a3fd0a10f37833dd837a5788e421d5", "c6d1e5aacbf69aa18df4caf1346fd69638491a5ad0085729bae91c662d1c62bb", "e1df78704001bba1a3d343f62a1242a4484ff6ad269170714263c03b802eb0b1", "7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd" )
| filter lowercase(action_process_image_name) ~= "(npp[\.\d]+?installer)"
| dedup agent_id by desc _time
| filter action_process_signature_status != ENUM.SIGNED or lowercase(action_process_signature_vendor) != "notepad++"
| sort desc _time
// Name: GUP.exe Spawning Unusual Subprocesses
// Description: Detects cases where the Notepad++ updater (gup.exe) spawns child processes that deviate from the normal and expected.
// MITRE TTP ID: T1202
config case_sensitive = false
| dataset = xdr_data
| fields _time, agent_hostname, event_type, event_sub_type, action_process_username, action_process_user_sid, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, action_process_os_pid, action_process_cwd, action_process_file_info, action_process_file_size, action_process_file_web_mark, action_process_signature_vendor, action_process_signature_product, action_process_signature_status, actor_effective_username, actor_effective_user_sid, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, actor_process_signature_product, actor_process_signature_status, causality_actor_primary_username, causality_actor_process_image_name, causality_actor_process_image_path, causality_actor_process_command_line, os_actor_primary_username, os_actor_process_image_name, os_actor_process_image_path, os_actor_process_image_command_line, os_actor_process_image_sha256, action_process_instance_id, actor_process_instance_id, causality_actor_process_instance_id, agent_os_type, agent_id
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter lowercase(actor_process_image_name) = "gup.exe"
| filter lowercase(action_process_image_name) !~= "(npp[\.\d]+?installer|consent\.exe|explorer\.exe|werfault\.exe|smartscreen\.exe|adminbyrequest\.exe|openwith\.exe)" and lowercase(action_process_image_command_line) !~= "(https:\/\/notepad-plus-plus\.org\/|https:\/\/npp-user-manual\.org\/)" and lowercase(actor_process_command_line) !~= "(\\notepad\+\+\\plugins|https:\/\/notepad-plus-plus\.org\/)"
| sort desc _time
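For environments without Cortex XDR, the two gup.exe process hunts above ("Downloading Improperly Signed Installer" and "Spawning Unusual Subprocesses") can be re-expressed over Sysmon Event ID 1 (process creation) records. The Python below is an added example, not a Unit 42 query. The allowlisted children and URL patterns are copied from the queries; the Sysmon events are constructed; and because Sysmon does not record the Authenticode signer of the new process, the signer_by_sha256 lookup is an assumed enrichment (for example, built from Get-AuthenticodeSignature output).

```python
"""Added example for this page (not a Unit 42 query): the two gup.exe process
hunts re-expressed over Sysmon Event ID 1 records.

Allowlists and URL patterns follow the page's XQL. The Sysmon events are
constructed, and signer_by_sha256 is an assumed enrichment, since Sysmon
does not log the Authenticode signer of the created process.
"""
import re
import xml.etree.ElementTree as ET

EXPECTED_CHILD_RE = re.compile(
    r"(npp[\.\d]+?installer|consent\.exe|explorer\.exe|werfault\.exe|smartscreen\.exe"
    r"|adminbyrequest\.exe|openwith\.exe)", re.I)
INSTALLER_RE = re.compile(r"npp[\.\d]+?installer", re.I)
CHILD_CMD_OK_RE = re.compile(r"https://(notepad-plus-plus\.org|npp-user-manual\.org)/", re.I)
PARENT_CMD_OK_RE = re.compile(r"(\\notepad\+\+\\plugins|https://notepad-plus-plus\.org/)", re.I)


def parse_sysmon_event(xml_text):
    """Pull the fields the hunts need out of one Sysmon event (namespace-agnostic)."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//{*}Data")}
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    return {
        "event_id": int(root.findtext(".//{*}EventID") or 0),
        "host": root.findtext(".//{*}Computer") or "",
        "image": data.get("Image", ""),
        "cmd": data.get("CommandLine", ""),
        "parent_image": data.get("ParentImage", ""),
        "parent_cmd": data.get("ParentCommandLine", ""),
        "sha256": hashes.get("SHA256", "").lower(),
    }


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events, signer_by_sha256):
    """Return (host, rule, child) for each gup.exe child that fails a hunt."""
    findings = []
    for ev in events:
        if ev["event_id"] != 1 or basename(ev["parent_image"]) != "gup.exe":
            continue
        child = basename(ev["image"])
        if INSTALLER_RE.search(child):
            # Installer-named child: it must carry a Notepad++ signature.
            signer = signer_by_sha256.get(ev["sha256"], "")
            if signer.lower() != "notepad++":
                findings.append((ev["host"], "improperly_signed_installer", child))
        elif (not EXPECTED_CHILD_RE.search(child)
              and not CHILD_CMD_OK_RE.search(ev["cmd"])
              and not PARENT_CMD_OK_RE.search(ev["parent_cmd"])):
            findings.append((ev["host"], "unusual_child", child))
    return findings


# Constructed Sysmon EID 1 record in the exported XML layout (namespace included).
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>'
    '<Computer>%s</Computer></System><EventData>'
    '<Data Name="Image">%s</Data><Data Name="CommandLine">%s</Data>'
    '<Data Name="Hashes">SHA1=0,MD5=0,SHA256=%s,IMPHASH=0</Data>'
    '<Data Name="ParentImage">%s</Data><Data Name="ParentCommandLine">%s</Data>'
    '</EventData></Event>'
)


def sysmon_event(computer, image, cmd, sha256, parent_image, parent_cmd):
    return TEMPLATE % (computer, image, cmd, sha256, parent_image, parent_cmd)


GUP = r"C:\Program Files\Notepad++\updater\GUP.exe"
GUP_CMD = '"%s" -v8.8.3 -px64' % GUP
GOOD_HASH, BAD_HASH, DROPPER_HASH = "a" * 64, "b" * 64, "c" * 64
SIGNERS = {GOOD_HASH: "Notepad++"}  # assumed enrichment; BAD_HASH deliberately absent

SAMPLE_EVENTS = [
    sysmon_event("WS-ADM-07", r"C:\Users\admin\AppData\Local\Temp\update.exe",
                 r'"C:\Users\admin\AppData\Local\Temp\update.exe"', DROPPER_HASH, GUP, GUP_CMD),
    sysmon_event("WS-DEV-12", r"C:\Users\dev\AppData\Local\Temp\npp.8.8.3.Installer.x64.exe",
                 r'"C:\Users\dev\AppData\Local\Temp\npp.8.8.3.Installer.x64.exe"', GOOD_HASH, GUP, GUP_CMD),
    sysmon_event("WS-DEV-12", r"C:\Windows\explorer.exe",
                 r"C:\Windows\explorer.exe https://notepad-plus-plus.org/", "d" * 64, GUP, GUP_CMD),
    sysmon_event("WS-FIN-03", r"C:\Users\fin\AppData\Local\Temp\npp.8.8.3.Installer.exe",
                 r'"C:\Users\fin\AppData\Local\Temp\npp.8.8.3.Installer.exe"', BAD_HASH, GUP, GUP_CMD),
]


def run_example():
    return hunt([parse_sysmon_event(x) for x in SAMPLE_EVENTS], SIGNERS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The ordering mirrors the XQL: an installer-named child is judged only on its signer, everything else on the allowlist and the two command-line exclusions. Keep the signer lookup keyed by hash rather than by filename, since the whole point of the campaign is that the file served under the updater's download path was not the installer it was named after.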
Conclusion
This campaign marks a notable evolution in the operational tradecraft of threat actors of this type, representing a pivot from broad infrastructure pre-positioning to highly targeted “soft” supply chain interdiction. Recent campaigns from groups like Volt Typhoon and Salt Typhoon have focused primarily on compromising critical infrastructure backbones and edge devices, relying on living-off-the-land techniques and minimal malware. This operation instead illuminates a distinct strategic priority of focusing on administrative keyholders.
Hijacking the traffic flow of a trusted utility, rather than injecting code into the software build pipeline, allowed the threat actors to weaponize the delivery mechanism without alerting the vendor. This adversary-in-the-middle (AitM) position allowed dynamic fingerprinting of incoming update requests, enabling highly selective filtering of priority targets.
This campaign is not focused on disruption but on long-term, high-value intelligence collection. This is illustrated by the threat actor's selective victimology, focused on system administrators and developers in geopolitically strategic regions, combined with the choice of a lightweight, low-profile backdoor.
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.
Palo Alto Networks Product Protections
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
South Korea: +82.080.467.8774
Advanced WildFire
Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
Next-Generation Firewalls With Advanced Threat Prevention
Next-Generation Firewall with the Advanced Threat Prevention is designed to defend networks against both commodity threats and targeted threats.
Cloud-Delivered Security Services for the Next-Generation Firewall
Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious.
Cortex XDR and XSIAM
Cortex XDR and XSIAM help to prevent the threats described in this article by employing the Malware Prevention Engine. This approach combines several layers of protection, including Advanced WildFire, Behavioral Threat Protection and the Local Analysis module, to prevent both known and unknown malware from causing harm to endpoints.
Cortex Cloud
Organizations using Cortex Cloud, such as those within the cloud hosting industry which were actively targeted during this campaign, are better protected from the downloading and execution of the malware mentioned within this article through the proper placement of Cortex Cloud XDR endpoint agent and serverless agents within a cloud environment.
Designed to protect a cloud’s posture and runtime operations against these threats, Cortex Cloud helps detect and prevent the malicious operations or configuration alterations or exploitations discussed within this article.
Indicators of Compromise
SHA256 hashes
1f6d28370f4c2b13f3967b38f67f77eee7f5fba9e7743b6c66a8feb18ae8f33e
a3cf1c86731703043b3614e085b9c8c224d4125370f420ad031ad63c14d6c3ec
a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
Domains
skycloudcenter[.]com
self-dns[.]it[.]com
safe-dns[.]it[.]com
cdncheck[.]it[.]com
IP addresses
95[.]179[.]213[.]0
45[.]76[.]155[.]202
45[.]77[.]31[.]210
61[.]4[.]102[.]97
59[.]110[.]7[.]32
URLs
95[.]179[.]213[.]0/update/AutoUpdater.exe
95[.]179[.]213[.]0/update/Upgrade.exe
45[.]32[.]144[.]255/update/update.exe
45[.]76[.]155[.]202/update/update.exe
59[.]110[.]7[.]32/dpixel
self-dns[.]it[.]com/help/Get-Start
self-dns[.]it[.]com/resolve
self-dns[.]it[.]com/dns-query
safe-dns[.]it[.]com/help/Get-Start
safe-dns[.]it[.]com/resolve
safe-dns[.]it[.]com/dns-query