A shared hosting server hosting notepad-plus-plus.org was compromised at the infrastructure level, allowing attackers to intercept and redirect update check traffic. The attacker did not exploit Notepad++ code itself — they exploited the trust boundary between the application and its update delivery mechanism. Absence of cryptographic verification on the update manifest XML (XMLDSig) made the poisoning undetectable to end users. Credentials for internal hosting services persisted in attacker hands for three months after server access was lost, enabling continued traffic redirection from September through December 2025.
Notepad++ migrated to a new hosting provider. WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of downloaded installers. XMLDSig signing of update server responses has been enforced since v8.9.2. Rapid7 published a full technical analysis of the Chrysalis backdoor. Kaspersky and other researchers contributed IoCs. No concrete IoCs (binary hashes, domains, IPs) were recovered from the ~400GB of analyzed server logs — the attackers operated cleanly enough to leave only log patterns, not artifacts.
The Museum Placard
A text editor used by tens of millions of developers worldwide — including those in government, defense, and critical infrastructure — became a precision delivery vehicle for a Chinese state-sponsored backdoor. The attackers never touched the Notepad++ source code. They didn't need to. They owned the road the updates traveled.
This is not a story about a vulnerable application. It is a story about a trust assumption so old, so universal, and so unexamined that it became invisible.
---
The Architecture of Trust
Notepad++ has been downloaded over 500 million times. It runs on the desktops of security researchers, DevOps engineers, government analysts, and system administrators. The application's auto-update mechanism — WinGup — performed a simple, reasonable operation: it called home to notepad-plus-plus.org/update/getDownloadUrl.php and asked what version was current.
The response was XML. The XML contained a download URL. WinGup fetched from that URL and ran the installer.
No signature verification on the XML. No certificate pinning on the update endpoint. Just an HTTP call and implicit trust.
This is not unusual. It is, in fact, how most consumer software updaters worked for most of software history. The trust assumption was: if you reach the official server, you're safe. The assumption held until the server was no longer exclusively official.
---
The Compromise Timeline
June 2025. A shared hosting server — one among many — hosting notepad-plus-plus.org is compromised. The attacker is later attributed with moderate confidence to Lotus Blossom, a Chinese APT group active since 2009, known for targeted espionage across Southeast Asia, government, telecom, aviation, and critical infrastructure.
The attackers do not deface the site. They do not steal source code. They position themselves in the traffic flow.
June – September 2, 2025. Selected users receive poisoned update manifests. The XML returned by the update endpoint points not to the legitimate installer but to an attacker-controlled server at 95.179.213.0. The "update" delivered is update.exe — an NSIS installer packaging the Chrysalis backdoor.
September 2, 2025. The hosting provider performs scheduled kernel and firmware maintenance. The attackers lose direct server access.
September 2 – December 2, 2025. The attackers still hold credentials to internal hosting services. They continue redirecting update traffic for three additional months using only stolen credentials — no server access required. The persistence of a valid credential is sufficient to extend a six-month operation.
December 2, 2025. Hosting provider rotates all credentials. Attack ceases.
February 2026. Don Ho (Notepad++ author) publishes the incident disclosure. Rapid7 publishes the Chrysalis analysis the same day. The world learns what happened — approximately eight months after it began.
---
The Chrysalis Backdoor: Anatomy
The delivered payload is not a quick-and-dirty RAT. It is a mature, actively developed implant demonstrating significant engineering investment.
Delivery chain:
1. update.exe (NSIS installer) extracts three files into %AppData%\Bluetooth\ and marks the directory HIDDEN
2. BluetoothService.exe — a renamed, legitimate Bitdefender Submission Wizard binary — is executed
3. log.dll is sideloaded in place of the legitimate library Bitdefender expects
4. log.dll loads and decrypts encrypted shellcode from BluetoothService (the payload file)
5. Decrypted shellcode is the Chrysalis backdoor main module
Why DLL sideloading with a legitimate antivirus binary? Because security products are less likely to flag execution chains originating from signed, trusted vendor binaries. The attacker weaponized the same halo of trust that surrounds legitimate security software.
The Chrysalis capability set:
| Command | Capability |
|---------|-----------|
| 4T | Interactive reverse shell (cmd.exe with piped I/O) |
| 4V | Remote process execution via CreateProcessW |
| 4W/4X | Arbitrary file write to victim system |
| 4Y | File read and exfiltration to C2 |
| 4 | Directory enumeration with metadata |
| 4d | Chunked file upload to C2 |
| 4_ | Logical drive enumeration |
| 4\ | Full self-removal (files, services, registry, batch-executed cleanup) |
This is a complete remote access toolkit. The self-removal command (4\) is particularly notable — it generates a temporary batch script (u.bat) that deletes the running executable after process termination, leaving minimal forensic artifacts. The IR team analyzed ~400GB of server logs and found no concrete IoCs: no binary hashes, no domains, no IPs recoverable from log data alone.
C2 traffic masquerade: The C2 URL path structure — /a/chat/s/{GUID} — mimics the DeepSeek API chat endpoint format. The attackers designed their command-and-control communications to blend into environments where DeepSeek API traffic is normalized. This is not an afterthought. It is a deliberate operational security choice that reflects awareness of modern SOC traffic analysis patterns.
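The masquerade above defeats pattern matching on the path alone. As an added example (not code from the Rapid7 analysis or from Notepad++), this Go triage function shows the context a detection needs to add: whether the destination is an approved AI API host, and whether the requesting process runs from the hidden %AppData%\Bluetooth\ staging directory. The allowlist, the log record shape and the sample events are constructed assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// EgressEvent is a constructed, minimal proxy/EDR record: process image, destination host, URL path.
type EgressEvent struct {
	Process string
	Host    string
	Path    string
}

type Finding struct{ Event EgressEvent; Rule string } // a flagged event and the rule that fired

var (
	// chatPath is the /a/chat/s/{GUID} shape reported for Chrysalis C2.
	chatPath = regexp.MustCompile(`^/a/chat/s/[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)
	// approvedAIHosts is an assumed per-environment allowlist where that path shape is expected.
	approvedAIHosts = map[string]bool{"api.deepseek.com": true}
	// stagingDir is the hidden %AppData%\Bluetooth\ directory the installer populates, lower-cased.
	stagingDir = `\appdata\roaming\bluetooth\`
)

// Triage flags what the path pattern alone cannot: unapproved destination, or a client in the staging dir.
func Triage(events []EgressEvent) []Finding {
	var out []Finding
	for _, e := range events {
		proc := strings.ToLower(strings.ReplaceAll(e.Process, "/", `\`))
		switch {
		case strings.Contains(proc, stagingDir):
			out = append(out, Finding{e, "process image under hidden %AppData%\\Bluetooth staging dir"})
		case chatPath.MatchString(e.Path) && !approvedAIHosts[strings.ToLower(e.Host)]:
			out = append(out, Finding{e, "DeepSeek-style chat path to unapproved host"})
		}
	}
	return out
}

// SampleEvents returns constructed records: a benign DeepSeek call, a benign update check, and
// two that should be flagged (203.0.113.10 is a documentation address, not a real indicator).
func SampleEvents() []EgressEvent {
	return []EgressEvent{
		{`C:\Program Files\Google\Chrome\Application\chrome.exe`, "api.deepseek.com", "/a/chat/s/0f8fad5b-d9cb-469f-a165-70867728950e"},
		{`C:\Program Files\Notepad++\updater\GUP.exe`, "notepad-plus-plus.org", "/update/getDownloadUrl.php"},
		{`C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe`, "203.0.113.10", "/a/chat/s/7c9e6679-7425-40de-944b-e07fc1f90ae7"},
		{`C:\Users\bob\AppData\Local\Temp\svc.exe`, "203.0.113.10", "/a/chat/s/16fd2706-8baf-433b-82eb-8c7fada847da"},
	}
}
```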
The Warbird loader (ConsoleApplication2.exe): One additional loader variant exploited Microsoft Warbird — an internal code protection framework — via an undocumented NtQuerySystemInformation parameter (SystemCodeFlowTransition, 0xB9). This technique causes shellcode execution to occur inside the memory space of a Microsoft-signed binary (clipc.dll), defeating memory protection tools that track execution origin. The technique was documented by researchers but had not been observed in active APT tooling prior to this campaign.
---
The Six Laws at Work
Law I — Boundary Collapse
The boundary between "legitimate update traffic" and "attacker-controlled update traffic" was invisible to the end user and unverifiable by the application. The update mechanism's trust boundary extended only as far as the hostname — not to the content or the server's integrity. When the hosting server fell, the boundary collapsed silently.
Law III — Transitive Trust
Users trusted Notepad++. Notepad++ trusted its hosting provider. The hosting provider's shared server was compromised. The attack traveled the full trust chain to end-user workstations without violating a single user's direct relationship with the software they installed. Every link in the chain was legitimate. The chain itself was the vulnerability.
Law V — Temporal Coupling
The most damaging phase of this attack — credential-based traffic redirection — occurred after the primary breach was remediated. Server access was lost September 2. The attack continued until December 2. Three months of continued operation from nothing but a valid credential. The system's security model coupled "remediation" to "server access revocation" but decoupled it from "credential revocation." The temporal gap between these two actions was the extended kill window.
Law VII — Katie's Law
Why did the update mechanism lack XMLDSig verification? Why was the hosting configuration shared rather than isolated? Why were credentials not rotated immediately upon breach detection? Each of these was a rational optimization at the time it was made. Signing manifests is overhead. Dedicated hosting is expensive for a solo open-source project. Credential rotation is disruptive. Every shortcut was reasonable. Every shortcut became load-bearing. The accumulated weight of rational laziness held the attack window open for six months.
---
What Should Have Stopped This
What would have worked:
1. XMLDSig signing on update manifests — implemented in v8.9.2, after the breach. The update XML returned by the server now carries a cryptographic signature verified against a pinned certificate. A poisoned manifest without the valid signature is rejected.
2. Dedicated (non-shared) hosting — shared hosting creates blast radius. Any tenant on the same server inherits the exposure of every other tenant.
3. Credential rotation as an immediate breach response trigger — the three-month extension of attacker access was entirely credential-based. Automated credential rotation upon suspected infrastructure compromise would have terminated this phase on September 2, not December 2.
4. Update integrity verification independent of DNS/transport — certificate pinning, binary hash validation, or reproducible build verification would make poisoned delivery detectable client-side regardless of what the server returns.
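As an added illustration of items 1 and 4 above, and of the unsigned-XML flow described under The Architecture of Trust (this is example code, not WinGup's own), here is the client-side check in Go that the pre-8.9.2 updater lacked: the manifest is trusted only if a pinned key verifies it, and the installer only if its hash matches what the signed manifest committed to. The GUP element names and the Sha256 field are assumptions, and a detached Ed25519 signature over the raw bytes stands in for XMLDSig.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
)

// Manifest holds the fields a getDownloadUrl.php reply is assumed to carry here
// (element names are assumptions; Sha256 is an integrity field added for this example).
type Manifest struct {
	Version  string `xml:"Version"`
	Location string `xml:"Location"`
	Sha256   string `xml:"Sha256"`
}

// SignedResponse is a simplified stand-in for XMLDSig: a detached Ed25519 signature
// over the exact manifest bytes, so no XML canonicalization step is needed.
type SignedResponse struct {
	Body      []byte
	Signature []byte
}

// SignManifest is the publisher side; the private key stays in the release pipeline.
func SignManifest(priv ed25519.PrivateKey, body []byte) SignedResponse {
	return SignedResponse{Body: body, Signature: ed25519.Sign(priv, body)}
}

// VerifyAndParse is the client side. Trust comes from the pinned public key, not from
// the hostname that answered, so a manifest swapped at the hosting layer fails here.
func VerifyAndParse(pinned ed25519.PublicKey, resp SignedResponse) (*Manifest, error) {
	// A missing or forged signature fails here; pre-8.9.2 clients had no such check.
	if !ed25519.Verify(pinned, resp.Body, resp.Signature) {
		return nil, fmt.Errorf("manifest rejected: signature missing or invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(resp.Body, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	return &m, nil
}

// InstallerMatches compares the downloaded bytes with the hash the signed manifest
// committed to, catching a redirected or swapped download before anything executes.
func InstallerMatches(m *Manifest, installer []byte) bool {
	return fmt.Sprintf("%x", sha256.Sum256(installer)) == m.Sha256
}
```

A poisoned reply that keeps the old signature but points Location at another server fails the signature check, and a redirected download fails the hash check even if the manifest itself were somehow accepted.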
What would not have worked:
- Antivirus scanning of the delivered binary: the payload was sideloaded through a legitimate, signed Bitdefender binary
- Network monitoring for suspicious C2 traffic: the C2 was disguised as DeepSeek API chat traffic
- Log analysis post-breach: 400GB of logs yielded no concrete IoCs
---
The Wider Pattern
This is the third major software distribution compromise in five years targeting developer toolchains:
- CCleaner (2017): Build pipeline infected; signed malware distributed to 2.27M users
- SolarWinds SUNBURST (2020): Build system compromised; signed updates delivered to 18,000 organizations
- 3CX (2023): Supply chain attack via a compromised upstream dependency
- XZ Utils (2024): Insider threat inserted backdoor into compression library
- Notepad++ (2025): Infrastructure compromise redirected update traffic
The pattern is consistent: attackers move upstream. The target is not the application. The target is the distribution mechanism — because that is where trust is unconditional and verification is absent.
The question is not whether your software has vulnerabilities. It is whether the path your software travels from developer to your machine has been verified at every hop.
---
Curator's Note
Lotus Blossom has been active since 2009. This campaign shows an organization that has had sixteen years to refine its tradecraft. The deliberate choice to mimic DeepSeek API traffic — a relatively new AI service — indicates real-time adaptation to defender monitoring patterns. The use of the Warbird technique — exploiting an undocumented Windows kernel feature described only in a niche security research blog post — suggests a team that tracks the leading edge of offensive research and operationalizes it quickly.
This is not opportunistic. This is patient, precise, and professional.
The exhibit is dedicated to the solo developer who maintained a 500-million-download open source project on shared hosting — and who responded to a state-level attack with transparency, technical rigor, and a public disclosure that gave the security community everything he had.
EFFODE · LEGE · INTELLEGE