Overview
Software updates are a cornerstone of good security hygiene. But what happens when the update mechanism itself becomes the attack vector? Between June and December 2025, the infrastructure hosting the widely used text editor Notepad++ was compromised by Lotus Blossom — a long-running Chinese state espionage group. The attackers hijacked the software's update feature to silently deliver a sophisticated custom backdoor, named Chrysalis, to targeted users across government, telecommunications, aviation, critical infrastructure, and media sectors. The attack exploited a cryptographic verification gap in the WinGUp updater component and represents a significant supply chain compromise affecting tens of millions of potential users globally. CVE-2025-15556 has been assigned with a CVSS score of 7.7.
Vulnerability Summary
CVE: CVE-2025-15556
CVSS Score: 7.7 (High)
CVSS v4: AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
MITRE ATT&CK: TA0001 – Initial Access / T1195 – Supply Chain Compromise
Threat Actor: Lotus Blossom (China-linked APT)
Attribution Confidence: Medium

Notepad++ is a free, open-source text and source code editor for Windows with an estimated user base in the tens of millions. Its WinGUp component (GUP.exe) is responsible for fetching and applying software updates — and it was the absence of cryptographic integrity verification in this component that allowed attackers to intercept and replace legitimate update packages with malicious ones.
How the Attack Unfolded
The attack chain began with Lotus Blossom compromising the hosting provider's infrastructure — not the Notepad++ source code itself. This distinction is important: no malicious code was inserted into Notepad++.exe. Instead, the attackers positioned themselves to intercept and redirect update traffic flowing to notepad-plus-plus.org, selectively serving tampered update packages to targeted users.

When an affected user's Notepad++ instance checked for updates, the WinGUp updater (GUP.exe) retrieved a malicious installer — update.exe — from a threat-actor-controlled IP address (95.179.213.0). This installer, built using Nullsoft Scriptable Install System (NSIS), contained four components working together: an NSIS installation script to orchestrate execution; BluetoothService.exe, a renamed legitimate Bitdefender tool used as a carrier for DLL side-loading; an encrypted shellcode payload named BluetoothService (the Chrysalis implant); and log.dll, a malicious DLL that decrypts and executes the Chrysalis shellcode.

DLL side-loading — the technique of using a legitimate, signed executable to load a malicious DLL — is a hallmark of Chinese APT tradecraft and helps evade detection by endpoint security tools that trust the signing certificate of the parent executable.

Once deployed, Chrysalis gathers detailed system information and beacons to a command-and-control server at api.skycloudcenter[.]com (currently offline). Analysis by Rapid7 has confirmed the implant is capable of spawning interactive shells, creating and terminating processes, performing file operations including upload and download, and uninstalling itself to cover its tracks. A configuration file named conf.c was also identified, designed to retrieve a Cobalt Strike beacon via a custom loader — indicating the attackers intended to use Chrysalis as a foothold for deeper, long-term access.
Remediation and Fixes
Following confirmation of the breach in December 2025, the Notepad++ development team acted quickly. All update infrastructure was migrated to a new hosting provider with enhanced security controls, severing the attackers' ability to intercept further update traffic. Users are strongly advised to upgrade to Notepad++ v8.8.9 immediately. This version introduces XML signature validation (XMLDSig) for update packages, meaning tampered updates will be rejected before installation. Version 8.9.2 — currently in development — will enforce mandatory, non-optional certificate signature validation, further hardening the update channel against future abuse. Organisations should also treat this incident as a prompt to review their broader approach to third-party software update mechanisms, which are an increasingly favoured vector for supply chain attacks.
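As an added illustration (not Notepad++'s own code and not its XMLDSig implementation), the two checks a signature-validating updater performs before it applies anything, modelled with an Ed25519-signed JSON manifest in place of XMLDSig; the Manifest shape, key handling and function names are this example's own assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is a hypothetical signed update descriptor. The updater trusts only
// what the vendor's key signed, never the bytes a mirror or hosting provider
// happens to serve.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignManifest is the vendor-side step: hash the genuine installer, embed the
// digest in the manifest, sign the manifest bytes with the release key.
func SignManifest(priv ed25519.PrivateKey, version, url string, installer []byte) ([]byte, []byte) {
	sum := sha256.Sum256(installer)
	b, _ := json.Marshal(Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])})
	return b, ed25519.Sign(priv, b)
}

// VerifyUpdate is the client-side gate: it accepts an update only if (1) the
// manifest verifies under the pinned vendor public key and (2) the downloaded
// installer's SHA-256 matches the signed manifest. A forged or edited manifest
// fails (1); an installer swapped in transit fails (2). Neither check depends
// on the hosting infrastructure being honest.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("installer digest does not match signed manifest: refusing update")
	}
	return &m, nil
}
```

The public key must be pinned in the updater binary itself; fetching it from the same server that serves updates would hand the attacker both halves of the check.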
Broader Implications for Organisations
This attack illustrates a pattern that security teams must internalise: supply chain compromise does not require breaking into the software you trust — it requires breaking into the infrastructure that delivers it. Lotus Blossom did not touch a single line of Notepad++ source code. They simply stood between the update server and the user. Organisations should treat all software update mechanisms as high-risk supply chain components, not as trusted background processes. Specific actions to consider include: enforcing update integrity checks across all third-party tooling deployed in the environment; monitoring endpoint process chains for anomalous parent-child relationships, particularly where legitimate executables spawn unexpected child processes; incorporating third-party hosting providers and update infrastructure into organisational security risk assessments; and deploying endpoint detection and response (EDR) tooling capable of identifying DLL side-loading behaviour and suspicious shellcode execution patterns.
How BridgeLynk Can Help
Supply chain attacks are among the most difficult threats to detect and defend against because they exploit trust — in software vendors, update mechanisms, and the tools organisations rely on every day. BridgeLynk helps organisations understand their supply chain attack surface, build detection capabilities for advanced persistent threats like Lotus Blossom, and develop the security maturity needed to respond when trusted tools become vectors. Speak to our team or explore our attack-informed defence services to learn more.