BRIDGELYNK
Notepad++ Update Feature Hijacked by Chinese State Hackers for Months

Introduction

Software updates are meant to protect users. But what happens when the update mechanism itself becomes the attack vector?

Between June and December 2025, attackers hijacked the update mechanism of the popular open source text editor Notepad++ to deliver malicious updates to selected users; the developer confirmed the compromise in December 2025. Notepad++ is a free, open-source editor for text and source code and a widely used tool on Windows, with tens of millions of users across the world.

The compromise of the infrastructure hosting Notepad++ has been attributed with medium confidence to Lotus Blossom, a China-linked threat actor. Lotus Blossom is a long-running espionage group that has targeted the government, telecommunications, aviation, critical infrastructure and media sectors.

Vulnerability Summary

TLP | Green
CVSS Score | 7.7
CVSS v4 | AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
MITRE ATT&CK | Tactic: TA0001-Initial Access / Technique: T1195-Supply Chain Compromise
CVE | CVE-2025-15556
Severity | High

Detailed Analysis

A supply chain vulnerability in older versions of Notepad++ allowed attackers to hijack the software's update mechanism by exploiting insufficient cryptographic verification controls in the WinGUp (GUP.exe) updater. After compromising the hosting provider's infrastructure, the attackers were able to intercept and selectively redirect update traffic destined for notepad-plus-plus.org to malicious servers, delivering tampered update packages to targeted users without modifying the official source code.

This weakness enabled the threat actor (Lotus Blossom) to deploy a custom backdoor (Chrysalis) via trusted update processes, leading to potential remote code execution, persistent access, and post-compromise reconnaissance on affected systems.

Analysis of the incident uncovered no evidence or artifacts that the site's plugin system or the updater code itself had been tampered with: the attackers did not modify the mechanism, they redirected the traffic the updater relied on, upstream of the client.

"The only confirmed behaviour is that execution of 'notepad++.exe' and subsequently 'GUP.exe' preceded the execution of a suspicious process 'update.exe' which was downloaded from 95.179.213.0," security researcher Ivan Feigl said.


"Update.exe" is a Nullsoft Scriptable Install System (NSIS) installer that bundles the following files:

  • An NSIS installation script

  • BluetoothService.exe, a renamed version of Bitdefender Submission Wizard that's used for DLL side-loading (a technique widely used by Chinese hacking groups)

  • BluetoothService, encrypted shellcode (aka Chrysalis)

  • log.dll, a malicious DLL that's sideloaded to decrypt and execute the shellcode

Chrysalis is a bespoke, feature-rich implant that gathers system information and contacts an external server ("api.skycloudcenter[.]com") to likely receive additional commands for execution on the infected host.

The command-and-control (C2) server is currently offline. However, a deeper examination of the obfuscated artifact has revealed that it's capable of processing incoming HTTP responses to spawn an interactive shell, create processes, perform file operations, upload/download files, and uninstall itself.

"Overall, the sample looks like something that has been actively developed over time," Rapid7 said, adding it also identified a file named "conf.c" that's designed to retrieve a Cobalt Strike beacon by means of a custom loader that embeds Metasploit block API shellcode.

Remediation and Fixes

Following confirmation of the breach in December 2025, Notepad++ contained the incident by migrating all update infrastructure to a new hosting provider with stronger security controls.

Users are strongly advised to upgrade to Notepad++ v8.8.9 or later, which adds XML signature validation (XMLDSig) to the update process, and to remain vigilant for abnormal update behaviour. The Notepad++ development team has also announced that version 8.9.2 will make certificate signature validation mandatory rather than optional, significantly reducing the risk of future update-channel abuse and strengthening supply chain resilience.
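The weakness described in the analysis (an updater that acts on whatever the update endpoint returns) and the fix described above (a signed update descriptor that the client verifies before it trusts a single field) can be shown end to end. The Go program below is an added example, not Notepad++'s or WinGUp's own code: it uses an Ed25519 signature over a small JSON descriptor as a stand-in for the XMLDSig-signed XML the real project uses, and the publisher key pair, installer bytes, descriptor fields, the pinned host notepad-plus-plus.org and the three attacker scenarios are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a constructed stand-in for an update descriptor. The real
// WinGUp descriptor is XML; JSON keeps the example short.
type Manifest struct {
	Version     string `json:"version"`
	DownloadURL string `json:"download_url"`
	SHA256      string `json:"sha256"` // hex digest of the installer bytes
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrBadOrigin    = errors.New("download URL is not https on the pinned host")
	ErrBadDigest    = errors.New("installer digest does not match signed manifest")
)

// SignManifest is the publisher's offline step: serialise, then sign the bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate is the hardened client check. The signature is verified over
// the raw bytes before any field is parsed, the download origin is pinned,
// and the installer is accepted only if its digest matches the signed value.
func VerifyUpdate(pub ed25519.PublicKey, body, sig, installer []byte, pinnedHost string) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	u, err := url.Parse(m.DownloadURL)
	if err != nil || u.Scheme != "https" || u.Host != pinnedHost {
		return m, ErrBadOrigin
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrBadDigest
	}
	return m, nil
}

// Demo runs one legitimate update and three tampering attempts and returns
// the verdict of each. Keys and installer bytes are constructed.
func Demo() (legit, swappedInstaller, forgedManifest, offOrigin error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)       // publisher key pair
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	const pinned = "notepad-plus-plus.org"

	installer := []byte("constructed bytes standing in for the real installer")
	evil := []byte("constructed bytes standing in for malicious update.exe")
	digest := func(b []byte) string {
		s := sha256.Sum256(b)
		return hex.EncodeToString(s[:])
	}

	// 1. Legitimate update: publisher-signed descriptor, matching installer.
	m := Manifest{Version: "8.8.9", DownloadURL: "https://" + pinned + "/update/npp.exe", SHA256: digest(installer)}
	body, sig, _ := SignManifest(priv, m)
	_, legit = VerifyUpdate(pub, body, sig, installer, pinned)

	// 2. Hosting-level redirect: descriptor untouched, installer bytes swapped.
	_, swappedInstaller = VerifyUpdate(pub, body, sig, evil, pinned)

	// 3. Attacker rewrites the descriptor for their payload and signs with their own key.
	em := Manifest{Version: "8.8.9", DownloadURL: m.DownloadURL, SHA256: digest(evil)}
	ebody, esig, _ := SignManifest(attackerPriv, em)
	_, forgedManifest = VerifyUpdate(pub, ebody, esig, evil, pinned)

	// 4. Defence in depth: even a publisher-signed descriptor is refused if it
	//    points off-origin or over plain http.
	om := Manifest{Version: "8.8.9", DownloadURL: "http://updates.example.net/update.exe", SHA256: digest(installer)}
	obody, osig, _ := SignManifest(priv, om)
	_, offOrigin = VerifyUpdate(pub, obody, osig, installer, pinned)
	return
}

func main() {
	legit, swapped, forged, off := Demo()
	fmt.Println("legitimate update:   ", legit)
	fmt.Println("swapped installer:   ", swapped)
	fmt.Println("forged manifest:     ", forged)
	fmt.Println("off-origin download: ", off)
}
```

The order of the checks is the point: the signature is verified over the raw descriptor bytes before anything in it is parsed, and the installer digest is compared only against the value inside the signed descriptor. A hosting-level redirect like the one in this incident can change which bytes the client downloads, but it cannot produce a descriptor that verifies under the publisher's key, so the swapped installer is rejected at the digest check and a rewritten descriptor is rejected at the signature check.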

Lastly, organizations should treat software update mechanisms as high-risk supply chain components, enforce update integrity checks, monitor endpoint process chains, and incorporate third-party infrastructure into their security risk assessments.

Broader Implications for Organisations

This attack illustrates a pattern that security teams must internalise: supply chain compromise does not require breaking into the software you trust — it requires breaking into the infrastructure that delivers it. Lotus Blossom did not touch a single line of Notepad++ source code. They simply stood between the update server and the user.

Organisations should treat all software update mechanisms as high-risk supply chain components, not as trusted background processes. Specific actions to consider include:

  • enforcing update integrity checks across all third-party tooling deployed in the environment;

  • monitoring endpoint process chains for anomalous parent-child relationships, particularly where legitimate executables spawn unexpected child processes;

  • incorporating third-party hosting providers and update infrastructure into organisational security risk assessments;

  • deploying endpoint detection and response (EDR) tooling capable of identifying DLL side-loading behaviour and suspicious shellcode execution patterns.
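The process chain from the analysis (notepad++.exe -> GUP.exe -> update.exe, followed by a renamed signed binary side-loading an unsigned DLL) translates directly into the process-chain and side-loading monitoring recommended here. The Go program below is an added example, not a vendor rule set: it parses a handful of constructed, Sysmon-like key=value event lines (the paths, the user name, the id/signed field names and the OriginalFileName value SubmissionWizard.exe are invented for the sample) and applies three rules: an unexpected child of GUP.exe, an executable whose on-disk name differs from its PE OriginalFileName, and an unsigned DLL loaded from the host executable's own directory.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleLines is a constructed, Sysmon-like sample (id=1 process creation,
// id=7 image load). Paths, the user and the OriginalFileName value
// "SubmissionWizard.exe" are invented for the example.
var SampleLines = []string{
	`id=1 image="C:\Program Files\Notepad++\notepad++.exe" parentimage="C:\Windows\explorer.exe" originalfilename="Notepad++.exe" signed=true`,
	`id=1 image="C:\Program Files\Notepad++\updater\GUP.exe" parentimage="C:\Program Files\Notepad++\notepad++.exe" originalfilename="GUP.exe" signed=true`,
	`id=1 image="C:\Users\alice\AppData\Local\Temp\update.exe" parentimage="C:\Program Files\Notepad++\updater\GUP.exe" originalfilename="update.exe" signed=false`,
	`id=1 image="C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe" parentimage="C:\Program Files\Notepad++\updater\GUP.exe" originalfilename="npp.8.8.9.Installer.x64.exe" signed=true`,
	`id=1 image="C:\ProgramData\Bluetooth\BluetoothService.exe" parentimage="C:\Users\alice\AppData\Local\Temp\update.exe" originalfilename="SubmissionWizard.exe" signed=true`,
	`id=7 image="C:\ProgramData\Bluetooth\BluetoothService.exe" imageloaded="C:\ProgramData\Bluetooth\log.dll" signed=false`,
	`id=7 image="C:\ProgramData\Bluetooth\BluetoothService.exe" imageloaded="C:\Windows\System32\kernel32.dll" signed=true`,
}

// Event holds one parsed line as lower-cased key -> value.
type Event map[string]string

var fieldRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)

// ParseLine reads `key=value` and `key="quoted value"` pairs.
func ParseLine(line string) Event {
	e := Event{}
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		v := m[2]
		if m[3] != "" {
			v = m[3]
		}
		e[strings.ToLower(m[1])] = v
	}
	return e
}

// Windows paths: split on the last backslash or slash.
func baseName(p string) string { return p[strings.LastIndexAny(p, `\/`)+1:] }
func dirName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[:i]
	}
	return ""
}

// Only a signed, regularly named Notepad++ installer is an expected child of GUP.exe.
var installerRe = regexp.MustCompile(`(?i)^npp\.[\d.]+\.Installer(\.x64|\.arm64)?\.exe$`)

// Rule 1: the incident chain was notepad++.exe -> GUP.exe -> update.exe.
func checkUpdaterChild(e Event) string {
	if !strings.EqualFold(baseName(e["parentimage"]), "GUP.exe") {
		return ""
	}
	child := baseName(e["image"])
	if installerRe.MatchString(child) && e["signed"] == "true" {
		return ""
	}
	return fmt.Sprintf("updater-spawned-unexpected-child: GUP.exe -> %s (signed=%s)", child, e["signed"])
}

// Rule 2: on-disk name differs from the PE OriginalFileName, the mark of a
// legitimate signed binary renamed for side-loading (BluetoothService.exe).
func checkRenamedBinary(e Event) string {
	img, orig := baseName(e["image"]), e["originalfilename"]
	if orig == "" || strings.EqualFold(img, orig) {
		return ""
	}
	return fmt.Sprintf("renamed-binary: %s has OriginalFileName %s", img, orig)
}

// Rule 3: an unsigned DLL loaded from the host executable's own directory
// (log.dll beside BluetoothService.exe).
func checkSideload(e Event) string {
	host, dll := e["image"], e["imageloaded"]
	if e["signed"] == "true" || !strings.EqualFold(dirName(host), dirName(dll)) {
		return ""
	}
	return fmt.Sprintf("dll-sideload: %s loaded unsigned %s from its own directory", baseName(host), baseName(dll))
}

// Detect applies the three rules and returns the alerts in event order.
func Detect(lines []string) []string {
	var alerts []string
	add := func(a string) {
		if a != "" {
			alerts = append(alerts, a)
		}
	}
	for _, l := range lines {
		e := ParseLine(l)
		switch e["id"] {
		case "1":
			add(checkUpdaterChild(e))
			add(checkRenamedBinary(e))
		case "7":
			add(checkSideload(e))
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(SampleLines) {
		fmt.Println(a)
	}
}
```

Run against the sample, the benign lines (Explorer launching notepad++.exe, notepad++.exe launching GUP.exe, GUP.exe launching a signed npp installer, the host loading a signed system DLL) produce nothing, while the three incident steps each produce one alert. Rule 1 is deliberately an allow-list rather than a block-list: anything GUP.exe spawns that is not a signed, regularly named installer is worth a look, because the updater has no other legitimate reason to start a process.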

How BridgeLynk Can Help

Supply chain attacks are among the most difficult threats to detect and defend against because they exploit trust — in software vendors, update mechanisms, and the tools organisations rely on every day. BridgeLynk helps organisations understand their supply chain attack surface, build detection capabilities for advanced persistent threats like Lotus Blossom, and develop the security maturity needed to respond when trusted tools become vectors. Speak to our team or explore our attack-informed defence services to learn more.


Published as a BridgeLynk advisory on Mar 5, 2026.