It was recently confirmed what many feared: a text editor very popular among developers and advanced users was used as a vector to introduce malware into target machines. The culprit was not a vulnerability in Notepad++ itself, but an intrusion at the level of the provider hosting its updates, which allowed an actor linked to China to redirect selected traffic and deliver a manipulated update to certain users.
The incident response firm Rapid7 published a detailed analysis documenting how the attacker took advantage of that window of opportunity to deliver a previously unknown backdoor, named Chrysalis. The report brings together technical evidence on the sample, its execution chain and the techniques used to run it and to persist on compromised systems. You can read Rapid7's full report here: Rapid7 - TR: Chrysalis backdoor.

According to the investigation, the observed sequence began with the legitimate execution of Notepad++ and its updater (GUP.exe). An installer called update.exe was then downloaded and launched from an IP controlled by the attackers. That installer is an NSIS package that includes several components: a renamed, legitimate executable used to perform DLL sideloading, a malicious DLL responsible for decrypting and running shellcode, and the obfuscated payload itself, Chrysalis.
The DLL sideloading technique is not new and has often been used by state-sponsored groups. It consists of abusing the way a legitimate application loads dynamic libraries to force it to load a malicious DLL bearing the name of an expected dependency. Rapid7 points out that in this case legitimate binaries from security vendors were reused as part of the deception, a tactic that also appeared in campaigns previously documented by Broadcom / Symantec against the same actor, known by several aliases including Lotus Blossom and Billbug.
Chrysalis, for its part, is a sophisticated implant: it collects system information and contacts a command and control (C2) server for further instructions. Although the C2 documented in the analysis no longer responds, the backdoor's code reveals capabilities to open an interactive shell, create processes, manage files, upload and download data, and even uninstall itself. Rapid7 also found in the package components designed to load a Cobalt Strike payload using a custom loader that incorporates the well-known Metasploit block API, whose repository is publicly available: Metasploit - block_api.asm.
Another relevant finding is the use of undocumented obfuscation and protection techniques, such as the abuse of an internal Microsoft tool called Warbird to execute shellcode in kernel mode, adapted from a proof of concept published by German researchers. Cirosec's write-up describing this abuse can be found here: Cirosec - Abusing Microsoft Warbird, and an additional analysis of Warbird appears in this technical article: Websec - Microsoft Warbird deep dive.
The attribution proposed by Rapid7 links this set of tools and tactics to the actor known as Lotus Blossom, based on similarities with previous campaigns: the reuse of legitimate executables for DLL sideloading, the pattern of custom payloads alongside commercial frameworks such as Cobalt Strike, and the attacker's rapid adoption of public techniques. Broadcom / Symantec had already documented this actor's activities in April 2025, which fits the evolution now observed.
From the Notepad++ community's side, maintainer Don Ho noted that the intrusion occurred at the hosting level and allowed selective redirection of update traffic since June 2025; the project closed the weakness and published a secure version in December 2025. The team migrated to a new hosting provider and rotated credentials, which are the logical first steps after discovering a supply chain intrusion. You can consult the Notepad++ project's release page to check official versions and notes: Notepad++ - Releases.
It is important to stress that, according to Rapid7, there is no evidence that the update mechanism was used to distribute malware massively to the entire user base; the actor performed selective redirections, and technical confirmation of infection is limited to specific systems where abnormal executions were observed. Even so, a campaign directed at selected users of such a widespread application illustrates the danger of supply chain attacks, where trust in the integrity of updates can become a vector of compromise.
The news has received coverage in specialized media that have followed the technical details and the impact on users: among others, BleepingComputer published an accessible summary of what happened and recommendations for those affected. You can read more at: BleepingComputer - Notepad++ users targeted.

What practical lessons does this incident leave? First, the importance of verifying the authenticity of updates and preferring robust cryptographic signing and validation mechanisms. Second, the urgency of securing not only the software but the entire distribution chain: hosting providers, repositories and publishing processes must be treated as part of the security perimeter. And third, attackers continue to mix their own tools with known commercial frameworks and public research, which accelerates their ability to evade conventional detections.
If you use Notepad++ or any other critical application, it is advisable to check that you are on the most recent version published after the mitigation, reinstall from official sources and, where possible, enable the signature validation or checksums offered by the developers. For corporate teams, the recommendation is to review logs, look for signs of unexpected executables (such as updates downloaded from unfamiliar IPs) and, if necessary, rebuild compromised systems from clean images.
This episode brings a disturbing reality to the fore: protecting popular software requires looking beyond the code and securing every link in the distribution chain. While well-resourced groups continue to refine their arsenal, the best defense is a combination of technical controls, rigorous processes and constant monitoring.
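As an added illustration of the log review recommended above (example code written for this article, not from Rapid7 or the Notepad++ project), the following Python checker flags the pattern described in the text: GUP.exe launching an unexpected child such as update.exe, and updater-related processes contacting hosts outside a vetted allowlist. The JSON log records, their field names, the allowlist address and the installer-name pattern are all constructed assumptions.

```python
import json
import ntpath
import re

# Constructed sample records (not real telemetry); the JSON schema and field
# names are an assumption for this example.
SAMPLE_LOG = r"""
{"ts":"2025-11-03T10:01:12Z","event":"process","parent":"C:\\Program Files\\Notepad++\\updater\\GUP.exe","image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"}
{"ts":"2025-11-03T10:01:13Z","event":"network","image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe","dest_ip":"203.0.113.45","dest_port":443}
{"ts":"2025-11-03T10:05:00Z","event":"network","image":"C:\\Program Files\\Notepad++\\updater\\GUP.exe","dest_ip":"198.51.100.10","dest_port":443}
{"ts":"2025-11-03T10:05:02Z","event":"process","parent":"C:\\Program Files\\Notepad++\\updater\\GUP.exe","image":"C:\\Users\\u\\AppData\\Local\\Temp\\npp.1.2.3.Installer.x64.exe"}
"""

# Update hosts the organization has vetted (constructed documentation-range
# address, not the project's real infrastructure).
TRUSTED_UPDATE_IPS = {"198.51.100.10"}
GUP_NAME = "gup.exe"
# Expected installer file name shape; the pattern is an assumption here.
INSTALLER_RE = re.compile(r"^npp\.\d+(\.\d+)*\.installer(\.x64|\.arm64)?\.exe$", re.I)


def analyze(lines):
    """Return alert strings for updater activity that deviates from the expected pattern."""
    alerts = []
    updater_children = set()  # lower-cased paths of processes GUP.exe spawned
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        image = ev["image"]
        name = ntpath.basename(image).lower()
        if ev["event"] == "process" and ntpath.basename(ev["parent"]).lower() == GUP_NAME:
            updater_children.add(image.lower())
            # The legitimate updater is expected to launch only the installer package.
            if not INSTALLER_RE.match(name):
                alerts.append(f"{ev['ts']} GUP.exe launched unexpected child {image}")
        elif ev["event"] == "network":
            updater_related = name == GUP_NAME or image.lower() in updater_children
            # Any updater-related process talking to a host outside the allowlist
            # matches the "update downloaded from an unfamiliar IP" sign in the text.
            if updater_related and ev["dest_ip"] not in TRUSTED_UPDATE_IPS:
                alerts.append(f"{ev['ts']} {name} contacted untrusted {ev['dest_ip']}:{ev['dest_port']}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

On the constructed sample it raises two alerts, one for the update.exe child and one for its connection to the unlisted address, while the trusted host contact and the normally named installer pass silently.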