Chinese-linked hackers operated a backdoor in the popular source code and text editor Notepad++ for more than six months, using it to sideload persistent malware, according to security researchers.
The open source, Windows-based code editor Notepad++ said independent researchers had pointed the finger at China for the attack, which targeted the update process of specific users from June until December 2, 2025.
In a blog post dated February 2, Notepad++ developer Don Ho said: “The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected.”
A CISA spokesperson told Reuters the agency "is aware of the reported compromise and is investigating possible exposure across the United States Government (USG)."
Redirecting update traffic
The backdoor was delivered by hijacking traffic to WinGUp, the Notepad++ updater. Targeted users attempting to update the editor were redirected to malicious servers that prompted them to download an illegitimate Notepad++ update binary.
Research by cybersecurity firm Rapid7 found the download included an NSIS installer that sideloaded a malicious DLL and encrypted shellcode to install the backdoor, dubbed "Chrysalis."
The attackers had access to the hosting server used for Notepad++ updates from June 2025 until December 2, 2025. Rapid7 attributes the attack with "moderate confidence" to Lotus Blossom.
Ivan Feigl, author of the Rapid7 blog post, said the "sophisticated and permanent tool" used legitimate binaries to sideload the DLL and employed custom API hashing, layered obfuscation, and structured C2 communication.
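The infection chain above hinges on a legitimately signed executable loading an unsigned DLL dropped beside it (T1574.002). The following hunting script is an added example, not Rapid7's or Notepad++'s code: it walks running processes and flags modules that a validly signed host process has loaded from outside the trusted system and program directories and that do not themselves carry a valid Authenticode signature. It assumes it is run from an elevated PowerShell session so that other processes' module lists are readable.

```powershell
# Added hunting example: find validly signed processes that have loaded an
# unsigned (or badly signed) DLL from a user-writable location, the pattern
# behind DLL side-loading. Assumption: run elevated on Windows.
function Find-SuspiciousSideloads {
    param(
        # Modules under these roots are treated as trusted and skipped.
        [string[]]$TrustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)})
    )
    $findings = @()
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        $exe = $null
        try { $exe = $proc.Path } catch { }
        if (-not $exe) { continue }                       # protected process or no image path
        # Only legitimate, validly signed host executables are of interest here.
        $exeSig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
        if (-not $exeSig -or $exeSig.Status -ne 'Valid') { continue }
        $modules = @()
        try { $modules = $proc.Modules } catch { continue }   # access denied / bitness mismatch
        foreach ($m in $modules) {
            $dll = $m.FileName
            if (-not $dll -or $dll -notmatch '\.dll$') { continue }
            $inTrusted = $false
            foreach ($root in $TrustedRoots) {
                if ($root -and $dll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true; break
                }
            }
            if ($inTrusted) { continue }
            $dllSig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
            if ($dllSig -and $dllSig.Status -eq 'Valid') { continue }
            $dllStatus = 'Unknown'
            if ($dllSig) { $dllStatus = $dllSig.Status }
            $findings += [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Pid         = $proc.Id
                Image       = $exe
                SignedBy    = $exeSig.SignerCertificate.Subject
                Module      = $dll
                ModuleSig   = $dllStatus
                Sha256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $dll -ErrorAction SilentlyContinue).Hash
            }
        }
    }
    $findings
}

Find-SuspiciousSideloads | Format-Table -AutoSize
```

Expect some noise from applications that ship unsigned DLLs under user profiles; the useful hits are unsigned modules sitting next to a signed binary that normally has no reason to load them.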
Attacks and remediation
Once fully activated, Chrysalis established an internet connection, using a user agent string, to the C2 server at api.skycloudcenter.com to transfer data.
Notepad++ first raised the issue in December after receiving reports of traffic hijacking. It has since patched WinGUp to verify the certificate and signature of the downloaded installer, and has migrated to a new hosting provider “with significantly stronger security practices.”
The Notepad++ team initially said on Monday that they had not been able to identify clear IoCs for the attack: "While signs of an intrusion were identified, no concrete indicators of compromise (...) We also requested IoCs directly from the former hosting provider, but we were not able to obtain any."
Rapid7's more in-depth investigation shared file indicators, network indicators and MITRE TTPs; however, the researchers concurred that "no definitive artifacts were identified to confirm exploitation."
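The remediation Notepad++ describes, checking the downloaded installer's certificate and signature before running it, is the control that defeats a hosting-level redirect: a server that serves the file cannot forge the publisher's signature. The script below is an added illustration of that check, not WinGUp's own code. It assumes the publisher's code-signing certificate thumbprint is pinned in the updater (the value used here is a placeholder) and optionally a SHA-256 published out of band.

```powershell
# Added example (not WinGUp's code): treat a downloaded installer as untrusted
# until its Authenticode signature is valid AND the signer is the pinned publisher.
# A clean TLS connection proves nothing here, since the redirect happened at the host.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,   # pinned publisher cert thumbprint
        [string]$ExpectedSha256                              # optional, from an out-of-band manifest
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Trusted = $false; Reason = 'file not found' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is a hard fail.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Trusted = $false; Reason = "signature status $($sig.Status)" }
    }
    # A valid signature from *some* certificate is not enough: an attacker can sign
    # with a certificate of their own. Pin the publisher's thumbprint.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        return [pscustomobject]@{
            Trusted = $false
            Reason  = "unexpected signer $($sig.SignerCertificate.Subject) ($actual)"
        }
    }
    if ($ExpectedSha256) {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
        if ($hash -ne $ExpectedSha256) {
            return [pscustomobject]@{ Trusted = $false; Reason = "hash $hash does not match manifest" }
        }
    }
    [pscustomobject]@{ Trusted = $true; Reason = "signed by $($sig.SignerCertificate.Subject)" }
}

# Usage: launch the installer only when every check passes.
$installer = Join-Path $env:TEMP 'npp-update.exe'   # wherever the updater saved the download
$verdict = Test-TrustedInstaller -Path $installer -ExpectedThumbprint 'PLACEHOLDER_PUBLISHER_THUMBPRINT'
if ($verdict.Trusted) {
    Start-Process -FilePath $installer -Wait
} else {
    Write-Warning "Refusing to run update: $($verdict.Reason)"
}
```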
Notepad++ IoCs
File indicators
Network indicators
MITRE TTPs
| ATT&CK ID | Name |
| --- | --- |
| T1204.002 | User Execution: Malicious File |
| T1036 | Masquerading |
| T1027 | Obfuscated Files or Information |
| T1027.007 | Obfuscated Files or Information: Dynamic API Resolution |
| T1140 | Deobfuscate/Decode Files or Information |
| T1574.002 | DLL Side-Loading |
| T1106 | Native API |
| T1055 | Process Injection |
| T1620 | Reflective Code Loading |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1083 | File and Directory Discovery |
| T1005 | Data from Local System |
| T1105 | Ingress Tool Transfer |
| T1041 | Exfiltration Over C2 Channel |
| T1071.001 | Application Layer Protocol: Web Protocols (HTTP/HTTPS) |
| T1573 | Encrypted Channel |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
| T1543.003 | Create or Modify System Process: Windows Service |
| T1480.002 | Execution Guardrails: Mutual Exclusion |
| T1070.004 | Indicator Removal on Host: File Deletion |
*IoCs contributed by @AIexGP on X.