Executive Summary

Between June and December 2025, the official hosting infrastructure for the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom. The attackers breached the shared hosting provider’s environment.

This allowed the attackers to intercept and redirect traffic destined for the Notepad++ update server. This infrastructure-level hijack enabled the attackers to selectively target specific users. The targets were primarily located in Southeast Asia across government, telecommunications and critical infrastructure sectors. Attackers served these targets malicious update manifests instead of legitimate software updates.

We’ve identified additional unreported infrastructure, which is linked to this campaign. We’ve observed two chains of infection including a Lua script injection variant that resulted in the delivery of Cobalt Strike beacon malware as well as DLL side-loading to deliver a Chrysalis backdoor. Unit 42 also found that this threat activity is targeting more sectors and more regions than previously reported.

This campaign also affected the following sectors in South America, the U.S., Europe and Southeast Asia:

• Cloud hosting
• Energy
• Financial
• Government
• Manufacturing
• Software development

Notepad++ is a lightweight, open-source code editor and text replacement utility. This tool is widely favored for its speed, extensive plugin ecosystem and unique ability to handle massive data files while persisting sessions that users have not yet saved.

In enterprise environments, Notepad++ often serves as a foundational instrument for system administrators, network engineers and DevOps personnel. These personnel commonly use this tool to modify server configurations, parse heavy system logs and audit code on secure jump boxes where heavier applications are impractical.

This specific user demographic makes Notepad++ a strategically critical target for threat actors. Compromising this single tool allows attackers to effectively bypass perimeter defenses and piggyback into the sessions of the most privileged users in the organization, gaining implicit administrative access to the network's core infrastructure.

Palo Alto Networks customers receive protections from and mitigations for the activity discussed in this article in the following ways:

• Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious
• Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research
• Cortex Cloud helps detect and prevent the malicious operations or configuration alterations or exploitations discussed within this article
• Cortex XDR and XSIAM by employing the Malware Prevention Engine
• Next-Generation Firewall with the Advanced Threat Prevention is designed to defend networks against both commodity threats and targeted threats

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Details of the Attack on Notepad++

This supply chain attack relied on exploiting insufficient verification controls in older versions of the Notepad++ updater, WinGUp. This exploitation allowed the threat group to redirect traffic to attacker-controlled servers.

When targeted victims attempted to update their software, they downloaded a malicious NSIS installer. This installer — often named update.exe — initiated a complex infection chain. This chain used DLL sideloading techniques and misused a legitimate Bitdefender component (BluetoothService.exe) to load a malicious library (log.dll) that decrypted and executed a custom backdoor. In another infection chain, attackers utilized an NSIS installer to execute a command to run a malicious Lua script to load Cobalt Strike Beacon.

This malware, called Chrysalis, employed advanced evasion techniques. These included:

• Using Microsoft Warbird code protection framework
• Custom API hashing to reduce antivirus detection
• Establishing persistent remote control over infected systems

Additional Exploitation Activity in This Campaign

Unit 42 observed evidence of two separate attack sequences:

• One in which a malicious NSIS installer drops a compiled Lua script containing an installer to download and execute a Cobalt Strike Beacon payload
• One in which attackers used DLL side-loading to inject the Chrysalis backdoor into memory

We observed additional activity dating between mid-August and November 2025 that was consistent with this exploitation activity. In an August incident, we observed communication with a command-and-control (C2) IP address 45.76.155[.]202. After days of C2 beacon traffic to this IP address, attackers shifted to a second C2 server at 45.77.31[.]210, with communication lasting until September.

In cases between September and November 2025, we observed activity consistent with outbound connections to a C2 server. These were followed by subsequent download requests for update.exe that are consistent with the reported Chrysalis backdoor. In some cases, download attempts were made to an IP address, whereas others were made to domains. Successful beacons to malicious servers occurred within seconds of successful download of the malicious payload and continued for an unspecified amount of time.

In September and October 2025, we observed a Lua script injection variant deploying malicious Lua scripts to inject shellcode. This attack used the EnumWindowStationsW API and resulted in the delivery of Cobalt Strike beacon malware. In this case, the download originated from:

• 45.76.155[.]202/update/update.exe

Separately, we also observed a Bluetooth DLL sideloading variant in the same case. This Lua variant uses Bluetooth service DLL sideloading techniques to deploy the Chrysalis backdoor. Download attempts for this variant were made from a different malicious server:

• 45.32.144[.]255/update/update.exe

Interim Guidance

Notepad++ recommends the following:

• Downloading version 8.9.1, which includes the relevant security enhancement
• Running the installer to update your Notepad++ manually

According to Notepad++, they have migrated their website to a new hosting provider with significantly stronger security practices.

Within Notepad++ itself, they enhanced the WinGup updater in v8.8.9 to verify both the certificate and the signature of the downloaded installer.

Additionally, they also note:

• The XML returned by the update server is now signed (XMLDSig)
• Certificate and signature verification will be enforced starting with the upcoming version 8.9.2, which they expect to release in about a month

Unit 42 Managed Threat Hunting Queries

The Unit 42 Managed Threat Hunting team continues to track any signs of misuse or anomalous activity, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to assist with their investigations or hunting.

As the majority of activity likely occurred prior to December 2, we recommend reviewing data retention limits to determine if these queries will be effective in your environment. If available in your environment, you may consider using "cold storage" queries (cold_dataset = xdr_data) to query data beyond hot retention limits. Please note that running queries against cold storage will consume compute units.

Conclusion

This campaign marks a notable evolution in the operational tradecraft of threat actors of this type, representing a pivot from broad infrastructure pre-positioning to highly targeted “soft” supply chain interdiction. Recent campaigns from groups like Volt Typhoon and Salt Typhoon have focused primarily on compromising critical infrastructure backbones and edge devices, relying on living-off-the-land techniques and minimal malware. This operation instead illuminates a distinct strategic priority of focusing on administrative keyholders.

Hijacking the traffic flow of a trusted utility rather than injecting code into the software build pipeline allowed the threat actors to weaponize their delivery mechanism without alerting the vendor. This adversary-in-the-middle (AitM) capability allowed for dynamic fingerprinting of incoming update requests, enabling for highly selective filtering of priority targets.

This campaign is not focused on disruption, but on long-term valuable intelligence. This is illustrated by the combination of the threat actor’s selective victimology — focused on system administrators and developers in many geopolitically strategic regions — and their choice to use a lightweight backdoor with a low-profile.

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 000 800 050 45107
• South Korea: +82.080.467.8774

Advanced WildFire

Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.

Next-Generation Firewalls With Advanced Threat Prevention

Next-Generation Firewall with the Advanced Threat Prevention is designed to defend networks against both commodity threats and targeted threats.

Cloud-Delivered Security Services for the Next-Generation Firewall

Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious.

Cortex XDR and XSIAM

Cortex XDR and XSIAM help to prevent the threats described in this article by employing the Malware Prevention Engine. This approach combines several layers of protection, including Advanced WildFire, Behavioral Threat Protection and the Local Analysis module, to prevent both known and unknown malware from causing harm to endpoints.

Cortex Cloud

Organizations using Cortex Cloud, such as those within the cloud hosting industry which were actively targeted during this campaign, are better protected from the downloading and execution of the malware mentioned within this article through the proper placement of Cortex Cloud XDR endpoint agent and serverless agents within a cloud environment.

Designed to protect a cloud’s posture and runtime operations against these threats, Cortex Cloud helps detect and prevent the malicious operations or configuration alterations or exploitations discussed within this article.

Indicators of Compromise

• 1f6d28370f4c2b13f3967b38f67f77eee7f5fba9e7743b6c66a8feb18ae8f33e
• a3cf1c86731703043b3614e085b9c8c224d4125370f420ad031ad63c14d6c3ec
• a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
• skycloudcenter[.]com
• self-dns[.]it[.]com
• safe-dns[.]it[.]com
• cdncheck[.]it[.]com
• 95[.]179[.]213[.]0
• 45[.]76[.]155[.]202
• 45[.]77[.]31[.]210
• 61[.]4[.]102[.]97
• 59[.]110[.]7[.]32
• 95[.]179[.]213[.]0/update/AutoUpdater.exe
• 95[.]179[.]213[.]0/update/Upgrade.exe
• 45[.]32[.]144[.]255/update/update.exe
• 45[.]76[.]155[.]202/update/update.exe
• 59[.]110[.]7[.]32/dpixel
• self-dns[.]it[.]com/help/Get-Start
• self-dns[.]it[.]com/resolve
• self-dns[.]it[.]com/dns-query
• safe-dns[.]it[.]com/help/Get-Start
• safe-dns[.]it[.]com/resolve
• safe-dns[.]it[.]com/dns-query

Related Articles

• Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
• "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated November 26)
• Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT