visionaries Network Team
03 February, 2026
cybersecurity
A Notepad++ supply chain attack tied to Chinese APT Lotus Blossom delivered the new Chrysalis backdoor, targeting government and critical sectors worldwide
A newly uncovered Notepad++ supply chain attack has been attributed to the Chinese advanced persistent threat (APT) group known as Lotus Blossom, also called Billbug. Security researchers say the campaign leveraged compromised infrastructure linked to the popular text editor to distribute a previously undocumented backdoor named Chrysalis, marking a significant escalation in the group’s capabilities.
The campaign was discovered by Rapid7 researcher Ivan Feigl and is believed to have primarily targeted organizations operating in government, telecommunications, aviation, and critical infrastructure sectors across Southeast Asia and Central America.
Compromised Update Chain Raised Red Flags
The investigation began after analysts examined a security incident involving the execution of a malicious file named update.exe. The file was downloaded from a suspicious IP address shortly after the legitimate execution of notepad++.exe and GUP.exe, the official updater used by Notepad++.
Forensic analysis revealed that update.exe was an NSIS installer—a format frequently abused by Chinese APT groups to deliver initial payloads. This finding quickly pointed researchers toward a Notepad++ supply chain attack, rather than a standalone malware infection.
DLL Sideloading Used to Deploy Chrysalis
Once executed, the installer created a hidden directory within the victim’s AppData folder and dropped several files, including BluetoothService.exe and a malicious log.dll. The executable was found to be a renamed, legitimate Bitdefender binary, which attackers abused for DLL sideloading—forcing it to load the malicious DLL instead of the authentic one.
The log.dll file then decrypted and launched the Chrysalis backdoor, a sophisticated implant designed for long-term persistence. Unlike smash-and-grab malware, Chrysalis supports extensive command execution, file operations, process launching, and even a self-removal function to erase forensic traces.
Advanced Evasion and Stealth Techniques
Researchers noted that Chrysalis employs custom encryption, API hashing, and encrypted HTTPS communications with its command-and-control server. Notably, the malware’s network traffic mimics legitimate AI-related API endpoints, an apparent attempt to blend into normal enterprise traffic—further reinforcing the stealthy nature of the Notepad++ supply chain attack.
In addition to Chrysalis, investigators uncovered a separate loader variant that abuses Microsoft’s Warbird protection framework. By executing shellcode within the context of a Microsoft-signed binary, the loader can bypass user-mode hooks and many endpoint detection and response (EDR) systems.
Attribution and Broader Implications
Rapid7 attributed the campaign to Lotus Blossom with moderate confidence, citing shared cryptographic keys and recurring use of Bitdefender sideloading techniques seen in previous Billbug operations. The Notepad++ supply chain attack highlights how trusted software ecosystems can be weaponized to infiltrate high-value targets.
Security experts warn that such attacks underscore the growing risk associated with software supply chains. Organizations are advised to monitor update mechanisms closely, validate binaries, and strengthen detection capabilities against sophisticated threats like the Notepad++ supply chain attack, which blends legitimate tools with advanced evasion tactics.
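Detection logic for the two patterns described above, the GUP.exe update chain that ran an installer fetched from a bare IP address, and the signed BluetoothService.exe binary in AppData loading log.dll from its own directory, as an added Python example that is not code from Rapid7 or this article. The event field names, file paths, hostname, IP address and signer values are constructed assumptions modelled on Sysmon-style process-creation and image-load telemetry.

```python
"""Detection checks for the two stages described above: the GUP.exe update
chain and the BluetoothService.exe/log.dll sideload. Added example, not code
from Rapid7 or the article; event fields are assumed Sysmon-style records."""
import ntpath
import re

IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def is_user_writable(path):
    """True under a user's AppData tree, where the installer dropped its hidden dir."""
    return "\\appdata\\" in path.lower()

def check_update_chain(event):
    """Flag a GUP.exe child whose payload came from a bare IP, not a hostname."""
    parent = ntpath.basename(event.get("parent", "")).lower()
    if event.get("type") != "process" or parent != "gup.exe":
        return None
    if not IPV4_LITERAL.match(event.get("remote", "")):
        return None
    return "update-chain: GUP.exe ran %s fetched from IP %s" % (
        ntpath.basename(event["image"]), event["remote"])

def check_sideload(event):
    """Flag an executable in AppData loading a DLL from its own directory;
    a signer value means a legitimately signed binary was relocated there."""
    if event.get("type") != "imageload" or not is_user_writable(event["image"]):
        return None
    exe, dll = event["image"], event["loaded"]
    if ntpath.dirname(exe).lower() != ntpath.dirname(dll).lower():
        return None
    return "sideload: %s (signer: %s) loaded %s from %s" % (
        ntpath.basename(exe), event.get("signer", "unsigned"),
        ntpath.basename(dll), ntpath.dirname(exe))

def scan(events):
    """Run every check over the event stream; return the alert strings."""
    hits = (c(ev) for ev in events for c in (check_update_chain, check_sideload))
    return [h for h in hits if h]

# Constructed sample telemetry: paths, hostname, IP and signers are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent": r"C:\Program Files\Notepad++\updater\GUP.exe", "remote": "203.0.113.7"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\npp.exe",
     "parent": r"C:\Program Files\Notepad++\updater\GUP.exe", "remote": "updates.example.org"},
    {"type": "imageload", "image": r"C:\Users\alice\AppData\Roaming\svc\BluetoothService.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\svc\log.dll", "signer": "Bitdefender"},
    {"type": "imageload", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signer": "Microsoft"},
]
```

Running `scan(SAMPLE_EVENTS)` yields exactly two alerts, one per stage; the second process event (payload fetched from a hostname) and the benign kernel32.dll load are left alone, which is the false-positive boundary a production rule also needs.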
As supply chain compromises continue to rise globally, this incident serves as another reminder that even widely trusted applications can become vectors for nation-state cyber espionage.