
Introduction:
The recent compromise of Notepad++’s update infrastructure serves as a stark warning about the fragility of the software supply chain. A sophisticated actor, believed to be the Chinese APT group Lotus Blossom, hijacked the update channel to deliver a custom backdoor dubbed “Chrysalis” to targeted victims in telecom and finance. This incident demonstrates that even ubiquitous, trusted utilities are high-value targets for espionage-focused threat actors seeking deep, persistent access.
Learning Objectives:
- Understand the technical mechanics of the Notepad++ supply chain attack and the Chrysalis backdoor’s infection chain.
- Learn to identify and hunt for indicators of compromise (IoCs) related to this campaign within your own environment.
- Implement practical defenses and policy changes to mitigate risks from similar software supply chain attacks.
1. The Initial Access: Hijacking a Trusted Update
Step‑by‑step guide explaining what this does and how to use it.
The attack did not exploit a vulnerability in the Notepad++ code itself. Instead, the threat actor compromised the infrastructure of the editor’s former hosting provider. This allowed them to manipulate the update mechanism (WinGUP). For a period in 2025, update requests from some users were transparently redirected to attacker-controlled servers (95.179.213.0) which served a trojanized installer.
What to do: Immediately verify the integrity of Notepad++ installations and control update flows.
For Incident Responders: Hunt for historical connections to the malicious IP `95.179.213.0` in proxy logs, DNS queries, or endpoint telemetry.
Command Example (Log Analysis): `grep -r "95\.179\.213\.0" /var/log/*.log`
For System Administrators: Disable the built-in auto-updater (GUP.exe) via Group Policy or configuration file and shift to a managed, internal distribution model. Verify downloads using the official SHA-256 hashes from the Notepad++ website.
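The grep above still matches the IoC as a substring (for example inside `195.179.213.0` or `95.179.213.01`), so a hunt over large proxy, DNS and endpoint telemetry should match the address as a whole dotted-quad token. The following is an added example, not code from the original post or from the Notepad++ project: it hunts for the reported IP across three constructed telemetry formats with exact token matching, and adds the SHA-256 check recommended for installers. The log formats and the expected hash value are assumptions for illustration.

```python
import hashlib
import re

# IoC from the report: the attacker-controlled update host.
MALICIOUS_IP = "95.179.213.0"

# Constructed sample telemetry in three common shapes (proxy, DNS, EDR netconn).
# The last two lines are deliberate near-misses that a plain substring grep
# for "95\.179\.213\.0" would wrongly report as hits.
SAMPLE_LINES = [
    '2025-06-03T10:12:44Z proxy src=10.0.4.17 dst=95.179.213.0:443 method=GET host=notepad-plus-plus.org path=/update/getDownloadUrl.php',
    '2025-06-03T10:12:45Z dns query=notepad-plus-plus.org answer=95.179.213.0',
    '2025-06-03T10:12:46Z edr image=C:\\Users\\alice\\AppData\\Local\\Notepad++\\updater\\gup.exe netconn=95.179.213.0:443',
    '2025-06-03T10:13:01Z proxy src=10.0.4.18 dst=195.179.213.0:443 method=GET host=example.org path=/',
    '2025-06-03T10:13:02Z dns query=cdn.example.net answer=95.179.213.01',
]


def ip_token_pattern(ip: str) -> re.Pattern:
    # Match the IP only as a whole dotted-quad: no digit or dot may precede or
    # follow it, so 195.179.213.0 and 95.179.213.01 are excluded.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def find_ioc_hits(lines, ioc_ip=MALICIOUS_IP):
    """Return (line_number, source_type) for every line that references the IoC IP exactly."""
    pat = ip_token_pattern(ioc_ip)
    hits = []
    for n, line in enumerate(lines, start=1):
        if pat.search(line):
            source = line.split()[1]  # proxy / dns / edr in the constructed format
            hits.append((n, source))
    return hits


def verify_sha256(path, expected_hex: str) -> bool:
    """Stream a downloaded installer through SHA-256 and compare with the published hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().lower() == expected_hex.strip().lower()


if __name__ == "__main__":
    for n, src in find_ioc_hits(SAMPLE_LINES):
        print(f"line {n}: {src} telemetry references {MALICIOUS_IP}")
```

Run it against exported proxy or DNS logs by replacing `SAMPLE_LINES` with the file contents; the same token pattern can be dropped into a SIEM regex field. Compare installer hashes only against values published on the official Notepad++ site, never against a hash served from the same download location as the binary.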
2. Dissecting the Malicious Installer: The NSIS Package
The delivered `update.exe` file was a malicious NSIS (Nullsoft Scriptable Install System) installer, a packaging tool frequently abused by APT groups. Its script (`*.nsi`) executed a series of deceptive steps:
- Create Hidden Directory: It created a hidden folder `%AppData%\Bluetooth`.
- Drop Payloads: It copied the following files into that directory:
  - `BluetoothService.exe`: A renamed, legitimate Bitdefender Submission Wizard executable (used for DLL sideloading).
  - `log.dll`: A malicious DLL.
  - `BluetoothService`: An encrypted shellcode file.
What to do: Hunt for these artifacts and understand NSIS-based attacks.
Detection Command (Windows): `dir /a:h "%AppData%" | findstr /i "Bluetooth" && echo Hidden Bluetooth folder found!` (lists only hidden entries directly under `%AppData%`, so the folder is reported whether or not the files inside it are hidden)
Analysis Tip: Use tools like `7-Zip` or dedicated NSIS extractors to examine suspicious `.exe` files. Look for scripts that create hidden directories or drop executable files in user-writable locations.
3. Gaining Execution: Sophisticated DLL Sideloading
The attacker abused a legitimate, signed executable (BluetoothService.exe) to load a malicious DLL (log.dll)—a technique known as DLL sideloading. The legitimate program expected a `log.dll` with specific export functions (LogInit, LogWrite). The malicious DLL provided these exports, containing the code to load and decrypt the final payload.
`LogInit` and `LogWrite` functions:
- `LogInit`: Loaded the encrypted `BluetoothService` shellcode file into memory.
- `LogWrite`: Executed a custom decryption routine to unpack the shellcode. It used a linear congruential generator (constants `0x19660D` and `0x3C6EF35F`) rather than standard Windows crypto APIs, making detection harder.
What to do: Defend against and detect DLL sideloading.
Mitigation (Windows): Enable the Attack Surface Reduction (ASR) rule: “Block execution of potentially obfuscated scripts.” This can help block some sideloading techniques.
Hunting: Use Sysmon or EDR tools to look for processes running from unusual paths (like %AppData%) that load DLLs from the same directory, especially if the parent process is an updater.
4. Core Payload Analysis: The Chrysalis Backdoor
The decrypted shellcode revealed the “Chrysalis” backdoor, a full-featured, persistent implant. Its main module was further encrypted within the shellcode using a multi-step XOR/ADD/SUB algorithm with the hardcoded key `gQ2JR&9;`.
Key Characteristics of Chrysalis:
- Advanced Obfuscation: It used custom, position-dependent string obfuscation and multiple layers of API hashing (FNV-1a and MurmurHash variants) to hide its functionality from static analysis.
- C2 Communication: It decrypted its configuration (using RC4 with key `qwhvb^435h&7`) to contact `https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821`. This URL mimicked a DeepSeek AI API endpoint to blend in with normal traffic.
- Persistence: It installed itself as a Windows Service or via Run Registry key.
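API hashing means the import table tells an analyst nothing; the names have to be recovered by hashing candidate export names with the same function and matching the constants found in the binary. The following is an added example, not code from the original post or from any analysis of the sample: it builds a lookup table with standard 32-bit FNV-1a parameters. The report says the sample uses FNV-1a and MurmurHash variants, so the offset, prime, input encoding and case handling are assumptions that have to be confirmed from the decryption routine; the export list is constructed (in practice, dump it from the real DLLs with a PE parser).

```python
# Standard 32-bit FNV-1a parameters (assumption: the sample's variant may differ).
FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes, offset: int = FNV32_OFFSET, prime: int = FNV32_PRIME) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = offset
    for b in data:
        h ^= b
        h = (h * prime) & 0xFFFFFFFF
    return h


# Constructed export list standing in for a dump of the real DLL export tables.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW"],
    "ntdll.dll": ["NtProtectVirtualMemory", "RtlDecompressBuffer"],
}


def build_hash_table(exports, hash_fn=fnv1a_32, encoding="ascii", lowercase=False):
    """Map hash -> 'dll!Export'. Encoding and case are knobs because real variants
    often hash lower-cased or UTF-16 names; try each until known constants resolve."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            key = name.lower() if lowercase else name
            table[hash_fn(key.encode(encoding))] = f"{dll}!{name}"
    return table


def resolve(hashes, table):
    """Return {hash: name or None} for each 32-bit constant pulled from the sample."""
    return {h: table.get(h & 0xFFFFFFFF) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed "constants found in the binary": two that resolve, one that does not.
    wanted = [fnv1a_32(b"VirtualAlloc"), fnv1a_32(b"NtProtectVirtualMemory"), 0xDEADBEEF]
    for h, name in resolve(wanted, table).items():
        print(f"0x{h:08X} -> {name or 'unresolved'}")
```

A quick sanity check for the parameters is that an unresolved table for every encoding/case combination usually means the function is not plain FNV-1a (an extra XOR with a per-sample constant, or a different prime, are common tweaks); that is the point at which to read the hashing routine itself rather than guess further.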
What to do: Analyze malware with similar traits.
Static Analysis: In a sandbox, look for the hardcoded decryption keys and the unique mutex `Global\\Jdhfv_1.0.1` as a strong indicator of compromise (IoC).
Network Detection: Alert on HTTPS POST requests to domains with paths structured like `/a/chat/s/{GUID}` that are not part of your approved AI tooling.
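The network rule above only works where the proxy can see the request path, i.e. with TLS inspection in place; with it, the `/a/chat/s/{GUID}` shape is specific enough to alert on outside an allowlist. The following is an added example, not code from the original post: it applies that rule to constructed proxy log lines. The log format, the allowlisted hostnames and the process names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Path shape reported for the Chrysalis C2: /a/chat/s/{GUID}
C2_PATH_RE = re.compile(
    r"^/a/chat/s/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Hosts the organisation has approved for AI tooling (assumed allowlist).
APPROVED_AI_HOSTS = {"api.openai.example", "llm-gateway.corp.example"}

# Constructed proxy log lines: timestamp, client, method, URL, originating process.
SAMPLE_PROXY_LOG = [
    '2025-06-03T10:15:01Z 10.0.4.17 POST https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821 proc=BluetoothService.exe',
    '2025-06-03T10:15:07Z 10.0.4.22 POST https://llm-gateway.corp.example/a/chat/s/2a2e1d3c-5b6f-4a7e-8c9d-0e1f2a3b4c5d proc=chrome.exe',
    '2025-06-03T10:15:09Z 10.0.4.17 GET https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821 proc=BluetoothService.exe',
    '2025-06-03T10:15:12Z 10.0.4.31 POST https://www.example.org/a/chat/s/not-a-guid proc=firefox.exe',
]


def parse_proxy_line(line: str) -> dict:
    """Split one constructed log line into its fields and the URL's host and path."""
    ts, client, method, url, proc = line.split(maxsplit=4)
    parts = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": parts.hostname,
        "path": parts.path,
        "proc": proc.split("=", 1)[1],
    }


def detect_c2_beacons(lines, approved_hosts=APPROVED_AI_HOSTS):
    """Flag POSTs whose path matches the C2 shape on hosts outside the allowlist."""
    alerts = []
    for line in lines:
        ev = parse_proxy_line(line)
        if ev["method"] != "POST":
            continue
        if ev["host"] in approved_hosts:
            continue
        if C2_PATH_RE.match(ev["path"]):
            alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for a in detect_c2_beacons(SAMPLE_PROXY_LOG):
        print(f"{a['ts']} {a['client']} {a['proc']} -> https://{a['host']}{a['path']}")
```

Of the four constructed lines only the first alerts: the second goes to an approved gateway, the third is a GET, and the fourth does not carry a GUID. Adding the originating process to the alert (as the sample format does) is what lets an analyst separate a renamed sideloading host like `BluetoothService.exe` from a browser on the same client.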
5. Capabilities and Commands: A Powerful Espionage Tool
Chrysalis’s true danger lies in its extensive command set, controlled via tags in the C2 response. It functioned as a Swiss Army knife for remote access and data theft.
Decoded Command Table:
| Tag (Hex) | Purpose |
| --- | --- |
| `0x3454` (4T) | Spawn an interactive reverse shell (cmd.exe). |
| `0x3457` (4W) | Write file to disk. |
| `0x345A` (4Z) | Break from command loop. |
| `0x345D` (4]) | Sleep/beacon for a specified time. |
| `0x3464` (4d) | Exfiltrate file to C2. |
| `0x345C` (4\) | Uninstall itself from the system. |
What to do: Hunt for post-exploitation activity.
Process Creation Monitoring: Look for `cmd.exe` spawned by unusual parent processes or from user-writable directories.
Data Exfiltration: Baseline normal outbound traffic volumes and investigate large, sustained HTTPS uploads to unknown external IPs, especially from non-browser processes.
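The two hunting ideas in section 3 (a process under `%AppData%` loading a DLL from its own directory) and in this section (`cmd.exe` spawned by a parent in a user-writable directory) reduce to simple rules over Sysmon process-create and image-load events. The following is an added example, not code from the original post or from Sysmon itself: the events are constructed dictionaries carrying a subset of the real Sysmon fields (`Image`, `ImageLoaded`, `ParentImage`), and the list of user-writable path markers is an assumption to tune for your environment.

```python
from pathlib import PureWindowsPath

# Locations a standard user can write to; executables living here deserve scrutiny.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

# Constructed Sysmon-style events (subset of the real fields):
# EventID 7 = Image loaded, EventID 1 = Process created.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\SciLexer.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def same_directory(a: str, b: str) -> bool:
    # PureWindowsPath compares case-insensitively, as the file system does.
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def detect_sideload(event):
    """EventID 7: a process under a user-writable path loading a DLL from its own directory."""
    if event["EventID"] != 7:
        return None
    img, dll = event["Image"], event["ImageLoaded"]
    if is_user_writable(img) and same_directory(img, dll):
        return (f"possible sideload: {PureWindowsPath(img).name} loaded "
                f"{PureWindowsPath(dll).name} from {PureWindowsPath(img).parent}")
    return None


def detect_suspicious_shell(event):
    """EventID 1: cmd.exe whose parent runs from a user-writable directory."""
    if event["EventID"] != 1:
        return None
    if PureWindowsPath(event["Image"]).name.lower() != "cmd.exe":
        return None
    parent = event["ParentImage"]
    if is_user_writable(parent):
        return f"cmd.exe spawned by {parent}"
    return None


def run_detections(events):
    """Apply every rule to every event; return (rule_name, message) for each finding."""
    findings = []
    for ev in events:
        for rule in (detect_sideload, detect_suspicious_shell):
            msg = rule(ev)
            if msg:
                findings.append((rule.__name__, msg))
    return findings


if __name__ == "__main__":
    for rule, msg in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] {msg}")
```

The third event shows why the user-writable condition matters: `notepad++.exe` loading `SciLexer.dll` from its own directory under `Program Files` is ordinary behaviour, and a rule that fired on every same-directory load would drown the analyst in noise. The `Signed` field is carried along because "unsigned DLL loaded by a signed host from a user-writable path" is a sensible next refinement.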
6. Building Defenses: From Detection to Prevention
This attack necessitates a shift in how organizations manage “low-risk” software.
1. Inventory and Assess: Catalog all freely downloaded utilities (text editors, FTP clients, etc.) and treat them as part of your formal software supply chain.
2. Control Updates: Where possible, disable in-application auto-updaters. Use enterprise software management tools (like SCCM, Intune, or an internal repository) to distribute and patch applications.
3. Harden Endpoints:
   - Windows: Apply policies to restrict execution from `%AppData%` and `%LocalAppData%`.
   - Linux/Mac: Use similar principles with restricted user directories.
   - Command Example (AppLocker/Windows): Create a rule to allow executables only from `C:\Program Files\` and `C:\Windows\` for standard users, blocking execution from `%AppData%`.
4. Enhanced Monitoring: Deploy EDR/XDR solutions and configure alerts for processes making network connections that are not typically associated with them (e.g., `GUP.exe` connecting to an unknown cloud IP).
What Undercode Say:
- The Software Supply Chain is Only as Strong as its Weakest Host. This attack bypassed secure code signing by targeting the delivery platform, not the code. Trust in a developer must extend to trust in their entire operational infrastructure.
- Obfuscation is the New Norm. Chrysalis employed multiple, custom obfuscation layers (API hashing, string encryption, mimicking API traffic) specifically to evade automated security tools and increase analysis overhead. Defenders must assume advanced malware will have these features.
Analysis:
This incident represents a maturation of APT tactics. By compromising a trusted, niche developer’s infrastructure, the threat actor gained a highly credible lure with a minimized blast radius, ensuring only specific targets were infected. The technical sophistication—from the infrastructure hijack to the multi-stage, heavily obfuscated payload—indicates significant resources and a focus on long-term, stealthy espionage. It forces a re-evaluation of risk models: an application’s perceived function is irrelevant; its access level and update mechanism define its attack surface.
Prediction:
The success of this attack will catalyze a wave of similar software supply chain operations. We predict a rise in targeted compromises of small to mid-sized ISVs (Independent Software Vendors), especially those serving specific verticals like engineering, law, or finance. Defense will pivot towards “zero-trust” for software updates, requiring independent verification of download sources and binary integrity before installation, moving beyond reliance on developer signatures alone.
Reported By: Sebastianstavar Notepad – Hackers Feeds


