The Notepad++ Update Hijack: How a Trusted Tool Became an APT’s Backdoor

Introduction:

A sophisticated supply chain attack has transformed the trusted Notepad++ text editor into a covert espionage tool. Between June and December 2025, the Chinese APT group Lotus Blossom (Billbug) hijacked the software’s update mechanism to deliver the “Chrysalis” backdoor to targeted organizations. This incident serves as a stark case study in how threat actors exploit ubiquitous software to bypass traditional security perimeters.

Learning Objectives:

  • Understand the technical mechanics of the Notepad++ supply chain compromise and the Chrysalis backdoor.
  • Learn actionable steps to hunt for Indicators of Compromise (IoCs) across endpoints and network logs.
  • Implement mitigation strategies to prevent and respond to similar software update-based attacks.

You Should Know:

1. Understanding the Attack Vector and Initial Infection

The attack did not compromise the Notepad++ application itself but its update delivery channel. When users triggered an update, their systems contacted a malicious server at 95.179.213.0, which delivered a trojanized update.exe. This file was a malicious NSIS installer that posed as a legitimate update, exploiting the trust users place in automated software maintenance processes.

Step-by-Step Guide:

  1. Initial Contact: The compromised `gup.exe` (Notepad++’s Generic Updater Program) connected to the attacker-controlled IP instead of the official update server.
  2. Payload Delivery: It downloaded and executed `update.exe` (SHA-256: a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9).
  3. Persistence Setup: The installer created a hidden directory `%AppData%\Bluetooth` and dropped the next-stage payloads, including a legitimate `BluetoothService.exe` (Bitdefender tool) and a malicious `log.dll`.

2. The Deceptive Payload: DLL Side-Loading in Action

To evade detection, the attackers employed a sophisticated DLL side-loading technique. They bundled a digitally signed, legitimate executable (BluetoothService.exe) with a malicious DLL (log.dll). When the trusted binary runs, it is tricked into loading the malicious DLL, allowing the malware to execute under the guise of a legitimate process.

Step-by-Step Guide:

  1. Legitimate Process Launch: The installer or a persistence mechanism runs BluetoothService.exe.
  2. Malicious DLL Load: Due to how Windows searches for DLLs, the process loads the malicious `log.dll` from the same directory instead of the genuine system library.
  3. Code Execution: `log.dll` decrypts and executes the final Chrysalis backdoor payload in memory, achieving execution while appearing as a trusted Bitdefender process.

3. Inside the Chrysalis Backdoor: Capabilities and Evasion

Chrysalis is a full-featured backdoor designed for stealth and persistence. It uses advanced obfuscation, including a custom Linear Congruential Generator for decryption and API hashing (FNV-1a/MurmurHash) to resolve Windows APIs, hiding its activity from static analysis. It communicates with its C2 server (api.skycloudcenter.com) over HTTPS, disguising traffic as calls to a Deepseek AI API endpoint.

Step-by-Step Guide (Analyst’s Perspective – Hunting for Chrysalis):

  1. Process Analysis: Look for `BluetoothService.exe` running from unusual paths like %AppData%. Use command-line tools to inspect:
    Windows (PowerShell): `Get-Process | Where-Object { $_.Path -like "*\AppData\*" } | Select-Object Name, Path, Id`
    Memory Analysis (Volatility 3, run from a Linux analysis host): `vol.py -f memory.dump windows.pslist | grep -i bluetooth`
  2. Network Traffic Inspection: Hunt for HTTPS connections to `api.skycloudcenter.com` or its IP 61.4.102.97. In Wireshark or Zeek logs, filter for this domain and inspect the URL paths for patterns like `/a/chat/s/{GUID}`.
  3. API Monitoring: Use tools like Sysmon (Event ID 7 – Image loaded) to monitor for `log.dll` being loaded by `BluetoothService.exe`. A custom rule can flag this specific pair.
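The two host-side behaviours described in sections 1 and 3 (the updater `gup.exe` launching an unexpected child, and `BluetoothService.exe` loading `log.dll` from its own directory) can be turned into a small triage script. The following is an added example in Python, not code from the article; it assumes Sysmon Event ID 1 and Event ID 7 records have been exported as one `key=value key=value ...` line per event, and the allowlist of what `gup.exe` may legitimately launch is an assumption to tune per environment. The sample events are constructed.

```python
"""Triage of exported Sysmon events for the two behaviours above:
gup.exe spawning an unexpected child (Event ID 1) and a process under
AppData loading an unsigned DLL from its own directory (Event ID 7).

Added example, not code from the article. Assumes one 'key=value ...'
line per event; the sample lines below are constructed.
"""
import ntpath
import re

# Constructed sample export: two process-create events, three image-load events.
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Users\alice\AppData\Local\Temp\update.exe ParentImage=C:\Program Files\Notepad++\updater\gup.exe
EventID=1 Image=C:\Program Files\Notepad++\notepad++.exe ParentImage=C:\Program Files\Notepad++\updater\gup.exe
EventID=7 Image=C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe ImageLoaded=C:\Users\alice\AppData\Roaming\Bluetooth\log.dll Signed=false
EventID=7 Image=C:\Program Files\Bitdefender\BluetoothService.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true
EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\ntdll.dll Signed=true
"""

# key=value pairs; values may contain spaces ("Program Files"), so a value runs
# until the next " key=" token or end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# ASSUMED allowlist of children gup.exe is expected to launch; tune per environment.
ALLOWED_UPDATER_CHILDREN = re.compile(r"^(notepad\+\+\.exe|npp\..*installer.*\.exe)$", re.I)

# The specific side-loading pair named in the article.
KNOWN_SIDELOAD_PAIR = ("bluetoothservice.exe", "log.dll")


def parse_event(line):
    """Parse one exported Sysmon line into a dict of its fields."""
    return dict(_KV.findall(line.strip()))


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def check_updater_child(ev):
    """Event ID 1: flag gup.exe spawning anything outside the allowlist."""
    if ev.get("EventID") != "1" or _base(ev.get("ParentImage", "")) != "gup.exe":
        return None
    if ALLOWED_UPDATER_CHILDREN.match(_base(ev.get("Image", ""))):
        return None
    return f"unexpected gup.exe child: {ev['Image']}"


def check_sideload(ev):
    """Event ID 7: flag the known pair, or any unsigned DLL loaded by a
    process under AppData from the process's own directory."""
    if ev.get("EventID") != "7":
        return None
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if (_base(image), _base(loaded)) == KNOWN_SIDELOAD_PAIR:
        return f"known side-load pair: {image} -> {loaded}"
    same_dir = _dir(image) == _dir(loaded)
    in_appdata = "\\appdata\\" in image.lower()
    unsigned = ev.get("Signed", "true").lower() == "false"
    if same_dir and in_appdata and unsigned:
        return f"unsigned DLL side-loaded from AppData: {image} -> {loaded}"
    return None


def triage(lines):
    """Run both rules over exported lines; return the list of findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in (check_updater_child, check_sideload):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

On the sample data the script reports the `update.exe` child of `gup.exe` and the `BluetoothService.exe` -> `log.dll` load, while the Bitdefender copy loading `kernel32.dll` from System32 stays quiet. The generic second rule in `check_sideload` catches the same technique with different file names, which is the point of monitoring Event ID 7 rather than a single hash.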

4. The Advanced Warbird Loader: Kernel-Level Evasion

In some cases, a second-stage loader named `ConsoleApplication2.exe` was deployed. This variant abuses Microsoft’s proprietary Warbird code protection framework. It copies encrypted shellcode into the memory of a signed Microsoft binary (clipc.dll) and triggers an undocumented kernel system call (NtQuerySystemInformation with class 0xB9) to decrypt and execute it in kernel context, bypassing user-mode security hooks.

Step-by-Step Guide (Detection Challenges):

  1. Kernel Call Monitoring: Detecting this requires monitoring for the rare `SystemCodeFlowTransition` (0xB9) system call. This is only possible with advanced EDR sensors or kernel debugging.
  2. Driver Verification: Regularly validate the integrity of running kernel drivers and signed binaries. Use PowerShell: `Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, IsSigned`.
  3. Behavioral Alerts: Configure security tools to alert on processes spawning from uncommon parents, especially if they are Microsoft-signed binaries executing unusual network or file operations.

5. Forensic Investigation: Hunting for Key Indicators of Compromise (IoCs)

Systematic hunting using the provided IoCs is critical for identifying compromised hosts. Focus on file hashes, network connections, and specific MITRE ATT&CK techniques employed.

Step-by-Step Hunting Guide:

  1. File System Hunt:
    Windows (CMD): `dir /s /b %AppData%\Bluetooth 2>nul`
    Linux (find compromised files via hash): create a text file `ioc_hashes.txt` with the SHA-256 hashes and run: `find /path/to/search -type f -exec sha256sum {} \; | grep -F -f ioc_hashes.txt`
  2. Network Log Review: Query firewall or SIEM logs for outbound connections to the malicious IPs (95.179.213.0, 59.110.7.32, 124.222.137.114) between June and December 2, 2025.
    Example Splunk SPL: `index=firewall dest_ip IN ("95.179.213.0", "59.110.7.32", "124.222.137.114") | stats count by src_ip, dest_ip`
  3. Persistence Check: Examine Registry Run keys and scheduled tasks for entries pointing to `BluetoothService.exe` or suspicious paths.
    Windows (Registry): `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /s`
    Windows (Tasks): `schtasks /query /fo LIST /v`
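The network review in section 3 (C2 domain, its IP and the `/a/chat/s/{GUID}` beacon path) and the hash and network hunts in this section can be combined into one offline IoC sweep. The following is an added example in Python, not code from the article; the IPs, domains, hash and activity window come from the article, while the log format (`ts,src_ip,dest_ip,host,uri`), the 1 June window start, and the standard 8-4-4-4-12 hex GUID shape are assumptions. The log lines are constructed.

```python
"""Offline IoC sweep: network log lines against the article's IPs, domains
and beacon URL pattern, plus a SHA-256 sweep against the IoC hash list.

Added example, not code from the article. Log format, window start and
GUID shape are assumptions; sample log lines are constructed.
"""
import hashlib
import re
from datetime import datetime, timezone
from pathlib import Path

# IoCs from the article.
IOC_IPS = {"95.179.213.0", "59.110.7.32", "124.222.137.114", "61.4.102.97"}
IOC_DOMAINS = {"api.skycloudcenter.com", "api.wiresguard.com"}
IOC_HASHES = {"a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9"}

# Activity window: June to 2 December 2025 per the article (1 June is assumed).
WINDOW_START = datetime(2025, 6, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 12, 2, 23, 59, 59, tzinfo=timezone.utc)

# Beacon path /a/chat/s/{GUID}; a standard 8-4-4-4-12 hex GUID is assumed, braces optional.
C2_PATH = re.compile(r"^/a/chat/s/\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

# Constructed sample log (not real traffic): ts,src_ip,dest_ip,host,uri
SAMPLE_NETLOG = """\
# ts,src_ip,dest_ip,host,uri
2025-07-14T09:12:03Z,10.0.0.15,61.4.102.97,api.skycloudcenter.com,/a/chat/s/3f2a1b9c-7d4e-4a6b-9c1d-0e2f3a4b5c6d
2025-08-02T11:00:00Z,10.0.0.22,95.179.213.0,,/update.exe
2025-03-01T08:00:00Z,10.0.0.9,95.179.213.0,,/update.exe
2025-09-10T12:00:00Z,10.0.0.31,203.0.113.5,www.example.com,/index.html
"""


def check_connection(ts, src_ip, dest_ip, host, uri):
    """Return a finding dict if any IoC matches, else None. Out-of-window hits
    are still reported but marked, so an analyst can deprioritise them."""
    reasons = []
    if dest_ip in IOC_IPS:
        reasons.append(f"dest_ip {dest_ip} is in the IoC list")
    if host and host.lower() in IOC_DOMAINS:
        reasons.append(f"host {host} is in the IoC list")
    if uri and C2_PATH.match(uri):
        reasons.append("URI matches the Chrysalis beacon pattern /a/chat/s/{GUID}")
    if not reasons:
        return None
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"src_ip": src_ip, "dest_ip": dest_ip, "reasons": reasons,
            "in_window": WINDOW_START <= when <= WINDOW_END}


def sweep_network(lines):
    """Sweep CSV-style log lines; skip comments and malformed rows."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            continue
        hit = check_connection(*fields)
        if hit:
            hits.append(hit)
    return hits


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def hash_hunt(items, iocs=IOC_HASHES):
    """items: iterable of (name, bytes). Returns the names whose SHA-256 is an IoC."""
    return [name for name, data in items if sha256_of(data) in iocs]


def hash_hunt_dir(root, iocs=IOC_HASHES):
    """Same sweep over a real directory tree (not exercised by the sample data)."""
    files = (p for p in Path(root).rglob("*") if p.is_file())
    return hash_hunt(((str(p), p.read_bytes()) for p in files), iocs)


if __name__ == "__main__":
    for hit in sweep_network(SAMPLE_NETLOG.splitlines()):
        print(hit)
```

Against the sample, the first line trips all three network rules at once (IoC IP, IoC domain and beacon path), the second trips only the IP rule, and the March line is reported but flagged as outside the window. `hash_hunt_dir` is the same check the `find ... | sha256sum` one-liner above performs, usable from a collection script on any platform.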

6. Immediate Mitigation and Patching Strategy

The first and most critical step is to break the attack chain by preventing the initial compromise and removing attacker access.

Step-by-Step Mitigation Guide:

  1. Patch and Harden: Immediately update all instances of Notepad++ to version 8.9.1 or later. Versions 8.8.9+ include critical hardening of the updater’s verification process. Disable automatic updates in managed environments and transition to a manual, verified patch deployment model for critical tools.
  2. Containment: If compromise is suspected, network-isolate the host. Reset credentials that may have been active on the system.
  3. Eradication: Use your EDR or a trusted antivirus to quarantine the identified malicious files (update.exe, log.dll). Manually remove the `%AppData%\Bluetooth` directory and any related persistence artifacts (Registry keys, scheduled tasks).
  4. Blocking Network IoCs: Enforce network blocks at the firewall for all malicious domains and IPs provided in the IoC list, particularly `api.skycloudcenter.com` and api.wiresguard.com.

7. Building Long-Term Resilience Against Supply Chain Attacks

This attack underscores the need to shift security strategy to assume trust in software pipelines can be breached.

Step-by-Step Resilience Guide:

  1. Inventory and Risk-Assess All Software: Use an asset management tool to catalog every application, especially those with update mechanisms. Prioritize security scrutiny for ubiquitous, trusted tools like text editors, PDF readers, and system utilities.
  2. Implement Application Allowlisting: Deploy policies that only allow pre-approved, signed executables to run. This would have blocked the malicious update.exe.
  3. Harden Update Mechanisms: For critical software, configure internal update servers or use enterprise management tools (like SCCM or Intune) to push verified updates, preventing direct connections to vendor servers.
  4. Enhance Monitoring: Create specific SIEM rules and EDR policies to detect DLL side-loading (Sysmon Event ID 7 is key), unusual child processes from updaters (`gup.exe`), and connections to newly registered or algorithmically generated domains.
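The "verified patch deployment" model in steps 2 and 3 comes down to a gate that runs before any installer is executed: the file must come from an approved internal mirror, must not be a known IoC, and must hash to the value in a manifest produced by the packaging team. The following is an added example in Python, not code from the article or from the Notepad++ project; the mirror host name `updates.corp.example`, the manifest and the installer bytes are constructed, while the blocked hosts and the malicious hash come from the article.

```python
"""Pre-install gate for a verified patch deployment model.

Added example, not code from the article or from Notepad++. Mirror host,
manifest and installer bytes are constructed; IoC hash and hosts come
from the article.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# From the article.
IOC_HASHES = {"a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9"}
BLOCKED_HOSTS = {"95.179.213.0", "59.110.7.32", "124.222.137.114",
                 "api.skycloudcenter.com", "api.wiresguard.com"}

# ASSUMED / constructed: the organisation's internal mirror and a manifest of
# approved installer hashes (computed here over a stand-in byte string).
APPROVED_SOURCES = {"updates.corp.example"}
APPROVED_INSTALLER = b"constructed stand-in for a vetted Notepad++ installer"
APPROVED_MANIFEST = {"npp-installer.exe": hashlib.sha256(APPROVED_INSTALLER).hexdigest()}


def gate_update(source_url, filename, data, manifest=APPROVED_MANIFEST):
    """Return (allowed, reason). Checks run in order and stop at the first failure,
    so a download from a blocked or unknown host is rejected before it is hashed."""
    host = urlparse(source_url).hostname or ""
    if host in BLOCKED_HOSTS:
        return False, f"source {host} is a known IoC"
    if host not in APPROVED_SOURCES:
        return False, f"source {host} is not an approved internal mirror"
    digest = hashlib.sha256(data).hexdigest()
    if digest in IOC_HASHES:
        return False, "payload hash matches the known malicious update.exe"
    expected = manifest.get(filename)
    if expected is None:
        return False, f"{filename} is not in the approved manifest"
    if not hmac.compare_digest(digest, expected):
        return False, f"SHA-256 of {filename} does not match the manifest"
    return True, "verified against manifest"


if __name__ == "__main__":
    print(gate_update("https://updates.corp.example/npp-installer.exe",
                      "npp-installer.exe", APPROVED_INSTALLER))
    print(gate_update("http://95.179.213.0/update.exe", "update.exe", b"not inspected"))
```

The order matters: the source check rejects a download from the attacker's server or straight from a vendor host before any bytes are trusted, and the hash check then stops a file that reached the mirror but was swapped or tampered with. The manifest entry is the control point; protecting how it is produced and distributed is what makes the gate meaningful.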

What Undercode Say:

  • The “Trusted Tool” Attack Surface is Vast and Exploitable. This incident proves that attackers are strategically targeting foundational, “non-security” software precisely because it is ubiquitous and trusted. Defenders must expand their threat models far beyond just servers and browsers to include every piece of software with network access.
  • Evasion Techniques are Borrowing from the Software Industry. The use of Microsoft’s own Warbird framework and the mimicry of Deepseek AI API traffic represent a dangerous trend. Attackers are leveraging legitimate software development tools and common internet traffic patterns to create attacks that are virtually invisible to conventional security tools, demanding more advanced behavioral and kernel-level analysis from defenders.

Prediction:

The Notepad++ compromise marks a significant escalation in software supply chain attacks, signaling a future where no developer tool or common utility is inherently safe. We will see APT groups increasingly target niche but critical software (e.g., network drivers, IT admin tools, developer plugins) to establish footholds in hard-to-reach sectors. In response, the cybersecurity industry will accelerate the adoption of binary attestation and software bill of materials (SBOM) verification for updates. Furthermore, defensive AI will become crucial to detect the subtle anomalies in process behavior and network traffic that characterize these advanced, low-signature intrusions, moving beyond simple signature-based detection.

Reported By: Benjamin Iheukumere – Hackers Feeds