The Notepad++ Update Compromise: What Happened, Why It Was Targeted, and What Defenders Should Learn

Feb 02, 2026

Executive Summary

In mid to late 2025, a security incident involving Notepad++ raised concerns across the security community. While headlines suggested a “compromised application,” the reality was more nuanced and more instructive.

The Notepad++ source code was not backdoored. Instead, attackers interfered with parts of the update distribution path, selectively delivering malicious updates to specific, high-value targets. This incident closely follows the playbook of modern supply chain attacks conducted by advanced persistent threat (APT) actors.

This post breaks down what happened, why the attack was selective, what the real risk was, and, most importantly, what defenders and threat hunters should do differently going forward.

What Actually Happened

  • Attackers gained access to infrastructure involved in the Notepad++ update mechanism
  • They did not alter the public source code repository
  • Legitimate update requests were conditionally redirected
  • Only certain systems received a malicious payload masquerading as a legitimate update

This was not a mass malware campaign. Most users who updated during the affected period received clean binaries and were never at risk.

Timeline of the Incident

Early to Mid 2025

  • Attackers gained access to infrastructure associated with Notepad++ update delivery
  • No public indicators of compromise were observed
  • Normal update behavior continued for most users

Mid 2025

  • Conditional redirection logic was introduced
  • Update requests from selected environments were served malicious payloads
  • Targeting focused on specific IP ranges and organizations

Late 2025

  • Security researchers and third parties identified anomalies in update traffic
  • Investigation confirmed selective supply chain manipulation
  • Infrastructure access by attackers was removed

Post Disclosure

  • Notepad++ released hardened update mechanisms
  • Signature verification and integrity checks were strengthened
  • Users were advised to reinstall from official sources

Why This Was a Targeted Attack (Not a Broad One)

1. Stealth Was the Primary Objective

Mass infections trigger:

  • Antivirus detections
  • Automated sandbox analysis
  • Rapid public disclosure

Selective delivery allows attackers to remain undetected for months.

2. Conditional Payload Delivery

The attackers could decide who received the malicious update based on:

  • IP address ranges
  • Geographic location
  • Organization type, such as government, research, or enterprise
  • Network or system characteristics

If a system did not meet targeting criteria, it received the legitimate update.

3. High Trust, Low Suspicion Software

Notepad++ is:

  • Widely installed
  • Developer focused
  • Rarely monitored closely by EDR policies

This makes it an excellent initial access vector in environments where developer tooling is implicitly trusted.

4. This Matches Known APT Supply Chain Patterns

This incident strongly resembles prior selective supply chain compromises such as:

  • CCleaner (2017)
  • ASUS Live Update
  • Early stages of SolarWinds

In all cases, attackers:

  • Targeted specific organizations
  • Avoided mass deployment
  • Prioritized long term access over fast spread

Who Was Actually at Risk?

You were potentially at risk only if all of the following applied:

  • You used the built-in auto-update feature
  • You updated during the compromised window
  • Your system matched attacker targeting criteria

Home users and casual environments were very unlikely to be affected.

Vendor Response and Mitigation

The Notepad++ project responded by:

  • Strengthening update verification using signature and integrity checks
  • Migrating infrastructure
  • Advising users to reinstall from trusted sources

Installing a current version from the official site fully mitigates the issue.

Defensive Lessons Learned

1. “Trusted Software” Is a Dangerous Assumption

Supply chain attacks exploit trust, not vulnerabilities.

Defenders should:

  • Monitor developer tools just as closely as browsers or office apps
  • Treat update processes as high risk activity

2. Auto Update Traffic Deserves Visibility

Update mechanisms often:

  • Use outbound connections
  • Bypass proxies
  • Evade inspection

Ensure you can:

  • Log update related domains
  • Detect redirects or unusual endpoints
  • Correlate updates with new process execution

3. Selective Attacks Will Not Trigger Global Alerts

Threats like this will not show up as:

  • VirusTotal spikes
  • Widespread IOC feeds

Detection must be behavioral, not signature based.

What Defenders Should Do Now

My take is: don't use Notepad++ at all. But if you must, keep the following recommendations in mind. If the server was compromised and they could redirect the updates, god knows what else they could have done, so just threat hunt, uninstall, and block it across the whole organization.

Immediate Actions

  • Reinstall Notepad++ from the official site using the current version
  • Verify digital signatures of installed binaries
  • Run a full EDR or antivirus scan

Hardening Recommendations

  • Restrict which applications are allowed to auto-update
  • Require signature validation for updater processes
  • Log and alert on:
    • Unsigned child processes
    • Update tools spawning shells or network utilities
  • Block outbound network connections from Notepad++ itself. A text editor should not need to make network connections; this is an easy win.

Threat Hunting Guidance

Hunt 1: Suspicious Child Processes

Look for:

notepad++.exe or updater processes spawning:

  • cmd.exe
  • powershell.exe
  • mshta.exe
  • rundll32.exe

This is not normal behavior for a text editor.

Hunt 2: Network Anomalies During Updates

Identify:

  • Update traffic going to unexpected IP ranges
  • TLS connections not matching known Notepad++ endpoints
  • Geographic mismatches between update servers and vendor infrastructure

Hunt 3: Persistence Artifacts

Search for:

  • New scheduled tasks created around update timestamps
  • Registry run keys linked to Notepad++ directories
  • DLLs dropped alongside legitimate binaries

Hunt 4: Timeline Correlation

Correlate:

  • Update events
  • First execution of new binaries
  • Credential access or lateral movement shortly afterward

Supply chain compromises are usually stage one access, not the final payload.
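The four hunts above (and the "log and alert on" items in the hardening list) can be expressed as simple rules over endpoint telemetry. The script below is an added example written for this post, not code from the original article or from the Notepad++ project: it runs each hunt over a handful of constructed Sysmon-style records. The field names only loosely follow Sysmon's ProcessCreate and NetworkConnect events, the updater process name (gup.exe), the endpoint allowlist and every log record are constructed assumptions, and the 30-minute correlation window is a starting point to tune against your own baseline.

```python
"""Added example, not code from the original post or from the Notepad++ project:
the four hunts above run over constructed Sysmon-style telemetry. Field names
loosely follow Sysmon's ProcessCreate and NetworkConnect events plus task and
credential-access records; every record, host name and the endpoint allowlist
below is a constructed assumption to adapt to your own logs."""
from datetime import datetime, timedelta

EDITOR = "notepad++.exe"
UPDATER = "gup.exe"                          # assumed name of the Notepad++ updater process
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}
UPDATE_ALLOWLIST = {"notepad-plus-plus.org"}  # assumed: the only host the updater may contact
WINDOW = timedelta(minutes=30)               # activity this soon after an update counts as related

NPP = r"C:\Program Files\Notepad++"
STAGED = r"C:\Users\Public\Libraries\svchost.exe"   # constructed: dropped binary with a lookalike name

# Constructed telemetry: a clean update on 1 June, then an update on 15 June
# that is followed by the kind of chain the hunts above describe.
EVENTS = [
    {"time": "2025-06-01T09:00:00", "type": "process_create",
     "image": NPP + r"\updater\gup.exe", "parent_image": NPP + r"\notepad++.exe"},
    {"time": "2025-06-01T09:00:02", "type": "network_connect",
     "image": NPP + r"\updater\gup.exe", "dest_host": "notepad-plus-plus.org", "dest_port": 443},
    {"time": "2025-06-15T14:10:00", "type": "process_create",
     "image": NPP + r"\updater\gup.exe", "parent_image": NPP + r"\notepad++.exe"},
    {"time": "2025-06-15T14:10:01", "type": "network_connect",
     "image": NPP + r"\updater\gup.exe", "dest_host": "update-cdn.example.net", "dest_port": 443},
    {"time": "2025-06-15T14:10:20", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": NPP + r"\updater\gup.exe"},
    {"time": "2025-06-15T14:10:45", "type": "process_create",
     "image": STAGED, "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2025-06-15T14:11:00", "type": "scheduled_task",
     "task_name": r"\Microsoft\Windows\UpdateHelper", "command": STAGED},
    {"time": "2025-06-15T14:25:00", "type": "credential_access",
     "image": STAGED, "target": "lsass.exe"},
]

def ts(e):
    return datetime.fromisoformat(e["time"])

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def within_window(later, earlier):
    return timedelta(0) <= ts(later) - ts(earlier) <= WINDOW

def hunt_child_processes(events):
    """Hunt 1: the editor or its updater spawning a shell or LOLBin."""
    return [e for e in events if e["type"] == "process_create"
            and basename(e["parent_image"]) in {EDITOR, UPDATER}
            and basename(e["image"]) in SUSPICIOUS_CHILDREN]

def hunt_update_network(events):
    """Hunt 2: any connection by the editor itself, or an updater connection off the allowlist."""
    hits = []
    for e in events:
        if e["type"] != "network_connect":
            continue
        proc = basename(e["image"])
        if proc == EDITOR or (proc == UPDATER and e["dest_host"].lower() not in UPDATE_ALLOWLIST):
            hits.append(e)
    return hits

def update_runs(events):
    """Each start of the updater process counts as one update event."""
    return [e for e in events if e["type"] == "process_create" and basename(e["image"]) == UPDATER]

def hunt_persistence(events):
    """Hunt 3: scheduled tasks or run keys created shortly after an update."""
    updates = update_runs(events)
    return [e for e in events if e["type"] in {"scheduled_task", "registry_run_key"}
            and any(within_window(e, u) for u in updates)]

def hunt_timeline(events):
    """Hunt 4: update -> first run of a binary outside Program Files/Windows -> credential access."""
    chains = []
    for u in update_runs(events):
        for p in events:
            if p["type"] != "process_create" or not within_window(p, u):
                continue
            if p["image"].lower().startswith((r"c:\program files", r"c:\windows")):
                continue  # binaries in expected locations are not "new" for this hunt
            for c in events:
                if (c["type"] == "credential_access" and c["image"] == p["image"]
                        and within_window(c, p)):
                    chains.append((u["time"], p["image"], c["time"]))
    return chains

if __name__ == "__main__":
    for name, hunt in [("child processes", hunt_child_processes), ("update network", hunt_update_network),
                       ("persistence", hunt_persistence), ("timeline", hunt_timeline)]:
        print(f"Hunt: {name}")
        for hit in hunt(EVENTS):
            print("  ", hit)
```

Run as-is, the clean 1 June update produces no hits in any hunt, while the 15 June update trips all four: the updater spawns cmd.exe, contacts a host outside the allowlist, a scheduled task appears within the window, and a binary from a user-writable directory touches lsass.exe shortly after its first execution. In production the same rules map naturally onto a SIEM query or a Sigma rule; the point of keeping Hunt 4 as a chain rather than four independent alerts is that each step on its own is noisy, but the ordered sequence is not.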

Final Takeaway

This was not a failure of open source software.
It was a reminder that:

Trust is the real attack surface in modern environments.

Selective supply chain attacks will continue to happen quietly, patiently, and with precision.

Organizations that assume “everyone would be affected if it were real” will miss the next one.


Analysis of the Rapid7 Report

This report is important not because it found “another backdoor,” but because it shows how modern APT supply-chain attacks are evolving and what defenders should change in response.

1. This Confirms the Notepad++ Incident Was a Real APT Operation

Key takeaway

  • The abuse of Notepad++ infrastructure was not hypothetical or speculative
  • It was actively used by a long-running Chinese espionage group (Lotus Blossom / Billbug)

This elevates the incident from:

“possible supply-chain abuse”

to

“confirmed nation-state intrusion vector”

This matters for risk assessment, board communication, and future vendor trust decisions.

2. Selective Supply-Chain Attacks Are the New Default

The attackers:

  • Did not broadly weaponize updates
  • Delivered payloads only after Notepad++ execution
  • Used conditional logic to remain invisible

Strategic insight

Absence of widespread detections does not mean absence of compromise. Detection strategies that rely on “blast radius” are obsolete.

This reinforces that:

Supply-chain compromise ≠ mass malware campaign

3. Abuse of Legitimate Tools Is the Core Strategy

The campaign deliberately blends:

  • Legitimate signed software
  • Legitimate installers (NSIS)
  • Legitimate security tools (Bitdefender Submission Wizard)
  • Legitimate Windows internals

This is not sophistication for its own sake. It is anti-detection by design.

Defender implication

Trust relationships are the attack surface. “Signed” and “legitimate” are no longer security boundaries.

4. DLL Side-Loading Remains Extremely Effective

Despite being a well-known technique, DLL side-loading remains:

  • Reliable
  • Quiet
  • Difficult to detect in default EDR configurations

The attackers:

  • Renamed trusted executables
  • Dropped malicious DLLs with generic names
  • Relied on default DLL search order behavior

Lesson

If your environment does not explicitly monitor DLL load paths, you are blind to this class of attack.
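The pattern described above (a renamed, signed executable loading an unsigned DLL with a generic name from its own directory, relying on the application directory being searched first) can be hunted directly from image-load telemetry. The script below is an added example written for this post, not code from the original article or from the Rapid7 report. The field names only loosely mirror Sysmon's ImageLoad event, the trusted-directory list is an assumption, and every record, including the original file name of the renamed tool, is constructed.

```python
"""Added example, not from the original post or the Rapid7 report: a hunt for DLL
side-loading over constructed image-load records. Field names loosely mirror
Sysmon's ImageLoad event; every record and the trusted-directory list are
constructed assumptions."""
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# DLL loads from these directories are expected. Outside them, a DLL that sits
# next to the loading executable is exactly what default search order picks up first.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

EVENTS = [
    # Normal: the editor loading a signed system DLL.
    {"image": r"C:\Program Files\Notepad++\notepad++.exe", "original_file_name": "notepad++.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Noisy but expected: an unsigned plugin from the plugins subdirectory (one weak signal only).
    {"image": r"C:\Program Files\Notepad++\notepad++.exe", "original_file_name": "notepad++.exe",
     "image_loaded": r"C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll", "signed": False},
    # Expected: a vendor tool loading its own signed helper DLL from its install directory.
    {"image": r"C:\Program Files\SomeVendor\tool.exe", "original_file_name": "tool.exe",
     "image_loaded": r"C:\Program Files\SomeVendor\helper.dll", "signed": True},
    # Suspicious: a signed tool renamed to update.exe, run from a user-writable
    # directory, loading an unsigned DLL with a generic name from that directory.
    # "SubmissionTool.exe" is a constructed original name, not a real product file.
    {"image": r"C:\Users\Public\Libraries\update.exe", "original_file_name": "SubmissionTool.exe",
     "image_loaded": r"C:\Users\Public\Libraries\log.dll", "signed": False},
]

def classify(e):
    """Return the list of side-load indicators present in one image-load record."""
    reasons = []
    dll_dir = ntpath.dirname(e["image_loaded"]).lower()
    if dll_dir.startswith(TRUSTED_DIRS):
        return reasons                      # system directory: not a side-load location
    if dll_dir == ntpath.dirname(e["image"]).lower():
        reasons.append("DLL loaded from the executable's own directory")
    if not e["signed"]:
        reasons.append("DLL is unsigned")
    if ntpath.basename(e["image"]).lower() != e["original_file_name"].lower():
        reasons.append(f"executable renamed (PE original name: {e['original_file_name']})")
    if dll_dir.startswith((r"c:\users", r"c:\programdata")):
        reasons.append("DLL in a user-writable location")
    return reasons

def hunt_sideloads(events, min_indicators=2):
    """Report loads with at least min_indicators indicators; single weak signals are left for baselining."""
    hits = []
    for e in events:
        reasons = classify(e)
        if len(reasons) >= min_indicators:
            hits.append((e["image"], e["image_loaded"], reasons))
    return hits

if __name__ == "__main__":
    for image, dll, reasons in hunt_sideloads(EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print("   -", r)
```

Only the renamed tool is reported: it scores on all four indicators, while the editor's unsigned plugin and the vendor tool's signed helper each score one and stay below the threshold. The threshold is the tuning knob; a single indicator such as "DLL loaded from the executable's own directory" is common in legitimate software, which is exactly why default EDR configurations tend to stay quiet on this technique, and why the combination, not any one signal, is what to alert on.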

5. Custom Loaders Are Becoming More Important Than Payloads

Chrysalis itself is powerful, but what stands out more is:

  • Multi-stage loaders
  • Layered decryption
  • Custom API resolution
  • Obfuscation at every stage

Why this matters:

Payloads (Cobalt Strike, Metasploit) are increasingly disposable. Loaders are where tradecraft innovation now lives.

Defenders who focus only on payload detection will always be late.

6. Microsoft Warbird Abuse Is a Serious Escalation

The use of Microsoft Warbird is one of the most important findings.

Why it matters:

Warbird is undocumented, requires Microsoft-signed memory, and executes code through obscure Native API behavior. This allows attackers to:

  • Avoid typical memory injection patterns
  • Bypass heuristic detection
  • Abuse OS internals defenders rarely monitor

Strategic shift

Attackers are no longer just evading security products. They are evading analyst expectations.

7. Living-Off-The-Land Is No Longer Enough to Describe This

This campaign blends:

  • Custom malware
  • Commodity frameworks
  • Public research exploitation
  • Undocumented OS features

This breaks the old dichotomy of:

“Custom APT malware” vs “commodity malware”

The reality is now:

Modular, adaptive tooling assembled per target

8. Execution Chains Matter More Than Single Alerts

The most defensible signal here was not:

  • The backdoor
  • The network traffic
  • The payload

It was the execution sequence:

  • Trusted editor runs
  • Updater runs
  • Unexpected installer executes
  • Side-loaded DLL decrypts shellcode
  • Memory execution follows

Key lesson

Attack detection must be chain-based, not event-based.
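A chain-based rule is different from four independent alerts: it groups events by process lineage and only fires when the stages appear in order under one root process. The script below is an added example written for this post, not code from the original article or from the Rapid7 report; it treats the execution sequence listed above as an ordered pattern over constructed Sysmon-style records carrying pid and parent_pid. The updater process name (gup.exe), the stage rules, the "memory_exec" record type (a stand-in for whatever memory-execution signal your EDR or Sysmon configuration emits) and every path are assumptions.

```python
"""Added example, not from the original post or the Rapid7 report: a chain-based
detector that fires only when the execution sequence above occurs in order inside
one process lineage rooted at the editor. Records are constructed Sysmon-style
events carrying pid/parent_pid; the stage rules, the updater name and every path
are assumptions."""
import ntpath

EDITOR, UPDATER = "notepad++.exe", "gup.exe"      # gup.exe: assumed updater process name
CHAIN = ["updater", "installer", "sideload", "memory_exec"]   # stages, in the order that matters

def base(path):
    return ntpath.basename(path).lower()

def stage_of(e):
    """Map one event to a chain stage, or None when it is not part of the pattern."""
    if e["type"] == "process_create":
        if base(e["image"]) == UPDATER:
            return "updater"
        if base(e["parent_image"]) == UPDATER:
            return "installer"          # anything the updater launches
    if e["type"] == "image_load":
        dll_dir = ntpath.dirname(e["image_loaded"]).lower()
        same_dir = dll_dir == ntpath.dirname(e["image"]).lower()
        if same_dir and not e["signed"] and not dll_dir.startswith(r"c:\windows"):
            return "sideload"
    if e["type"] == "memory_exec":      # constructed stand-in for an EDR/Sysmon memory-execution signal
        return "memory_exec"
    return None

def is_subsequence(pattern, seq):
    """True when every stage of pattern appears in seq, in order (gaps allowed)."""
    it = iter(seq)
    return all(any(s == p for s in it) for p in pattern)

def editor_ancestor(pid, parents, images):
    """Walk up the process tree to the nearest notepad++.exe process; None if there is none."""
    while pid is not None:
        if base(images.get(pid, "")) == EDITOR:
            return pid
        pid = parents.get(pid)
    return None

def detect_chains(events):
    """Group events by their editor-rooted lineage and report lineages that complete the chain."""
    parents = {e["pid"]: e["parent_pid"] for e in events if e["type"] == "process_create"}
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    lineages = {}
    for e in sorted(events, key=lambda x: x["time"]):
        root = editor_ancestor(e["pid"], parents, images)
        if root is not None:
            lineages.setdefault(root, []).append(e)
    alerts = []
    for root, evs in lineages.items():
        stages = [s for s in map(stage_of, evs) if s]
        if is_subsequence(CHAIN, stages):
            alerts.append((root, stages))
    return alerts

# Constructed telemetry: two editor sessions on the same host.
T = r"C:\Users\alice\AppData\Local\Temp"
P = r"C:\Users\Public\Libraries"
NPP = r"C:\Program Files\Notepad++"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    # Lineage 1: an ordinary update. Updater and installer stages fire, nothing follows.
    {"time": "09:00:00", "type": "process_create", "pid": 100, "parent_pid": 1,
     "image": NPP + r"\notepad++.exe", "parent_image": EXPLORER},
    {"time": "09:01:00", "type": "process_create", "pid": 101, "parent_pid": 100,
     "image": NPP + r"\updater\gup.exe", "parent_image": NPP + r"\notepad++.exe"},
    {"time": "09:01:10", "type": "process_create", "pid": 102, "parent_pid": 101,
     "image": T + r"\npp_installer.exe", "parent_image": NPP + r"\updater\gup.exe"},
    {"time": "09:01:11", "type": "image_load", "pid": 102,
     "image": T + r"\npp_installer.exe", "image_loaded": r"C:\Windows\System32\ntdll.dll", "signed": True},
    # Lineage 2: the same start, then a dropped tool side-loads a DLL and executes in memory.
    {"time": "14:00:00", "type": "process_create", "pid": 200, "parent_pid": 1,
     "image": NPP + r"\notepad++.exe", "parent_image": EXPLORER},
    {"time": "14:01:00", "type": "process_create", "pid": 201, "parent_pid": 200,
     "image": NPP + r"\updater\gup.exe", "parent_image": NPP + r"\notepad++.exe"},
    {"time": "14:01:10", "type": "process_create", "pid": 202, "parent_pid": 201,
     "image": T + r"\setup.exe", "parent_image": NPP + r"\updater\gup.exe"},
    {"time": "14:01:30", "type": "process_create", "pid": 203, "parent_pid": 202,
     "image": P + r"\wizard.exe", "parent_image": T + r"\setup.exe"},
    {"time": "14:01:31", "type": "image_load", "pid": 203,
     "image": P + r"\wizard.exe", "image_loaded": P + r"\log.dll", "signed": False},
    {"time": "14:01:32", "type": "memory_exec", "pid": 203, "image": P + r"\wizard.exe"},
]

if __name__ == "__main__":
    for root, stages in detect_chains(EVENTS):
        print(f"chain complete under notepad++.exe pid {root}: {' -> '.join(stages)}")
```

Lineage 1 is a normal update (editor, updater, installer) and produces no alert even though two of the four stages fire; lineage 2 completes the sequence and is reported once, against the editor process it descends from, with the stage trail attached for the analyst. Grouping by lineage rather than by time window is what keeps unrelated activity on a busy host from being stitched into a false chain.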

9. Persistence Was Conservative and Reliable

The malware:

  • Preferred services
  • Fell back to registry
  • Included clean self-removal

This shows:

  • Long-term access intent
  • Operational maturity
  • Desire to minimize forensic footprint

This is espionage tooling, not smash-and-grab malware.

10. Attribution Confidence Comes From Tradecraft Consistency

Attribution is credible because:

  • Loader patterns match previous Billbug activity
  • Tool reuse is consistent across years
  • Execution flow aligns with prior research

This reinforces an important analytic point:

Attribution often comes from how, not what.


Big Picture Defender Takeaways

What This Campaign Really Tells Us

Supply-chain attacks will increasingly be:

  • Selective
  • Quiet
  • Long-lived

Developer tools are high-value targets. Update mechanisms deserve the same scrutiny as browsers. Native API abuse will increase. Payload detection alone is insufficient.

Full research attribution with TTPs: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/