{"id":15599,"date":"2026-02-03T10:35:57","date_gmt":"2026-02-03T10:35:57","guid":{"rendered":"https:\/\/newestek.com\/?p=15599"},"modified":"2026-02-03T10:35:57","modified_gmt":"2026-02-03T10:35:57","slug":"notepad-infrastructure-hijacked-by-chinese-apt-in-sophisticated-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15599","title":{"rendered":"Notepad++ infrastructure hijacked by Chinese APT in sophisticated supply chain attack"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>The popular open-source text editor Notepad++ was targeted in a sophisticated supply chain attack that allowed Chinese state-sponsored hackers to deliver malware through compromised software updates, the project\u2019s maintainer disclosed in a <a href=\"https:\/\/notepad-plus-plus.org\/news\/hijacked-incident-info-update\/\" target=\"_blank\" rel=\"noreferrer noopener\">blog post<\/a>.<\/p>\n<p>The attack, which ran from June through December 2025, involved infrastructure-level compromise of Notepad++\u2019s shared hosting provider that enabled threat actors to selectively intercept and redirect update traffic to servers under their control, Notepad++ author Don Ho said in the statement.<\/p>\n<p>\u201cMultiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign,\u201d Ho wrote.<\/p>\n<p>The incident highlights a critical blind spot in enterprise security. 
Attackers prize distribution points like update servers because one successful insertion delivers access to thousands of environments at once, according to a <a href=\"https:\/\/www.forrester.com\/blogs\/when-a-hosting-provider-becomes-a-hostile-provider-the-notepad-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">Forrester analysis<\/a> also published Sunday.<\/p>\n<p>The compromise is particularly concerning because Notepad++ is widely used by developers, analysts, and IT operators, yet \u201cdoes not require an enterprise contract or license, and does not include usage tracking by default and therefore may not be tracked in an enterprise software inventory,\u201d Forrester analysts Jeff Pollard, Allie Mellen, Jess Burn, Janet Worthington, and Tope Olufon wrote in their blog post.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-the-attack-unfolded\">How the attack unfolded<\/h2>\n<p>The initial compromise occurred at the hosting provider level rather than through a flaw in Notepad++ code, Ho said in the note. Attackers gained access to the shared hosting server and redirected traffic from the update endpoint to attacker-controlled servers; the redirected downloads were accepted because the updater at the time did not verify what it fetched.<\/p>\n<p>\u201cThe bad actors specifically searched for the Notepad++ domain to intercept the traffic to your website, as they might know the then-existing Notepad++ vulnerabilities related to insufficient update verification controls,\u201d the hosting provider said in a statement shared by Ho.<\/p>\n<p>The name of the hosting provider, however, is not disclosed in the blog post. Ho had not responded to a detailed request for comment at the time of writing.<\/p>\n<p>The initial foothold on the server lasted until September 2, 2025, when scheduled maintenance that included kernel and firmware updates removed it. Attackers nonetheless retained stolen credentials for internal services until December 2, 2025, which allowed traffic interception to continue, according to the provider\u2019s statement. 
The targeting was highly selective \u2014 traffic from certain users was redirected while most legitimate updates proceeded normally, Ho said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"rapid7-identifies-custom-malware\">Rapid7 identifies custom malware<\/h2>\n<p>Cybersecurity firm Rapid7 also published a <a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit\/\" target=\"_blank\" rel=\"noreferrer noopener\">detailed technical analysis<\/a> corroborating Ho\u2019s disclosure and identifying the attack as part of a broader campaign deploying previously undocumented malware. Rapid7\u2019s investigation uncovered a custom backdoor the firm dubbed \u201cChrysalis,\u201d alongside the Cobalt Strike and Metasploit frameworks.<\/p>\n<p>\u201cForensic analysis conducted by the MDR team suggests that the initial access vector aligns with publicly disclosed abuse of the Notepad++ distribution infrastructure,\u201d Rapid7 researcher Ivan Feigl wrote. The Chrysalis backdoor supports 16 distinct command capabilities ranging from interactive shell access to complete self-removal. One loader variant abused Microsoft Warbird, an internal Microsoft code-protection framework, to execute shellcode while masquerading as a legitimate Microsoft-signed binary.<\/p>\n<p>Rapid7 attributed the campaign to Lotus Blossom, also known as <a href=\"https:\/\/www.csoonline.com\/article\/3967354\/chinese-apt-billbug-deploys-new-malware-toolset-in-attack-on-multiple-sectors.html?utm=hybrid_search\">Billbug<\/a>, a Chinese APT group active since 2009, known for espionage operations targeting government, telecommunications, and critical infrastructure sectors across Southeast Asia and Central America. 
The attribution is based on strong similarities to previously published Symantec research, particularly the use of a renamed Bitdefender executable to side-load malicious DLLs.<\/p>\n<h2 class=\"wp-block-heading\" id=\"why-detection-proved-difficult\">Why detection proved difficult<\/h2>\n<p>The malware evaded detection for months largely because a compromised developer utility blends into normal developer activity. \u201cMost EDR programs are blind by design to \u2018expected\u2019 developer behavior,\u201d the Forrester analysts wrote. \u201cA compromised utility does not need exploits, LOLBins, or exotic malware. It just needs to look boring\u2014like something a dev would do.\u201d<\/p>\n<p>Ho noted that his incident response team was unable to extract concrete indicators of compromise despite analyzing roughly 400 GB of server logs. In an edit posted Sunday, Ho acknowledged Rapid7\u2019s more detailed findings. \u201cLast evening I received an email from Ivan Feigl (Rapid7) to share their excellent investigation story\u2014it seems to be the same story, and obviously, they have more tangible information (including IoCs) than I do,\u201d he wrote.<\/p>\n<p>Rapid7 identified network infrastructure, including IP addresses in Malaysia and China, along with command-and-control hostnames, including api.skycloudcenter.com and api.wiresguard.com.<\/p>\n<h2 class=\"wp-block-heading\" id=\"security-enhancements-and-broader-implications\">Security enhancements and broader implications<\/h2>\n<p>In response, Notepad++ has migrated to a new hosting provider and enhanced WinGup, the Notepad++ updater component, in version 8.8.9 to verify both the certificate and the signature of downloaded installers, Ho said. Certificate and signature verification will be enforced starting with version 8.9.2, expected within approximately one month.<\/p>\n<p>\u201cI deeply apologize to all users affected by this hijacking,\u201d Ho wrote. 
\u201cI recommend downloading v8.9.1 and running the installer to update your Notepad++ manually.\u201d<\/p>\n<p>For enterprise security teams, the incident underscores the need for comprehensive software inventories that include widely used utilities, cryptographic verification of all updates, and what Forrester described as a \u201cshift from implicit trust to continuous verification.\u201d The Forrester analysts also warned that AI agents could amplify similar risks. \u201cThe same supply chain blind spots that let a compromised tool blend into developer noise will let a compromised agent establish persistence and elevate privileges at scale,\u201d they wrote. Organizations that cannot strictly define what should execute and communicate are \u201cstructurally conceding this class of attack.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The popular open-source text editor Notepad++ was targeted in a sophisticated supply chain attack that allowed Chinese state-sponsored hackers to deliver malware through compromised software updates, the project\u2019s maintainer disclosed in a blog post. 
The attack, which ran from June through December 2025, involved infrastructure-level compromise of Notepad++\u2019s shared hosting provider that enabled threat actors to selectively intercept and redirect update traffic to servers under&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15599\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15599","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15599"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15599\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
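The "Why detection proved difficult" section names two command-and-control hostnames from Rapid7's report. The following is an added hunting example, not code from Rapid7 or the Notepad++ project: it sweeps proxy-style log lines for those hosts and any label beneath them, while ignoring look-alike domains that merely embed the indicator. The whitespace-separated field layout (timestamp, client IP, destination host, URL) and every log line are constructed for this illustration; no IP addresses appear because the page does not list them.

```powershell
# Added example; not Rapid7's or the Notepad++ project's code.
# The two hostnames are the C2 hosts Rapid7 named. The log format
# (timestamp, client IP, destination host, URL, whitespace-separated)
# and the sample lines themselves are constructed for this illustration.
$Script:C2Hosts = @('api.skycloudcenter.com', 'api.wiresguard.com')

function Test-IocHost {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string[]]$Indicators = $Script:C2Hosts
    )
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($ioc in $Indicators) {
        # Match the indicator itself or any label beneath it (cdn.api.example.com),
        # but not look-alikes such as api.example.com.attacker.example.
        if ($h -eq $ioc -or $h.EndsWith('.' + $ioc)) { return $true }
    }
    return $false
}

function Find-C2Hits {
    param([Parameter(Mandatory)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 4) { continue }          # skip malformed lines
        if (Test-IocHost -HostName $f[2]) {
            [pscustomobject]@{
                Time     = $f[0]
                ClientIP = $f[1]
                Host     = $f[2]
                Url      = $f[3]
            }
        }
    }
}

# Constructed sample proxy log: lines 2 and 4 should match, lines 1 and 3 should not.
$sampleLog = @(
    '2025-11-14T09:12:03Z 10.0.4.17 notepad-plus-plus.org https://notepad-plus-plus.org/news/hijacked-incident-info-update/',
    '2025-11-14T09:12:09Z 10.0.4.17 api.skycloudcenter.com https://api.skycloudcenter.com/',
    '2025-11-14T09:13:41Z 10.0.4.22 api.skycloudcenter.com.attacker.example https://api.skycloudcenter.com.attacker.example/',
    '2025-11-14T09:15:00Z 10.0.4.17 cdn.api.wiresguard.com https://cdn.api.wiresguard.com/'
)

Find-C2Hits -LogLines $sampleLog | Format-Table -AutoSize
```

Against real data, feed the exported log with `Find-C2Hits -LogLines (Get-Content .\proxy.log)` and adjust the field index in `Find-C2Hits` if the proxy writes the destination host in a different column. The suffix match is deliberate: it catches a subdomain the report did not list, but a plain substring match would also flag domains that merely contain the indicator, which is why the third sample line must not match.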
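The "Security enhancements and broader implications" section describes the fix on the project side (WinGup now verifying the certificate and signature of downloaded installers) and Forrester's call for cryptographic verification of all updates on the enterprise side. The following is an added example of the enterprise-side check, not WinGup's code and not from the Notepad++ project: before an installer is run, it requires a valid Authenticode signature, a signer whose subject CN matches the expected publisher, a certificate that carries the code-signing EKU, and optionally a SHA-256 hash obtained through an independent channel. The expected CN of 'Notepad++', the installer path and the sample hash are assumptions to be confirmed against a known-good installer in your own environment; `Get-AuthenticodeSignature` is available only on Windows.

```powershell
# Added example; not WinGup's or the Notepad++ project's code.
# ASSUMPTIONS: the expected signer CN, the installer path and any pinned
# hash are placeholders; confirm them against a known-good installer.
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubjectCN,
        # Optional SHA-256 obtained out of band (for example from the project's
        # release page), never from the same server that served the installer:
        # a hash fetched from a redirected update endpoint is redirected too.
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }
    $failures = [System.Collections.Generic.List[string]]::new()

    # 1. Authenticode: the signature must be valid and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $failures.Add("Authenticode status is '$($sig.Status)': $($sig.StatusMessage)")
    }

    # 2. Signer identity: a valid signature from the wrong publisher still fails.
    $cert = $sig.SignerCertificate
    $cn = $null
    if ($cert -and $cert.Subject -match 'CN=("[^"]+"|[^,]+)') { $cn = $Matches[1].Trim('"') }
    if ($cn -ne $ExpectedSubjectCN) {
        $failures.Add("Signer CN '$cn' does not match expected '$ExpectedSubjectCN'")
    }

    # 3. The certificate must be a code-signing certificate (EKU 1.3.6.1.5.5.7.3.3).
    if ($cert -and -not ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3')) {
        $failures.Add('Signer certificate lacks the Code Signing EKU')
    }

    # 4. Optional hash pin from an independent channel.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            $failures.Add("SHA-256 mismatch: got $actual")
        }
    }

    $thumb = if ($cert) { $cert.Thumbprint } else { $null }
    [pscustomobject]@{
        Path       = $Path
        Trusted    = ($failures.Count -eq 0)
        SignerCN   = $cn
        Thumbprint = $thumb
        Failures   = $failures.ToArray()
    }
}

# Usage (assumed path and CN; substitute your own).
$result = Test-InstallerTrust -Path "$env:TEMP\npp-installer.exe" -ExpectedSubjectCN 'Notepad++'
if (-not $result.Trusted) {
    $result.Failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Start-Process -FilePath $result.Path -Wait   # runs only when every check passed
```

Record `$result.Thumbprint` from a known-good installer and compare it on later runs: a valid signature from a freshly issued certificate with the same CN is exactly what a well-resourced actor would aim for, and the thumbprint pin is what catches it.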