Notepad++ Targeted by State-Sponsored Supply Chain Attack
Significant cybersecurity threats emerged when the official infrastructure for Notepad++ was compromised by a state-sponsored group known as Lotus Blossom from June to December 2025. The breach allowed malicious actors to redirect traffic to a fake update server, impacting users primarily in Southeast Asia’s governmental, telecommunications, and critical infrastructure sectors.
The attack exploited vulnerabilities in the WinGUp updater, enabling attackers to deploy malicious updates disguised as legitimate software. Victims who attempted to update their Notepad++ installations unwittingly installed malware, including the Cobalt Strike beacon and the Chrysalis backdoor. The attack utilized DLL sideloading tactics and misused a legitimate Bitdefender component to execute its payload. Additionally, the campaign expanded its reach to cloud hosting, energy, finance, and manufacturing sectors across various global regions, including South America, the U.S., and Europe.
Why this matters: This type of targeted supply chain attack illustrates the evolving strategies of threat actors, prioritizing long-term intelligence over immediate disruption. By exploiting common tools used by privileged users, attackers gain unauthorized access to critical infrastructure, posing significant risks to national security and corporate integrity.
Organizations can mitigate these risks through proactive monitoring, real-time threat intelligence, vulnerability scanning, and advanced firewall protections. These measures can help detect anomalies and block malicious traffic, particularly those associated with compromised updating processes.
Indicators of Compromise (IOCs):
- C2 IPs:
- 45.76.155[.]202
- 45.77.31[.]210
- 45.32.144[.]255
- Malicious URLs:
- 95[.]179[.]213[.]0/update/AutoUpdater.exe
- 45[.]76[.]155[.]202/update/update.exe
- self-dns[.]it[.]com/dns-query
- safe-dns[.]it[.]com/resolve
- Malware Hashes:
- 1f6d28370f4c2b13f3967b38f67f77eee7f5fba9e7743b6c66a8feb18ae8f33e
- a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
These tools and practices not only bolster defenses but also enhance situational awareness crucial for timely responses to emerging threats.
