Threat Research Center High Profile Threats Malware MALWARE Nation-State Actors Exploit Notepad++ Supply Chain 8 min read RELATED PRODUCTS Advanced DNS Security Advanced Threat Prevention Advanced URL Filtering Advanced WildFire Cloud-Delivered Security Services Cortex Cortex Cloud Cortex XDR Cortex XSIAM Managed Threat Hunting Next-Generation Firewall Unit 42 Incident Response By: Unit 42 Published: February 11, 2026 Categories: High Profile Threats Malware Tags: Backdoor Cobalt Strike DLL Sideloading Supply chain Share Executive Summary Between June and December 2025, the official hosting infrastructure for the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom. The attackers breached the shared hosting provider’s environment. This allowed the attackers to intercept and redirect traffic destined for the Notepad++ update server. This infrastructure-level hijack enabled the attackers to selectively target specific users. The targets were primarily located in Southeast Asia across government, telecommunications and critical infrastructure sectors. Attackers served these targets malicious update manifests instead of legitimate software updates. We’ve identified additional unreported infrastructure, which is linked to this campaign. We’ve observed two chains of infection including a Lua script injection variant that resulted in the delivery of Cobalt Strike beacon malware as well as DLL side-loading to deliver a Chrysalis backdoor. Unit 42 also found that this threat activity is targeting more sectors and more regions than previously reported. This campaign also affected the following sectors in South America, the U.S., Europe and Southeast Asia: Cloud hosting Energy Financial Government Manufacturing Software development Notepad++ is a lightweight, open-source code editor and text replacement utility. This tool is widely favored for its speed, extensive plugin ecosystem and unique ability to handle massive data files while persisting sessions that users have not yet saved. In enterprise environments, Notepad++ often serves as a foundational instrument for system administrators, network engineers and DevOps personnel. These personnel commonly use this tool to modify server configurations, parse heavy system logs and audit code on secure jump boxes where heavier applications are impractical. This specific user demographic makes Notepad++ a strategically critical target for threat actors. Compromising this single tool allows attackers to effectively bypass perimeter defenses and piggyback into the sessions of the most privileged users in the organization, gaining implicit administrative access to the network's core infrastructure. Palo Alto Networks customers receive protections from and mitigations for the activity discussed in this article in the following ways: Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research Cortex Cloud helps detect and prevent the malicious operations or configuration alterations or exploitations discussed within this article Cortex XDR and XSIAM by employing the Malware Prevention Engine Next-Generation Firewall with the Advanced Threat Prevention is designed to defend networks against both commodity threats and targeted threats The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk. Related Unit 42 Topics DLL Sideloading, Backdoors, Supply Chain, Cobalt Strike Details of the Attack on Notepad++ This supply chain attack relied on exploiting insufficient verification controls in older versions of the Notepad++ updater, WinGUp. This exploitation allowed the threat group to redirect traffic to attacker-controlled servers. When targeted victims attempted to update their software, they downloaded a malicious NSIS installer. This installer — often named update.exe — initiated a complex infection chain. This chain used DLL sideloading techniques and misused a legitimate Bitdefender component (BluetoothService.exe) to load a malicious library (log.dll) that decrypted and executed a custom backdoor. In another infection chain, attackers utilized an NSIS installer to execute a command to run a malicious Lua script to load Cobalt Strike Beacon. This malware, called Chrysalis, employed advanced evasion techniques. These included: Using Microsoft Warbird code protection framework Custom API hashing to reduce antivirus detection Establishing persistent remote control over infected systems Additional Exploitation Activity in This Campaign Unit 42 observed evidence of two separate attack sequences: One in which a malicious NSIS installer drops a compiled Lua script containing an installer to download and execute a Cobalt Strike Beacon payload One in which attackers used DLL side-loading to inject the Chrysalis backdoor into memory We observed additional activity dating between mid-August and November 2025 that was consistent with this exploitation activity. In an August incident, we observed communication with a command-and-control (C2) IP address 45.76.155[.]202. After days of C2 beacon traffic to this IP address, attackers shifted to a second C2 server at 45.77.31[.]210, with communication lasting until September. In cases between September and November 2025, we observed activity consistent with outbound connections to a C2 server. These were followed by subsequent download requests for update.exe that are consistent with the reported Chrysalis backdoor. In some cases, download attempts were made to an IP address, whereas others were made to domains. Successful beacons to malicious servers occurred within seconds of successful download of the malicious payload and continued for an unspecified amount of time. In September and October 2025, we observed a Lua script injection variant deploying malicious Lua scripts to inject shellcode. This attack used the EnumWindowStationsW API and resulted in the delivery of Cobalt Strike beacon malware. In this case, the download originated from: 45.76.155[.]202/update/update.exe Separately, we also observed a Bluetooth DLL sideloading variant in the same case. This Lua variant uses Bluetooth service DLL sideloading techniques to deploy the Chrysalis backdoor. Download attempts for this variant were made from a different malicious server: 45.32.144[.]255/update/update.exe Interim Guidance Notepad++ recommends the following: Downloading version 8.9.1, which includes the relevant security enhancement Running the installer to update your Notepad++ manually According to Notepad++, they have migrated their website to a new hosting provider with significantly stronger security practices. Within Notepad++ itself, they enhanced the WinGup updater in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, they also note: The XML returned by the update server is now signed (XMLDSig) Certificate and signature verification will be enforced starting with the upcoming version 8.9.2, which they expect to release in about a month Unit 42 Managed Threat Hunting Queries The Unit 42 Managed Threat Hunting team continues to track any signs of misuse or anomalous activity, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to assist with their investigations or hunting. As the majority of activity likely occurred prior to December 2, we recommend reviewing data retention limits to determine if these queries will be effective in your environment. If available in your environment, you may consider using "cold storage" queries (cold_dataset = xdr_data) to query data beyond hot retention limits. Please note that running queries against cold storage will consume compute units. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 // Name: DLL sideloading via BYO application // Description: Identifies renamed Bitdefender utility loading a log.dll file // MITRE TTP ID: T1574.001 config case_sensitive = false | dataset = xdr_data | fields actor_process_signature_vendor, actor_process_signature_product, action_module_path, actor_process_image_path, actor_process_image_sha256, agent_os_type, event_type, event_id, agent_hostname, _time, actor_process_image_name | filter event_type = ENUM.LOAD_IMAGE and agent_os_type = ENUM.AGENT_OS_WINDOWS | filter actor_process_signature_vendor contains "Bitdefender SRL" and action_module_path contains "log.dll" | filter actor_process_image_path not contains "Program Files\Bitdefender" | filter not actor_process_image_name in ("eps.rmm64.exe", "downloader.exe", "installer.exe", "epconsole.exe", "EPHost.exe", "epintegrationservice.exe", "EPPowerConsole.exe", "epprotectedservice.exe", "DiscoverySrv.exe", "epsecurityservice.exe", "EPSecurityService.exe", "epupdateservice.exe", "testinitsigs.exe", "EPHost.Integrity.exe", "WatchDog.exe", "ProductAgentService.exe", "EPLowPrivilegeWorker.exe", "Product.Configuration.Tool.exe", "eps.rmm.exe") 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 // Name: Chrysalis Mutex // Description: Identifies a Mutex known to be related to the chrysalis backdoor malware // MITRE TTP ID: T1480.002 config case_sensitive = false | dataset = xdr_data | fields _time, agent_hostname, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, event_type, event_sub_type, action_syscall_string_params | filter event_type = ENUM.SYSTEM_CALL and event_sub_type = ENUM.SYSTEM_CALL_NT_CREATE_MUTANT | alter mutex = json_extract_scalar(action_syscall_string_params, "$.1") | filter mutex = "Global\\Jdhfv_1.0.1" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 // Name: GUP.exe Writing Unusual Files to Temp Folder // Description: Detects cases where the Notepad++ updater (gup.exe) writes files to a te