
Lotus Blossom’s Infrastructure Hijack: The Chrysalis Backdoor & Notepad++ Supply Chain Attack

Executive Insights

  • Infrastructure-Level Hijack: The attack compromised the hosting provider, not the software code, highlighting a critical blind spot in supply chain security.
  • Targeted Redirection: Attackers selectively redirected update traffic based on the victim’s IP address, focusing on high-value targets while sparing general users.
  • Trust Abuse: The campaign exploited a legitimate Bitdefender binary via DLL sideloading to mask the execution of the Chrysalis backdoor.
  • Warbird Obfuscation: The use of Microsoft’s undocumented Warbird framework demonstrates the advanced technical capabilities of the Lotus Blossom APT.
  • Verification Gap: The incident underscores the absolute necessity of strict digital signature verification for all update manifests and downloaded binaries in software updaters.

The Evolution of Infrastructure-Level Supply Chain Attacks

In late 2025, the cybersecurity landscape witnessed a paradigmatic shift in supply chain compromises. Unlike the infamous SolarWinds incident which involved injecting malicious code into the build pipeline, the Lotus Blossom (also known as Billbug or Thrip) Advanced Persistent Threat (APT) group executed a sophisticated infrastructure-level supply chain attack against the popular developer tool, Notepad++.

This campaign, which ran stealthily from June to December 2025, did not exploit a vulnerability in the software’s source code. Instead, attackers compromised the hosting provider’s infrastructure, allowing them to intercept and selectively redirect traffic from the application’s WinGUp auto-updater. This maneuver bypassed traditional code signing trust models by leveraging a flaw in the updater’s verification logic, delivering a custom backdoor named Chrysalis to high-value targets in government and critical infrastructure sectors.

The Anatomy of the Breach: Hosting Provider Compromise

The attack vector was distinct for its focus on the delivery mechanism rather than the software payload itself. Security researchers revealed that Lotus Blossom actors gained administrative access to the shared hosting server used by notepad-plus-plus.org.

  • Traffic Interception: The attackers did not modify the legitimate files on the server. Instead, they manipulated the server’s configuration to intercept HTTP requests destined for the update manifest.
  • Selective Redirection: The campaign was highly targeted. The vast majority of users received legitimate updates. However, requests originating from specific IP ranges—primarily associated with government agencies, telecommunications, and aviation sectors in Southeast Asia—were seamlessly redirected to attacker-controlled servers.
  • Persistence via Credentials: Even after the hosting provider performed a kernel update and maintenance on September 2, 2025, which severed the attackers’ direct server access, the group maintained control by leveraging stolen credentials for internal services, continuing the redirection until December 2, 2025.

Technical Deep Dive: The WinGUp Verification Flaw

The success of this attack hinged on a critical oversight in the WinGUp auto-updater (prior to version 8.8.9). While the Notepad++ binaries themselves were digitally signed, the updater failed to rigorously verify the digital signature of the update manifest and the integrity of the downloaded installer against a trusted root certificate.

This “insufficient update verification” vulnerability allowed the attackers to perform a Man-in-the-Middle (MitM) attack. The hijacked update stream served a malicious XML manifest pointing to a Trojanized NSIS (Nullsoft Scriptable Install System) installer.
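The manifest and installer checks the text says WinGUp lacked before 8.8.9, as an added Python illustration that is not WinGUp's code or the Notepad++ project's: it contrasts an updater that trusts the manifest as received with one that authenticates the manifest, pins the download origin and binds the downloaded installer to the digest the signed manifest promised. The signing key, host constant, JSON manifest shape and installer bytes are constructed assumptions, and HMAC stands in for the asymmetric signature a real updater would verify.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in for the publisher's signing key. A real updater pins a public
# key and checks an asymmetric signature; HMAC stands in so this runs on the stdlib.
MANIFEST_KEY = b"constructed-demo-key"
EXPECTED_HOST = "notepad-plus-plus.org"  # assumed legitimate download origin

def sign_manifest(manifest_json: str) -> str:
    # Publisher side: signature over the exact manifest bytes that get served.
    return hmac.new(MANIFEST_KEY, manifest_json.encode(), hashlib.sha256).hexdigest()

def weak_update_check(manifest_json: str, installer: bytes) -> str:
    # Illustrates the pre-8.8.9 gap: the manifest is trusted exactly as received.
    return json.loads(manifest_json)["url"]

def hardened_update_check(manifest_json: str, sig: str, installer: bytes) -> str:
    # 1. Authenticate the manifest before parsing anything out of it.
    if not hmac.compare_digest(sign_manifest(manifest_json), sig):
        raise ValueError("manifest signature invalid")
    manifest = json.loads(manifest_json)
    # 2. Pin the download origin so a redirect to another host is refused.
    url = urlparse(manifest["url"])
    if url.scheme != "https" or url.hostname != EXPECTED_HOST:
        raise ValueError("unexpected download origin")
    # 3. Bind the downloaded bytes to the digest the signed manifest promised.
    if not hmac.compare_digest(hashlib.sha256(installer).hexdigest(), manifest["sha256"]):
        raise ValueError("installer digest mismatch")
    return manifest["url"]

def make_manifest(host: str, installer: bytes) -> str:
    return json.dumps({"url": f"https://{host}/update.exe",
                       "sha256": hashlib.sha256(installer).hexdigest()})

def demo() -> dict:
    # Constructed scenario: a genuine update beside a redirected one.
    genuine, trojan = b"constructed genuine installer", b"constructed trojanized installer"
    good, hijacked = make_manifest(EXPECTED_HOST, genuine), make_manifest("attacker.example", trojan)
    good_sig = sign_manifest(good)  # the attacker cannot produce one for `hijacked`
    out = {"weak_accepts_hijacked": "attacker.example" in weak_update_check(hijacked, trojan),
           "hardened_accepts_genuine": hardened_update_check(good, good_sig, genuine) == json.loads(good)["url"]}
    for name, args in [("hijacked_manifest", (hijacked, good_sig, trojan)),
                       ("tampered_installer", (good, good_sig, trojan))]:
        try:
            hardened_update_check(*args)
            out["hardened_rejects_" + name] = False
        except ValueError:
            out["hardened_rejects_" + name] = True
    return out
```

Note that the digest check alone would not have helped here: an attacker who controls the manifest can pick any digest, so the installer binding only has value once the manifest itself is authenticated.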

The Kill Chain: From Installer to Chrysalis Backdoor

The delivered payload, update.exe, was a sophisticated multi-stage loader designed to evade EDR detection using DLL sideloading and advanced obfuscation techniques.

  • Stage 1, Dropper (NSIS Installer, update.exe): Drops a legitimate, signed binary and a malicious DLL to a hidden AppData directory.
  • Stage 2, Loader (BluetoothService.exe): This is actually a renamed, legitimate Bitdefender Submission Wizard. It is digitally signed by Bitdefender, lending it credibility with security software.
  • Stage 3, Sideloading (log.dll): A malicious DLL placed alongside the loader. The legitimate binary imports LogInit and LogWrite from this DLL, triggering the malicious code execution.
  • Stage 4, Payload (Chrysalis backdoor): The DLL decrypts and injects the Chrysalis shellcode into memory.

Advanced Obfuscation: The “Warbird” Connection

One of the most technically notable aspects of this campaign was the discovery of loaders utilizing Microsoft Warbird. Warbird is an internal, undocumented code protection and license enforcement framework used by Microsoft. Lotus Blossom adapted a proof-of-concept (PoC) to wrap their malicious shellcode within a Warbird-protected binary. This technique allows the malware to masquerade as a legitimate Microsoft system component, significantly complicating reverse engineering and static analysis.

Chrysalis Malware Analysis

The Chrysalis backdoor represents a significant evolution in Lotus Blossom’s toolkit. It is a feature-rich implant capable of long-term espionage.

  • C2 Communication: It communicates over encrypted HTTPS channels to domains such as api.skycloudcenter.com.
  • Capabilities: The backdoor supports over 16 distinct commands, including file exfiltration, process termination, interactive shell access, and self-removal.
  • API Hashing: To avoid detection by import table scanning, Chrysalis uses custom hashing algorithms to dynamically resolve Windows APIs at runtime.

Strategic Context: The Billbug/Lotus Blossom Nexus

This attack aligns with the historical modus operandi of the Lotus Blossom group (Billbug). In 2022, Symantec reported that Billbug had compromised a digital certificate authority (CA) in Asia. While the Notepad++ attack primarily exploited the updater’s verification gap, the group’s history of targeting trust infrastructure—whether CAs or hosting providers—demonstrates a clear intent to subvert the fundamental trust mechanisms of the software supply chain.

Mitigation and Recovery

In response to the breach, the Notepad++ project released version 8.8.9, which introduced strict verification of the update manifest signature. The project also migrated its infrastructure to a new hosting provider with enhanced security controls. Organizations are advised to hunt for the specific Indicators of Compromise (IoCs) related to this campaign, particularly the presence of BluetoothService.exe in unexpected directories.

In-Depth Q&A

Q: What is the Lotus Blossom supply chain attack?

It was a targeted cyber-espionage campaign where the Lotus Blossom APT group compromised the hosting infrastructure of Notepad++ to redirect the software’s WinGUp auto-updater traffic. This allowed them to deliver the custom ‘Chrysalis’ backdoor to specific targets in government and critical infrastructure.

Q: How did the Chrysalis backdoor evade detection?

Chrysalis evaded detection by using DLL sideloading with a legitimate, digitally signed Bitdefender binary (renamed BluetoothService.exe). It also utilized Microsoft’s undocumented ‘Warbird’ code protection framework to obfuscate its shellcode and employed custom API hashing to hide its system calls.

Q: Was the Notepad++ source code compromised?

No, the Notepad++ source code itself was not modified. The attack was an infrastructure-level compromise where the hosting server was breached to intercept and redirect update requests. The malicious payload was served from attacker-controlled servers, not the legitimate repository.

Q: What is the WinGUp verification flaw?

The WinGUp auto-updater (prior to version 8.8.9) failed to properly verify the digital signature of the update manifest file and the integrity of the downloaded installer. This lack of strict validation allowed attackers to perform a Man-in-the-Middle attack and serve a malicious binary.

Q: What are the Indicators of Compromise (IoCs) for the Chrysalis backdoor?

Key IoCs include network traffic to `api.skycloudcenter.com`, the presence of `BluetoothService.exe` (specifically if it matches the hash of the Bitdefender Submission Wizard) in the `%AppData%` folder, and a companion malicious file named `log.dll`.
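A hunt for the indicators listed above and in the Mitigation section, as an added Python example that is not from the article's source reporting: it flags BluetoothService.exe under a user's AppData tree (noting whether a companion log.dll is present and whether its hash matches a placeholder for the Bitdefender Submission Wizard, which the article does not provide) and pulls contacts to api.skycloudcenter.com out of a constructed proxy-log format. The log format, inventory paths, hashes and client IPs are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators named in the article.
C2_DOMAIN = "api.skycloudcenter.com"
LOADER_NAME = "bluetoothservice.exe"
SIDELOAD_DLL = "log.dll"
# The article gives no hash; replace this placeholder with the Submission Wizard's real SHA-256.
BITDEFENDER_WIZARD_SHA256 = "PLACEHOLDER_SHA256_OF_BITDEFENDER_SUBMISSION_WIZARD"

def hunt_files(file_hashes: dict) -> list:
    # file_hashes maps a full Windows path to its SHA-256, as an inventory tool would export it.
    by_dir = {}
    for path, digest in file_hashes.items():
        wp = PureWindowsPath(path)
        by_dir.setdefault(str(wp.parent).lower(), {})[wp.name.lower()] = digest
    findings = []
    for directory, names in by_dir.items():
        # The renamed loader living under a user's AppData tree is the article's key IoC.
        if LOADER_NAME in names and "\\appdata\\" in directory + "\\":
            findings.append({"dir": directory, "sideload_dll_present": SIDELOAD_DLL in names,
                             "loader_hash_matches_wizard": names[LOADER_NAME] == BITDEFENDER_WIZARD_SHA256})
    return findings

# Constructed proxy/DNS log format: "<timestamp> <client-ip> <destination-host>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)")

def hunt_network(log_lines: list) -> list:
    # Returns (timestamp, client) pairs that contacted the Chrysalis C2 domain.
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("host").lower().rstrip(".") == C2_DOMAIN:
            hits.append((m.group("ts"), m.group("src")))
    return hits

def demo() -> dict:
    # Constructed sample inventory and log lines, not real telemetry; the
    # subdirectory name, hashes and client IPs are made up for the example.
    inventory = {
        r"C:\Users\alice\AppData\Roaming\Updater\BluetoothService.exe": BITDEFENDER_WIZARD_SHA256,
        r"C:\Users\alice\AppData\Roaming\Updater\log.dll": "0000constructed",
        r"C:\Program Files\Vendor\BluetoothService.exe": "1111constructed",  # outside AppData: not flagged
    }
    logs = ["2025-11-03T09:12:44Z 10.1.2.3 api.skycloudcenter.com",
            "2025-11-03T09:12:45Z 10.1.2.3 notepad-plus-plus.org",
            "2025-11-03T09:13:02Z 10.1.2.9 API.SKYCLOUDCENTER.COM."]
    return {"files": hunt_files(inventory), "network": hunt_network(logs)}
```

A file finding where the loader hash matches the Submission Wizard and log.dll sits beside it, combined with a network hit from the same host, is the strongest signal; a lone BluetoothService.exe under AppData still warrants a look at its signer and imports.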
