Notepad++ Supply Chain Attack: What Houston Businesses Need to Know About the 2025 Chrysalis Malware Campaign

February 5, 2026
01

Introduction

The cybersecurity landscape shifted dramatically in late 2025 when researchers uncovered a sophisticated supply chain attack targeting Notepad++, one of the most popular text editors in the world with over 10 million active users. This was not a typical malware campaign—it was a state-sponsored operation that silently compromised update servers for six months, delivering custom malware to carefully selected targets across telecommunications, government, and financial sectors.

For Houston businesses relying on open-source software tools, this attack serves as a critical wake-up call about the hidden dangers lurking in software supply chains. In this comprehensive guide, we will break down exactly what happened, who was behind it, and most importantly, what steps your organization should take to protect against similar threats.

02

What Happened: The Notepad++ Supply Chain Compromise

Between June and December 2025, a China-linked threat actor successfully infiltrated the infrastructure hosting Notepad++, enabling them to intercept and redirect legitimate software update requests to malicious servers under their control. Unlike traditional malware attacks that exploit vulnerabilities in the software code itself, this campaign targeted the trust relationship between users and their software update mechanisms.

When users ran the built-in WinGUP updater—a routine action that millions perform without a second thought—their requests were occasionally routed to attacker-controlled servers. These servers delivered malicious installers masquerading as legitimate Notepad++ updates, which then deployed a previously unknown backdoor called Chrysalis.
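The control that defeats this kind of redirect is refusing to execute anything the update channel serves until its integrity has been confirmed against a value obtained elsewhere. The Python sketch below is an added illustration, not code from the article or from the Notepad++ project: the installer bytes, the pinned digest, and the `fetch`/`install` callbacks are constructed stand-ins, and the digest is computed in-script only so the example runs offline.

```python
import hashlib
import hmac
from typing import Callable

# Constructed stand-in for the genuine installer bytes. The pinned digest is
# derived from it here only so the example runs offline; in production the
# digest comes from an out-of-band source (signed release notes, an internal
# allowlist), never from the same channel that served the download.
GENUINE_INSTALLER = b"constructed stand-in for a genuine Notepad++ installer"
PINNED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(payload: bytes, pinned_hex: str) -> bool:
    """True only if the payload's SHA-256 equals the pinned digest."""
    # compare_digest gives a constant-time comparison of the two hex strings
    return hmac.compare_digest(sha256_hex(payload), pinned_hex.lower())


def safe_update(fetch: Callable[[], bytes],
                install: Callable[[bytes], None],
                pinned_hex: str = PINNED_SHA256) -> str:
    """Fetch an update, verify it, and install it only on success.
    Returns 'installed' or 'rejected' so the caller can log the outcome."""
    payload = fetch()
    if not verify_update(payload, pinned_hex):
        return "rejected"            # never execute what the channel served
    install(payload)
    return "installed"


# Two constructed update channels: the legitimate one, and one that has been
# redirected and serves a swapped installer, as the article describes.
def legitimate_channel() -> bytes:
    return GENUINE_INSTALLER


def redirected_channel() -> bytes:
    return b"constructed stand-in for an attacker-swapped installer"


installed_payloads: list = []          # records what install() was handed


def record_install(payload: bytes) -> None:
    installed_payloads.append(payload)


if __name__ == "__main__":
    print(safe_update(legitimate_channel, record_install))   # installed
    print(safe_update(redirected_channel, record_install))   # rejected
```

On Windows the same gate is usually a code-signing check rather than a bare hash (for example inspecting the Authenticode signature of the downloaded installer before it runs); the point is the same either way: the update server's word alone is not evidence that the file is genuine.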

03

Who Was Behind the Attack

Security researchers at Rapid7 attributed the campaign to Lotus Blossom (also known as Billbug), a Chinese APT group active since 2009. This group conducts espionage operations targeting government agencies, telecommunications providers, and critical infrastructure across Southeast Asia and Central America. Independent researcher Kevin Beaumont connected the attack to Violet Typhoon (APT31/Zirconium).

04

Inside the Chrysalis Backdoor

The Chrysalis malware implements 16 distinct command functions, including interactive reverse shell access, remote process execution, comprehensive file operations, file transfer for data exfiltration, drive enumeration, and self-removal. It uses the Microsoft Warbird code-protection framework for obfuscation, relies on DLL sideloading and custom API hashing, and mimics legitimate DeepSeek API traffic patterns to blend in.

05

Indicators of Compromise

Network indicators include traffic to 95.179.213.0, connections to api.skycloudcenter[.]com and api.wiresguard[.]com, and communications with the Malaysian IP address 61.4.102.97. Host-based indicators include hidden directories under AppData containing executables, BluetoothService.exe in unexpected locations, a specific mutex identifier, and unexpected registry modifications.
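The following Python script is an added example, not code from the article or from any vendor, that runs the network indicators above over a few constructed DNS/proxy log lines and the host indicators over a constructed file inventory. The article does not say where BluetoothService.exe is expected to live, so treating any copy under a user profile or ProgramData as suspect is this example's assumption; the mutex and registry indicators are not covered because the article does not name them.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Network indicators exactly as the article lists them (domains are written
# defanged there with "[.]"; re-fanged here so they match real log text)
IOC_IPS = {"95.179.213.0", "61.4.102.97"}
IOC_DOMAINS = {d.replace("[.]", ".")
               for d in ("api.skycloudcenter[.]com", "api.wiresguard[.]com")}

# Host indicator: BluetoothService.exe "in unexpected locations". Treating any
# copy under a user profile or ProgramData as unexpected is this example's
# assumption; the article does not define the expected location.
SUSPECT_EXE = "bluetoothservice.exe"
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def scan_network_log(lines: Iterable[str]) -> list:
    """Return (line_no, matched_indicator, raw_line) for lines touching an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip, line))
        for host in HOST_RE.findall(line):
            h = host.lower()
            # the listed domain itself or any subdomain of it
            if any(h == d or h.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((n, h, line))
    return hits


@dataclass
class FileEntry:
    path: str      # full Windows path from the inventory
    hidden: bool   # hidden attribute set on the containing directory


def scan_host_inventory(entries: Iterable[FileEntry]) -> list:
    """Return (reason, path) pairs for files matching the host indicators."""
    findings = []
    for e in entries:
        p = e.path.lower()
        name = p.rsplit("\\", 1)[-1]
        if name == SUSPECT_EXE and any(m in p for m in USER_WRITABLE_MARKERS):
            findings.append(("BluetoothService.exe in a user-writable location", e.path))
        if e.hidden and "\\appdata\\" in p and name.endswith(".exe"):
            findings.append(("executable inside a hidden directory under AppData", e.path))
    return findings


# Constructed sample data (not real telemetry) so the script runs stand-alone
SAMPLE_DNS_LOG = [
    "2025-11-03T10:22:01 ws-042 query A notepad-plus-plus.org",
    "2025-11-03T10:22:07 ws-042 query A api.skycloudcenter.com",
    "2025-11-03T10:23:15 ws-042 connect 95.179.213.0:443",
    "2025-11-03T10:25:40 ws-017 query A updates.example.com",
]
SAMPLE_FILES = [
    FileEntry(r"C:\Users\jdoe\AppData\Roaming\Updater\BluetoothService.exe", hidden=True),
    FileEntry(r"C:\Program Files\Notepad++\notepad++.exe", hidden=False),
]

if __name__ == "__main__":
    for hit in scan_network_log(SAMPLE_DNS_LOG):
        print("NET ", hit)
    for finding in scan_host_inventory(SAMPLE_FILES):
        print("HOST", finding)
```

Point `scan_network_log` at exported DNS, proxy, or firewall logs and `scan_host_inventory` at an EDR or asset-inventory file listing; a single hit on either list is grounds for isolating the host and starting the audit described in the next section.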

06

Remediation Steps

Update Notepad++ to version 8.8.9 or later immediately. Audit systems for compromise if Notepad++ was used between June and December 2025. Implement software composition analysis tools, network segmentation, zero trust architecture, and modern EDR solutions. Monitor for behavioral anomalies and subscribe to security advisories for critical applications.
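To run the first two steps against an asset inventory rather than host by host, here is an added Python example (ours, not the article's or LayerLogix's) that flags hosts whose Notepad++ build is below 8.8.9 and hosts whose updater ran inside the June to December 2025 window. The `Host` record and its field names are assumptions about what an inventory export provides, and using the last updater run as the proxy for "was used in the window" is this example's choice.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

MIN_SAFE_VERSION = (8, 8, 9)   # "version 8.8.9 or later", per the article
# "between June and December 2025": any updater run in this window gets audited
EXPOSURE_START, EXPOSURE_END = date(2025, 6, 1), date(2025, 12, 31)


def parse_version(text: str) -> tuple:
    """'8.8.9' -> (8, 8, 9); a two-part string such as '8.8' pads to (8, 8, 0)
    so tuple comparison still works when an inventory drops the patch number."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


@dataclass
class Host:
    name: str
    npp_version: Optional[str]          # None when Notepad++ is not installed
    last_updater_run: Optional[date]    # last WinGUP check seen by the inventory


def triage(hosts: Iterable[Host]) -> dict:
    """Split hosts into needs_update (below 8.8.9) and needs_audit (updater
    ran inside the exposure window). A host may land in both buckets."""
    result = {"needs_update": [], "needs_audit": []}
    for h in hosts:
        if h.npp_version is None:
            continue                    # nothing to patch or audit
        if parse_version(h.npp_version) < MIN_SAFE_VERSION:
            result["needs_update"].append(h.name)
        if h.last_updater_run and EXPOSURE_START <= h.last_updater_run <= EXPOSURE_END:
            result["needs_audit"].append(h.name)
    return result


# Constructed inventory rows for a stand-alone run
SAMPLE_HOSTS = [
    Host("ws-017", "8.8.9", date(2026, 1, 12)),    # patched, updated after the window
    Host("ws-042", "8.7.1", date(2025, 9, 3)),     # old build, updated in the window
    Host("ws-088", "8.8.10", date(2025, 12, 20)),  # current, but ran updater in the window
    Host("srv-003", None, None),                   # no Notepad++ at all
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_HOSTS).items():
        print(bucket, names)
```

Note that a host already on 8.8.10 still lands in `needs_audit` if its updater ran during the window: being current today says nothing about what the updater fetched in September.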

07

How LayerLogix Can Help

At LayerLogix, we help Houston businesses implement comprehensive security strategies including 24/7 Security Monitoring, Endpoint Detection and Response (EDR), Software Asset Management, Security Awareness Training, and Incident Response Planning. Contact us today to strengthen your cybersecurity posture against nation-state threats.
