What to Know About the Notepad++ Supply-Chain Attack

Source: Threat Intelligence Blog | Flashpoint

Author: Flashpoint

URL: https://flashpoint.io/blog/what-to-know-about-the-notepad-supply-chain-attack/

ONE SENTENCE SUMMARY:

CVE-2025-15556, a missing installer signature check in the Notepad++ WinGUP updater, let attackers hijack Notepad++ updates and deliver Lotus Blossom backdoors, persistence, and data theft.

MAIN POINTS:

  1. The vulnerability resides in the Notepad++ WinGUP updater, which did not verify the signature of the installer it downloaded before running it.
  2. A compromise of the project's hosting provider enabled the supply-chain tampering; the root cause was infrastructure, not only a coding mistake.
  3. Attackers intercepted WinGUP update requests and redirected them to malicious infrastructure.
  4. MitM techniques and DNS cache poisoning facilitated redirection to attacker-controlled servers.
  5. Trojanized update.exe installers were delivered in place of the legitimate patch, so the update looked normal to the victim.
  6. Lotus Blossom campaign operated July–October 2025 across three evolving attack chains.
  7. Early chains deployed Cobalt Strike beacons using NSIS installers and rotating C2 URLs.
  8. The final chain installed the Chrysalis backdoor through a BluetoothService.exe executable, a log.DLL loaded alongside it, and shellcode.
  9. Mapped ATT&CK techniques include DLL hijacking, registry run keys, services, and process injection.
  10. Recommended defenses include patching to v8.9.1+, hunting TTPs, monitoring domains, and hardening endpoints.
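The check the updater lacked before v8.9.1 is, in essence, "do not execute a downloaded installer unless it is signed by the publisher you expect." The following PowerShell is an added example, not code from the Flashpoint post or from the Notepad++ project, showing how to gate execution of a fetched installer on its Authenticode signature. The subject pattern and the optional thumbprint are placeholder assumptions; pin them to the publisher's real signing certificate in your own environment.

```powershell
# Added example (not from the Flashpoint post or the Notepad++ project).
# Refuse to run an update installer unless its Authenticode signature is valid
# AND the signer matches a pinned publisher. A merely "Valid" status only means
# the chain reaches a trusted root; anyone can buy a code-signing certificate,
# so the subject/thumbprint pin is the part that actually defeats a swapped binary.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    # Assumption: placeholder pattern, replace with the real publisher subject.
    [string] $ExpectedSubjectPattern = 'CN=Notepad\+\+',
    # Optional stronger pin: SHA-1 thumbprint of the expected signing certificate.
    [string] $ExpectedThumbprint = $null
)

if (-not (Test-Path -Path $InstallerPath -PathType Leaf)) {
    Write-Error "Installer not found: $InstallerPath"
    exit 1
}

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Status is an enum (Valid, NotSigned, HashMismatch, UnknownError, ...).
# Anything other than Valid means the file is unsigned, tampered, or untrusted.
if ($sig.Status -ne 'Valid') {
    Write-Error "Refusing to run $InstallerPath : signature status '$($sig.Status)' ($($sig.StatusMessage))"
    exit 1
}

$cert = $sig.SignerCertificate

if ($ExpectedThumbprint -and ($cert.Thumbprint -ne $ExpectedThumbprint)) {
    Write-Error "Refusing to run: signer thumbprint $($cert.Thumbprint) does not match the pinned value"
    exit 1
}

if ($cert.Subject -notmatch $ExpectedSubjectPattern) {
    Write-Error "Refusing to run: signer subject '$($cert.Subject)' is not the expected publisher"
    exit 1
}

Write-Host "Signature OK: signed by '$($cert.Subject)' (thumbprint $($cert.Thumbprint))"
Write-Host "SHA-256: $((Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash)"

# Only now hand the file to the OS.
Start-Process -FilePath $InstallerPath -Wait
```

Run it as `.\Run-VerifiedInstaller.ps1 -InstallerPath .\update.exe -ExpectedThumbprint <pinned thumbprint>`. The thumbprint pin is preferable to the subject match on its own, because a subject string can be reproduced by an attacker who obtains a certificate with a look-alike name, while the thumbprint identifies one specific certificate.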

TAKEAWAYS:

  1. Prioritize upgrading Notepad++ to v8.9.1+ to enforce signature verification.
  2. Treat software supply-chain risk as infrastructure-dependent, not only code-dependent.
  3. Hunt for persistence artifacts like suspicious DLL loads, run keys, and new services.
  4. Strengthen network controls against redirect-based delivery using domain monitoring and blocking.
  5. Use MITRE ATT&CK mappings to guide detection engineering and proactive threat hunting.
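Takeaway 3 and main point 9 name the persistence classes to hunt for: Run keys, new services, and DLLs loaded from places they should not be, plus the BluetoothService.exe and log.DLL file names from the final Chrysalis chain. The PowerShell below is an added hunting example, not code from the Flashpoint post, that sweeps a single host for those four classes. The set of "user-writable" roots and the rule that a service binary outside Windows or Program Files is suspicious are assumptions chosen for illustration; tune them to your estate.

```powershell
# Added hunting example (not from the Flashpoint post). Collects candidate
# persistence artifacts matching the post's ATT&CK mapping: Run keys, services,
# DLL hijacking / side-loaded DLLs, and the named files from the Chrysalis chain.
# Run from an elevated prompt so service and process module enumeration succeed.

# File names the post attributes to the final attack chain.
$suspiciousNames = @('BluetoothService.exe', 'log.dll')

# Assumption: locations a non-admin user can write to; a legitimate service or
# editor update should not be loading code from here.
$userWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ -and (Test-Path $_) }

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string] $Type, [string] $Where, [string] $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Run / RunOnce keys whose command points into a user-writable location (T1547.001).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        $cmd = [string] $p.Value
        foreach ($root in $userWritableRoots) {
            if ($cmd -like "*$root*") { Add-Finding 'RunKey' "$key\$($p.Name)" $cmd }
        }
    }
}

# 2. Services whose binary lives outside Windows or Program Files (T1543.003).
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $path = $_.PathName
    if ($path -and $path -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)') {
        Add-Finding 'Service' $_.Name $path
    }
}

# 3. The named artifacts from the final chain, hashed for correlation with IOC feeds.
foreach ($root in $userWritableRoots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $suspiciousNames -contains $_.Name } |
        ForEach-Object {
            Add-Finding 'Artifact' $_.FullName (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
}

# 4. Live processes holding a DLL loaded from a user-writable path (T1574 hijack/side-load).
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { return }   # protected processes deny access
    foreach ($m in $mods) {
        foreach ($root in $userWritableRoots) {
            if ($m.FileName -like "$root*") {
                Add-Finding 'LoadedDll' "$($proc.ProcessName) ($($proc.Id))" $m.FileName
            }
        }
    }
}

$findings | Sort-Object Type, Where | Format-Table -AutoSize
```

Every row is a lead, not a verdict: third-party updaters and per-user installs legitimately appear under AppData, so correlate the service and loaded-DLL rows with signature status and file age before escalating. The artifact rows are the high-confidence ones, since the file names come straight from the reported chain.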