The Notepad++ supply chain attack, attributed to the Lotus Blossom APT group, compromised the popular text editor’s update infrastructure between June and November 2025. I’ve released a PowerShell-based triage script to help administrators quickly check systems for indicators of compromise (IoCs) related to this incident.
GitHub Repository: NotepadPlusPlus-Attack-Triage
What Happened
In early February 2026, the Notepad++ developers confirmed that their update infrastructure had been compromised at the hosting provider level. Attackers leveraged this access to distribute malicious payloads to targeted users through the legitimate update mechanism. Security researchers at Kaspersky and Rapid7 identified multiple distinct infection chains delivering Cobalt Strike beacons and the custom Chrysalis backdoor.
Victims included individuals and organizations across Vietnam, the Philippines, El Salvador, and Australia, targeting government entities, financial organizations, and IT service providers.
The Triage Script
The script performs read-only, passive checks against local system artifacts. It does not modify files, generate network traffic, or contact any C2 infrastructure. All checks are performed against local state including files, DNS cache, active connections, registry entries, and running services.
What It Checks
- Suspicious file paths associated with the three known infection chains
- File hashes (SHA-256/SHA-1) compared against known malicious samples
- DNS cache for lookups to malicious C2 domains
- Active network connections to known malicious IPs
- Mutex presence (Chrysalis backdoor indicator)
- Registry persistence entries in Run keys
- Malicious services (BluetoothService)
- Prefetch artifacts indicating execution of malicious binaries
- Notepad++ version to identify vulnerable installations (pre-v8.8.9)
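The following PowerShell is an added illustration of how several of the checks above can be done passively; it is not the repository's Invoke-NotepadPlusPlusTriage.ps1. The drop paths, C2 domains and mutex name are the IoCs listed on this page; the function names, the Program Files install location and the assumption that notepad++.exe carries its release number in ProductVersion are this example's own.

```powershell
# Added example, not the repository's script: read-only checks for a subset of the
# page's IoCs. Nothing here writes to disk, creates objects or generates network traffic.

$DropPaths = @(                                   # "strong indicator" files from the three chains
    "$env:APPDATA\ProShow\load",
    "$env:APPDATA\Adobe\Scripts\alien.dll",
    "$env:APPDATA\Adobe\Scripts\alien.ini",
    "$env:APPDATA\Bluetooth\BluetoothService",
    "$env:APPDATA\Bluetooth\log.dll",
    "$env:ProgramData\USOShared\conf.c"
)
$C2Domains = @('cdncheck.it.com', 'self-dns.it.com', 'safe-dns.it.com',
               'api.skycloudcenter.com', 'api.wiresguard.com')
$ChrysalisMutex = 'Global\Jdhfv_1.0.1'

function Test-DropArtifacts {
    # Returns the indicator paths that exist on this host (Test-Path only stats the file).
    $DropPaths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
}

function Test-DnsCacheForC2 {
    # Get-DnsClientCache reads the local resolver cache; it performs no lookups itself.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $C2Domains -contains $_.Entry.ToLower().TrimEnd('.') } |
        Select-Object Entry, Data, TimeToLive
}

function Test-ChrysalisMutex {
    # OpenExisting attaches to a mutex only if it already exists; it never creates one.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($ChrysalisMutex)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false                             # no such mutex on this host
    } catch [System.UnauthorizedAccessException] {
        return $true                              # exists, but owned by another security context
    }
}

function Get-NotepadPlusPlusStatus {
    # Assumption (this example's): default 64-bit install path and a parseable ProductVersion.
    $exe = Join-Path $env:ProgramFiles 'Notepad++\notepad++.exe'
    if (-not (Test-Path -LiteralPath $exe)) { return 'not installed at default path' }
    try {
        $ver = [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    } catch { return 'version string not parseable' }
    if ($ver -lt [version]'8.8.9') { "vulnerable ($ver, pre-v8.8.9)" } else { "patched ($ver)" }
}

[pscustomobject]@{
    DroppedFiles    = @(Test-DropArtifacts)
    DnsCacheHits    = @(Test-DnsCacheForC2)
    ChrysalisMutex  = Test-ChrysalisMutex
    NotepadPlusPlus = Get-NotepadPlusPlusStatus
} | ConvertTo-Json -Depth 3
```

Two caveats when reading the output: the DNS cache is short-lived, so an empty result does not clear a host that was active days ago, and the Adobe\Scripts paths above are deliberately limited to alien.dll and alien.ini because the directory itself is legitimate, as the page notes under infection chain #2.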
Indicators of Compromise
Malicious Domains
| Domain | Usage |
|---|---|
| cdncheck[.]it[.]com | Cobalt Strike C2 |
| self-dns[.]it[.]com | System info upload |
| safe-dns[.]it[.]com | Metasploit downloader / CS C2 |
| api[.]skycloudcenter[.]com | Chrysalis C2 |
| api[.]wiresguard[.]com | Chrysalis C2 |
Malicious IP Addresses
| IP Address | Usage |
|---|---|
| 45[.]76[.]155[.]202 | Malicious update server |
| 45[.]32[.]144[.]255 | Malicious update server |
| 45[.]77[.]31[.]210 | Cobalt Strike C2 |
| 95[.]179[.]213[.]0 | Malicious update server |
| 61[.]4[.]102[.]97 | Chrysalis C2 |
| 59[.]110[.]7[.]32 | Cobalt Strike C2 |
| 124[.]222[.]137[.]114 | Cobalt Strike C2 |
Infection Chain #1 — ProShow (DLL Sideloading)
This chain abuses an old vulnerability in the legitimate ProShow software. Malicious files are dropped to %AppData%\ProShow\:
| Path | Description |
|---|---|
| %AppData%\ProShow\ProShow.exe | Legitimate software (abused) |
| %AppData%\ProShow\load | Exploit payload — strong indicator |
| %AppData%\ProShow\defscr | Auxiliary file |
| %AppData%\ProShow\if.dnt | Auxiliary file |
Infection Chain #2 — Lua/Adobe (DLL Sideloading)
Uses a Lua interpreter to execute malicious shellcode. Files are dropped to %AppData%\Adobe\Scripts\:
| Path | Description |
|---|---|
| %AppData%\Adobe\Scripts\script.exe | Lua interpreter (abused) |
| %AppData%\Adobe\Scripts\lua5.1.dll | Lua library |
| %AppData%\Adobe\Scripts\alien.dll | Malicious DLL — strong indicator |
| %AppData%\Adobe\Scripts\alien.ini | Compiled Lua shellcode — strong indicator |
Note: The %AppData%\Adobe\Scripts\ path is a legitimate Adobe directory and may produce false positives.
Infection Chain #3 — Chrysalis Backdoor
Deploys a custom backdoor using DLL sideloading with a renamed Bitdefender executable:
| Path | Description |
|---|---|
| %AppData%\Bluetooth\BluetoothService.exe | Renamed Bitdefender tool |
| %AppData%\Bluetooth\BluetoothService | Encrypted shellcode (no extension) — strong indicator |
| %AppData%\Bluetooth\log.dll | Malicious sideloading DLL — strong indicator |
| %ProgramData%\USOShared\svchost.exe | Renamed TinyCC compiler |
| %ProgramData%\USOShared\conf.c | Metasploit shellcode — strong indicator |
Mutex
| Mutex Name | Associated Malware |
|---|---|
| Global\Jdhfv_1.0.1 | Chrysalis Backdoor |
Registry Persistence
Check for values in the following keys containing Bluetooth\BluetoothService.exe with -i or -k flags:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
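As an added example of this check (not code from the repository), the snippet below enumerates the two Run keys named above and reports any value that launches Bluetooth\BluetoothService.exe with a standalone -i or -k switch. The key paths and the flag names come from the page; the function name and the regular expression are this example's own.

```powershell
# Added example, not the repository's script: read-only scan of the Run keys for the
# Chrysalis persistence entry described above.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# The executable path, then any arguments, then -i or -k as a separate token.
# -match is case-insensitive by default, so mixed-case paths are still caught.
$Pattern = 'Bluetooth\\BluetoothService\.exe\b.*(^|\s)-(i|k)(\s|$)'

function Find-ChrysalisRunEntries {
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }             # key absent or not readable
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/PSChildName/... metadata PowerShell adds.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match $Pattern) {
                [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $p.Value }
            }
        }
    }
}

Find-ChrysalisRunEntries | Format-Table -AutoSize
```

HKCU here is the hive of the account running the script; on a multi-user host, Run keys under other profiles (HKEY_USERS) need to be inspected separately, which is why running the triage as Administrator matters.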
Usage
- Download Invoke-NotepadPlusPlusTriage.ps1 from the repository
- Open PowerShell as Administrator
- Run the script:

```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
.\Invoke-NotepadPlusPlusTriage.ps1
```
The script generates both JSON (for SIEM ingestion) and HTML (human-readable) reports.
References
- Notepad++ Official Statement
- Kaspersky Securelist — Notepad++ Supply Chain Attack
- Rapid7 — Chrysalis Backdoor Analysis
The script is provided as-is for incident response purposes under the MIT license.