
Notepad++ Supply Chain Attack: Details, Targets, and IoCs Revealed

Originally published on: February 5, 2026
Summary

– The Notepad++ update mechanism was hijacked by Lotus Blossom, a Chinese state-sponsored group targeting specific organizations for espionage.
– Attackers used sophisticated methods, including a custom backdoor called Chrysalis and abused legitimate software like Bitdefender’s tool for DLL sideloading.
– Multiple unique execution chains were observed, delivering payloads like Cobalt Strike Beacon through compromised installers and exploits.
– The campaign was highly targeted, focusing on entities in Vietnam, El Salvador, Australia, and the Philippines over a four-month period.
– Notepad++ has since hardened its updater security and migrated its website to prevent future similar attacks.

A recent and sophisticated supply chain attack has been linked to the Notepad++ update mechanism, with security researchers attributing the campaign to a known Chinese state-sponsored threat actor. The group, tracked as Lotus Blossom or Billbug, is recognized for conducting espionage operations, primarily against entities across Southeast Asia. This incident highlights the ongoing risk posed by software supply chain compromises, where attackers infiltrate trusted distribution channels to deliver malware to a select set of high-value targets.

According to detailed analyses, the attackers focused on a narrow range of victims. Telemetry data indicates compromised systems belonged to individuals in Vietnam, El Salvador, and Australia. The campaign also successfully breached a government body in the Philippines, a financial institution in El Salvador, and an IT services company based in Vietnam. This precise targeting aligns with the group’s historical focus on intelligence gathering.

The technical execution of the attack involved multiple, distinct chains. In one method, users downloaded a malicious file masquerading as a software update. This file was actually an NSIS installer that sideloaded a malicious DLL. This DLL, in turn, decrypted and injected a sophisticated backdoor, dubbed “Chrysalis,” into a legitimate system process. Researchers described Chrysalis as a feature-rich, permanent backdoor with advanced obfuscation techniques, suggesting it is a well-maintained tool developed over a significant period.

A separate execution chain also began with a malicious NSIS installer. This installer first sent a heartbeat signal with system details to the attackers’ command servers. It then deployed a vulnerable version of legitimate ProShow software, which was exploited to run a payload. This exploit led to the decryption of a downloader, which ultimately fetched a Cobalt Strike Beacon to establish persistent command and control.

Investigators discovered that the attackers constantly evolved their tactics over a four-month period. They rotated command and control servers, downloaders, and final payloads to evade detection. This dynamic approach resulted in numerous unique infection paths, demonstrating a high degree of operational flexibility and resources dedicated to the campaign.

For most users of the popular text editor, the risk from this incident appears low. The attack was highly targeted, not a broad-based compromise. However, security teams are advised to review shared indicators of compromise to check for any signs of infiltration within their networks. General remediation guidance includes ensuring systems are fully patched and monitoring for anomalous network traffic associated with the identified malicious infrastructure.

In response to the breach, the maintainer of Notepad++ has implemented significant security upgrades. The software’s update mechanism now performs stricter verification of digital certificates and signatures for any downloaded installers. Furthermore, the project’s official website has been migrated to a new hosting provider with enhanced security measures to prevent similar hijacking attempts in the future.
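The kind of check a hardened updater performs before running a downloaded installer, shown here as an added PowerShell example (not the Notepad++ project's own updater code): the Authenticode signature must be valid and the leaf certificate must match a pinned publisher thumbprint. `Test-TrustedInstaller`, the installer path and `PLACEHOLDER_PUBLISHER_THUMBPRINT` are illustrative; the real thumbprint must come from the publisher's published certificate, never from the download itself.

```powershell
# Added example, not project code. Gate execution of a downloaded installer
# on an Authenticode check plus a pinned signer thumbprint.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # placeholder value supplied by caller
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status distinguishes NotSigned, HashMismatch (modified after signing)
    # and NotTrusted (self-signed or broken chain); only Valid is acceptable.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path rejected: signature status $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }

    # A valid signature from the wrong publisher is still an attacker's file,
    # so pin the leaf certificate rather than trusting any chain the OS accepts.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        Write-Warning "$Path rejected: signed by '$($sig.SignerCertificate.Subject)' (thumbprint $actual)"
        return $false
    }

    return $true
}

# Usage: the installer path is illustrative; the thumbprint is a placeholder.
$installer = "$env:TEMP\npp-update.exe"
if (Test-TrustedInstaller -Path $installer -ExpectedThumbprint 'PLACEHOLDER_PUBLISHER_THUMBPRINT') {
    Start-Process -FilePath $installer -Wait
} else {
    # Record the SHA-256 so the rejected file can be compared against published IoCs.
    $hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
    Write-Warning "Quarantine candidate: $installer sha256=$hash"
}
```

Pinning a thumbprint means the check must be updated when the publisher rotates its signing certificate, which is the price of not accepting any certificate the OS happens to trust.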

(Source: HelpNet Security)
