Notepad++ Compromised: The Details of a Three-Step Campaign

For several months, the Notepad++ update channel was used to disseminate malware.

Its developer confirmed it this week. In broad terms, a compromise of the hosting infrastructure allowed malicious updates to be served to users.

A timeline of events is taking shape. Three phases emerge, each with its own execution chain. Among the targets were a government entity in the Philippines, a financial organization in El Salvador, and an IT service provider in Vietnam.

Phase 1: A vulnerability in ProShow exploited

The first phase stretched from late July to early August.

Tampering with the traffic of Notepad++'s update manager caused it to download and run an NSIS installer of about 1 MB. On launch, the installer created a directory with a text file inside it, wrote system information into that file, uploaded it to temp.sh, and sent the resulting URL to a C2 server.

A downloader then dropped several files into the same folder, among them a legitimate but vulnerable version of ProShow; the flaw allowed shellcode to be executed.

This shellcode decrypted a Metasploit-based downloader, which retrieved and launched a Cobalt Strike implant. The implant then communicated with a second C2 server.

Between late July and early August, little changed beyond the URLs of the Cobalt Strike implant and of its C2 server.

Phase 2: Transition to the Lua interpreter

The second phase began in mid-September and ended by the end of the month.

The malicious Notepad++ update was still hosted on the same server. It remained an NSIS installer, but a lighter one (about 140 KB). System information was collected the same way as in the first phase.

From there the chain diverged. ProShow was gone, replaced by files belonging to a Lua interpreter, including an executable that ran a script stored in an .ini file.

The script placed shellcode in executable memory and ran it through the Windows API function EnumWindowStationsW, which takes a callback pointer and is therefore a convenient way to transfer execution to an arbitrary address. From there the chain returned to the "Metasploit downloader plus Cobalt Strike" pattern, with URLs similar to those seen earlier.

Toward the end of the period, update files with different hashes appeared, and the collection of system information was split across several commands.
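The first two phases share one behavioral signature that is easy to hunt for in endpoint telemetry: a process spawned by the Notepad++ updater that then reaches a file-drop service. The following Python snippet is an added example, not code from the article or from Rapid7's analysis. It assumes that GUP.exe is the Notepad++ updater binary, uses temp.sh as the drop site named above, and models events with a simplified, hypothetical layout loosely mirroring Sysmon process-create and network-connect records; the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumptions (not from the article): GUP.exe is the Notepad++ updater
# binary, and temp.sh is the drop site the article names. The Event layout
# is a simplified, hypothetical stand-in for Sysmon process-create (1) and
# network-connect (3) events.
UPDATER_IMAGE = "gup.exe"
DROP_SITES = {"temp.sh"}


@dataclass
class Event:
    kind: str                    # "process" or "network"
    pid: int
    ppid: Optional[int] = None   # process events only
    image: str = ""              # process events only
    host: str = ""               # network events only


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS: List[Event] = [
    Event("process", pid=100, ppid=1,
          image=r"C:\Program Files\Notepad++\updater\GUP.exe"),
    # updater child that uploads to the drop site (the malicious pattern)
    Event("process", pid=200, ppid=100,
          image=r"C:\Users\u\AppData\Local\Temp\nppUpdate\npp.Installer.exe"),
    Event("network", pid=200, host="temp.sh"),
    # unrelated process talking to the vendor site
    Event("process", pid=300, ppid=1, image=r"C:\Windows\explorer.exe"),
    Event("network", pid=300, host="notepad-plus-plus.org"),
    # updater child that only talks to the vendor site (benign update)
    Event("process", pid=400, ppid=100,
          image=r"C:\Users\u\AppData\Local\Temp\nppUpdate\npp.Installer.exe"),
    Event("network", pid=400, host="notepad-plus-plus.org"),
]


def updater_children(events: List[Event]) -> Dict[int, str]:
    """Map pid -> lowercased image path for every process whose parent
    is the updater. Parent/child links are resolved by pid, so all
    process events must be present in the window being analysed."""
    image_of: Dict[int, str] = {}
    parent_of: Dict[int, Optional[int]] = {}
    for e in events:
        if e.kind == "process":
            image_of[e.pid] = e.image.lower()
            parent_of[e.pid] = e.ppid
    return {
        pid: image_of[pid]
        for pid, ppid in parent_of.items()
        if ppid in image_of and image_of[ppid].endswith("\\" + UPDATER_IMAGE)
    }


def flag_update_chain(events: List[Event]) -> List[dict]:
    """Flag updater-spawned processes that contact a drop site.

    A legitimate update also spawns an installer, so the spawn alone is
    noise; the signal is that child reaching a file-drop service.
    """
    children = updater_children(events)
    hits = []
    for e in events:
        if (e.kind == "network" and e.pid in children
                and e.host.lower() in DROP_SITES):
            hits.append({"pid": e.pid, "image": children[e.pid], "host": e.host})
    return hits


if __name__ == "__main__":
    for h in flag_update_chain(SAMPLE_EVENTS):
        print(f"suspicious update chain: pid={h['pid']} {h['image']} -> {h['host']}")
```

The rule deliberately ignores the installer's own spawn and hashes, which changed across the campaign, and keys on the behavior that did not: the updater's child process uploading to a third-party drop site.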

Phase 3: DLL side-loading into a Bitdefender executable

The third phase covered October.

This time the server hosting the malicious updates changed. The payloads were still NSIS installers, but they no longer collected system information. The shellcode was now loaded by DLL side-loading into an executable named BluetoothService.exe, which was in fact a legitimate, renamed copy of Bitdefender Submission Wizard.

The shellcode was decrypted by an embedded routine and ultimately delivered a backdoor. Rapid7 named it Chrysalis, a nod to its multiple layers (envelope encryption, names and strings constructed at runtime, API hashing, URLs formatted to look like DeepSeek endpoints) that complicate detection of its activity.

One of the loaders uses an undocumented system call associated with Microsoft Warbird, a Microsoft code-obfuscation framework. Cobalt Strike is not loaded directly in this phase, yet the implant was found on an infected machine, again fetched by a Metasploit downloader from URLs similar to those seen in the first two phases.
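The third phase is best hunted for on the image-load side: a signed vendor binary, renamed and dropped into a user-writable directory, loading an unsigned DLL from that same directory. The following Python snippet is an added example, not code from the article or from Rapid7's analysis. It works over constructed Sysmon-style ImageLoad (event 7) records; the DLL name, paths and the joined-in process fields (the ones prefixed "Image") are hypothetical, not taken from the report.

```python
import ntpath
from typing import Dict, List

# Directory markers treated as user-writable (assumption, tune per estate).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed Sysmon-style ImageLoad records. "ImageLoaded" and "Signed"
# follow Sysmon's event 7 schema; "ImageOriginalFileName" and "ImageSigned"
# are assumed to have been joined in from the process-create event of the
# loading process. All names and paths are hypothetical.
SAMPLE_LOADS: List[Dict] = [
    {   # phase 3 pattern: renamed signed exe in Temp loads unsigned DLL beside it
        "Image": r"C:\Users\u\AppData\Local\Temp\bt\BluetoothService.exe",
        "ImageOriginalFileName": "SubmissionWizard.exe",   # hypothetical
        "ImageSigned": True,
        "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\bt\helper.dll",  # hypothetical
        "Signed": False,
    },
    {   # benign: signed vendor exe loading a signed DLL from Program Files
        "Image": r"C:\Program Files\Vendor\Tool.exe",
        "ImageOriginalFileName": "Tool.exe",
        "ImageSigned": True,
        "ImageLoaded": r"C:\Program Files\Vendor\support.dll",
        "Signed": True,
    },
    {   # same renamed exe loading a system DLL: suspicious context, no side-load
        "Image": r"C:\Users\u\AppData\Local\Temp\bt\BluetoothService.exe",
        "ImageOriginalFileName": "SubmissionWizard.exe",
        "ImageSigned": True,
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": True,
    },
]

SIDELOAD = "signed-exe-loads-unsigned-dll-from-own-dir"


def sideload_indicators(rec: Dict) -> List[str]:
    """Return the side-loading indicators present in one ImageLoad record."""
    exe_dir = ntpath.dirname(rec["Image"]).lower()
    dll_dir = ntpath.dirname(rec["ImageLoaded"]).lower()
    reasons: List[str] = []
    # the core side-load condition: trusted host, untrusted DLL, same folder
    if rec["ImageSigned"] and not rec["Signed"] and exe_dir == dll_dir:
        reasons.append(SIDELOAD)
    # staging location an attacker can write to without privileges
    if any(m in exe_dir for m in USER_WRITABLE_MARKERS):
        reasons.append("exe-in-user-writable-dir")
    # on-disk name differs from the name in the binary's version resource
    if ntpath.basename(rec["Image"]).lower() != rec["ImageOriginalFileName"].lower():
        reasons.append("exe-renamed-from-original-filename")
    return reasons


def flag_sideloads(records: List[Dict], min_indicators: int = 2) -> List[Dict]:
    """Flag records showing the side-load condition plus at least one more
    indicator. The DLL condition alone is too noisy: plenty of legitimate
    installers ship unsigned DLLs beside a signed executable."""
    hits = []
    for rec in records:
        reasons = sideload_indicators(rec)
        if SIDELOAD in reasons and len(reasons) >= min_indicators:
            hits.append({"image": rec["Image"], "dll": rec["ImageLoaded"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in flag_sideloads(SAMPLE_LOADS):
        print(f"possible side-load: {h['image']} <- {h['dll']} ({', '.join(h['reasons'])})")
```

The renamed-binary check is the one most specific to this phase: Bitdefender's executable keeps its original file name in its version resource no matter what it is called on disk, so the mismatch survives any hash or server change.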

Similarities with a prior analysis suggest attributing this third phase, and potentially the entire campaign, to Lotus Blossom, a China-linked threat actor. Active since at least 2009, it has conducted espionage in Southeast Asia and more recently in Central America, targeting governments, telecoms, aviation, media, and critical infrastructure.

Dawn Liphardt
