Advanced DNS Security
Cortex
Managed Threat Hunting
Executive Summary
Between June and December 2025, the official hosting infrastructure for the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom. The attackers breached the shared hosting provider’s environment.
This allowed the attackers to intercept and redirect traffic destined for the Notepad++ update server. This infrastructure-level hijack enabled the attackers to selectively target specific users. The targets were primarily located in Southeast Asia across government, telecommunications and critical infrastructure sectors. Attackers served these targets malicious update manifests instead of legitimate software updates.
We’ve identified additional unreported infrastructure, which is linked to this campaign. We’ve observed two chains of infection including a Lua script injection variant that resulted in the delivery of Cobalt Strike beacon malware as well as DLL side-loading to deliver a Chrysalis backdoor. Unit 42 also found that this threat activity is targeting more sectors and more regions than previously reported.
This campaign also affected the following sectors in South America, the U.S., Europe and Southeast Asia:
- Cloud hosting
- Energy
- Financial
- Government
- Manufacturing
- Software development
Notepad++ is a lightweight, open-source code editor and text replacement utility. This tool is widely favored for its speed, extensive plugin ecosystem and unique ability to handle massive data files while persisting sessions that users have not yet saved.
In enterprise environments, Notepad++ often serves as a foundational instrument for system administrators, network engineers and DevOps personnel. These personnel commonly use this tool to modify server configurations, parse heavy system logs and audit code on secure jump boxes where heavier applications are impractical.
This specific user demographic makes Notepad++ a strategically critical target for threat actors. Compromising this single tool allows attackers to effectively bypass perimeter defenses and piggyback into the sessions of the most privileged users in the organization, gaining implicit administrative access to the network's core infrastructure.
Palo Alto Networks customers receive protections from and mitigations for the activity discussed in this article in the following ways:
- Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious
- Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research
- Cortex Cloud helps detect and prevent the malicious operations or configuration alterations or exploitations discussed within this article
- Cortex XDR and XSIAM by employing the Malware Prevention Engine
- Next-Generation Firewall with the Advanced Threat Prevention is designed to defend networks against both commodity threats and targeted threats
The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
| Related Unit 42 Topics | DLL Sideloading, Backdoors, Supply Chain, Cobalt Strike |
Details of the Attack on Notepad++
This supply chain attack relied on exploiting insufficient verification controls in older versions of the Notepad++ updater, WinGUp. This exploitation allowed the threat group to redirect traffic to attacker-controlled servers.
When targeted victims attempted to update their software, they downloaded a malicious NSIS installer. This installer — often named update.exe — initiated a complex infection chain. This chain used DLL sideloading techniques and misused a legitimate Bitdefender component (BluetoothService.exe) to load a malicious library (log.dll) that decrypted and executed a custom backdoor. In another infection chain, attackers utilized an NSIS installer to execute a command to run a malicious Lua script to load Cobalt Strike Beacon.
This malware, called Chrysalis, employed advanced evasion techniques. These included:
- Using Microsoft Warbird code protection framework
- Custom API hashing to reduce antivirus detection
- Establishing persistent remote control over infected systems
Additional Exploitation Activity in This Campaign
Unit 42 observed evidence of two separate attack sequences:
- One in which a malicious NSIS installer drops a compiled Lua script containing an installer to download and execute a Cobalt Strike Beacon payload
- One in which attackers used DLL side-loading to inject the Chrysalis backdoor into memory
We observed additional activity dating between mid-August and November 2025 that was consistent with this exploitation activity. In an August incident, we observed communication with a command-and-control (C2) IP address 45.76.155[.]202. After days of C2 beacon traffic to this IP address, attackers shifted to a second C2 server at 45.77.31[.]210, with communication lasting until September.
In cases between September and November 2025, we observed activity consistent with outbound connections to a C2 server. These were followed by subsequent download requests for update.exe that are consistent with the reported Chrysalis backdoor. In some cases, download attempts were made to an IP address, whereas others were made to domains. Successful beacons to malicious servers occurred within seconds of successful download of the malicious payload and continued for an unspecified amount of time.
In September and October 2025, we observed a Lua script injection variant deploying malicious Lua scripts to inject shellcode. This attack used the EnumWindowStationsW API and resulted in the delivery of Cobalt Strike beacon malware. In this case, the download originated from:
- 45.76.155[.]202/update/update.exe
Separately, we also observed a Bluetooth DLL sideloading variant in the same case. This Lua variant uses Bluetooth service DLL sideloading techniques to deploy the Chrysalis backdoor. Download attempts for this variant were made from a different malicious server:
- 45.32.144[.]255/update/update.exe
Interim Guidance
Notepad++ recommends the following:
- Downloading version 8.9.1, which includes the relevant security enhancement
- Running the installer to update your Notepad++ manually
According to Notepad++, they have migrated their website to a new hosting provider with significantly stronger security practices.
Within Notepad++ itself, they enhanced the WinGup updater in v8.8.9 to verify both the certificate and the signature of the downloaded installer.
Additionally, they also note:
- The XML returned by the update server is now signed (XMLDSig)
- Certificate and signature verification will be enforced starting with the upcoming version 8.9.2, which they expect to release in about a month
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any signs of misuse or anomalous activity, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to assist with their investigations or hunting.
As the majority of activity likely occurred prior to December 2, we recommend reviewing data retention limits to determine if these queries will be effective in your environment. If available in your environment, you may consider using "cold storage" queries (cold_dataset = xdr_data) to query data beyond hot retention limits. Please note that running queries against cold storage will consume compute units.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
// Name: DLL sideloading via BYO application // Description: Identifies renamed Bitdefender utility loading a log.dll file // MITRE TTP ID: T1574.001 config case_sensitive = false | dataset = xdr_data | fields actor_process_signature_vendor, actor_process_signature_product, action_module_path, actor_process_image_path, actor_process_image_sha256, agent_os_type, event_type, event_id, agent_hostname, _time, actor_process_image_name | filter event_type = ENUM.LOAD_IMAGE and agent_os_type = ENUM.AGENT_OS_WINDOWS | filter actor_process_signature_vendor contains "Bitdefender SRL" and action_module_path contains "log.dll" | filter actor_process_image_path not contains "Program Files\Bitdefender" | filter not actor_process_image_name in ("eps.rmm64.exe", "downloader.exe", "installer.exe", "epconsole.exe", "EPHost.exe", "epintegrationservice.exe", "EPPowerConsole.exe", "epprotectedservice.exe", "DiscoverySrv.exe", "epsecurityservice.exe", "EPSecurityService.exe", "epupdateservice.exe", "testinitsigs.exe", "EPHost.Integrity.exe", "WatchDog.exe", "ProductAgentService.exe", "EPLowPrivilegeWorker.exe", "Product.Configuration.Tool.exe", "eps.rmm.exe") |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
// Name: Chrysalis Mutex // Description: Identifies a Mutex known to be related to the chrysalis backdoor malware // MITRE TTP ID: T1480.002 config case_sensitive = false | dataset = xdr_data | fields _time, agent_hostname, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, event_type, event_sub_type, action_syscall_string_params | filter event_type = ENUM.SYSTEM_CALL and event_sub_type = ENUM.SYSTEM_CALL_NT_CREATE_MUTANT | alter mutex = json_extract_scalar(action_syscall_string_params, "$.1") | filter mutex = "Global\\Jdhfv_1.0.1" |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
// Name: GUP.exe Writing Unusual Files to Temp Folder // Description: Detects cases where the Notepad++ updater (gup.exe) writes files to a temp folder that that deviate from the normal and expected. // MITRE TTP ID: T1036.005 config case_sensitive = false | dataset = xdr_data | fields _time, agent_hostname, event_type, event_sub_type, action_file_name, action_file_path, actor_effective_username, action_file_extension, action_file_previous_file_path, action_file_sha256, action_file_size, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, causality_actor_process_image_name, causality_actor_process_image_path, os_actor_primary_username, os_actor_process_command_line, os_actor_process_image_name, os_actor_process_image_path, agent_os_type | filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_WRITE | filter lowercase(actor_process_image_name) = "gup.exe" and action_file_sha256 != null | filter lowercase(actor_process_command_line) !~= "((\\notepad\+\+(?:_?x?\d+?)??|\\nppp?[\.\d]*?(?:portable)??(?:\.x64)??).*?\\plugins|-ihttps:\/\/notepad-plus-plus\.org\/update\/getdownloadurl\.php)" and lowercase(action_file_path) ~= "(\\appdata\\local\\temp\\|\\windows\\temp)" and lowercase(action_file_name) !~= "(npp[\.\d]+?installer)" | sort desc _time |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
// Name: GUP.exe Downloading Improperly Signed Installer // MITRE TTP ID: T1036.001 config case_sensitive = false | dataset = xdr_data | fields _time, agent_hostname, event_type, event_sub_type, action_process_username, action_process_user_sid, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, action_process_os_pid, action_process_cwd, action_process_file_info, action_process_file_size, action_process_file_web_mark, action_process_signature_vendor, action_process_signature_product, action_process_signature_status, actor_effective_username, actor_effective_user_sid, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, actor_process_signature_product, actor_process_signature_status, causality_actor_primary_username, causality_actor_process_image_name, causality_actor_process_image_path, causality_actor_process_command_line, os_actor_primary_username, os_actor_process_image_name, os_actor_process_image_path, os_actor_process_image_command_line, os_actor_process_image_sha256, action_process_instance_id, actor_process_instance_id, causality_actor_process_instance_id, agent_os_type, agent_id | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and _product = "XDR agent" and _vendor = "PANW" | filter lowercase(actor_process_image_name) = "gup.exe" and actor_process_signature_status not in (null, ENUM.UNSUPPORTED, ENUM.FAILED_TO_OBTAIN ) and action_process_signature_status not in (null, ENUM.UNSUPPORTED, ENUM.FAILED_TO_OBTAIN ) and action_process_image_sha256 not in ( "71431fa7b66f8132453e18e3a5f8ef0af3ca079a7793f828df06fdb5d7bd915d", "2dd5473736ef51e4340cae005e3fc8cdf0e42ec649bc6ed186484a79be409928", "a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15", "e22abc9af328d063e652f0829819124a6a748c224bc8b10f98473f87cda2c0cd", "61c3077b989e272117167c90fc35e7f06bea4f992f3395b40ccee083d7258082", "49d2531893b09cb6a8e3429ca0a734e871a2d96fa2575c0eec3229d383fa233a", "32aa12d3c9521477a5a1e086e400ec0f77f8a97a8190806a0f1953688b883cfb", "8117c82a3821965d92ee3f9f3ae10efcd602bd4b6e52a2fe957d70aafe479744", "05abc57952974d08feafa399d6fdb37945a3fd0a10f37833dd837a5788e421d5", "c6d1e5aacbf69aa18df4caf1346fd69638491a5ad0085729bae91c662d1c62bb", "e1df78704001bba1a3d343f62a1242a4484ff6ad269170714263c03b802eb0b1", "7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd" ) | filter lowercase(action_process_image_name) ~= "(npp[\.\d]+?installer)" | dedup agent_id by desc _time | filter action_process_signature_status != ENUM.SIGNED or lowercase(action_process_signature_vendor) != "notepad++" | sort desc _time |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
// Name: GUP.exe Spawning Unusual Subprocesses // Description: Detects cases where the Notepad++ updater (gup.exe) spawns child processes that deviate from the normal and expected. // MITRE TTP ID: T1202 config case_sensitive = false | dataset = xdr_data | fields _time, agent_hostname, event_type, event_sub_type, action_process_username, action_process_user_sid, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, action_process_os_pid, action_process_cwd, action_process_file_info, action_process_file_size, action_process_file_web_mark, action_process_signature_vendor, action_process_signature_product, action_process_signature_status, actor_effective_username, actor_effective_user_sid, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, actor_process_signature_product, actor_process_signature_status, causality_actor_primary_username, causality_actor_process_image_name, causality_actor_process_image_path, causality_actor_process_command_line, os_actor_primary_username, os_actor_process_image_name, os_actor_process_image_path, os_actor_process_image_command_line, os_actor_process_image_sha256, action_process_instance_id, actor_process_instance_id, causality_actor_process_instance_id, agent_os_type, agent_id | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START | filter lowercase(actor_process_image_name) = "gup.exe" | filter lowercase(action_process_image_name) !~= "(npp[\.\d]+?installer|consent\.exe|explorer\.exe|werfault\.exe|smartscreen\.exe|adminbyrequest\.exe|openwith\.exe)" and lowercase(action_process_image_command_line) !~= "(https:\/\/notepad-plus-plus\.org\/|https:\/\/npp-user-manual\.org\/)" and lowercase(actor_process_command_line) !~= "(\\notepad\+\+\\plugins|https:\/\/notepad-plus-plus\.org\/)" | sort desc _time |
Conclusion
This campaign marks a notable evolution in the operational tradecraft of threat actors of this type, representing a pivot from broad infrastructure pre-positioning to highly targeted “soft” supply chain interdiction. Recent campaigns from groups like Volt Typhoon and Salt Typhoon have focused primarily on compromising critical infrastructure backbones and edge devices, relying on living-off-the-land techniques and minimal malware. This operation instead illuminates a distinct strategic priority of focusing on administrative keyholders.
Hijacking the traffic flow of a trusted utility rather than injecting code into the software build pipeline allowed the threat actors to weaponize their delivery mechanism without alerting the vendor. This adversary-in-the-middle (AitM) capability allowed for dynamic fingerprinting of incoming update requests, enabling for highly selective filtering of priority targets.
This campaign is not focused on disruption, but on long-term valuable intelligence. This is illustrated by the combination of the threat actor’s selective victimology — focused on system administrators and developers in many geopolitically strategic regions — and their choice to use a lightweight backdoor with a low-profile.
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.
Palo Alto Networks Product Protections
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 000 800 050 45107
- South Korea: +82.080.467.8774
Advanced WildFire
Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
Next-Generation Firewalls With Advanced Threat Prevention
Next-Generation Firewall with the Advanced Threat Prevention is designed to defend networks against both commodity threats and targeted threats.
Cloud-Delivered Security Services for the Next-Generation Firewall
Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious.
Cortex XDR and XSIAM
Cortex XDR and XSIAM help to prevent the threats described in this article by employing the Malware Prevention Engine. This approach combines several layers of protection, including Advanced WildFire, Behavioral Threat Protection and the Local Analysis module, to prevent both known and unknown malware from causing harm to endpoints.
Cortex Cloud
Organizations using Cortex Cloud, such as those within the cloud hosting industry which were actively targeted during this campaign, are better protected from the downloading and execution of the malware mentioned within this article through the proper placement of Cortex Cloud XDR endpoint agent and serverless agents within a cloud environment.
Designed to protect a cloud’s posture and runtime operations against these threats, Cortex Cloud helps detect and prevent the malicious operations or configuration alterations or exploitations discussed within this article.
Indicators of Compromise
- 1f6d28370f4c2b13f3967b38f67f77eee7f5fba9e7743b6c66a8feb18ae8f33e
- a3cf1c86731703043b3614e085b9c8c224d4125370f420ad031ad63c14d6c3ec
- a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
- skycloudcenter[.]com
- self-dns[.]it[.]com
- safe-dns[.]it[.]com
- cdncheck[.]it[.]com
- 95[.]179[.]213[.]0
- 45[.]76[.]155[.]202
- 45[.]77[.]31[.]210
- 61[.]4[.]102[.]97
- 59[.]110[.]7[.]32
- 95[.]179[.]213[.]0/update/AutoUpdater.exe
- 95[.]179[.]213[.]0/update/Upgrade.exe
- 45[.]32[.]144[.]255/update/update.exe
- 45[.]76[.]155[.]202/update/update.exe
- 59[.]110[.]7[.]32/dpixel
- self-dns[.]it[.]com/help/Get-Start
- self-dns[.]it[.]com/resolve
- self-dns[.]it[.]com/dns-query
- safe-dns[.]it[.]com/help/Get-Start
- safe-dns[.]it[.]com/resolve
- safe-dns[.]it[.]com/dns-query
Table of Contents
Related Malware Resources
Threat Research
Threat Actor Groups
High Profile Threats
Get updates from Unit 42 