Between June and December 2025, state-sponsored hackers compromised Notepad++ hosting infrastructure to selectively redirect update traffic and deploy the Chrysalis backdoor to targeted organizations — demonstrating how supply chain attacks exploit the trust placed in routine software updates.
SCYTHE · SCYTHE Threat Intelligence · April 2026 · 8 min read
Threat Actor: Lotus Blossom
Your IT team sees a Notepad++ update notification. It looks legitimate: proper branding, expected version numbers, familiar installer interface. They approve the deployment. Within minutes, persistent backdoor access has been established across your network through a sophisticated multi-stage attack that exploits Windows' own loading mechanisms. The software your teams trust most just became another security blind spot.
Key Insight
Supply chain attacks don't exploit software vulnerabilities — they exploit trust. Malicious updates bypass suspicion because they're doing exactly what security policies require.
The Lotus Blossom Campaign
Lotus Blossom (also tracked as Raspberry Typhoon and Lotus Panda) is a sophisticated state-sponsored threat group active since at least 2009, targeting government entities, defense contractors, telecommunications providers, and critical infrastructure across Southeast Asia and more recently Central America. What sets the Notepad++ campaign apart isn't just their technical capabilities; it's the six-month window they maintained access to compromised infrastructure while selectively targeting specific organizations.
Rather than targeting individual systems, Lotus Blossom invested resources in compromising the shared hosting infrastructure serving widely-deployed legitimate applications. The Notepad++ attack demonstrates their evolution from opportunistic exploitation to calculated supply chain manipulation, turning trusted software vendors into unwitting distribution channels for espionage operations.
The Attack: Their Step-By-Step Approach and Why It Works
The Notepad++ maintainer's investigation revealed that attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls in older versions. Here's how the attack unfolded:
Phase 1 — The Infrastructure Compromise
Attackers compromised the shared hosting server serving Notepad++ updates between June and December 2025. The persistence is what made this dangerous: even after server patches blocked direct access in September, they maintained credentials to internal services until December.
This allowed them to selectively redirect update traffic from targeted organizations to their malicious server at 95.179.213.0. Users saw familiar branding, expected version numbers, and professional installer interfaces. Nothing raised suspicion.
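The redirect worked because older clients fetched and ran whatever the update host returned. The following is an added example, not SCYTHE's code and not the Notepad++ updater, of the two checks an update client can apply so that a redirected or modified installer is refused: the download origin must be on a host allowlist over HTTPS, and the installer bytes must match a SHA-256 value pinned out of band. The host name, manifest and installer bytes are constructed placeholders; only the redirect address 95.179.213.0 comes from the write-up.

```python
"""Added example: refuse a redirected or tampered update before installing it.
Assumes a manifest of expected SHA-256 hashes obtained out of band (for example
pinned at build time or fetched from a separately signed channel) and an
allowlist of download hosts. All names and hashes below are constructed."""
import hashlib
from urllib.parse import urlparse

# Constructed allowlist: the only origins the updater may download from.
ALLOWED_UPDATE_HOSTS = {"updates.example-vendor.invalid"}

# Constructed manifest: version -> expected SHA-256 of the installer.
# This must never come from the same server that serves the binary,
# otherwise a compromised host can rewrite both.
PINNED_HASHES = {
    "8.8.7": hashlib.sha256(b"constructed genuine installer bytes").hexdigest(),
}


def check_download_origin(url: str) -> list[str]:
    """Reject a download URL that is not HTTPS or whose host is not allowlisted.
    A selective redirect to an attacker server (95.179.213.0 in this campaign)
    fails on both counts."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"scheme {parsed.scheme!r} is not https")
    if parsed.hostname not in ALLOWED_UPDATE_HOSTS:
        problems.append(f"host {parsed.hostname!r} not in allowlist")
    return problems


def check_installer_hash(version: str, installer: bytes) -> list[str]:
    """Compare the downloaded bytes against the pinned hash for this version."""
    expected = PINNED_HASHES.get(version)
    if expected is None:
        return [f"no pinned hash for version {version!r}"]
    actual = hashlib.sha256(installer).hexdigest()
    if actual != expected:
        return [f"hash mismatch: expected {expected[:12]}..., got {actual[:12]}..."]
    return []


def verify_update(url: str, version: str, installer: bytes) -> list[str]:
    """Run every check; an empty list means the installer may be executed."""
    return check_download_origin(url) + check_installer_hash(version, installer)


if __name__ == "__main__":
    genuine = b"constructed genuine installer bytes"
    tampered = b"constructed installer with backdoor appended"
    print(verify_update("https://updates.example-vendor.invalid/8.8.7/update.exe", "8.8.7", genuine))
    print(verify_update("http://95.179.213.0/8.8.7/update.exe", "8.8.7", tampered))
```

The hash check alone is not enough: if the manifest travels over the same compromised channel, the attacker rewrites it along with the installer. The value of the pattern is that the allowlist and the manifest are decided before the download starts, so a server that was quietly taken over cannot change the rules the client applies to its output.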
Phase 2 — The Silent Deployment
The malicious NSIS installer (update.exe) executes silently with no user interaction. It creates a directory at %AppData%\Roaming\Bluetooth and sets the HIDDEN attribute to avoid casual discovery.
Three components drop into this folder:
| File | Purpose |
| --- | --- |
| BluetoothService.exe | Renamed legitimate Bitdefender binary, used for DLL sideloading |
| log.dll | Malicious loader with exports LogInit and LogWrite |
| BluetoothService | Encrypted backdoor payload, no file extension |
To security tools, this looks like normal software deployment behavior.
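The drop does have a recognisable shape on disk, even if each file looks ordinary on its own: an executable, a DLL carrying a well-known system-DLL name sitting next to it, and an extension-less blob, all in one directory under the roaming profile. The following is an added hunting script, not SCYTHE's code, that walks a directory tree and flags that combination; it builds a constructed mock of the drop in a temporary directory so it runs offline. In production the scan root would be the value of the APPDATA environment variable. The hidden-attribute check uses the Windows-only `st_file_attributes` field and is skipped elsewhere.

```python
"""Added example: hunt for the on-disk shape of the Phase 2 drop.
Flags any directory holding an .exe, a DLL with a commonly sideloaded name and
an extension-less file. The sample tree is constructed; names match the
write-up (BluetoothService.exe, log.dll, BluetoothService)."""
import os
import tempfile
from pathlib import Path

# DLL names frequently abused for sideloading: a legitimate binary resolves
# them by name from its own directory before it ever reaches System32.
SIDELOAD_DLL_NAMES = {"log.dll", "version.dll", "winmm.dll"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit


def is_hidden(path: Path) -> bool:
    """Windows-only check of the HIDDEN attribute; False on other platforms."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return False
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def score_directory(directory: Path) -> list[str]:
    """Return the reasons a directory matches the drop pattern (empty if none)."""
    names = [p.name for p in directory.iterdir() if p.is_file()]
    exes = [n for n in names if n.lower().endswith(".exe")]
    dlls = [n for n in names if n.lower() in SIDELOAD_DLL_NAMES]
    bare = [n for n in names if "." not in n]
    reasons = []
    if exes and dlls:
        reasons.append(f"sideload pair: {exes[0]} + {dlls[0]}")
    if exes and bare:
        reasons.append(f"extension-less payload candidate: {bare[0]}")
    if reasons and is_hidden(directory):
        reasons.append("directory has HIDDEN attribute")
    return reasons


def hunt(root: Path) -> dict[str, list[str]]:
    """Walk root and collect every directory that matches at least one pattern."""
    findings = {}
    for dirpath, _dirs, _files in os.walk(root):
        d = Path(dirpath)
        reasons = score_directory(d)
        if reasons:
            findings[str(d.relative_to(root))] = reasons
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed mock of the drop plus a benign neighbour, for offline runs."""
    drop = root / "Bluetooth"
    drop.mkdir()
    for name in ("BluetoothService.exe", "log.dll", "BluetoothService"):
        (drop / name).write_bytes(b"placeholder")
    benign = root / "Code"
    benign.mkdir()
    (benign / "settings.json").write_text("{}")


def run_demo() -> dict[str, list[str]]:
    """Build the mock tree in a temp dir and return the hunt findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return hunt(root)


if __name__ == "__main__":
    # Real use: hunt(Path(os.environ["APPDATA"]))
    for directory, why in run_demo().items():
        print(directory, "->", "; ".join(why))
```

Expect some legitimate hits: portable applications and per-user installers also ship an .exe beside a version.dll. The value is in the combination with an extension-less file and a hidden directory, and in diffing results over time so that a directory that appeared in the same week as an update rollout stands out.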
Phase 3 — The Decryption Chain
BluetoothService.exe launches and loads log.dll from the same directory, exploiting Windows' DLL search order to hijack execution. This is classic DLL sideloading: a legitimate binary loading a malicious library.
The malicious DLL decrypts the backdoor using custom encryption, then employs sophisticated techniques to hide which Windows functions it's calling. Once decrypted, the Chrysalis backdoor executes directly in memory, leaving minimal forensic artifacts on disk.
Phase 4 — Command and Control
The Chrysalis backdoor establishes dual persistence through both a Windows service (BluetoothUserService) and registry run keys, using a mutex to prevent duplicate infections.
For command and control, it connects to api.skycloudcenter.com using a URL structure that mimics Deepseek AI chat endpoints (/a/chat/s/{GUID}). This makes the malicious traffic blend in with legitimate AI service usage.
The backdoor fingerprints the victim system and provides full remote access: interactive shell, file operations, process creation, and arbitrary command execution across 16 distinct commands.
Complete Attack Chain
| Phase | Name | Key Techniques |
| --- | --- | --- |
| Phase 1 | Infrastructure Compromise | Shared hosting compromise │ Selective update redirection │ 6-month persistence │ Server 95.179.213.0 |
| Phase 2 | Silent Deployment | NSIS installer (update.exe) │ Hidden %AppData%\Roaming\Bluetooth │ 3-file drop │ Legitimate Bitdefender binary |
| Phase 3 | Decryption Chain | DLL sideloading via log.dll │ Custom decryption │ API hiding │ In-memory execution |
| Phase 4 | Command & Control | Dual persistence (service + registry) │ api.skycloudcenter.com │ Deepseek URL mimicry │ 16 C2 commands |
The Threat
Why Supply Chain Attacks Are Different
Exploiting Trust at Scale
Unlike traditional attacks that target individual vulnerabilities, supply chain compromises exploit the most fundamental aspect of organizational security: trust. The Lotus Blossom Notepad++ campaign demonstrates three compounding risks:
Extended Reach
A compromised update server can reach multiple organizations over extended periods. In this case, attackers maintained access for six months while delivering malware through channels security teams are trained to trust.
Trusted Vectors
Security teams actively encourage software updates for legitimate security reasons. Malicious updates bypass suspicion because they're doing exactly what security policies require.
Detection Difficulty
The attack uses techniques common in legitimate software, making detection difficult without significant false positives.
The technical sophistication serves the supply chain strategy. Each technique exploits behaviors security teams must allow for legitimate business software, making the attack chain nearly invisible within normal operations.
Your Action Plan
The Notepad++ maintainer noted that attackers specifically targeted the Notepad++ domain with the goal of exploiting insufficient update verification controls, maintaining infrastructure access for six months while selectively redirecting update traffic.
Indicators of Compromise — Network
| Type | Value |
| --- | --- |
| C2 Domain | api.skycloudcenter.com (61.4.102.97) |
| C2 URL Pattern | /a/chat/s/{GUID} (mimics Deepseek AI endpoints) |
| Malicious Update Server | 95.179.213.0 |
Indicators of Compromise — Files & Directories
| Type | Value |
| --- | --- |
| Directory | %AppData%\Roaming\Bluetooth with HIDDEN attribute |
| Binary | BluetoothService.exe (renamed legitimate Bitdefender Submission Wizard) |
| Loader | log.dll with exports LogInit and LogWrite |
| Encrypted Payload | BluetoothService (no extension) |
Indicators of Compromise — Persistence
| Type | Value |
| --- | --- |
| Windows Service | BluetoothUserService |
| Mutex | Global\Jdhfv_1.0.1 |
| Registry Run Keys | Pointing to %AppData%\Roaming\Bluetooth\BluetoothService.exe |
General Detection Patterns
Detection Guidance
• Executables in %AppData%\Roaming creating Windows services
• System DLLs (log.dll, version.dll, winmm.dll) loaded from application directories instead of System32
• Network connections to domains mimicking legitimate AI/cloud services from user-directory executables
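The three patterns above, together with the Phase 4 C2 behaviour (the /a/chat/s/{GUID} path and the api.skycloudcenter.com indicator), translate directly into rules over endpoint telemetry. The following is an added example, not SCYTHE's detection rules, that runs those rules over constructed Sysmon-style events. The event shape (plain dictionaries with `event`, `image`, `loaded`, `service`, `dest_host`, `dest_ip`, `url` keys) is a simplified assumption rather than the real Sysmon schema, and the keyword list used to spot AI/cloud look-alike hosts is an assumption to be tuned per estate; the indicator values are the ones listed in this write-up.

```python
"""Added example: the detection guidance as rules over constructed telemetry.
Event dictionaries are a simplified stand-in for Sysmon events (service
install, image load, network connection). Indicator values are from the
write-up; sample events are constructed."""
import re
from pathlib import PureWindowsPath

SIDELOAD_DLL_NAMES = {"log.dll", "version.dll", "winmm.dll"}
SYSTEM_DLL_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumed keyword list for "domains mimicking AI/cloud services"; tune locally.
AI_CLOUD_KEYWORDS = ("deepseek", "openai", "chatgpt", "gpt", "cloud")
# Network indicators listed in the write-up.
KNOWN_C2_HOSTS = {"api.skycloudcenter.com", "61.4.102.97", "95.179.213.0"}
# Phase 4 URL structure: /a/chat/s/{GUID}
C2_PATH_RE = re.compile(r"^/a/chat/s/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def in_user_dir(image: str) -> bool:
    """True when the process image lives under a user profile."""
    low = image.lower()
    return low.startswith("c:\\users\\") or "\\appdata\\" in low


def rule_service_from_user_dir(ev):
    """Pattern 1: a Windows service whose binary sits in a user directory."""
    if ev["event"] == "service_install" and in_user_dir(ev["image"]):
        return f"service {ev['service']!r} installed from user-dir binary {ev['image']}"
    return None


def rule_sideloaded_system_dll(ev):
    """Pattern 2: a system-named DLL loaded from outside System32/SysWOW64."""
    if ev["event"] != "image_load":
        return None
    loaded = PureWindowsPath(ev["loaded"])
    if loaded.name.lower() in SIDELOAD_DLL_NAMES and str(loaded.parent).lower() not in SYSTEM_DLL_DIRS:
        return f"{loaded.name} loaded from {loaded.parent} by {ev['image']}"
    return None


def rule_c2_mimicry(ev):
    """Pattern 3: user-dir executable talking to a known C2 or an AI/cloud look-alike."""
    if ev["event"] != "network" or not in_user_dir(ev["image"]):
        return None
    host = ev["dest_host"].lower()
    reasons = []
    if host in KNOWN_C2_HOSTS or ev.get("dest_ip") in KNOWN_C2_HOSTS:
        reasons.append("known C2 indicator")
    if C2_PATH_RE.match(ev.get("url", "")):
        reasons.append("Deepseek-style /a/chat/s/{GUID} path")
    if any(k in host for k in AI_CLOUD_KEYWORDS):
        reasons.append("AI/cloud look-alike host")
    if reasons:
        return f"{ev['image']} -> {host}: " + ", ".join(reasons)
    return None


RULES = (rule_service_from_user_dir, rule_sideloaded_system_dll, rule_c2_mimicry)


def analyze(events):
    """Return (event index, rule name, message) for every rule that fires."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((i, rule.__name__, msg))
    return alerts


DROP_EXE = r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe"
# Constructed sample telemetry: three malicious events, three benign ones.
SAMPLE_EVENTS = [
    {"event": "service_install", "image": DROP_EXE, "service": "BluetoothUserService"},
    {"event": "image_load", "image": DROP_EXE, "loaded": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll"},
    {"event": "image_load", "image": r"C:\Program Files\Editor\editor.exe", "loaded": r"C:\Windows\System32\version.dll"},
    {"event": "network", "image": DROP_EXE, "dest_host": "api.skycloudcenter.com", "dest_ip": "61.4.102.97",
     "url": "/a/chat/s/0f8fad5b-d9cb-469f-a165-70867728950e"},
    {"event": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "chat.deepseek.com"},
    {"event": "service_install", "image": r"C:\Windows\System32\svchost.exe", "service": "W32Time"},
]


def run_demo():
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for index, rule_name, message in run_demo():
        print(f"event {index} [{rule_name}] {message}")
```

Pattern 3 is the noisiest of the three: per-user installs such as chat clients also live under AppData and legitimately talk to cloud hosts. Treat it as a hunting query to be paired with an allowlist of known per-user applications, while the service-install and sideload rules are precise enough to alert on directly.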
The Bottom Line
The Lotus Blossom Notepad++ campaign demonstrates that supply chain attacks remain a persistent and evolving threat to organizations. The question isn't whether your trusted software could be compromised; it's whether you can detect it when it happens.
Your security posture must evolve beyond trusting vendor relationships. Every software update is now a potential attack vector, and the most dangerous threats will arrive through channels you're trained to trust.
SCYTHE Emulation Available
SCYTHE customers can access the Lotus Blossom Notepad++ supply chain attack emulation package and detection rules in the Knowledge Base to safely test your defenses and enhance incident response readiness.
Do you think you can detect a supply chain compromise? Try it with SCYTHE — book your demo here.
Further Resources
Threat Intelligence & Analysis
• The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit — Rapid7 Labs
• Notepad++ Supply Chain Attack Technical Analysis — Kaspersky
• Notepad++ Hijacked by State-Sponsored Hackers — Official Incident Report from Notepad++ Maintainer