What to Know About the Notepad++ Supply-Chain Attack
Blog
What to Know About the Notepad++ Supply-Chain Attack
In this post we examine the mechanics of the CVE-2025-15556 supply-chain attack and provide actionable steps to secure your environment.
Table Of Contents
The cybersecurity community is still grappling with a sobering realization: one of the most ubiquitous tools in the developer’s toolkit, Notepad++, was hiding a critical vulnerability for over six months. Being so deeply embedded in daily workflows, many organizations did not realize they were vulnerable until a recent security update pulled back the curtain on a sophisticated Chinese state-sponsored campaign, dubbed “Lotus Blossom.”
Investigations have confirmed that the issue wasn’t just a coding error, it was a compromise at the hosting provider level. This means that for much of 2025, even organizations that followed best practices were still potentially open to backdoors from Chinese advanced persistent threat (APT) groups. Here is what you need to know to secure your environment.
Understanding the Notepad++ Vulnerability (CVE-2025-15556)
The vulnerability, tracked as CVE-2025-15556 (VulnDB ID: 430205), exploits a critical flaw in the Notepad++ updater component, WinGUP. In versions prior to the February 2026 patch, the updater failed to verify the file integrity signatures of downloaded installers.
By exploiting this lack of verification, threat actors are able to:
- Intercept legitimate update requests originating from WinGUp servers
- Redirect traffic to malicious servers via Man-in-the-Middle (MitM) attacks or DNS cache poisoning
- Deliver trojanized executables (disguised as update.exe) that appeared to be legitimate software patches
Leveraging this vulnerability, attackers have gained a persistent presence in high-value sectors. According to reports from Kaspersky, the impact has spanned government and telecommunications, critical infrastructure, and financial services.
How CVE-2025-15556 Works
The Lotus Blossom campaign was executed in three attack chains, between July and October 2025. Each phase evolved to evade detection by changing file sizes, IP addresses, and delivery methods.
| Phase | Timeline (2025) | Execution Method | Payload |
|---|---|---|---|
| Chain #1 | July – August | 1MB NSIS installer (update.exe) | Multi-stage attack launching a Cobalt Strike beacon via ProShow.exe. |
| Chain #2 | September | 140KB NSIS installer (update.exe) | Rotated C2 URLs to maintain stealth while dropping a Cobalt Strike beacon. |
| Chain #3 | October | Backdoor Deployment | Dropped BluetoothService.exe, log.DLL, and shellcode to establish the Chrysalis backdoor. |
Mapping CVE-2025-15556 to MITRE ATT&CK
Flashpoint has mapped Lotus Blossom TTPs (tactics, tools, and procedures) to the MITRE ATT&CK framework. Flashpoint analysts have identified the following techniques:
Execution
| Technique Title | ID | Recommendations |
|---|---|---|
| User Execution: Malicious File | T1204.002 | M1040: Behavior Prevention on Endpoint M1038: Execution Prevention M1017: User Training |
| Native API | T1106 | M1040: Behavior Prevention on Endpoint M1038: Execution Prevention |
| Command and Scripting Interpreter: Windows Command Shell | T1059.003 | M1038: Execution Prevention |
Persistence
| Technique Title | ID | Recommendations |
|---|---|---|
| Hijack Execution Flow: DLL | T1574.002 | M1013: Application Developer Guidance M1047: Audit M1038: Execution Prevention M1044: Restrict Library Loading M1051: Update Software |
| Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | *MITRE currently does not list any mitigation guidance to combat this attack technique. |
| Create or Modify System Process: Windows Service | T1543.003 | M1047: Audit M1040: Behavior Prevention on Endpoint M1045: Code Signing M1028: Operating System Configuration M1018: User Account Management |
Defense Evasion
| Technique Title | ID | Recommendations |
|---|---|---|
| Masquerading | T1036 | M1049: Antivirus/Antimalware M1047: Audit M1040: Behavior Prevention on Endpoint M1045: Code Signing M1038: Execution Prevention M1022: Restrict File and Directory Permissions M1018: User Account Management M1017: User Training |
| Obfuscated Files or Information | T1027 | M1049: Antivirus/Antimalware M1047: Audit M1040: Behavior Prevention on Endpoint M1017: User Training |
| Obfuscated Files or Information: Dynamic API Resolution | T1027.007 | *MITRE currently does not list any mitigation guidance to combat this attack technique. |
| Deobfuscate/Decode Files or Information | T1140 | *MITRE currently does not list any mitigation guidance to combat this attack technique. |
| Process Injection | T1055 | M1040: Behavior Prevention on Endpoint M1026: Privileged Account Management |
| Reflective Code Loading | T1620 | *MITRE currently does not list any mitigation guidance to combat this attack technique. |
| Execution Guardrails: Mutual Exclusion | T1480.002 | M1055: Do Not Mitigate |
| Indicator Removal: File Deletion | T1070.004 | *MITRE currently does not list any mitigation guidance to combat this attack technique. |
Discovery
| Technique Title | ID | Recommendations |
|---|---|---|
| File and Directory Discovery | T1083 | *MITRE currently does not list any mitigation guidance to combat this attack technique. |
| Ingress Tool Transfer | T1105 | M1031: Network Intrusion Prevention |
Collection
Command and Control
| Technique Title | ID | Recommendations |
|---|---|---|
| Application Layer Protocol: Web Protocols | T1071.001 | M1031: Network Intrusion Prevention |
| Encrypted Channel | T1573 | M1031: Network Intrusion Prevention M1020: SSL/TLS Inspection |
Exfiltration
| Technique Title | ID | Recommendations |
|---|---|---|
| Exfiltration Over C2 Channel | T1041 | M1057: Data Loss Prevention M1031: Network Intrusion Prevention |
Protecting Against CVE-2025-15556
Proactive defense requires not only reactive patching of CVE-2025-15556, but also active threat hunting using the TTPs identified by Flashpoint analysts. Flashpoint recommends the following actions:
- Immediate Update: Ensure all instances of Notepad ++ are updated to v8.9.1 or higher immediately. This version enforces the signature verification that was missing in previous releases.
- Audit System Paths: Scan for malicious file paths used for persistence.
- Network Defense: Monitor and block traffic to malicious domains.
- Endpoint Hardening: Implement Behavior Prevention on Endpoints (M1040) and Audit (M1047) to detect unauthorized registry run keys or new system services.
Outpace Threat Actors Using Flashpoint
Software trust is only as strong as the infrastructure behind it. As organizations respond to these recent updates, having best-in-class vulnerability intelligence and direct visibility into threat actor TTPs is the best defense.
Leveraging Flashpoint vulnerability intelligence, organizations can move beyond CVE and NVD, by gaining deeper technical analysis and MITRE ATT&CK mapping to defend against sophisticated threat actors. Request a demo to learn more.
Begin your free trial today.
The post What to Know About the Notepad++ Supply-Chain Attack appeared first on Flashpoint.
*** This is a Security Bloggers Network syndicated blog from Threat Intelligence Blog | Flashpoint authored by Flashpoint. Read the original post at: https://flashpoint.io/blog/what-to-know-about-the-notepad-supply-chain-attack/
