What to Know About the Notepad++ Supply-Chain Attack
In this post we examine the mechanics of the CVE-2025-15556 supply-chain attack and provide actionable steps to secure your environment.
February 26, 2026
The cybersecurity community is still grappling with a sobering realization: one of the most ubiquitous tools in the developer’s toolkit, Notepad++, was hiding a critical vulnerability for over six months. Because the editor is so deeply embedded in daily workflows, many organizations did not realize they were exposed until a recent security update pulled back the curtain on a sophisticated Chinese state-sponsored campaign, dubbed “Lotus Blossom.”
Investigations have confirmed that the issue was not just a coding error: it was a compromise at the hosting provider level. This means that for much of 2025, even organizations that followed best practices were still potentially open to backdoors from Chinese advanced persistent threat (APT) groups. Here is what you need to know to secure your environment.
Understanding the Notepad++ Vulnerability (CVE-2025-15556)
The vulnerability, tracked as CVE-2025-15556 (VulnDB ID: 430205), is a critical flaw in the Notepad++ updater component, WinGUP. In versions prior to the February 2026 patch, the updater failed to verify the file integrity signatures of downloaded installers.
By exploiting this lack of verification, threat actors are able to:
Intercept legitimate update requests to the WinGUP servers
Redirect traffic to malicious servers via Man-in-the-Middle (MitM) attacks or DNS cache poisoning
Deliver trojanized executables (disguised as update.exe) that appear to be legitimate software patches
Leveraging this vulnerability, attackers have gained a persistent presence in high-value sectors. According to reports from Kaspersky, the impact has spanned government and telecommunications, critical infrastructure, and financial services.
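What the missing check looks like from the defender's side, as an added example that is not WinGUP's code: a PowerShell gate that refuses to launch a downloaded installer unless its Authenticode signature is valid and chains to the expected publisher, with an optional pinned hash. The publisher subject string and the pinned SHA-256 are placeholders you would supply from a trusted, out-of-band channel.

```powershell
# Added example (not WinGUP code): only run a downloaded installer after its
# Authenticode signature is valid AND the signer is the publisher we expect.
# $ExpectedSubject is a placeholder; set it to the publisher string you trust.
function Test-InstallerTrusted {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject,   # e.g. 'CN=<publisher placeholder>'
        [string] $ExpectedSha256                             # optional hash pinned from a trusted channel
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $false }

    # 1. The signature must chain to a trusted root: 'NotSigned' and 'HashMismatch' both fail here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejecting $Path : signature status is $($sig.Status)"
        return $false
    }
    # 2. A valid signature from the wrong signer is still an attacker-controlled binary.
    if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        Write-Warning "Rejecting $Path : signer is $($sig.SignerCertificate.Subject)"
        return $false
    }
    # 3. Optional hash pin: catches a substituted file when a hash was published out of band.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            Write-Warning "Rejecting $Path : SHA-256 $actual does not match the pinned value"
            return $false
        }
    }
    return $true
}

# Usage: the installer is launched only when every check above passes.
$installer = Join-Path $env:TEMP 'update.exe'
if (Test-InstallerTrusted -Path $installer -ExpectedSubject 'CN=<publisher placeholder>') {
    Start-Process -FilePath $installer -Wait
} else {
    Write-Error "Update rejected; do not execute $installer"
}
```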
How CVE-2025-15556 Works
The Lotus Blossom campaign was executed in three attack chains between July and October 2025. Each phase evolved to evade detection by changing file sizes, IP addresses, and delivery methods.
| Phase | Timeline (2025) | Execution Method | Payload |
| --- | --- | --- | --- |
| Chain #1 | July – August | 1MB NSIS installer (update.exe) | Multi-stage attack launching a Cobalt Strike beacon via ProShow.exe. |
| Chain #2 | September | 140KB NSIS installer (update.exe) | Rotated C2 URLs to maintain stealth while dropping a Cobalt Strike beacon. |
| Chain #3 | October | Backdoor Deployment | Dropped BluetoothService.exe, log.DLL, and shellcode to establish the Chrysalis backdoor. |
Mapping CVE-2025-15556 to MITRE ATT&CK
Flashpoint has mapped Lotus Blossom TTPs (tactics, techniques, and procedures) to the MITRE ATT&CK framework. Flashpoint analysts have identified the following techniques:
Execution

| Technique Title | ID | Recommendations |
| --- | --- | --- |
| User Execution: Malicious File | T1204.002 | M1040: Behavior Prevention on Endpoint; M1038: Execution Prevention; M1017: User Training |
| Native API | T1106 | M1040: Behavior Prevention on Endpoint; M1038: Execution Prevention |
| Command and Scripting Interpreter: Windows Command Shell | T1059.003 | M1038: Execution Prevention |

Persistence

| Technique Title | ID | Recommendations |
| --- | --- | --- |
| Hijack Execution Flow: DLL | T1574.002 | M1013: Application Developer Guidance; M1047: Audit; M1038: Execution Prevention; M1044: Restrict Library Loading; M1051: Update Software |
| Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | None listed* |
| Create or Modify System Process: Windows Service | T1543.003 | M1047: Audit; M1040: Behavior Prevention on Endpoint; M1045: Code Signing; M1028: Operating System Configuration; M1018: User Account Management |

Defense Evasion

| Technique Title | ID | Recommendations |
| --- | --- | --- |
| Masquerading | T1036 | M1049: Antivirus/Antimalware; M1047: Audit; M1040: Behavior Prevention on Endpoint; M1045: Code Signing; M1038: Execution Prevention; M1022: Restrict File and Directory Permissions; M1018: User Account Management; M1017: User Training |
| Obfuscated Files or Information | T1027 | M1049: Antivirus/Antimalware; M1047: Audit; M1040: Behavior Prevention on Endpoint; M1017: User Training |
| Obfuscated Files or Information: Dynamic API Resolution | T1027.007 | None listed* |
| Deobfuscate/Decode Files or Information | T1140 | None listed* |
| Process Injection | T1055 | M1040: Behavior Prevention on Endpoint; M1026: Privileged Account Management |
| Reflective Code Loading | T1620 | None listed* |
| Execution Guardrails: Mutual Exclusion | T1480.002 | M1055: Do Not Mitigate |
| Indicator Removal: File Deletion | T1070.004 | None listed* |

Discovery

| Technique Title | ID | Recommendations |
| --- | --- | --- |
| File and Directory Discovery | T1083 | None listed* |
| Ingress Tool Transfer | T1105 | M1031: Network Intrusion Prevention |

Collection

| Technique Title | ID | Recommendations |
| --- | --- | --- |
| Data from Local System | T1005 | M1057: Data Loss Prevention |

Command and Control

| Technique Title | ID | Recommendations |
| --- | --- | --- |
| Application Layer Protocol: Web Protocols | T1071.001 | M1031: Network Intrusion Prevention |
| Encrypted Channel | T1573 | M1031: Network Intrusion Prevention; M1020: SSL/TLS Inspection |

Exfiltration

| Technique Title | ID | Recommendations |
| --- | --- | --- |
| Exfiltration Over C2 Channel | T1041 | M1057: Data Loss Prevention; M1031: Network Intrusion Prevention |

*MITRE currently does not list any mitigation guidance to combat this attack technique.
Protecting Against CVE-2025-15556
Proactive defense requires not only reactive patching of CVE-2025-15556, but also active threat hunting using the TTPs identified by Flashpoint analysts. Flashpoint recommends the following actions:
Immediate Update: Ensure all instances of Notepad++ are updated to v8.9.1 or higher immediately. This version enforces the signature verification that was missing in previous releases.
Audit System Paths: Scan for malicious file paths used for persistence.
Network Defense: Monitor and block traffic to malicious domains.
Endpoint Hardening: Implement Behavior Prevention on Endpoints (M1040) and Audit (M1047) to detect unauthorized registry run keys or new system services.
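The update, audit, and hardening steps above as one added PowerShell hunting script (not a Flashpoint tool). It assumes v8.9.1 as the patched release and the artifact names from the attack-chain table, both taken from this post, and treats every hit as a lead for triage rather than confirmation of compromise.

```powershell
# Added example (not a Flashpoint tool): hunt a Windows host for the artifacts and
# persistence this post attributes to Lotus Blossom. Run elevated; every hit is a
# lead for triage, not proof of compromise (e.g. a legitimate ProShow install).
$MinimumSafe   = [version]'8.9.1'                                                   # patched release named in this post
$ArtifactNames = @('update.exe', 'ProShow.exe', 'BluetoothService.exe', 'log.dll')  # from the attack-chain table

# 1. Installed Notepad++ version, read from the Uninstall registry keys
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Notepad++*' -and $_.DisplayVersion } |
    ForEach-Object {
        $v = [version]($_.DisplayVersion -replace '[^\d.]', '')
        $state = if ($v -lt $MinimumSafe) { 'VULNERABLE: updater does not verify signatures' } else { 'patched' }
        "[version] $($_.DisplayName) $v -> $state"
    }

# 2. Registry Run keys (T1547.001) whose command line names one of the artifacts
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        foreach ($name in $ArtifactNames) {
            if ("$($p.Value)" -like "*$name*") { "[runkey] $key\$($p.Name) = $($p.Value)" }
        }
    }
}

# 3. Windows services (T1543.003) whose binary path names one of the artifacts
foreach ($svc in Get-CimInstance Win32_Service) {
    foreach ($name in $ArtifactNames) {
        if ("$($svc.PathName)" -like "*$name*") { "[service] $($svc.Name) -> $($svc.PathName)" }
    }
}

# 4. Files carrying the artifact names (T1036 masquerading) in user-writable locations
$roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) | Where-Object { $_ }
Get-ChildItem -Path $roots -Recurse -File -Include $ArtifactNames -ErrorAction SilentlyContinue |
    ForEach-Object { "[file] $($_.FullName) ($($_.Length) bytes, created $($_.CreationTime))" }
```

Feed the output to your SIEM or ticketing flow; a Run-key or service hit pointing at a user-writable path deserves the same handling as any unsigned autostart entry.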
Outpace Threat Actors Using Flashpoint
Software trust is only as strong as the infrastructure behind it. As organizations respond to these recent updates, having best-in-class vulnerability intelligence and direct visibility into threat actor TTPs is the best defense.
Leveraging Flashpoint vulnerability intelligence, organizations can move beyond CVE and NVD, by gaining deeper technical analysis and MITRE ATT&CK mapping to defend against sophisticated threat actors. Request a demo to learn more.
Begin your free trial today.
The post What to Know About the Notepad++ Supply-Chain Attack appeared first on Flashpoint.
*** This is a Security Bloggers Network syndicated blog from Threat Intelligence Blog | Flashpoint authored by Flashpoint. Read the original post at: https://flashpoint.io/blog/what-to-know-about-the-notepad-supply-chain-attack/
