Trusted Design

Nation-State Actors Exploit Notepad++ Supply Chain

概要

Between June and December 2025, state-sponsored threat group Lotus Blossom compromised the hosting infrastructure for Notepad++, allowing them to intercept and redirect update traffic. This enabled selective targeting of users primarily in Southeast Asian government, telecommunications and critical infrastructure sectors. Two infection chains were identified - one using Lua script injection to deliver Cobalt Strike and another using DLL side-loading for a Chrysalis backdoor. The campaign affected additional sectors across South America, US, Europe and Southeast Asia including cloud hosting, energy, financial, government, manufacturing and software development. The attack exploited insufficient verification in older versions of the Notepad++ updater to serve malicious installers to targeted victims.

Created: 2026-03-14

Indicators

• FileHash-MD5 - aa36d1c28e143f963b8f7ed98582ee4f -
• FileHash-SHA256 - a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9 -
• FileHash-SHA256 - 71431fa7b66f8132453e18e3a5f8ef0af3ca079a7793f828df06fdb5d7bd915d -
• FileHash-SHA1 - e7e72971c5de989dcbd7246fc98b3b3a43983a5e -
• FileHash-SHA1 - e7b577a487ccf2ca1e7697a08a525e7197a7e238 -
• URL - http://45.76.155.202/update/update.exe -
• FileHash-SHA1 - 1c83ace9b078597beba0369ef2801503c36fd37c -
• FileHash-MD5 - ae6fbf9566dc352644613f17043cd9e9 -
• FileHash-SHA256 - 05abc57952974d08feafa399d6fdb37945a3fd0a10f37833dd837a5788e421d5 -
• FileHash-MD5 - b8f9aa523ab6d92ff4fa785d649234bf -
• FileHash-MD5 - e70adea04a3d0792aeca14426e3fa663 -
• FileHash-SHA256 - a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15 -
• FileHash-SHA256 - 8117c82a3821965d92ee3f9f3ae10efcd602bd4b6e52a2fe957d70aafe479744 -
• FileHash-MD5 - 92580701bb44921383f1b7973824fab9 -
• FileHash-SHA1 - eaf46c1cff17458b28bfd2fef41045de0bdbf4c3 -
• FileHash-MD5 - ebfb90b0f9404b7c92bb968341c9a8cb -
• FileHash-SHA256 - a3cf1c86731703043b3614e085b9c8c224d4125370f420ad031ad63c14d6c3ec -
• URL - http://45.32.144.255/update/update.exe -
• FileHash-SHA1 - daa56d1ae132105732db51a692927bb8ebee7495 -
• FileHash-SHA1 - 1f178a63a87dcb339174e2cd22cf559ddbe72c24 -
• FileHash-SHA256 - 1f6d28370f4c2b13f3967b38f67f77eee7f5fba9e7743b6c66a8feb18ae8f33e -
• FileHash-SHA1 - 242eebb5cb52a4f8c32f6295a687889445cc9da7 -
• FileHash-SHA256 - 7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd -
• URL - http://95.179.213.0/update/AutoUpdater.exe -
• URL - http://95.179.213.0/update/Upgrade.exe -
• FileHash-SHA256 - 32aa12d3c9521477a5a1e086e400ec0f77f8a97a8190806a0f1953688b883cfb -
• FileHash-SHA1 - 2c587cf2f79d12d40bdd5d910b7e5f4d7fbb690a -
• FileHash-SHA256 - 49d2531893b09cb6a8e3429ca0a734e871a2d96fa2575c0eec3229d383fa233a -
• FileHash-MD5 - 869b85d8004b64fbef4d4ae9d4b20f00 -
• FileHash-SHA256 - 61c3077b989e272117167c90fc35e7f06bea4f992f3395b40ccee083d7258082 -
• FileHash-SHA256 - e1df78704001bba1a3d343f62a1242a4484ff6ad269170714263c03b802eb0b1 -
• FileHash-MD5 - 2080584340e914d6466917c0c1b97e19 -
• FileHash-MD5 - 23e52d35b0a744b06b8f27e5350a96cb -
• FileHash-SHA1 - d7ffd7b588880cf61b603346a3557e7cce648c93 -
• FileHash-SHA1 - 458b7557f3f10fcbec46558d306f4e95ede8531a -
• FileHash-SHA256 - 2dd5473736ef51e4340cae005e3fc8cdf0e42ec649bc6ed186484a79be409928 -
• FileHash-MD5 - 363dad6a0cbf5784837ea99b6a9004c6 -
• FileHash-MD5 - 391286de28124839623d788eef201ac9 -
• FileHash-SHA1 - d2a6f306a9c4de523bf223466e860f7a8063677f -

類似Pulses

類似するPulseは見つかりませんでした。

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る