Notepad++ Update Hijack: When Your Text Editor Writes Back

If you are reading this, there is a statistically significant chance you have Notepad++ installed. It's the 'Hello World' of developer tools—installed on millions of machines, often with administrative privileges, and trusted implicitly by firewall rules and users alike. That trust is exactly what makes it the perfect target for a supply chain attack.

Here is the grim reality: for a long time, the update mechanism for this ubiquitous tool was essentially operating on the honor system. The component responsible for fetching updates, GUP.exe (WinGUp), is a generic updater used by several open-source projects. Its job is simple: download an XML file, parse the URL for the new installer, download the binary, and run it.

But simplicity is the enemy of security. While the connection might have been over HTTPS (protecting the pipe), the payload itself was never interrogated. The updater didn't check who signed the binary, or if it was signed at all. It just grabbed whatever the server offered and executed it. When the Lotus Blossom APT compromised the hosting provider for notepad-plus-plus.org, they didn't need to break encryption or find a 0-day in Windows. They just had to swap a file.

The vulnerability is classified as CWE-494: Download of Code Without Integrity Check, but let's call it what it is: Blind Faith. The architecture of the flaw is a classic case of confusing transport security with content security.

The logic flow of the vulnerable GUP.exe was effectively:

1. Fetch update.xml.
2. Parse <Location> tag.
3. HTTP GET the executable.
4. ShellExecute the executable.

There was no step 3.5. There was no hash check against a trusted manifest (because the manifest itself wasn't signed), and there was no Authenticode signature verification on the downloaded binary. This meant that if an attacker could control the server response—either via Man-in-the-Middle (MitM) or, in this case, by compromising the server directly—they owned the client.

This is distinct from a buffer overflow or a use-after-free. The code worked exactly as written; it was just written with the naive assumption that the server is immutable and benevolent. In the modern threat landscape, assuming your infrastructure is unhackable is a fatal architectural error.

The fix required a fundamental change in how WinGUp handles trust. It wasn't enough to just check if a file is signed; anyone can sign a binary with a self-signed cert. The updater needed to verify that the binary was signed specifically by the Notepad++ developers.

In the patch (Commit ce0037549995ed0396cc363544d14b3425614fdb), the Generic Updater was overhauled to utilize the Windows WinVerifyTrust API. It introduced a suite of new command-line flags to enforce strict pinning.

Here is the logic added to the main Notepad++ application (Commit bcf2aa68ef414338d717e20e059459570ed6c5ab) to invoke the hardened updater:

// The new 'SecurityGuard' class retrieves the expected signer details
SecurityGuard sgd;
 
// Constructing the command line for GUP.exe
// Before: effectively just "-update"
// After: Paranoid Mode engaged
param += L" -chkCertSig=yes";              // MUST be signed
param += L" -chkCertRevoc";                // Check CRL/OCSP
param += L" -chkCertTrustChain";           // Validate the CA chain
param += L" -chkCertName=" + sgd.signer_display_name(); // Pin the Subject Name
param += L" -chkCertAuthorityKeyId=" + sgd.authority_key_id(); // Pin the Issuer

> [!NOTE] > Certificate Pinning is Key:
> Simply checking WinVerifyTrust isn't enough. An attacker could buy a valid cert from a shady CA. The parameters -chkCertName and -chkCertAuthorityKeyId ensure that the certificate actually belongs to the Notepad++ project, effectively killing the attack path unless the attacker steals the private signing key itself.

This wasn't a theoretical research paper; this was an active campaign. The Lotus Blossom APT (a suspected state-sponsored group) managed to compromise the shared hosting provider used by Notepad++. They didn't hit everyone; they used a surgical redirection script to target specific IP ranges, keeping the noise low.

When a victim opened Notepad++ and the "Update Available" dialog popped up, they clicked "Yes" because they are good security citizens who patch their software. The updater downloaded what looked like npp.8.6.9.Installer.x64.exe.

The Payload: Chrysalis The dropped binary wasn't Notepad++. It was a sophisticated loader chain designed to evade EDR:

1. Legitimate Binary Abuse: The installer dropped a renamed executable BluetoothService.exe. This was actually a legitimate, signed binary from Bitdefender (Submission Wizard).
2. DLL Side-Loading: Because the Bitdefender binary was vulnerable to DLL search order hijacking, it automatically loaded a malicious log.dll placed in the same folder by the attacker.
3. Decryption & Execution: log.dll used a custom linear congruential generator (magic constants 0x19660D and 0x3C6EF35F) to decrypt shellcode in memory, launching the Chrysalis backdoor.

This technique is devious because the process initiating the network connection is a signed security tool (the hijacked Bitdefender binary), often whitelisted by other security products.

The impact of CVE-2025-15556 is effectively Arbitrary Code Execution (ACE) with the privileges of the user running Notepad++. Since developers often run their editors as Administrator (to edit config files, hosts files, etc.), this frequently translates to full system compromise.

The Chrysalis backdoor provided the attackers with:

• Remote Command Execution: Shell access to the host.
• Data Exfiltration: Stealing source code, SSH keys, AWS credentials, and environment variables.
• Persistence: Establishing scheduled tasks or registry run keys to survive reboots.

Because this is a supply chain attack, the "Patient Zero" is often inside the secure zone. You didn't click a phishing link; you updated your trusted tools. This bypasses the human layer of defense entirely.

The remediation is straightforward but urgent: Update to Notepad++ 8.8.9 or later. This version includes the patched GUP.exe and the necessary logic to enforce signature verification.

For enterprise environments, detection is critical since the attack happened before the patch was available. Security teams should hunt for:

• Processes: BluetoothService.exe running outside of a Bitdefender directory.
• Files: log.dll appearing in temp folders or alongside the Notepad++ executable.
• Network: Connections to unknown IPs initiated by GUP.exe or notepad++.exe.

Going forward, the Notepad++ team has also implemented checks for the XML metadata itself (XMLDSig) in version 8.9.2, closing the loop on the manifest manipulation vector. The lesson here is painful but clear: If you are downloading code from the internet, cryptography is not an optional feature—it is a requirement.