This incident is a reminder that many “breaches” never begin with a firewall failure or a zero-day. They begin with trust.
When a widely used tool’s update path is compromised, attackers can deliver malware inside your trust boundary, where defenses are designed to allow normal software to run. That is the core risk behind the Notepad++ compromise and the Chrysalis backdoor tied to the Lotus Blossom threat group.
What Happened
Between mid-2025 and late-2025, attackers compromised infrastructure associated with Notepad++ updates and selectively delivered a malicious payload to targeted users. Security reporting has linked this activity to Lotus Blossom, and Rapid7 describes the delivered backdoor as Chrysalis.
This is not alarming because it introduces a brand-new technique. It is alarming because it uses known, reliable tradecraft in places most environments treat as “safe enough.”
Why This Matters
Most environments design controls around the idea that threats arrive as something obviously suspicious: an untrusted download, a known malicious attachment, an unexpected process, or a clear exploit chain.
Supply chain compromise flips that model.
If the installer or updater is trusted, the malware often lands with fewer obstacles and fewer alerts. It does not have to “break in” after execution. It starts from inside the fence, where many controls are permissive by design.
That is why these events should change how leadership thinks about “software risk,” especially for commonly used utilities that may not be tracked like enterprise applications.
How Chrysalis works, and why it blends in
Rapid7’s analysis ties Chrysalis to a chain that is intentionally quiet and operationally disciplined.
1) It Rides a Trusted Delivery Path
When an update mechanism is abused, defenders lose the benefit of “suspicious origin.” The payload can arrive where a legitimate installer is expected to arrive, run where it is expected to run, and inherit a degree of implicit trust.
2) It Executes Through DLL Sideloading
Instead of triggering an exploit, Chrysalis relies on a Windows behavior defenders see every day: DLL loading.
A legitimate, usually signed, executable is placed beside a malicious DLL that carries the name of a dependency the executable expects. When the program starts, Windows resolves that import through its normal search order, which checks the application's own directory before the system directories, so the attacker's copy wins over the genuine file in System32 (the only names exempt are the KnownDLLs, which are always mapped from System32 regardless of what sits beside the executable). No exploit. No crash. No dramatic event. The system behaves exactly as designed.
Why DLL Sideloading is so Effective
Executables are explicit: they are launched, logged, and often scrutinized. DLLs are designed to be loaded by other processes and they often inherit the identity and reputation of the process that loads them. In practice, that means a trusted process can “carry” malicious code without looking unusual in basic telemetry.
3) The process tree stays clean
One reason this type of intrusion is dangerous is that monitoring teams frequently rely on obvious indicators: weird parent-child relationships, strange command lines, and anomalous process spawns.
With DLL sideloading, the process tree can look normal: a known executable starts and loads its dependencies. There may be no suspicious child process, no strange script runner, and no “classic malware” shape for analysts to escalate quickly.
4) It minimizes disk artifacts with in-memory behavior
Chrysalis is described as operating largely in memory, functioning as a loader and backdoor. That means fewer file artifacts for traditional static detection and fewer breadcrumbs during post-incident response. One artifact it cannot avoid: the sideloaded DLL itself has to exist on disk for the host executable to load it, so that file, its hash and its signature status are where hunting should start.
5) It enables quiet recon and staged follow-on actions
The backdoor capability supports reconnaissance and tasking through attacker-controlled infrastructure. It can collect system information and load additional code on demand, keeping activity targeted rather than noisy.
6) Persistence is “boring on purpose”
A mature operator does not want attention. Persistence mechanisms that blend into normal system behavior are often chosen for durability and low visibility. Chrysalis is designed to remain present quietly, not to announce itself.
The real lesson: defenders lose when trust is assumed
Chrysalis is effective because it abuses trust end-to-end:
- Trusted software delivery
- Trusted binaries
- Trusted execution paths
- Trusted loading behaviors
- Trusted persistence patterns
The absence of alerts is not an accident. It is a design goal.
This is why “we patch” and “we have antivirus” are not complete answers. Mature defense is built around validation, monitoring, and response—especially in the gray areas where “normal” behavior can be weaponized.
What BTI Recommends You Do Now
This is the practical side. The objective is not panic. It is control and verification.
1) Inventory Notepad++ and similar utilities in your environment
Identify where Notepad++ exists, how it was deployed, and which update mechanism was used. Many organizations have these tools installed outside formal software management workflows.
2) Validate application control with a DLL-aware mindset
Many allow-listing and application control strategies focus heavily on executables while implicitly trusting what those executables load. For threats like Chrysalis, that gap matters.
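To make that gap concrete, here is an added example written for this article, not BTI tooling and not a WDAC or AppLocker policy format. It evaluates the same process launch under an executable-only policy and under a module-aware one: the signed host executable passes both, but only the module-aware evaluation sees the unsigned version.dll dropped beside it. The publisher name, hashes and paths are constructed placeholders.

```python
"""Allow-list evaluation with and without module (DLL) awareness.

Added example for this article; not BTI tooling and not a WDAC/AppLocker
policy. Publisher names, hashes and paths are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Module:
    path: str
    sha256: str
    publisher: str | None = None  # verified signer, None if unsigned/invalid


@dataclass
class Policy:
    trusted_publishers: set[str]
    # Explicit per-file exceptions for unsigned files a vendor legitimately ships.
    allowed_hashes: set[str] = field(default_factory=set)

    def permits(self, m: Module) -> tuple[bool, str]:
        if m.publisher is not None and m.publisher in self.trusted_publishers:
            return True, f"signed by trusted publisher {m.publisher!r}"
        if m.sha256.lower() in self.allowed_hashes:
            return True, "hash explicitly allow-listed"
        return False, "no publisher or hash rule matches"


def evaluate(policy: Policy, exe: Module, modules: list[Module],
             dll_aware: bool) -> tuple[bool, list[str]]:
    """Return (allowed, decision log).

    With dll_aware=False every module inherits the executable's verdict,
    which is exactly the implicit trust a sideloaded DLL rides on.
    """
    ok, why = policy.permits(exe)
    log = [f"{'ALLOW' if ok else 'BLOCK'} exe    {exe.path}: {why}"]
    if not ok:
        return False, log
    if not dll_aware:
        log.append("SKIP  modules: executable-only policy, loads not evaluated")
        return True, log
    allowed = True
    for m in modules:
        ok, why = policy.permits(m)
        log.append(f"{'ALLOW' if ok else 'BLOCK'} module {m.path}: {why}")
        allowed = allowed and ok
    return allowed, log


# Constructed scenario: a legitimately signed host exe, a signed dependency,
# an unsigned helper covered by a hash exception, and an unsigned version.dll
# dropped alongside that matches no rule.
POLICY = Policy(trusted_publishers={"Example Tools Ltd"},
                allowed_hashes={"3a" * 32})
HOST_EXE = Module(r"C:\Users\alice\AppData\Local\Temp\upd\helper.exe",
                  "11" * 32, publisher="Example Tools Ltd")
MODULES = [
    Module(r"C:\Users\alice\AppData\Local\Temp\upd\Qt5Core.dll",
           "22" * 32, publisher="Example Tools Ltd"),
    Module(r"C:\Users\alice\AppData\Local\Temp\upd\vendorhelper.dll",
           "3a" * 32, publisher=None),
    Module(r"C:\Users\alice\AppData\Local\Temp\upd\version.dll",
           "ff" * 32, publisher=None),
]


def exe_only_verdict() -> bool:
    return evaluate(POLICY, HOST_EXE, MODULES, dll_aware=False)[0]


def dll_aware_verdict() -> bool:
    return evaluate(POLICY, HOST_EXE, MODULES, dll_aware=True)[0]


if __name__ == "__main__":
    for aware in (False, True):
        allowed, log = evaluate(POLICY, HOST_EXE, MODULES, dll_aware=aware)
        print(f"dll_aware={aware}: {'ALLOW' if allowed else 'BLOCK'}")
        for line in log:
            print("   ", line)
```

The design point is that the rules are publisher and hash based rather than path based: a path rule for the application's directory would have admitted the dropped version.dll just as readily as the genuine dependencies, which is the permissive-by-design behavior the article warns about.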
3) Hunt with known indicators and behaviors
Use the indicators published by Rapid7 and the other sources listed below (such as file hashes, drop paths and command-and-control infrastructure) to search endpoint and network telemetry for Chrysalis and the Notepad++ compromise, and confirm that your image-load and network logging would capture the same behavior in the future.
4) Reduce update-chain risk for non-enterprise software
For tools not managed through enterprise software distribution, enforce stronger controls:
- Restrict who can install and update software
- Limit admin rights on endpoints
- Verify code signatures on installers and updates where possible, and treat an unsigned or differently signed update as a stop condition rather than a warning
- Standardize update sources through controlled channels
5) Confirm you can detect “quiet” compromise
If your detections rely mainly on “malware-looking malware,” assume you are blind to a portion of modern intrusions. Ensure you have:
- Strong endpoint telemetry
- Centralized log collection
- Actionable alert triage and response workflows
- The ability to investigate trusted-process anomalies
How BTI helps reduce supply chain and endpoint risk
BTI’s model is built around measurable controls and operational follow-through, not tool sprawl.
Depending on your environment and compliance requirements, BTI can help with:
- Endpoint hardening and least privilege enforcement
- Managed detection and response with proactive threat hunting
- Centralized logging and correlation to see trusted-process anomalies
- Software inventory and lifecycle controls
- Incident response readiness and containment playbooks
- Validation that “controls are enforced and provable,” not just installed
If you want a quick reality check, BTI can start with an assessment focused on:
- Software inventory and deployment paths
- Endpoint control posture (including application control assumptions)
- Visibility gaps in telemetry and response workflows
Bottom line
Chrysalis did not “win” by being loud or exotic. It won by behaving like something defenders are trained to accept.
This is the moment to tighten your trust assumptions, validate what your controls actually observe, and ensure your organization can respond when compromise looks like business-as-usual.
References
- Rapid7: Chrysalis backdoor deep dive and attribution to Lotus Blossom (Rapid7)
- Reuters: Notepad++ supply chain compromise reporting and campaign timeline (Reuters)
- Help Net Security: summary of the attack, targets, and indicators (Help Net Security)
- Kaspersky Securelist: Notepad++ supply chain attack chain details and IOCs (Securelist)
- The Hacker News: reporting on Lotus Blossom / Notepad++ hosting breach and Chrysalis (The Hacker News)
If Notepad++ Lives Anywhere in Your Environment, This Deserves Attention.
Many organizations don’t know where common utilities are installed, how they’re updated, or what those update paths can expose. Chrysalis shows why that matters.
BTI helps organizations move from assumed trust to provable controls through visibility, validation, and operational response.