On February 2, 2026, the maintainers of Notepad++ confirmed that their official distribution infrastructure had been compromised for several months in 2025, exposing users to a malicious installer for version 8.9.9.
Subsequent analysis by security firm Rapid7 linked the incident to an advanced threat campaign attributed to the Chinese APT group Lotus Blossom. This campaign used the compromise as an initial access vector to deploy a custom backdoor dubbed Chrysalis alongside commodity tools like Cobalt Strike. Although Rapid7 focused on the malware itself, scanning data from Censys reveals long-lived infrastructure associated with the campaign that can be used to track the actors and pivot to additional malicious hosts.
Chrysalis Infrastructure — Observed by Censys
The Censys data correlates multiple malicious hosts and services over time, tracking how infrastructure reappeared, rotated services, and reused TLS certificates. Below are the key hosts and their observed behavior:
95[.]179.213.0 — GUP.exe Distribution and Staging Host
This host appears to have served the malicious GUP.exe installer and exhibited a range of services over 2025–early 2026:
- Feb 2025: SSH service (port 22) first seen — likely staging.
- Apr 13, 2025: HTTP (port 8080) and OpenVPN (443) exposed with a TLS certificate issued to lazerpenguin[.]com (associated with a commercial VPN provider).
- Apr 14, 2025: IKE service on UDP 500.
- Aug 18, 2025: Returned with SSH 22 and HTTPS 443 using a Cloudflare-style origin cert for bechugh[.]top.
- Aug 31, 2025: SSH and HTTP 8080 again, presenting the lazerpenguin[.]com certificate.
- Oct 15, 2025: SSH and HTTP services observed.
- Jan 08, 2026: HTTPS on 8082 with lazerpenguin[.]com cert.
This host’s repeated reappearance and certificate reuse suggest it functioned as a reusable staging asset rather than a single-purpose controller.
61[.]4.102.97 — Chrysalis C2 Endpoint
- Serves as the command-and-control (C2) endpoint tied to api[.]skycloudcenter[.]com.
- First observed Sep 04, 2025 presenting a TLS service on port 443 with a valid certificate tied to the domain.
- On Oct 16, 2025, the TLS certificate was rotated but remained under the same issuer.
Because of limited service metadata, Censys could not identify the service type beyond the certificate it presented, but the reuse of this host's certificate on other addresses supports its role as a C2 infrastructure component.
160[.]250.93.48 — Chrysalis Pivot via Certificate Reuse
- This host reused the same Chrysalis C2 TLS certificate seen on 61[.]4.102.97.
- Dec 03, 2025: Exposed RDP on a non-standard port (5633), then HTTPS on 443 using the same C2 certificate.
- Dec 12, 2025: Services disappeared; Dec 23, 2025: SSH exposed; Jan 22, 2026: Host was offline.
While not confirmed as a C2 host, the matching certificate strongly links this host to the campaign's infrastructure and makes it a useful pivot point.
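The pivot described above, as an added example that is not Censys code or data from this write-up: the script clusters hosts that presented the same TLS certificate and reports each host's observation window. The observation records mirror the timeline in this post, but the certificate fingerprints (and the May 2025 date for 47[.]120.61.164) are constructed placeholders, not real hashes.

```python
from collections import defaultdict
from datetime import date

# Constructed scan observations (host, date, port, service, cert fingerprint).
# Hosts are the addresses named in the write-up; fingerprints are placeholders.
OBSERVATIONS = [
    ("95.179.213.0", date(2025, 4, 13), 443, "OPENVPN", "cert-lazerpenguin"),
    ("95.179.213.0", date(2025, 8, 18), 443, "HTTPS", "cert-bechugh-origin"),
    ("95.179.213.0", date(2025, 8, 31), 8080, "HTTP", "cert-lazerpenguin"),
    ("95.179.213.0", date(2026, 1, 8), 8082, "HTTPS", "cert-lazerpenguin"),
    ("61.4.102.97", date(2025, 9, 4), 443, "TLS", "cert-skycloud-A"),
    ("61.4.102.97", date(2025, 10, 16), 443, "TLS", "cert-skycloud-B"),
    ("160.250.93.48", date(2025, 12, 3), 5633, "RDP", None),
    ("160.250.93.48", date(2025, 12, 3), 443, "HTTPS", "cert-skycloud-B"),
    ("59.110.7.32", date(2025, 5, 7), 17777, "TLS", "cert-cs-style"),
    ("47.120.61.164", date(2025, 5, 20), 443, "TLS", "cert-cs-style"),
]

def hosts_by_certificate(observations):
    """Map each certificate fingerprint to the set of hosts that presented it."""
    by_cert = defaultdict(set)
    for host, _, _, _, cert in observations:
        if cert:  # services without TLS (e.g. RDP, SSH) carry no certificate
            by_cert[cert].add(host)
    return by_cert

def shared_certificates(observations):
    """Certificates seen on more than one host: the pivot signal."""
    return {c: h for c, h in hosts_by_certificate(observations).items() if len(h) > 1}

def pivot_clusters(observations):
    """Cluster hosts transitively linked by shared certificates (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for hosts in hosts_by_certificate(observations).values():
        hosts = sorted(hosts)
        for h in hosts[1:]:
            parent[find(h)] = find(hosts[0])
    clusters = defaultdict(set)
    for host in {o[0] for o in observations}:
        clusters[find(host)].add(host)
    return sorted(sorted(c) for c in clusters.values())

def host_window(observations, host):
    """First and last date a host was seen, to spot long-lived staging assets."""
    dates = [d for h, d, *_ in observations if h == host]
    return (min(dates), max(dates)) if dates else None
```

Feeding real scan exports into `OBSERVATIONS` lets a hunt team grow the cluster whenever a known certificate reappears on a new address.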
Chrysalis Variants and Loader Infrastructure
Rapid7 identified multiple loader configurations similar to Chrysalis. Censys scan data sheds light on two of these variants:
Loader 1 — 59[.]110.7.32 (Cobalt Strike)
This host showed evolving malicious activity throughout 2025:
- Mar 14, 2025: SSH only.
- Mar 18, 2025: HTTP open directory with potential payloads.
- May 07, 2025: Unknown TLS service on port 17777 presenting a Cobalt Strike-style certificate.
- May 08, 2025: Cobalt Strike on port 8880 (no beacon retrieved but fingerprinted).
- May 22, 2025: Cobalt Strike on port 80 with retrievable beacon.
- Nov 03, 2025: Cobalt Strike on port 8999.
Loader 2 — 124[.]222.137.114
Another infrastructure variant linked to loader activity:
- Feb 2025: Exposed a Java Chains exploit service on port 8011.
- Mar 10, 2025: SSH.
- Mar 20, 2025: MySQL service on port 13306.
- Apr 18, 2025: LDAP service visible.
- Jun 2025: Briefly exposed Cobalt Strike listeners on 9999 and 23333.
- Oct 07, 2025: Returned with Asset Reconnaissance Lighthouse (ARL) on port 15003, indicating potential reuse or repurposing of infrastructure.
Timeline of Observed Infrastructure Events
A summarized timeline highlights how these malicious assets evolved over time:
- Feb 2025: 124[.]222.137.114 exposed Java Chains; 95[.]179.213.0 SSH appears.
- Apr 13–14, 2025: 95[.]179.213.0 presents HTTP/OpenVPN and IKE.
- May 2025: 59[.]110.7.32 and related hosts show Cobalt Strike services and certificates shared across multiple hosts.
- Aug 18–31, 2025: 95[.]179.213.0 alternates service types and certificates.
- Sep 04, 2025: Chrysalis C2 (61[.]4.102.97) first seen.
- Oct 07, 2025: ARL appears on 124[.]222.137.114.
- Dec 03–12, 2025: 160[.]250.93.48 appears and disappears with RDP/HTTPS; SSH later.
- Early 2026: 95[.]179.213.0 and 47[.]120.61.164 show additional reconnaissance and directory activity.
Key Indicators of Compromise (IOCs)
IPs:
- 95[.]179.213.0 (malicious GUP.exe & staging)
- 61[.]4.102.97 (Chrysalis C2), 160[.]250.93.48 (C2 certificate reuse)
- 59[.]110.7.32 (Loader 1, Cobalt Strike)
- 47[.]120.61.164, 152[.]136.165.180, 49[.]232.102.73 (Cobalt Strike pivots)
- 124[.]222.137.114 (Loader 2, Java Chains & ARL)
Certificates:
- lazerpenguin[.]com (multiple variants)
- Fake Cloudflare origin (bechugh[.]top)
- Chrysalis C2 (skycloudcenter[.]com) and rotated certs
- Cobalt Strike-style certificates and shared fingerprints across hosts
Conclusion
The malicious Notepad++ distribution incident was not isolated to a single downloadable payload. Instead, it was underpinned by a complex, evolving web of compromised and purpose-built infrastructure revealing:
- Long-lived assets reused over months;
- Certificate reuse patterns enabling pivoting and tracking;
- Multiple command-and-control (C2) and loader frameworks (Chrysalis and Cobalt Strike variants).
Security teams and researchers can leverage these IOCs and service fingerprints to hunt for related malicious infrastructure and better understand how sophisticated adversary campaigns persist over time.
