2026-02-16

Notepad++ updater turned delivery vehicle

Level: Operational | Source: Rapid7

How they get in: Notepad++ updater turned delivery vehicle

Category: Espionage | Industry: Government, Telco, Aviation, Critical Infrastructure, Media | Source: Rapid7

The investigation began with a security incident stemming from the execution of a malicious file named update[.]exe, downloaded from a suspicious IP address (95.179.213[.]0) shortly after the legitimate execution of notepad++[.]exe and GUP[.]exe (the generic updater for Notepad++).

Observed execution chain:

notepad++.exe  
  → GUP.exe (Notepad++ updater)  
     → update.exe (downloaded from 95.179.213.0)  
        → NSIS installer  
           → %AppData%\Bluetooth (hidden)  
              → BluetoothService.exe (renamed Bitdefender binary)  
                 → log.dll (malicious sideload)  
                    → decrypted Chrysalis shellcode  


The updater becomes the bridge from trusted binary → sideloaded DLL → in-memory backdoor.


Advanced Evasion Techniques:

C2 Traffic Masquerading

Communication occurs over HTTPS to api.skycloudcenter.com, with URL paths formatted like /a/chat/s/{GUID} — intentionally mimicking legitimate AI/Deepseek-style API traffic to blend into normal web activity.

Custom Encryption Routine

Instead of using standard Windows cryptographic APIs, Chrysalis uses its own linear congruential generator (LCG) to decrypt payloads. This avoids common crypto patterns that automated tools typically flag.


API Hashing for Stealth

Windows APIs are not referenced directly. Instead, the malware resolves them using a custom hashing method (FNV-1a + MurmurHash-style finalization). This makes static analysis and signature-based detection much harder.


Multi-Command Modular Design (16 Switch Cases)

Chrysalis supports 16 operator-controlled commands, enabling flexible post-exploitation without redeploying new malware.

Detection priority themes

When mapping this campaign into the Anvilogic platform, we recommend prioritizing the following detection stages that track the full chain:

Stage 1: GUP.exe Anomalies (Initial Execution Drift)

Focus on: GUP.exe spawning child processes that are not part of its normal update flow (in this chain, update.exe fetched from 95.179.213.0).

If your updater suddenly develops post-exploitation hobbies, that’s your moment.

Covered by:

AVL_UC137426 (Suspicious Child Processes)

DNS anomaly logic (a custom macro that filters out known-legitimate domains) is also worth adding.

Stage 2: Suspicious File Drops & Hidden Payload Staging

Watch for:

  • gup.exe creating executables outside:
    • C:\Program Files\Notepad++\
    • C:\Program Files (x86)\Notepad++\
  • Hidden directories in:
    • %AppData%\Bluetooth
  • Temp installer pattern deviations:
    • Exclude normal npp.*.Installer.*.exe
    • Flag other executable drops

The attacker leverages NSIS to stage payloads quietly, then pivots into DLL sideloading.


Covered by:
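As an added example, not code from the Rapid7 report or the Anvilogic platform, the following Python script applies the Stage 1 and Stage 2 logic above to a handful of constructed Sysmon-style process-creation and file-creation events. The allowlist of GUP.exe's normal children (notepad++.exe and the npp.*.Installer.*.exe it downloads), the event field names and the sample telemetry are assumptions made for the example.

```python
"""Stage 1 + Stage 2 checks over constructed Sysmon-style events."""
import re

# Assumption: GUP.exe's normal update flow only relaunches notepad++.exe or runs
# the installer it downloaded (npp.*.Installer.*.exe). Anything else is drift.
EXPECTED_GUP_CHILDREN = {"notepad++.exe"}
INSTALLER_RE = re.compile(r"^npp\..*\.installer\..*\.exe$", re.IGNORECASE)

# Directories where the updater is expected to write executables.
NPP_DIRS = (
    "c:\\program files\\notepad++\\",
    "c:\\program files (x86)\\notepad++\\",
)
# %AppData% expands to ...\AppData\Roaming; the campaign staged into a hidden
# Bluetooth folder there. Sysmon FileCreate carries no attribute bits, so the
# "hidden" property is matched by path here and confirmed on the endpoint.
STAGING_DIR_RE = re.compile(r"\\appdata\\roaming\\bluetooth\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Stage 1: GUP.exe spawning something outside its normal update flow."""
    if basename(ev["ParentImage"]) != "gup.exe":
        return None
    child = basename(ev["Image"])
    if child in EXPECTED_GUP_CHILDREN or INSTALLER_RE.match(child):
        return None
    return ("stage1", "GUP.exe launched unexpected child: " + ev["Image"])


def check_file_create(ev):
    """Stage 2: writes into the hidden staging dir, and executables dropped by
    GUP.exe outside the Notepad++ dirs that are not the expected installer."""
    target = ev["TargetFilename"]
    if STAGING_DIR_RE.search(target):
        return ("stage2", "write into %AppData%\\Bluetooth staging dir: " + target)
    if basename(ev["Image"]) == "gup.exe" and target.lower().endswith(".exe"):
        if target.lower().startswith(NPP_DIRS) or INSTALLER_RE.match(basename(target)):
            return None
        return ("stage2", "GUP.exe dropped executable outside Notepad++ dirs: " + target)
    return None


def triage(events):
    """Run both checks over a list of events; return (stage, message) alerts."""
    checks = {"ProcessCreate": check_process_create, "FileCreate": check_file_create}
    alerts = []
    for ev in events:
        hit = checks.get(ev["EventType"], lambda _e: None)(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry mirroring the observed chain (not real log data).
NPP = "C:\\Program Files\\Notepad++\\notepad++.exe"
GUP = "C:\\Program Files\\Notepad++\\updater\\GUP.exe"
TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
STAGE = "C:\\Users\\alice\\AppData\\Roaming\\Bluetooth\\"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": NPP, "Image": GUP},
    {"EventType": "FileCreate", "Image": GUP, "TargetFilename": TMP + "npp.8.7.Installer.x64.exe"},
    {"EventType": "FileCreate", "Image": GUP, "TargetFilename": TMP + "update.exe"},
    {"EventType": "ProcessCreate", "ParentImage": GUP, "Image": TMP + "npp.8.7.Installer.x64.exe"},
    {"EventType": "ProcessCreate", "ParentImage": GUP, "Image": TMP + "update.exe"},
    {"EventType": "FileCreate", "Image": TMP + "update.exe", "TargetFilename": STAGE + "BluetoothService.exe"},
    {"EventType": "FileCreate", "Image": TMP + "update.exe", "TargetFilename": STAGE + "log.dll"},
]

if __name__ == "__main__":
    for stage, msg in triage(SAMPLE_EVENTS):
        print(stage, msg)
```

On the sample above the two benign events (the installer drop and the installer launch) pass, while the update.exe drop, the update.exe launch and both writes into %AppData%\Bluetooth raise alerts. The installer exclusion is deliberately a name pattern rather than a path, since the legitimate installer lands in Temp just like the malicious update.exe did.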

Stage 3: Persistence & Backdoor Activation

Chrysalis execution paths are controlled by command-line flags:

  • No args: installs persistence (service, fallback Run key) pointing to binary with -i, then exits
  • -i: relaunches itself with -k via ShellExecuteA, then exits
  • -k: executes core malicious logic (C2 + command processing)

  • C2: https://api.skycloudcenter.com/a/chat/s/{GUID} — structure mirrors Deepseek-style chat endpoints to blend into “legit” API-looking traffic.

Covered by:

Additional behaviors:

  • Mutex: Global\\Jdhfv_1.0.1 (single instance)
  • Host fingerprinting → RC4-encrypted beaconing over HTTPS (WinInet / HttpSendRequestA)
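As an added example, not code from the Rapid7 report or the Anvilogic platform, the following Python script applies the Stage 3 launch-mode logic and the C2 masquerading pattern from the evasion section above to constructed proxy and process-creation records. The proxy line format, the sanctioned-host allowlist, the sample data and the assumption that the image path contains no spaces are all mine.

```python
"""Stage 3 + C2 masquerading checks over constructed proxy and process logs."""
import re
from urllib.parse import urlparse

# URL shape from the report: /a/chat/s/{GUID}
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
CHAT_PATH_RE = re.compile(rf"^/a/chat/s/{GUID}$", re.IGNORECASE)

KNOWN_C2_HOSTS = {"api.skycloudcenter.com"}   # from the report
ALLOWED_CHAT_HOSTS = {"api.deepseek.com"}      # assumption: AI API hosts your org sanctions
STAGING_DIR_RE = re.compile(r"\\appdata\\roaming\\bluetooth\\", re.IGNORECASE)
# Launch modes documented above, keyed by the argument tuple.
LAUNCH_MODES = {
    (): "no args: persistence install",
    ("-i",): "-i: relaunch via ShellExecuteA",
    ("-k",): "-k: core C2 and command loop",
}


def check_url(url):
    """Flag the known C2 host, or the Deepseek-style path on any unsanctioned host."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host in KNOWN_C2_HOSTS:
        return "known Chrysalis C2 host: " + host
    if CHAT_PATH_RE.match(u.path) and host not in ALLOWED_CHAT_HOSTS:
        return "chat-style /a/chat/s/{GUID} path on unsanctioned host: " + host
    return None


def check_cmdline(image, cmdline):
    """Flag any execution out of the hidden staging dir and name its launch mode."""
    if not STAGING_DIR_RE.search(image):
        return None
    # Assumption: the image path carries no spaces, so a plain split isolates the args.
    args = tuple(a.lower() for a in cmdline.split()[1:])
    mode = LAUNCH_MODES.get(args, "unrecognised args " + " ".join(args))
    name = image.rsplit("\\", 1)[-1]
    return name + " run from %AppData%\\Bluetooth (" + mode + ")"


def triage_proxy(log_text):
    """Proxy lines (constructed format): '<ts> <src_ip> <method> <url> <status>'."""
    alerts = []
    for line in log_text.splitlines():
        _ts, src, _method, url, _status = line.split()
        hit = check_url(url)
        if hit:
            alerts.append((src, url, hit))
    return alerts


def triage_processes(events):
    """events: (image, command_line) pairs; returns (image, message) alerts."""
    alerts = []
    for image, cmdline in events:
        hit = check_cmdline(image, cmdline)
        if hit:
            alerts.append((image, hit))
    return alerts


# Constructed sample data (not real logs).
PROXY_LOG = """\
2026-02-13T09:47:01Z 10.0.0.5 POST https://api.deepseek.com/chat/completions 200
2026-02-13T09:47:09Z 10.0.0.5 POST https://api.skycloudcenter.com/a/chat/s/3f2504e0-4f89-11d3-9a0c-0305e82c3301 200
2026-02-13T09:47:40Z 10.0.0.7 GET https://cdn.example.net/a/chat/s/9b2e6d2a-1c3b-4f7d-8a1e-2f0b6c9d4e55 200
2026-02-13T09:48:02Z 10.0.0.7 GET https://www.example.com/index.html 200
"""
SVC = "C:\\Users\\alice\\AppData\\Roaming\\Bluetooth\\BluetoothService.exe"
PROCESS_EVENTS = [
    (SVC, SVC),              # first run: persistence install, then exit
    (SVC, SVC + " -i"),      # relaunch hop
    (SVC, SVC + " -k"),      # core logic
    ("C:\\Program Files\\Notepad++\\notepad++.exe",
     '"C:\\Program Files\\Notepad++\\notepad++.exe" notes.txt'),
]

if __name__ == "__main__":
    for src, url, why in triage_proxy(PROXY_LOG):
        print(src, url, why)
    for image, why in triage_processes(PROCESS_EVENTS):
        print(image, why)
```

The second URL rule is the one with staying power: the host can change between campaigns, but a /a/chat/s/{GUID} path towards a domain you have not sanctioned for AI API use is a cheap hunt across proxy logs. The Global\\Jdhfv_1.0.1 mutex is not visible in either log source and needs endpoint handle enumeration to confirm.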

Threat scenario:

We’ve chained these detections into a single threat scenario to cover the two stages observed in the attack’s real-world execution.

Scenario: Chrysalis Backdoor via Notepad++ Update Hijacking

