Malicious Notepad++ Network Infrastructure

**Executive summary:** This Censys analysis maps network-level artifacts, TLS certificate pivots, and host timelines tied to the Chrysalis backdoor campaign—linked by Rapid7 to the Lotus Blossom APT and a Notepad++ supply-chain compromise—documenting Cobalt Strike listeners, loader hashes, multiple IPs and certificates, and a timeline of activity from early 2025 through early 2026.