
The Notepad++ supply chain attack — unnoticed execution chains and new IoCs

ID: eca4b18e-53ed-51c3-a230-85b1b3644bcd

STIX ID: report--eca4b18e-53ed-51c3-a230-85b1b3644bcd

Feed Name: Securelist by Kaspersky

Threat Score: 85/100

Date Published: 2026-02-03

Date Updated: 2026-04-29

Author: Georgy Kucherin, Anton Kargin


This report details a targeted Notepad++ supply-chain attack (June–December 2025) in which attackers compromised the update infrastructure to push malicious NSIS installers. The installers executed three distinct infection chains delivering Metasploit downloaders, Cobalt Strike Beacons, and the Chrysalis backdoor to dozens of targeted machines (including government and financial organizations). The document includes timelines, technical analysis of payloads and execution techniques (DLL sideloading, exploit-based execution, encrypted shellcode), and a comprehensive set of IoCs and hunting guidance.
