惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
L
LINUX DO - 最新话题
Help Net Security
Help Net Security
N
News | PayPal Newsroom
www.infosecurity-magazine.com
www.infosecurity-magazine.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
W
WeLiveSecurity
C
CXSECURITY Database RSS Feed - CXSecurity.com
Webroot Blog
Webroot Blog
T
Troy Hunt's Blog
V
Vulnerabilities – Threatpost
Google Online Security Blog
Google Online Security Blog
N
News and Events Feed by Topic
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tor Project blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
PCI Perspectives
PCI Perspectives
Google DeepMind News
Google DeepMind News
T
Tailwind CSS Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Apple Machine Learning Research
Apple Machine Learning Research
IT之家
IT之家
S
SegmentFault 最新的问题
J
Java Code Geeks
P
Privacy & Cybersecurity Law Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 【当耐特】
博客园_首页
H
Hacker News: Front Page
T
Threatpost
Jina AI
Jina AI
博客园 - Franky
月光博客
月光博客
L
LINUX DO - 热门话题
The Cloudflare Blog
H
Heimdal Security Blog
博客园 - 司徒正美
酷 壳 – CoolShell
酷 壳 – CoolShell
Cloudbric
Cloudbric
雷峰网
雷峰网
Hugging Face - Blog
Hugging Face - Blog
S
Secure Thoughts
T
Tenable Blog
I
Intezer
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻

Threat Intelligence Blog | Flashpoint

Understanding Illicit Ecosystems: How Dark Web Forums Structure Cybercrime AI, Trust, and the Future of Threat Intelligence Remus Stealer: A New, Not-So-New Infostealer America250 Fourth of July Threat Assessment Unmasking the Digital Trail: Essential Techniques for Vetting AI-Generated Content The Shift to Threat-Informed Prioritization: Operationalizing CISA BOD 26-04 Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure Connecting Vulnerability Intelligence to Real-World Exposure With Flashpoint EASM Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground How to Align and Measure Threat Intelligence Operations: Flashpoint Priority Intelligence Requirements The Mini Shai-Hulud Worm and the New Era of CI/CD Exploitation Understanding Illicit Ecosystems: The Hybrid Threat of “The Com” AI Threat Report: How Artificial Intelligence Is Used Across Illicit Communities How Mergers and Acquisitions Expand Your Attack Surface Overnight The Evolution of the Geotag: How AI is Bridging the Gap in Location-Based OSINT Navigating the Threat Landscape of the 2026 FIFA World Cup Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains How to Build and Operationalize Priority Intelligence Requirements National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online What the NVD ‘Slowdown’ Means For You: How to Stay Ahead in Vulnerability Management Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026 Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report Cyber Threat Intelligence Index: Q3 2023 Edition Beyond Hamas: Militant and Terrorist Groups Involved in the October 7 Attack on Israel The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram About Us Qakbot Takedown: A Brief Victory in the Fight Against Resilient Malware Unmasking the Attacker and Decoding Threat Actor Patterns The Flashpoint Firehose: 5 Questions With Michael Raypold, VP of Engineering The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism Lessons From Clop: Combating Ransomware and Cyber Extortion Events How to Combat Check Fraud: Leveraging Intelligence to Prevent Financial Loss Beyond Gates and Alarms: The Scope and Impact of Physical Security Intelligence Why We Built Flashpoint Ignite: Unity, Power, and Performance The Risk-Reducing Power of Flashpoint Video Search Card Shop Threat Landscape: BidenCash Dumps 2.1M Stolen Credit Cards Flashpoint in 2023: A Note From Our CEO 5 Reasons Taiwan Is a Growing Source of US-China Tension Why We Acquired Echosec Systems: The OSINT Revolution Open Source Intelligence
What to Know About the Notepad++ Supply-Chain Attack
2026-02-26 · via Threat Intelligence Blog | Flashpoint

The cybersecurity community is still grappling with a sobering realization: one of the most ubiquitous tools in the developer’s toolkit, Notepad++, was hiding a critical vulnerability for over six months. Being so deeply embedded in daily workflows, many organizations did not realize they were vulnerable until a recent security update pulled back the curtain on a sophisticated Chinese state-sponsored campaign, dubbed “Lotus Blossom.”

Investigations have confirmed that the issue wasn’t just a coding error, it was a compromise at the hosting provider level. This means that for much of 2025, even organizations that followed best practices were still potentially open to backdoors from Chinese advanced persistent threat (APT) groups. Here is what you need to know to secure your environment.

Understanding the Notepad++ Vulnerability (CVE-2025-15556)

The vulnerability, tracked as CVE-2025-15556 (VulnDB ID: 430205), exploits a critical flaw in the Notepad++ updater component, WinGUP. In versions prior to the February 2026 patch, the updater failed to verify the file integrity signatures of downloaded installers.

By exploiting this lack of verification, threat actors are able to:

  • Intercept legitimate update requests originating from WinGUp servers
  • Redirect traffic to malicious servers via Man-in-the-Middle (MitM) attacks or DNS cache poisoning
  • Deliver trojanized executables (disguised as update.exe) that appeared to be legitimate software patches

Leveraging this vulnerability, attackers have gained a persistent presence in high-value sectors. According to reports from Kaspersky, the impact has spanned government and telecommunications, critical infrastructure, and financial services.

How CVE-2025-15556 Works

The state-sponsored Lotus Blossom campaign was executed in three attack chains, between July and October 2025. Each phase evolved to evade detection by changing file sizes, IP addresses, and delivery methods.

PhaseTimeline (2025)Execution MethodPayload
Chain #1July – August1MB NSIS installer (update.exe)Multi-stage attack launching a Cobalt Strike beacon via ProShow.exe.
Chain #2September140KB NSIS installer (update.exe)Rotated C2 URLs to maintain stealth while dropping a Cobalt Strike beacon.
Chain #3OctoberBackdoor DeploymentDropped BluetoothService.exe, log.DLL, and shellcode to establish the Chrysalis backdoor.

Mapping CVE-2025-15556 to MITRE ATT&CK

Flashpoint has mapped Lotus Blossom TTPs (tactics, tools, and procedures) to the MITRE ATT&CK framework. Flashpoint analysts have identified the following techniques:

Execution

Technique TitleIDRecommendations
User Execution: Malicious FileT1204.002M1040: Behavior Prevention on Endpoint
M1038: Execution Prevention
M1017: User Training
Native APIT1106M1040: Behavior Prevention on Endpoint
M1038: Execution Prevention
Command and Scripting Interpreter: Windows Command ShellT1059.003M1038: Execution Prevention

Persistence

Technique TitleIDRecommendations
Hijack Execution Flow: DLLT1574.002M1013: Application Developer Guidance
M1047: Audit
M1038: Execution Prevention
M1044: Restrict Library Loading
M1051: Update Software
Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1547.001*MITRE currently does not list any mitigation guidance to combat this attack technique.
Create or Modify System Process: Windows ServiceT1543.003M1047: Audit
M1040: Behavior Prevention on Endpoint
M1045: Code Signing
M1028: Operating System Configuration
M1018: User Account Management

Defense Evasion

Technique TitleIDRecommendations
MasqueradingT1036M1049: Antivirus/Antimalware
M1047: Audit
M1040: Behavior Prevention on Endpoint
M1045: Code Signing
M1038: Execution Prevention
M1022: Restrict File and Directory Permissions
M1018: User Account Management
M1017: User Training
Obfuscated Files or InformationT1027M1049: Antivirus/Antimalware
M1047: Audit
M1040: Behavior Prevention on Endpoint
M1017: User Training
Obfuscated Files or Information: Dynamic API ResolutionT1027.007*MITRE currently does not list any mitigation guidance to combat this attack technique.
Deobfuscate/Decode Files or InformationT1140*MITRE currently does not list any mitigation guidance to combat this attack technique.
Process InjectionT1055M1040: Behavior Prevention on Endpoint
M1026: Privileged Account Management
Reflective Code LoadingT1620*MITRE currently does not list any mitigation guidance to combat this attack technique.
Execution Guardrails: Mutual ExclusionT1480.002M1055: Do Not Mitigate
Indicator Removal: File DeletionT1070.004*MITRE currently does not list any mitigation guidance to combat this attack technique.

Discovery

Technique TitleIDRecommendations
File and Directory DiscoveryT1083*MITRE currently does not list any mitigation guidance to combat this attack technique.
Ingress Tool TransferT1105M1031: Network Intrusion Prevention

Collection

Technique TitleIDRecommendations
Data from Local SystemT1005M1057: Data Loss Prevention

Command and Control

Technique TitleIDRecommendations
Application Layer Protocol: Web ProtocolsT1071.001M1031: Network Intrusion Prevention
Encrypted ChannelT1573M1031: Network Intrusion Prevention
M1020: SSL/TLS Inspection

Exfiltration

Technique TitleIDRecommendations
Exfiltration Over C2 ChannelT1041M1057: Data Loss Prevention
M1031: Network Intrusion Prevention

Protecting Against CVE-2025-15556

Proactive defense requires not only reactive patching of CVE-2025-15556, but also active threat hunting using the TTPs identified by Flashpoint analysts. Flashpoint recommends the following actions:

  1. Immediate Update: Ensure all instances of Notepad ++ are updated to v8.9.1 or higher immediately. This version enforces the signature verification that was missing in previous releases.
  2. Audit System Paths: Scan for malicious file paths used for persistence.
  3. Network Defense: Monitor and block traffic to malicious domains.
  4. Endpoint Hardening: Implement Behavior Prevention on Endpoints (M1040) and Audit (M1047) to detect unauthorized registry run keys or new system services.

Outpace Threat Actors Using Flashpoint

Software trust is only as strong as the infrastructure behind it. As organizations respond to these recent updates, having best-in-class vulnerability intelligence and direct visibility into threat actor TTPs is the best defense.

Leveraging Flashpoint vulnerability intelligence, organizations can move beyond CVE and NVD, by gaining deeper technical analysis and MITRE ATT&CK mapping to defend against sophisticated threat actors. Request a demo to learn more.