China-linked Lotus Blossom hackers breached Notepad++ hosting infrastructure to deliver custom Chrysalis backdoor via update mechanism
A sophisticated supply chain attack has compromised the infrastructure hosting Notepad++, the popular open-source text editor, with researchers attributing the breach to the China-linked threat actor known as Lotus Blossom. The attack, which occurred between June and December 2025, enabled the delivery of a previously undocumented backdoor called Chrysalis to select users through tampered update mechanisms.
The Attack Timeline
The compromise began in June 2025 when threat actors gained access to Notepad++'s hosting provider infrastructure. According to Notepad++ maintainer Don Ho, the attackers exploited insufficient update verification controls in older versions of the software to hijack update traffic and redirect certain users to malicious servers.
The update-verification weakness was closed in December 2025 with the release of version 8.8.9; the attackers' access to the hosting infrastructure was cut off on December 2, 2025. Notepad++ has since migrated to a new hosting provider with additional security controls and rotated all credentials.
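The weakness the timeline describes is an updater that trusts whatever the download host serves. The Go program below is an added illustration, not Notepad++'s GUP updater code or the project's actual fix; the manifest layout, key handling and installer bytes are assumptions. It contrasts a digest-only check, which a hijacked host defeats by serving a self-consistent installer and manifest pair, with verification of a detached Ed25519 signature under a public key pinned in the client, which the host cannot forge because the signing key never lives on it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor. Only the fields needed for
// verification are modelled; a real one would also carry a URL, size, and so on.
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the installer bytes
	Signature []byte // Ed25519 signature over Version + "\n" + SHA256
}

// Sentinel errors so callers can tell the failure modes apart.
var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned key")
	ErrDigestMismatch = errors.New("installer digest does not match the signed manifest")
)

func manifestBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs on an offline release machine. The private key never
// lives on the download host, so compromising that host cannot forge a manifest.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	d := digestOf(installer)
	return Manifest{Version: version, SHA256: d, Signature: ed25519.Sign(priv, manifestBytes(version, d))}
}

// WeakVerify models an updater that only checks the installer against a digest
// fetched from the same host: a hijacked host simply serves a matching pair.
func WeakVerify(m Manifest, installer []byte) error {
	if digestOf(installer) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// StrongVerify first checks the manifest signature under the key pinned in the
// client, then binds the downloaded bytes to that signed manifest.
func StrongVerify(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	if digestOf(installer) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // release key; pub is what the client pins
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed stand-in for the genuine 8.8.9 installer")
	m := SignManifest(priv, "8.8.9", genuine)
	fmt.Println("genuine update, strong check:     ", StrongVerify(pub, m, genuine))

	// A hijacked download host serves its own installer plus a matching digest,
	// reusing the last real signature because it cannot produce a new one.
	trojan := []byte("constructed stand-in for a trojanised update.exe")
	forged := Manifest{Version: "8.8.9", SHA256: digestOf(trojan), Signature: m.Signature}
	fmt.Println("forged pair, weak check (accepts): ", WeakVerify(forged, trojan))
	fmt.Println("forged pair, strong check:         ", StrongVerify(pub, forged, trojan))
	fmt.Println("real manifest, swapped installer:  ", StrongVerify(pub, m, trojan))
}
```

The signed manifest also needs a version field the client compares against what is installed, otherwise an attacker on the host can replay an old, genuinely signed manifest and installer that still contains a known bug; that anti-rollback check is left out here to keep the example on the verification step itself.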
The Chrysalis Backdoor
Rapid7's investigation revealed a multi-stage payload. In the observed process chain, the legitimate Notepad++ binary (notepad++.exe) and its updater (GUP.exe) ran immediately before a suspicious process named update.exe, which had been downloaded from the IP address 95.179.213[.]0.
This update.exe file is a Nullsoft Scriptable Install System (NSIS) installer containing several components:
- An NSIS installation script
- BluetoothService.exe: a renamed copy of the legitimate Bitdefender Submission Wizard, used as the host process for DLL side-loading
- BluetoothService: encrypted shellcode (the Chrysalis implant)
- log.dll: a malicious DLL side-loaded by BluetoothService.exe, which decrypts and executes the shellcode
Chrysalis is described as a "bespoke, feature-rich implant" capable of gathering system information and communicating with an external command-and-control server at api.skycloudcenter[.]com. While this C2 server is currently offline, analysis shows the malware can process HTTP responses to spawn interactive shells, create processes, perform file operations, upload/download files, and uninstall itself.
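The artifacts above translate directly into host and network detections. The following is an added example, not code from Rapid7's report or the Notepad++ project: it runs four rules over constructed, Sysmon-style telemetry records. The event layout, file paths and rule names are assumptions; the binary names, the stager IP and the C2 domain are the article's, written undefanged so they compare against raw telemetry. The side-load rule is the general form of the BluetoothService.exe/log.dll pairing (a DLL loaded from the executable's own directory outside the locations where that is expected), so it fires on other renamed-host-plus-DLL drops as well.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Event is a constructed, Sysmon-like telemetry record, not a real log format.
// Kind is "process", "imageload", "network" or "dns"; unused fields stay empty.
type Event struct {
	Kind        string
	Image       string // image path of the acting process
	ParentImage string // process events only
	ImageLoaded string // imageload events only
	DestIP      string // network events only
	QueryName   string // dns events only
}

// Alert names the rule that fired and the evidence behind it.
type Alert struct {
	Rule string
	Why  string
}

// Indicators from the article, undefanged so they compare against raw telemetry.
const (
	stagerIP = "95.179.213.0"
	c2Domain = "api.skycloudcenter.com"
)

// Windows paths arrive with backslashes; normalise before taking base/dir so the
// rules behave the same whether the detector runs on Windows or Linux.
func norm(p string) string     { return strings.ToLower(strings.ReplaceAll(p, `\`, "/")) }
func baseName(p string) string { return path.Base(norm(p)) }
func dirName(p string) string  { return path.Dir(norm(p)) }

// systemDir reports whether a directory is one where the OS or an installer
// legitimately co-locates executables and DLLs.
func systemDir(d string) bool {
	return strings.Contains(d, "/windows/") || strings.Contains(d, "/program files")
}

// Detect applies four rules derived from the reported process chain and artifacts.
func Detect(events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		switch e.Kind {
		case "process":
			// The updater should hand off to the signed installer, not to an
			// arbitrary update.exe dropped in a user-writable directory.
			if baseName(e.ParentImage) == "gup.exe" && baseName(e.Image) == "update.exe" {
				alerts = append(alerts, Alert{"updater-spawned-update.exe", e.ParentImage + " -> " + e.Image})
			}
		case "network":
			if e.DestIP == stagerIP {
				alerts = append(alerts, Alert{"stager-ip-contact", e.Image + " -> " + e.DestIP})
			}
		case "imageload":
			// Side-loading signature: a DLL loaded from the executable's own
			// directory, outside the locations where that is expected.
			d := dirName(e.Image)
			if d == dirName(e.ImageLoaded) && !systemDir(d) {
				alerts = append(alerts, Alert{"possible-dll-sideload", e.Image + " loaded " + e.ImageLoaded})
			}
		case "dns":
			if norm(e.QueryName) == c2Domain {
				alerts = append(alerts, Alert{"c2-domain-lookup", e.Image + " resolved " + e.QueryName})
			}
		}
	}
	return alerts
}

// SampleEvents is constructed telemetry mirroring the chain in the article; the
// paths are invented, only the binary names and network indicators are reported.
func SampleEvents() []Event {
	npp := `C:\Program Files\Notepad++\notepad++.exe`
	gup := `C:\Program Files\Notepad++\updater\GUP.exe`
	bts := `C:\ProgramData\BluetoothService\BluetoothService.exe`
	return []Event{
		{Kind: "process", Image: gup, ParentImage: npp}, // benign: editor launches its updater
		{Kind: "network", Image: gup, DestIP: stagerIP}, // updater fetches from the stager IP
		{Kind: "process", Image: `C:\Users\alice\AppData\Local\Temp\update.exe`, ParentImage: gup},
		{Kind: "imageload", Image: bts, ImageLoaded: `C:\ProgramData\BluetoothService\log.dll`},
		{Kind: "imageload", Image: `C:\Windows\System32\svchost.exe`, ImageLoaded: `C:\Windows\System32\kernel32.dll`}, // benign
		{Kind: "dns", Image: bts, QueryName: "api.skycloudcenter.com"},
	}
}

func main() {
	for _, a := range Detect(SampleEvents()) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Why)
	}
}
```

Running it prints four alerts and stays silent on the two benign records. The two indicator rules are brittle by nature (the C2 is already offline), so the behavioural ones, GUP.exe spawning an unexpected child and a same-directory DLL load from a user-writable path, are the ones worth keeping in a production rule set.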
Attribution to Lotus Blossom
Rapid7 attributed the attack to Lotus Blossom (also known as Billbug, Bronze Elgin, Raspberry Typhoon, Spring Dragon, and Thrip) based on several technical similarities with previous campaigns attributed to this group. The attribution carries "medium confidence" but is supported by the use of proven techniques including DLL side-loading and service persistence.
What makes this campaign particularly noteworthy is the combination of custom malware with commodity frameworks. The attackers deployed Chrysalis alongside tools like Metasploit and Cobalt Strike, demonstrating a sophisticated approach that blends custom development with established penetration testing frameworks.
Advanced Obfuscation Techniques
One of the most interesting aspects of the attack is the use of Microsoft Warbird, an undocumented internal code protection and obfuscation framework. The attackers used Warbird to execute shellcode, making the malware more difficult to detect and analyze.
Additionally, researchers discovered a file named conf.c designed to retrieve a Cobalt Strike beacon using a custom loader that embeds Metasploit block API shellcode. This demonstrates the attackers' willingness to combine multiple attack methodologies and frameworks.
The threat actors also copied and modified existing proof-of-concept code published by German cybersecurity company Cirosec in September 2024, specifically the abuse of Microsoft Warbird. This shows their ability to rapidly adapt public research for malicious purposes.
Technical Sophistication and Evolution
Rapid7 noted that while Lotus Blossom continues to rely on proven techniques like DLL side-loading and service persistence, their use of a multi-layered shellcode loader and integration of undocumented system calls (specifically NtQuerySystemInformation) represents a clear shift toward more resilient and stealthy tradecraft.
"What stands out is the mix of tools: the deployment of custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike, together with the rapid adaptation of public research," Rapid7 stated. "This demonstrates that Billbug is actively updating its playbook to stay ahead of modern detection."
The use of legitimate executables from Trend Micro and Bitdefender for DLL side-loading is consistent with previous Lotus Blossom campaigns documented by Symantec in April 2025, further supporting the attribution.
Implications for Open Source Security
This attack highlights the ongoing risks to open-source software supply chains and the sophisticated nature of state-sponsored cyber operations. The ability of attackers to compromise hosting infrastructure and selectively target users demonstrates the need for robust security measures throughout the software development and distribution lifecycle.
For Notepad++ users, the incident underscores the importance of keeping software updated to the latest versions, as the vulnerability was only present in older versions of the utility. The swift response by the Notepad++ team in addressing the issue and migrating to more secure infrastructure demonstrates the importance of rapid incident response in the open-source community.
The attack also serves as a reminder that even well-established, widely-used open-source projects can become targets for sophisticated threat actors, particularly when they have a large user base that could be of interest to state-sponsored groups.
Moving Forward
As cyber threats continue to evolve in sophistication, the Notepad++ incident serves as a case study in how state-sponsored groups are combining custom malware development with established frameworks and techniques to create more resilient and stealthy attacks. The use of undocumented system calls, advanced obfuscation techniques, and the rapid adaptation of public research all point to a threat actor that is actively evolving its capabilities to evade detection.
For the broader cybersecurity community, this incident reinforces the need for continued vigilance, robust supply chain security measures, and the importance of threat intelligence in identifying and attributing sophisticated attacks. As Lotus Blossom and similar groups continue to refine their techniques, defenders must remain equally adaptive in their approaches to detection and mitigation.
