China-Linked Lotus Blossom Breaches Notepad++ Hosting
In a concerning escalation of supply chain attacks targeting open-source software, the popular text editor Notepad++ has been compromised by a China-linked threat actor known as Lotus Blossom. This breach, attributed with medium confidence by cybersecurity firm Rapid7, allowed attackers to hijack update traffic and deliver a sophisticated backdoor dubbed Chrysalis to unsuspecting users. The incident, which began in June 2025, underscores the growing risks to developer tools and the vulnerabilities in software distribution pipelines.
The Breach Unfolds: From Hosting Compromise to Malicious Updates
Notepad++, a staple for developers worldwide with its lightweight design and plugin ecosystem, relies on a hosting provider for distributing updates. According to Notepad++ maintainer Don Ho, the compromise occurred at the hosting level, enabling attackers to selectively redirect update requests from targeted users to malicious servers. This redirection exploited weak verification controls in older versions of the software, serving tampered installers instead of legitimate ones.
The attack persisted until December 2, 2025, when the intruder's access was severed. In response, Notepad++ swiftly migrated to a new hosting provider with enhanced security measures and rotated all credentials. The fix arrived with version 8.8.9 in December 2025, which addressed the verification flaws. Rapid7's investigation confirmed no exploitation of the site's plugin or updater mechanisms beyond the hosting breach, focusing instead on the execution chain triggered by running the compromised 'notepad++.exe'.
Security researcher Ivan Feigl from Rapid7 detailed the infection vector: Launching the editor would execute 'GUP.exe' (the updater), which then downloaded and ran a suspicious 'update.exe' from the IP 95.179.213.0. This file, an NSIS installer, unpacked several malicious components, marking a classic case of supply chain tampering.
Technical Breakdown of the Chrysalis Backdoor
At the heart of the attack lies Chrysalis, a previously undocumented implant showcasing advanced tradecraft. The NSIS package included:
- BluetoothService.exe: A renamed Bitdefender Submission Wizard executable used for DLL side-loading, a technique favored by Chinese hacking groups to evade detection.
- BluetoothService: Encrypted shellcode representing the core of Chrysalis.
- log.dll: A malicious DLL that decrypts and executes the shellcode upon sideloading.
Once active, Chrysalis collects system information and beacons to a command-and-control (C2) server at 'api.skycloudcenter[.]com', which is now offline. However, analysis reveals its robust capabilities: processing HTTP responses to launch an interactive shell, spawn processes, handle file operations, upload/download data, and even self-uninstall for cleanup.
Rapid7 noted the malware's evolution, describing it as 'actively developed over time.' A file named 'conf.c' embeds a custom loader to fetch a Cobalt Strike beacon, incorporating Metasploit block API shellcode. Notably, one loader, 'ConsoleApplication2.exe', abuses Microsoft Warbird—an undocumented obfuscation framework—to execute shellcode stealthily. This adaptation stems from a proof-of-concept published by German firm Cirosec in September 2024, which the attackers modified for their purposes.
Attribution to Lotus Blossom: Tactics and Evolution
Rapid7 attributes the operation to Lotus Blossom (also tracked as Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip) based on overlaps with prior campaigns. A Symantec report from April 2025 highlighted similar use of legitimate tools from Trend Micro and Bitdefender for DLL side-loading. Lotus Blossom's playbook blends proven methods like service persistence with innovations, such as multi-layered shellcode loaders and undocumented system calls like NtQuerySystemInformation.
The group's agility stands out: Integrating custom malware like Chrysalis with commodity tools (Metasploit, Cobalt Strike) and repurposing public research on Microsoft Warbird. This hybrid approach enhances resilience against detection, reflecting a shift toward stealthier operations in state-sponsored cyber espionage.
Kaspersky's Observations on Infection Chains
Complementing Rapid7's findings, Kaspersky identified three distinct infection chains in the Notepad++ campaign. These variations likely aimed to maximize reach while minimizing exposure, adapting to different user environments. Kaspersky's breakdown emphasizes the attackers' precision in targeting, possibly focusing on sectors of interest to Chinese intelligence, such as technology and government entities in the US and allied regions.
Implications for Open-Source Security and User Protection
This breach highlights the fragility of open-source ecosystems, where trust in updates is paramount. Notepad++, with millions of users, serves as a gateway for broader attacks if compromised. The selective redirection suggests espionage motives over mass distribution, aligning with Lotus Blossom's history of intellectual property theft and surveillance.
For users, immediate actions include updating to version 8.8.9 or later and scanning systems with reputable antivirus tools. Developers should prioritize code signing, multi-factor authentication for hosting, and robust update verification. The incident also calls for greater scrutiny of supply chains, echoing warnings from bodies like CISA about nation-state threats to software infrastructure.
Experts warn that as attackers evolve, defenses must keep pace. 'Lotus Blossom's integration of public PoCs and undocumented features shows they're not just persistent—they're innovative,' Rapid7 stated. This attack serves as a wake-up call for the tech community to fortify digital supply lines against sophisticated adversaries.
Broader Context: Rising State-Sponsored Threats
In the US, where Notepad++ enjoys widespread adoption among developers, this breach amplifies concerns over China-linked cyber operations. Amid escalating US-China tensions, incidents like this fuel debates on software provenance and international cybersecurity norms. As open-source tools underpin critical infrastructure, protecting them is no longer optional—it's essential.
Stay vigilant: Monitor official Notepad++ channels for updates, and consider endpoint detection solutions attuned to DLL side-loading and anomalous network activity. The cybersecurity landscape is more perilous than ever, but informed awareness can mitigate risks.
