Notepad++ infrastructure hack likely tied to China-nexus APT Lotus Blossom

Rapid7 researchers say the Notepad++ hosting breach is likely linked to the China-nexus Lotus Blossom APT group.

Recently, the Notepad++ maintainer revealed that nation-state hackers compromised the hosting provider’s infrastructure, redirecting update traffic to malicious servers. The attack did not exploit flaws in Notepad++ code but intercepted updates before they reached users.

“According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.” reads the advisory published by the software maintainers. “The exact technical mechanism remains under investigation, though the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.”

The incident began in June 2025 and was linked by multiple researchers to a likely Chinese state-sponsored group, based on its highly selective targeting. Attackers compromised a shared hosting server until September 2, 2025, and later used stolen internal credentials to redirect Notepad++ update traffic to malicious servers until December 2.

The hosting provider moved all affected customers to a new server, fixed the vulnerabilities that were abused, and rotated all credentials that may have been exposed.

After completing these actions, the provider reviewed system logs and confirmed there was no evidence of continued attacker access or malicious activity.

The security expert found the attack ended on November 10, 2025, while the hosting provider reported possible attacker access until December 2. Combining both assessments, the compromise likely lasted from June to December 2, 2025.

Rapid7 Labs and its MDR team uncovered a sophisticated campaign tied to the China-linked APT Lotus Blossom. Active since 2009, the group runs targeted espionage against government, telecom, aviation, critical infrastructure, and media organizations, mainly in Southeast Asia and Central America. The investigation traced a compromise of Notepad++ hosting infrastructure used to deploy a new custom backdoor, dubbed Chrysalis, along with stealthy loaders that abuse Microsoft Warbird to conceal malicious code execution.

“Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor, which we have dubbed Chrysalis.” reads the report published by Rapid7.

Rapid7’s MDR team traced the initial access to abuse of Notepad++ distribution infrastructure. Investigators saw notepad++.exe and GUP.exe run first, followed by a suspicious update.exe downloaded from an external IP. That file turned out to be an NSIS installer, a delivery method often used by Chinese APT groups. It dropped files into a hidden AppData folder and abused DLL sideloading through a renamed Bitdefender binary to decrypt and launch a custom backdoor called Chrysalis.

“Shortly after the execution of BluetoothService.exe, which is actually a renamed legitimate Bitdefender Submission Wizard abused for DLL sideloading, a malicious log.dll was placed alongside the executable, causing it to be loaded instead of the legitimate library.” continues the report. “Two exported functions from log.dll are called by Bitdefender Submission Wizard: LogInit and LogWrite.”

The malware relied on multiple layers of obfuscation to conceal its code and make analysis harder. It used custom API hashing to avoid calling Windows functions directly and encrypted its configuration to hide key settings. After running, it set up persistence to survive reboots, collected detailed information about the infected system, and connected to a remote command-and-control server. Through this connection, attackers could run commands, move files, and take full control of compromised machines.

Chrysalis supports full remote control, including command execution, file transfer, and interactive shells. Investigators also uncovered related loaders abusing Metasploit shellcode, Cobalt Strike beacons, and even Microsoft Warbird protections, showing long-term development and a complex, multi-stage attack chain.

Researchers attribute the campaign to Lotus Blossom based on strong overlaps with prior Symantec research, including a renamed Bitdefender tool used to sideload log.dll, similar loader chains, and shared Cobalt Strike public keys across multiple samples.

“The discovery of the Chrysalis backdoor and the Warbird loader highlights an evolution in Billbug’s capabilities. While the group continues to rely on proven techniques like DLL sideloading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealth tradecraft.” concludes the report. “What stands out is the mix of tools: the deployment of custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike, together with the rapid adaptation of public research (specifically the abuse of Microsoft Warbird).”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Notepad++)