Notepad++ Fixes Vulnerability Used to Hijack Update System

  • 18 hours ago
  • 1 min read

Key Findings


  • Notepad++ patched a weakness in its auto-update mechanism that attackers used to serve malware to selected users as if it were a legitimate update

  • The attack relied on compromise of the hosting infrastructure, which let the attackers intercept and redirect update traffic destined for notepad-plus-plus.org rather than exploit a bug in the editor itself

  • The compromise was linked to Lotus Blossom, a suspected China-linked APT group active since 2009 that targets government, telecom, aviation, critical infrastructure, and media organizations


Background


  • The compromise began in June 2025, and the malicious redirection of update traffic continued until December 2, 2025

  • Attackers first compromised a shared hosting server and later used stolen internal credentials to redirect Notepad++ update traffic to servers under their control

  • The hosting provider moved the affected customers to a new server, fixed the weaknesses that had been exploited, and rotated all exposed credentials


Technical Details


  • Rapid7 Labs analyzed the campaign and attributed it to the Lotus Blossom APT

  • Attackers deployed a new custom backdoor dubbed Chrysalis, delivered by loaders that abused Microsoft Warbird (a Windows code-protection and obfuscation mechanism) to hide the execution of malicious code

  • The malware used custom API hashing, an encrypted configuration, and other obfuscation techniques to hinder analysis

  • Chrysalis gives the operator full remote control of the host, including command execution, file transfer, and interactive shells


Impact and Response


  • Because the attackers controlled what the update server returned, they could selectively push malware only to targeted users; victims spanned cloud hosting, energy, financial, government, manufacturing, and software development organizations

  • Notepad++ version 8.9.2 addressed the issue by introducing a "double lock" update system that verifies both the code signature of the downloaded installer and the signature on the update server's response, so an attacker who controls the web host but not the signing key can no longer push an update

  • Additional security-focused changes were made to the auto-updater component to mitigate DLL side-loading (the updater loading an attacker-planted DLL by name from its own directory or search path) and other risks
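
The double lock described above, modelled as an added Go example that is not Notepad++'s or WinGUp's own code. The updater pins the vendor's Ed25519 public key at build time, requires the server's response to be signed by that key, and then requires the downloaded installer to match the digest that the signed response vouches for; a downgrade check is added because a genuinely signed but older response could otherwise be replayed. The manifest format, the Ed25519-over-JSON signing, the fixed demo seeds and the example.invalid URLs are all assumptions of this example. The page says the real updater verifies the installer's own code signature; this example substitutes a SHA-256 digest bound into the signed manifest, which gives the same property (the host cannot swap the installer) without needing an Authenticode verifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is a hypothetical update-server response, not WinGUp's real format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // digest of the installer this manifest vouches for
}

// SignedResponse is the manifest bytes plus a detached Ed25519 signature over them.
type SignedResponse struct {
	Manifest  []byte
	Signature []byte
}

// Publisher plays the vendor's release pipeline, the only holder of the signing key.
type Publisher struct{ priv ed25519.PrivateKey }

// Publish binds version, URL and installer digest together under one signature.
func (p Publisher) Publish(version, url string, installer []byte) SignedResponse {
	sum := sha256.Sum256(installer)
	raw, _ := json.Marshal(Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])})
	return SignedResponse{Manifest: raw, Signature: ed25519.Sign(p.priv, raw)}
}

// Client plays the auto-updater. The public key is compiled into the binary, so a
// compromised web host cannot replace it the way it can replace files it serves.
type Client struct {
	Pinned    ed25519.PublicKey
	Installed string
}

// VerifyUpdate applies both locks plus a downgrade check; any error means "do not run the installer".
func (c Client) VerifyUpdate(resp SignedResponse, installer []byte) (Manifest, error) {
	// Lock 1: the server response itself must carry a valid signature from the pinned key.
	if !ed25519.Verify(c.Pinned, resp.Manifest, resp.Signature) {
		return Manifest{}, errors.New("lock 1: update response not signed by pinned key")
	}
	var m Manifest
	if err := json.Unmarshal(resp.Manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("malformed manifest: %w", err)
	}
	// Replay/downgrade check: an old but genuinely signed response must not reinstall an older build.
	if !newerThan(m.Version, c.Installed) {
		return Manifest{}, fmt.Errorf("refusing downgrade or replay: %s is not newer than %s", m.Version, c.Installed)
	}
	// Lock 2: the bytes actually downloaded must be the ones the signed manifest vouches for.
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, errors.New("lock 2: installer digest does not match signed manifest")
	}
	return m, nil
}

// newerThan compares dotted numeric versions, e.g. "8.10.0" is newer than "8.9.2".
func newerThan(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x > y
		}
	}
	return false
}

// seedFrom derives a 32-byte demo seed from a label; real release keys are never derived like this.
func seedFrom(label string) []byte {
	s := sha256.Sum256([]byte(label))
	return s[:]
}

// Scenario records whether each update attempt would have been accepted by the hardened client.
type Scenario struct {
	Legitimate, SwappedInstaller, ForgedManifest, ReplayedOld bool
}

// RunScenario replays the shape of the incident: the attacker controls the host, not the key.
func RunScenario() Scenario {
	vendor := Publisher{priv: ed25519.NewKeyFromSeed(seedFrom("vendor demo key"))}
	attacker := Publisher{priv: ed25519.NewKeyFromSeed(seedFrom("attacker demo key"))}
	client := Client{Pinned: vendor.priv.Public().(ed25519.PublicKey), Installed: "8.9.1"}

	genuine := []byte("constructed stand-in for the genuine 8.9.2 installer")
	trojan := []byte("constructed stand-in for a backdoored installer")
	oldBytes := []byte("constructed stand-in for the 8.9.0 installer")
	good := vendor.Publish("8.9.2", "https://example.invalid/npp.exe", genuine)

	var s Scenario
	_, err := client.VerifyUpdate(good, genuine)
	s.Legitimate = err == nil
	// Host compromise, variant 1: leave the vendor's signed manifest alone, swap the download.
	_, err = client.VerifyUpdate(good, trojan)
	s.SwappedInstaller = err == nil
	// Variant 2: rewrite the manifest for the trojan and sign it with a key the attacker holds.
	_, err = client.VerifyUpdate(attacker.Publish("8.9.2", "https://example.invalid/npp.exe", trojan), trojan)
	s.ForgedManifest = err == nil
	// Variant 3: replay an older, genuinely signed release to roll the client back.
	_, err = client.VerifyUpdate(vendor.Publish("8.9.0", "https://example.invalid/old.exe", oldBytes), oldBytes)
	s.ReplayedOld = err == nil
	return s
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it with `go run` prints a Scenario in which only the legitimate update is accepted. The point of the model is that TLS alone does nothing here: the origin host was the thing compromised, so the client must trust a key that never lives on that host. The cost of the design is operational, since rotating a pinned key means shipping a new client build, which is why the key should be generated and held offline in the release pipeline rather than on any web-facing system.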


Sources


  • https://securityaffairs.com/188192/hacking/notepad-patches-flaw-used-to-hijack-update-system.html

  • https://thehackernews.com/2026/02/notepad-fixes-hijacked-update-mechanism.html

  • https://x.com/securityaffairs/status/2024204394904924548

  • https://www.reddit.com/r/cybersecurity/comments/1r8gqtn/notepad_has_a_rough_week_patches_flaw_used_to/

  • https://www.youtube.com/watch?v=MGisfDrdbGo


© 2025 by Explain IT Again. Powered and secured by Wix
