Notepad++ Hosting Breach Tied to China's Lotus Blossom Hackers
- Feb 3
Key Findings
- The Notepad++ hosting infrastructure was compromised, allowing threat actors to hijack update traffic and deliver a previously undocumented backdoor codenamed Chrysalis
- The attack has been attributed with medium confidence to the China-linked advanced persistent threat (APT) group known as Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip)
- The compromise occurred at the hosting provider level, not due to vulnerabilities in Notepad++ itself
- Attackers exploited insufficient update verification controls in older versions of Notepad++ to selectively redirect user update requests to malicious servers
- The weakness was addressed in version 8.8.9 released in December 2025, and Notepad++ has since migrated to a new hosting provider with stronger security
Background
Notepad++ is a widely used open-source text editor, popular among IT administrators, developers, students, and security researchers. The software's hosting infrastructure was recently discovered to have been compromised, enabling threat actors to hijack update traffic and deliver a previously undocumented backdoor known as Chrysalis.
Attack Attributed to Lotus Blossom
Rapid7's analysis has attributed the Notepad++ hosting breach with medium confidence to the China-linked advanced persistent threat (APT) group known as Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip). This attribution is based on similarities with the group's previous campaigns, including the use of legitimate executables for DLL side-loading and the integration of undocumented system calls for stealth and resilience.
Compromise Timeline and Remediation
The initial breach occurred in June 2025 and continued in various forms until at least November, with possible access lasting until December 2, 2025. The compromise was at the hosting provider level, exploiting insufficient update verification controls in older versions of Notepad++ to selectively redirect user update requests to malicious servers.
The weakness was addressed in version 8.8.9 released in December 2025, and Notepad++ has since migrated to a new hosting provider with stronger security measures, including the implementation of signed update responses and stricter enforcement of certificate validation.
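The signed-update-response model described in the remediation paragraph, as an added example rather than Notepad++'s own code: the vendor signs the exact manifest bytes offline with Ed25519, and the client refuses to act on the response unless the signature verifies under a pinned public key and the download URL is HTTPS on the pinned host, so a hosting-level hijack that rewrites the response in transit is rejected. The manifest format, the field names and the updates.example.test host are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/url"
)

// Constructed update-response format (not Notepad++'s own): the client acts on the manifest
// only after the Ed25519 signature over its exact bytes verifies under the pinned vendor key.
type UpdateManifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
}

type SignedResponse struct {
	Manifest  json.RawMessage `json:"manifest"`
	Signature []byte          `json:"signature"`
}

// SignManifest is the vendor-side step, run on the release machine rather than the web host.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) SignedResponse {
	raw, _ := json.Marshal(m) // a struct of plain strings cannot fail to marshal
	return SignedResponse{Manifest: raw, Signature: ed25519.Sign(priv, raw)}
}

// VerifyUpdate is the client-side check: a hijacked host can rewrite the response but cannot forge the signature, and the URL check refuses downloads not served over HTTPS from pinnedHost.
func VerifyUpdate(pub ed25519.PublicKey, resp SignedResponse, pinnedHost string) (UpdateManifest, error) {
	var m UpdateManifest
	if !ed25519.Verify(pub, resp.Manifest, resp.Signature) {
		return m, fmt.Errorf("update rejected: signature does not verify")
	}
	if err := json.Unmarshal(resp.Manifest, &m); err != nil {
		return m, err
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" || u.Hostname() != pinnedHost {
		return m, fmt.Errorf("update rejected: %q is not an https URL on %s", m.URL, pinnedHost)
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only pub would be embedded in the client
	resp := SignManifest(priv, UpdateManifest{Version: "8.8.9", URL: "https://updates.example.test/npp.exe"})
	resp.Manifest = []byte(`{"version":"8.8.9","url":"https://attacker.example.test/npp.exe"}`) // rewritten in transit
	_, err := VerifyUpdate(pub, resp, "updates.example.test")
	fmt.Println("hijacked response rejected:", err != nil)
}
```

Note that signing makes the response tamper-evident regardless of who operates the web host; TLS certificate validation on the update connection then prevents a redirected client from ever reaching an impostor server in the first place.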
Malware Analysis: Chrysalis Backdoor
The delivered malware, codenamed Chrysalis, is a feature-rich implant that gathers system information and contacts an external command-and-control (C2) server to receive additional commands. It is capable of processing incoming HTTP responses to spawn an interactive shell, create processes, perform file operations, upload/download files, and uninstall itself.
The threat actor was also found to have copied and modified an existing proof-of-concept (PoC) published by a German cybersecurity company in order to execute shellcode through Microsoft's undocumented Warbird framework, which is used for code protection and obfuscation.
Infection Chains and Targeted Victims
Kaspersky researchers observed three different infection chains, targeting individuals in Vietnam, El Salvador, and Australia; a government organization in the Philippines; a financial organization in El Salvador; and an IT service provider in Vietnam. The attackers constantly rotated C2 server addresses, downloaders, and final payloads over the course of four months, from July to October 2025.
Conclusion
The Notepad++ hosting breach highlights the ongoing risks associated with supply chain attacks, where trusted software distribution channels can be compromised to target users. The selective nature of the redirections and the patience and precision involved suggest the involvement of a state-sponsored advanced persistent threat group, in this case, the China-linked Lotus Blossom.
The incident serves as a stark reminder of the importance of maintaining strong security practices, including keeping systems up to date, monitoring for unusual behavior, and verifying the integrity of software updates, even for widely used and trusted applications.
Sources
https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html
https://hackread.com/notepad-updates-malware-hosting-breach/
https://securityaffairs.com/187570/apt/notepad-infrastructure-hack-likely-tied-to-china-nexus-apt-lotus-blossom.html
https://x.com/shah_sheikh/status/2018549771431014546
https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/
https://www.facebook.com/thehackernews/posts/-china-linked-lotus-blossom-compromised-notepad-hosting-infrastructure-to-hijack/1284335237064390/