
Notepad++ Targeted by China-Based Espionage Group for Six Months

  • Feb 2

Key Findings


  • China-based espionage group Lotus Blossom compromised the internal systems of Notepad++, a popular open-source code editor, for nearly six months starting in June 2025.

  • The group deployed various payloads, including a custom backdoor, to selectively spy on a limited set of Notepad++ users' activities.

  • The campaign showcased resilience and stealth tradecraft, but did not result in a mass compromise of all Notepad++ users.

  • The attackers exploited "insufficient update verification controls" in older versions of Notepad++ to hijack the software's update mechanism and deliver malicious updates.

  • Notepad++ has since migrated to a new hosting provider and overhauled its update mechanism to address the vulnerabilities.


Background


Notepad++ is an extremely popular open-source code editor, widely used by developers, IT administrators, engineers, and analysts, including those in government, telecom, critical infrastructure, and media sectors.


The Chinese APT group Lotus Blossom, also known as Billbug, Thrip, and Raspberry Typhoon, has been active since at least 2009 and is believed to be a state-sponsored hacking group.


Compromise Details


  • Lotus Blossom gained recurring access to Notepad++'s internal systems and servers, compromising the tool's update infrastructure.

  • The group deployed various payloads, including a custom backdoor, to selectively monitor the activities of a limited number of targeted Notepad++ users.

  • The attacks were a targeted, espionage-focused campaign rather than a mass compromise of all Notepad++ users.

  • The attackers exploited "insufficient update verification controls" in older versions of Notepad++ to hijack the software's update mechanism and deliver malicious updates.

  • The compromise lasted for nearly six months, from June 2025 until early December 2025, when the hosting provider evicted the attackers.


Response and Mitigation


  • Notepad++'s developer, Don Ho, released a software update on December 9, 2025, addressing the authentication weaknesses that allowed the attackers to hijack the Notepad++ updater client and user traffic.

  • The Notepad++ project has migrated its website to a new hosting provider with stronger security practices.

  • The software's update mechanism, WinGup, has been significantly overhauled in version 8.8.9: it now verifies the certificate and signature of downloaded installers, and it uses XMLDSig to authenticate the update instructions themselves.

  • Users are strongly advised to update to version 8.8.9 or later to benefit from the new verification protections.
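The client-side checks the overhaul describes, as an added example in Go that is not Notepad++'s or WinGup's code: the update instructions are verified under a pinned publisher key before they are parsed, and the installer is accepted only if it matches the digest those signed instructions commit to. The JSON manifest format, the Ed25519 key (standing in for the project's XMLDSig signing key) and the installer bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed update-instruction format standing in for the real one.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest the signed manifest commits the installer to
}

// SignManifest is the publisher side: serialise, then sign the exact bytes the client will verify.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte) {
	raw, _ = json.Marshal(m)
	return raw, ed25519.Sign(priv, raw)
}

// VerifyUpdate is the client side. It trusts the instructions only under the pinned publisher
// key, and the installer only if it matches the digest those signed instructions commit to.
func VerifyUpdate(pub ed25519.PublicKey, raw, sig []byte, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature invalid: update instructions rejected")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if fmt.Sprintf("%x", sha256.Sum256(installer)) != m.SHA256 {
		return nil, errors.New("installer digest mismatch: binary swapped or corrupted")
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	installer := []byte("constructed stand-in for the installer bytes")
	raw, sig := SignManifest(priv, Manifest{Version: "8.8.9", SHA256: fmt.Sprintf("%x", sha256.Sum256(installer))})
	_, err := VerifyUpdate(pub, raw, sig, installer)
	fmt.Println("genuine update:", err)
	_, err = VerifyUpdate(pub, raw, sig, []byte("swapped binary"))
	fmt.Println("swapped installer:", err)
}
```

A production client would additionally reject manifests that advertise a version no newer than the installed one, so that a captured but genuine old manifest cannot be replayed.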


Conclusion


The China-based espionage group Lotus Blossom successfully compromised the internal systems of Notepad++ for nearly six months, leveraging the tool's update mechanism to selectively target a limited set of users. The campaign showcased the group's resilience and stealth tradecraft, but did not result in a mass compromise. Notepad++ has since taken steps to secure its infrastructure and update process, mitigating the immediate threat.


Sources


  • https://cyberscoop.com/china-espionage-group-lotus-blossom-attacks-notepad/

  • https://securityonline.info/notepad-hijacked-state-sponsored-actors-poisoned-updates-for-months/

© 2025 by Explain IT Again.