A recent Notepad++ breach has ties to Lotus Blossom, a China-linked threat actor, according to cybersecurity firm Rapid7. Specifically, hackers compromised the software’s hosting infrastructure and delivered a new backdoor called Chrysalis to select users.
The campaign began in June 2025. At that time, attackers exploited weak update verification in older Notepad++ versions to redirect certain users to malicious servers. As a result, these users received tampered updates that installed malware. Later, developers patched the flaw in version 8.8.9, released in December 2025. Following the fix, Notepad++ moved to a more secure hosting provider and reset all credentials.
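To make the "weak update verification" failure mode concrete, here is an added example (not Notepad++ or GUP code, and not a description of the actual flaw) that contrasts an updater check which accepts whatever a redirect hands back with one that pins the download host and the file digest. The allowlisted host `updates.example.test`, the sample bytes and the digest are constructed for the example; in a real updater the expected digest would come from a vendor-signed manifest.

```python
"""
Added example (not Notepad++ or GUP code): a weak update check beside a
stricter one. ALLOWED_HOSTS, the payload bytes and the digests are
constructed placeholders; a real updater would take the expected digest
from a signed manifest fetched over TLS.
"""
import hashlib
import hmac
from urllib.parse import urlparse

ALLOWED_HOSTS = {"updates.example.test"}  # constructed placeholder host


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def weak_verify(final_url: str, payload: bytes) -> bool:
    """Weak pattern: follow whatever redirect the server returned and accept
    the file as long as it looks like an installer. Nothing ties the bytes to
    the vendor, so a download redirected to an attacker host is accepted."""
    return final_url.lower().endswith(".exe") and len(payload) > 0


def strong_verify(requested_url: str, final_url: str, payload: bytes,
                  expected_sha256: str) -> tuple[bool, str]:
    """Stricter pattern: HTTPS only, the requested host must be allowlisted,
    the final URL after redirects must stay on that host, and the bytes must
    match a digest obtained out of band. Returns (accepted, reason)."""
    req, fin = urlparse(requested_url), urlparse(final_url)
    if req.scheme != "https" or fin.scheme != "https":
        return False, "not-https"
    if req.hostname not in ALLOWED_HOSTS:
        return False, "host-not-allowed"
    if fin.hostname != req.hostname:
        return False, "redirected-off-host"
    # Constant-time comparison so the check itself leaks nothing useful.
    if not hmac.compare_digest(sha256_hex(payload), expected_sha256.lower()):
        return False, "digest-mismatch"
    return True, "ok"


if __name__ == "__main__":
    sample = b"constructed installer bytes"  # constructed, not a real file
    pinned = sha256_hex(sample)
    # The weak check accepts a redirect to a bare IP; the strict check does not.
    print(weak_verify("http://95.179.213.0/update.exe", sample))
    print(strong_verify("https://updates.example.test/update.exe",
                        "https://95.179.213.0/update.exe", sample, pinned))
    print(strong_verify("https://updates.example.test/update.exe",
                        "https://updates.example.test/update.exe", sample, pinned))
```

The order of the checks matters: scheme and host are rejected before any bytes are hashed, so an off-host redirect fails fast and the digest comparison only ever runs on a download from the expected origin.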
Importantly, Rapid7 found no signs that hackers altered plugins or updater code. Instead, they hijacked the update delivery system itself. For example, when users ran the legitimate updater (GUP.exe), it downloaded a malicious file named “update.exe” from 95.179.213.0.
This file turned out to be an NSIS installer. It included a renamed Bitdefender tool (BluetoothService.exe) that enabled DLL sideloading—a tactic Chinese groups often use. Then, a malicious DLL (log.dll) decrypted and ran the Chrysalis shellcode.
Chrysalis functions as a feature-rich implant. It gathers system information and contacts a command-and-control server at “api.skycloudcenter[.]com” for further instructions. Although the server is now offline, researchers confirmed the malware can spawn shells, manage files, upload data, and uninstall itself.
In addition, analysts uncovered a config file (“conf.c”) that fetches a Cobalt Strike beacon using a custom loader. One such loader, “ConsoleApplication2.exe,” abused Microsoft Warbird—an undocumented obfuscation framework—by adapting public code from German firm Cirosec.
Rapid7 linked the attack to Lotus Blossom based on similarities with past operations. For instance, in April 2025, Symantec documented a related campaign that used legitimate security software for DLL sideloading.
Meanwhile, Kaspersky observed three infection chains between July and October 2025. These targeted about a dozen high-value victims in Vietnam, El Salvador, Australia, and the Philippines—including government, finance, and IT organizations.
Each chain evolved monthly. Early versions used ProShow software for sideloading and sent basic system data like “whoami” and “tasklist.” Later, variants added “netstat” and “systeminfo,” rotated C2 domains like self-dns.it[.]com, and changed payload URLs frequently.
By October, attackers used three filenames—update.exe, install.exe, and AutoUpdater.exe—from the same IP to mix execution patterns. Critically, all chains ultimately deployed Cobalt Strike beacons through Metasploit downloaders.
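The indicators above (the updater fetching an executable from a bare IP, the renamed Bitdefender binary loading log.dll, the C2 domains, and the rotating payload names served from one address) map directly onto detection rules. The following is an added example, not tooling from Rapid7, Kaspersky or Notepad++: a small detection pass over constructed endpoint log lines. The key=value log format, field names, timestamps and the `C:\Users\u\...` paths are assumptions made for the example; the hostnames, IP and file names are the ones reported in the article, with defanging brackets removed so they match.

```python
"""
Added example (not from Rapid7, Kaspersky or Notepad++): detection rules
over constructed endpoint log lines, keyed on the indicators reported in
the article. The log format, field names, timestamps and paths are
assumptions; the IP, domains and file names are from the article.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators from the article (defanged "[.]" written as "." for matching).
C2_DOMAINS = {"api.skycloudcenter.com", "self-dns.it.com"}
PAYLOAD_NAMES = {"update.exe", "install.exe", "autoupdater.exe"}
UPDATER = "gup.exe"
SIDELOAD_HOST = "bluetoothservice.exe"
SIDELOAD_DLL = "log.dll"

# Constructed sample telemetry (not real logs); updates.example.test is a
# placeholder for a legitimate update host.
SAMPLE_LOG = r"""
ts=2025-09-01T10:00:01Z proc=GUP.exe event=download url=http://95.179.213.0/update.exe
ts=2025-09-01T10:00:02Z proc=update.exe event=write path=C:\Users\u\AppData\Local\Temp\BluetoothService.exe
ts=2025-09-01T10:00:03Z proc=BluetoothService.exe event=load_image path=C:\Users\u\AppData\Local\Temp\log.dll
ts=2025-09-01T10:00:04Z proc=BluetoothService.exe event=dns query=api.skycloudcenter.com
ts=2025-10-03T09:12:00Z proc=GUP.exe event=download url=http://95.179.213.0/AutoUpdater.exe
ts=2025-10-03T09:30:00Z proc=chrome.exe event=dns query=example.org
ts=2025-10-04T09:12:00Z proc=GUP.exe event=download url=https://updates.example.test/notepad.exe
"""

TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one 'key=value key=value' log line into a dict."""
    return dict(TOKEN.findall(line))


def is_raw_ip(host: str) -> bool:
    """True when the download host is a literal IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect(log_text: str) -> list:
    """Apply four rules and return (rule, key, detail) tuples."""
    alerts = []
    names_per_ip = defaultdict(set)  # payload names seen per download host
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        proc = ev.get("proc", "").lower()
        kind = ev.get("event")
        if kind == "download":
            url = urlparse(ev["url"])
            host = url.hostname or ""
            fname = url.path.rsplit("/", 1)[-1].lower()
            # Rule 1: the legitimate updater pulling a binary from a bare IP.
            if proc == UPDATER and is_raw_ip(host):
                alerts.append(("updater_raw_ip_download", ev["ts"], ev["url"]))
            if fname in PAYLOAD_NAMES:
                names_per_ip[host].add(fname)
        elif kind == "load_image":
            # Rule 2: the renamed vendor binary loading log.dll beside itself.
            if proc == SIDELOAD_HOST and ev["path"].lower().endswith("\\" + SIDELOAD_DLL):
                alerts.append(("dll_sideload", ev["ts"], ev["path"]))
        elif kind == "dns":
            # Rule 3: resolution of a reported C2 domain.
            if ev["query"].lower() in C2_DOMAINS:
                alerts.append(("known_c2_domain", ev["ts"], ev["query"]))
    # Rule 4: several of the reported payload names served from one address.
    for host, names in names_per_ip.items():
        if len(names) >= 2:
            alerts.append(("rotating_payload_names", host, sorted(names)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rules 1 and 2 are the durable ones: a signed updater fetching an executable from a literal IP, or a vendor-signed binary loading a DLL from a user-writable temp directory, stays suspicious after the specific IP and domains rotate, whereas rules 3 and 4 decay as soon as the operator changes infrastructure.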
Notably, no malicious payloads appeared after November 2025. This suggests the campaign ended once defenders exposed the breach.
In summary, this Notepad++ breach shows how software supply chains remain prime targets. Because attackers compromised update mechanisms, they achieved precise, global access. As Kaspersky noted, their constant tactical shifts made this one of the stealthiest supply chain attacks in recent years.