A China-based threat group, identified as Lotus Blossom, is suspected of compromising the internal systems of Notepad++, a widely used open-source code editor, to conduct espionage against a targeted group of users. The intrusion, which began in June 2025 and lasted for approximately six months, allowed the attackers to gain recurring access and deploy surveillance tools.
Security researchers at Rapid7 first disclosed the breach on Monday, detailing how the sophisticated attackers, also known by aliases such as Billbug and Raspberry Typhoon, exploited vulnerabilities in Notepad++’s update mechanism. Don Ho, the maintainer of Notepad++, confirmed the cybersecurity firm’s findings and released a software update on December 9 to address the identified authentication weaknesses that enabled the hijacking of the updater client and user traffic.
Lotus Blossom espionage campaign targets Notepad++
The threat group Lotus Blossom has been active since at least 2009, and its operational tactics indicate a focus on long-term strategic intelligence gathering rather than immediate financial gain or broad data theft. According to Rapid7’s analysis, the group deployed a custom backdoor and other payloads to monitor the activities of a select number of users.
“We have no evidence of bulk data exfiltration,” Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, told CyberScoop. “The tooling observed is consistent with post-compromise reconnaissance, command execution, and selective data access, rather than broad data harvesting.”
Stealthy operations and limited scope
The attacks were characterized by their resilience and stealth, avoiding a widespread compromise of all Notepad++ users. Instead, the threat actors focused on infiltrating a limited number of specific environments. This selective approach suggests a deliberate targeting strategy.
“Post-compromise behavior included system profiling, persistence mechanisms, and remote command execution consistent with long-term espionage access rather than immediate disruption or monetization,” Beek added. “The objective appears aligned with strategic intelligence collection, consistent with Lotus Blossom’s historical operations.”
The former hosting provider for Notepad++ confirmed that the attackers lost direct access to the tool’s server on September 2. However, they maintained unauthorized access to legitimate credentials for internal services until December 2, which facilitated the redirection of Notepad++ update traffic to malicious servers.
Ho did not specify a timeline for when the unauthorized access was first detected. The Notepad++ website, which was exploited due to “insufficient update verification controls that existed in older versions of Notepad++,” has since been migrated to a new hosting provider with enhanced security protocols.
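What "sufficient update verification" means in practice is that the updater client authenticates each update against a public key it already carries, so that neither a hijacked update server nor redirected update traffic can substitute a payload the vendor never signed. The following Go program is an added illustration written for this article; it is not Notepad++'s code and does not reproduce its real update format. The manifest layout, version string, installer bytes and key pair are all constructed for the example. It contrasts a weak client that trusts whatever the endpoint serves with a client that verifies an Ed25519 signature over the manifest and then the installer digest the manifest vouches for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the update metadata a client fetches from the update server.
// Constructed for this example; it is not Notepad++'s actual format.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the installer this manifest vouches for
}

// encode serialises the manifest deterministically so the signature covers
// exactly these fields and nothing the server could add later.
func (m Manifest) encode() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// Sentinel errors let the caller distinguish a forged manifest from a
// genuine manifest paired with a swapped installer.
var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrHashMismatch = errors.New("installer digest does not match signed manifest")
)

// VerifyUpdate models a client that trusts only the key compiled into it.
// Control of the update server or of the network path is not enough to pass
// this check without the vendor's offline signing key.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig []byte, installer []byte) error {
	if !ed25519.Verify(pinned, m.encode(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// WeakVerify models the failure mode: the client checks only that the
// installer matches an unsigned manifest fetched from the same endpoint.
// Whoever controls the endpoint supplies both, so a consistent pair always passes.
func WeakVerify(m Manifest, installer []byte) bool {
	sum := sha256.Sum256(installer)
	return hex.EncodeToString(sum[:]) == m.SHA256
}

// SignManifest is the vendor's release-time step, kept here so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

func manifestFor(version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
}

// ScenarioResult records how each client behaves against a genuine release
// and against two hijack attempts.
type ScenarioResult struct {
	GenuineAccepted     bool  // pinned-key client accepts the vendor's release
	WeakAcceptsHijack   bool  // weak client accepts attacker manifest + installer
	ForgedManifestErr   error // pinned-key client vs attacker-signed manifest
	SwappedInstallerErr error // pinned-key client vs genuine manifest, substituted installer
}

func RunScenario() ScenarioResult {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // vendorPub is what the client pins

	genuine := []byte("constructed: genuine installer bytes")
	m := manifestFor("example-1.0", genuine) // version string is a placeholder
	sig := SignManifest(vendorPriv, m)

	// An attacker on the update path serves a self-consistent manifest and
	// installer, signed with a key of their own since they lack the vendor's.
	trojan := []byte("constructed: substituted installer bytes")
	attackerManifest := manifestFor("example-1.0", trojan)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerSig := SignManifest(attackerPriv, attackerManifest)

	return ScenarioResult{
		GenuineAccepted:     VerifyUpdate(vendorPub, m, sig, genuine) == nil,
		WeakAcceptsHijack:   WeakVerify(attackerManifest, trojan),
		ForgedManifestErr:   VerifyUpdate(vendorPub, attackerManifest, attackerSig, trojan),
		SwappedInstallerErr: VerifyUpdate(vendorPub, m, sig, trojan),
	}
}

func main() {
	r := RunScenario()
	fmt.Println("genuine release accepted by pinned-key client:", r.GenuineAccepted)
	fmt.Println("weak client accepts hijacked update:", r.WeakAcceptsHijack)
	fmt.Println("pinned-key client, forged manifest:", r.ForgedManifestErr)
	fmt.Println("pinned-key client, swapped installer:", r.SwappedInstallerErr)
}
```

The design point is that the signing key never lives on the update host: the vendor signs the manifest offline, and the client's pinned public key is the only trust root, so credentials for the hosting account or control of DNS and traffic do not let an attacker produce an update the client will install. Pinning also needs a rotation plan (shipping a new key in a release signed by the old one), which this example leaves out.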
Disruption and user precautions
Beek confirmed that Lotus Blossom’s unauthorized access appears to have been disrupted, noting that its known infrastructure linked to the months-long campaign is no longer active. Reports from some security researchers concerning incidents possibly linked to the Notepad++ compromise began to emerge in November.
While Notepad++’s internal system improvements are believed to have halted the malicious activity, Beek strongly advises users running older versions of the software to update as a precautionary measure. “We are not seeing ongoing active exploitation tied to this campaign,” he stated.
Lotus Blossom has a history of targeting software that offers potential access to sensitive targets. Notepad++, first released in 2003 as an alternative to Windows Notepad, is widely adopted by developers, IT administrators, engineers, and analysts, including professionals in government, telecommunications, critical infrastructure, and media sectors. This broad user base makes it a valuable target for espionage groups.
The incident has prompted widespread discussion among cybersecurity researchers and users on social media, with many expressing concerns about the potential long-term implications of the intrusion and the ultimate objectives of this sophisticated spy campaign.
“Observed activity suggests selective, targeted follow-on exploitation,” Beek concluded, “not opportunistic mass infection.”
The immediate next step for users is to ensure their Notepad++ installations are updated to the latest version to mitigate any residual risks. The ongoing investigation will likely focus on identifying the specific individuals or organizations targeted to understand the full scope of Lotus Blossom’s intelligence-gathering efforts. Further analysis of the threat group’s methods and infrastructure may also be undertaken by cybersecurity firms.