State-sponsored threat actors known as Lotus Blossom have successfully infiltrated the official hosting infrastructure of Notepad++, a widely used open-source code editor. This compromise, which occurred between June and December 2025, allowed the attackers to target government agencies, telecommunications firms, and critical infrastructure operators. The breach enabled Lotus Blossom to intercept and redirect traffic to the Notepad++ update server, rerouting users to malicious infrastructure for further exploitation, primarily affecting those in Southeast Asia but also reaching South America, the United States, and Europe.
Notepad++ is a crucial tool for system administrators, network engineers, and DevOps professionals, often utilized on secure systems for modifying configurations, parsing logs, and auditing code. By compromising this fundamental development tool, attackers exploited insufficient verification controls in older versions of its update component, WinGUp. This allowed them to bypass perimeter defenses and potentially gain implicit administrative access to core network infrastructure by leveraging privileged user sessions.
Lotus Blossom’s Sophisticated Attack on Notepad++ Infrastructure
The infiltration mechanism involved the exploitation of a vulnerability in WinGUp, the update component for Notepad++. When targeted users attempted to update their software, they inadvertently downloaded a malicious installer disguised as `update.exe`. Palo Alto Networks analysts, specifically their Unit 42 research team, detailed two distinct infection chains originating from this compromised installer. One variant utilized Lua script injection to deliver Cobalt Strike beacon malware, while another employed DLL sideloading techniques to deploy a custom backdoor known as Chrysalis.
In the Chrysalis backdoor deployment, the malicious installer leveraged a legitimate Bitdefender component, `BluetoothService.exe`, to load a malicious library, `log.dll`. This library, in turn, decrypted and executed the custom backdoor, establishing a persistent connection. Further analysis revealed command-and-control (C2) server communications between August and November 2025 with IP addresses 45.76.155[.]202 and 45.77.31[.]210. The threat actors demonstrated adaptability by shifting between these servers, ensuring sustained access to compromised systems.
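The two observables this paragraph gives a defender are the sideload pair (a legitimate `BluetoothService.exe` loading `log.dll`) and the two C2 addresses. The following is an added example, not code from the article or from Unit 42, showing how a simple hunt over endpoint telemetry would pick up both; the log format and the log lines are constructed for the demo, so a real deployment would adapt the regular expressions to its own EDR or Sysmon export.

```python
import re
from collections import namedtuple

# Indicators reported in the article. The addresses are published defanged;
# refang() restores the dots so they can be matched against real telemetry.
C2_ADDRESSES = {"45.76.155[.]202", "45.77.31[.]210"}
SIDELOAD_HOST = "bluetoothservice.exe"   # legitimate Bitdefender binary abused as the loader
SIDELOAD_LIB = "log.dll"                 # malicious library it was tricked into loading

Finding = namedtuple("Finding", "ts rule detail")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 45.76.155[.]202 back into a matchable string."""
    return indicator.replace("[.]", ".")


C2_SET = {refang(a) for a in C2_ADDRESSES}


def basename(win_path: str) -> str:
    """Case-insensitive file name of a Windows path (directory differs per victim)."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed line formats (assumption: one event per line, quoted paths).
IMAGE_LOAD_RE = re.compile(
    r'^(?P<ts>\S+) IMAGE_LOAD host="(?P<host>[^"]+)" image="(?P<image>[^"]+)"$')
NET_RE = re.compile(
    r'^(?P<ts>\S+) NET_CONNECT proc="(?P<proc>[^"]+)" dst=(?P<dst>[\d.]+):(?P<port>\d+)$')


def scan(log_text: str) -> list:
    """Return one Finding per line that matches the sideload pair or a known C2 address."""
    findings = []
    for line in log_text.splitlines():
        m = IMAGE_LOAD_RE.match(line)
        if m:
            if basename(m["host"]) == SIDELOAD_HOST and basename(m["image"]) == SIDELOAD_LIB:
                findings.append(Finding(m["ts"], "sideload_pair",
                                        f'{m["host"]} loaded {m["image"]}'))
            continue
        m = NET_RE.match(line)
        if m and m["dst"] in C2_SET:
            findings.append(Finding(m["ts"], "c2_contact",
                                    f'{m["proc"]} -> {m["dst"]}:{m["port"]}'))
    return findings


# Constructed sample telemetry: a benign load by the real Bitdefender binary, the
# sideload from a temp directory, the beacon, and an unrelated browser connection.
SAMPLE_LOG = """\
2025-09-03T10:14:02Z IMAGE_LOAD host="C:\\Program Files\\Bitdefender\\BluetoothService.exe" image="C:\\Windows\\System32\\bcrypt.dll"
2025-09-03T10:14:05Z IMAGE_LOAD host="C:\\Users\\admin\\AppData\\Local\\Temp\\BluetoothService.exe" image="C:\\Users\\admin\\AppData\\Local\\Temp\\log.dll"
2025-09-03T10:14:06Z NET_CONNECT proc="BluetoothService.exe" dst=45.76.155.202:443
2025-09-03T10:15:11Z NET_CONNECT proc="chrome.exe" dst=198.51.100.7:443
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.rule, f.detail)
```

The sideload rule keys on file names only, because the article reports that the loader is a genuine Bitdefender component: the signal is not the binary itself but `log.dll` being loaded beside it, typically from a user-writable directory. Address matching is exact and should be refreshed as the published indicator list changes, since the actors moved between the two servers during the campaign.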
Technical Details of the Infection Chains
The Chrysalis backdoor employed several techniques to evade detection by security software. According to reports, attackers integrated the Microsoft Warbird code protection framework and developed custom API hashing methods. These measures were designed to reduce the likelihood of antivirus detection and maintain covert remote control over infected systems. In the Lua script injection variant, attackers used the `EnumWindowStationsW` API to inject shellcode, facilitating the delivery of the Cobalt Strike beacon malware.
The broad scope of the campaign included targets in the cloud hosting, energy, financial, government, manufacturing, and software development sectors across multiple continents. Successful connections to malicious C2 servers were observed occurring within seconds of the malicious payload download, with communication lines remaining open for extended durations. This highlights the efficiency and persistence of the Lotus Blossom group’s operations.
In response to the security incident, Notepad++ has released version 8.9.1, incorporating enhanced security measures. These updates include strengthened certificate and signature verification for downloaded installers and the implementation of XML signing for update server responses. Furthermore, Notepad++ has migrated to a new hosting provider that adheres to more robust security practices. Stricter verification protocols are slated to be enforced starting with version 8.9.2, indicating a commitment to preventing future breaches and reinforcing user trust in the software’s integrity.
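The fix described here moves trust from the download host to checks the client performs on what it received: the installer must match the hash in a signed manifest and must carry a verifiable signature. The following is an added example, not Notepad++ or WinGUp code, of the client-side gate for the first half of that: it pins the installer to a SHA-256 value (assumed to come from a signed manifest) and parses the PE headers to confirm an Authenticode certificate table is present before anything else happens. The PE images are constructed in the code and are not real executables. Checking that a certificate table exists is only a pre-check; verifying the signature and its chain is done afterwards with the platform's trust API (WinVerifyTrust or signtool), which this example does not replace.

```python
import hashlib
import struct

# Index of the Attribute Certificate Table in the PE optional header's data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def security_directory(data: bytes):
    """Return (file_offset, size) of the Authenticode certificate table, or None if absent.

    Raises ValueError when the bytes are not a structurally valid PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:      # PE32+
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic")
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        return None
    # For this directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    return offset, size


def vet_installer(data: bytes, expected_sha256: str) -> list:
    """Return the reasons an update client should refuse this installer; empty means it passed."""
    problems = []
    if sha256_hex(data) != expected_sha256.lower():
        problems.append("sha256 mismatch with signed manifest")
    try:
        if security_directory(data) is None:
            problems.append("no Authenticode certificate table")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def build_fake_pe(with_cert_table: bool) -> bytes:
    """Constructed minimal PE32+ header (not runnable code) for exercising the checks."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    header_len = 64 + 4 + 20 + 240
    cert = b"\0" * 16 if with_cert_table else b""               # stand-in WIN_CERTIFICATE blob
    if with_cert_table:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    good = build_fake_pe(True)
    manifest_hash = sha256_hex(good)   # in practice read from the signed update manifest
    print("signed:", vet_installer(good, manifest_hash))
    print("unsigned:", vet_installer(build_fake_pe(False), manifest_hash))
```

The order of the checks matters: the hash comparison ties the bytes to what the publisher signed into the manifest, so a server that substitutes `update.exe` fails before any parsing of untrusted content begins, and the PE parse bounds-checks every offset it reads so a malformed file is rejected rather than crashing the updater.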
The ongoing investigation into the full extent of the compromise and the specific capabilities of the Chrysalis backdoor will continue to be a priority for cybersecurity analysts. The shift by threat actors to target widely used development tools underscores the evolving landscape of cyber threats and the importance of maintaining up-to-date security practices across all software supply chains. Users are advised to update to the latest version of Notepad++ and remain vigilant regarding any suspicious software update notifications.

