

Ethical Hacking News

A China-Linked Malware Campaign: Unpacking the Notepad++ Breach and the Rise of Lotus Blossom



A recent breach in the Notepad++ infrastructure has revealed a new strain of malware linked to a China-sponsored hacking group, highlighting the growing threat of supply chain attacks and the increasing sophistication of malware campaigns used by state-sponsored actors. The incident underscores the need for software maintainers to prioritize security and for hosting providers to strengthen their defenses against such threats.

  • Rapid7 discovered a breach in Notepad++'s infrastructure, linked to China-based state-sponsored hacking group Lotus Blossom.
  • The breach allowed threat actors to hijack update traffic and serve tampered updates that exploited insufficient update verification controls in older versions.
  • A previously undocumented backdoor called Chrysalis was delivered to users of Notepad++, gathering system info and contacting an external server for further commands.
  • Chrysalis is a bespoke implant whose features include acting on commands received in HTTP responses to spawn an interactive shell, creating processes, and uninstalling itself.
  • The incident highlights the growing threat of supply chain attacks and the increasing sophistication of malware campaigns used by state-sponsored actors.



Notepad++ is one of the most popular open-source text editors, used by millions of users worldwide. However, a recent breach in its infrastructure has revealed that it may have been compromised by a state-sponsored hacking group linked to China. The incident, which was attributed to a China-linked threat actor known as Lotus Blossom (also referred to as Billbug, Bronze Elgin, Spring Dragon, and Thrip), has shed light on the growing threat of supply chain attacks and the increasing sophistication of malware campaigns used by state-sponsored actors.

According to recent findings from Rapid7, a cybersecurity research firm, the breach came to light when Notepad++ maintainer Don Ho reported that a compromise at the hosting provider level had allowed threat actors to hijack update traffic starting in June 2025. The attackers selectively redirected update requests from certain users to malicious servers, serving them a tampered update that exploited insufficient update verification controls in older versions of the utility.

The weakness was plugged in December 2025 with the release of version 8.8.9. However, it has since emerged that the hosting provider for the software was breached to perform targeted traffic redirections until December 2, 2025, when the attacker's access was terminated. Notepad++ has since migrated to a new hosting provider with stronger security and rotated all credentials.
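The two paragraphs above describe the core control that a hosting-level redirect can defeat: an updater that installs whatever the update URL returns, versus one that verifies the package against a publisher key pinned inside the client. The following Go program is an added illustration, not code from the article or from the Notepad++ project, and it makes no claim about how Notepad++'s updater actually works. The key pair, version strings and installer bytes are constructed for the example; `SignUpdate` stands in for a hypothetical release pipeline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what an updater fetches from the update server: a version string,
// the installer bytes, and a detached signature from the publisher.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify under the pinned publisher key")

// signedDigest binds the version string and the payload together, so a genuine
// signature cannot be re-attached to a different version or a different payload.
func signedDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so version/payload boundaries cannot be shifted
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate models the publisher's release step (hypothetical helper). The
// private key lives only in the release pipeline, never in the client.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedDigest(version, payload)),
	}
}

// InstallUnverified is the weak pattern: whatever the update URL returns is
// trusted, so redirecting the request to another server is enough to defeat it.
func InstallUnverified(u Update) []byte {
	return u.Payload
}

// InstallVerified is the hardened pattern: the client ships with the
// publisher's public key pinned and refuses any payload whose signature does
// not verify under that key, regardless of which server delivered it.
func InstallVerified(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if !ed25519.Verify(pinned, signedDigest(u.Version, u.Payload), u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

func main() {
	// Constructed keys and payloads; nothing here is a real Notepad++ artifact.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, "8.8.9", []byte("genuine installer bytes"))

	// Two things a hijacked update path can hand the client: the genuine
	// metadata with a swapped payload, or a package signed by some other key.
	tampered := genuine
	tampered.Payload = []byte("installer bytes with an added implant")
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	wrongSigner := SignUpdate(otherKey, "8.8.9", []byte("installer signed by the wrong key"))

	for _, u := range []Update{genuine, tampered, wrongSigner} {
		fmt.Printf("unverified client installs %q\n", InstallUnverified(u))
		if _, err := InstallVerified(pub, u); err != nil {
			fmt.Println("verified client:", err)
		} else {
			fmt.Println("verified client: installed version", u.Version)
		}
	}
}
```

The design point is that the trust anchor (the pinned public key) is baked into the already-installed binary, so it is not affected by who answers the update request; transport security alone does not give that property when the hosting provider itself is compromised.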

Rapid7's analysis of the incident uncovered no evidence or artifacts suggesting that the updater-related mechanism was exploited to distribute malware. However, the firm did identify a previously undocumented backdoor codenamed Chrysalis delivered to users of Notepad++. The backdoor, which is designed to gather system information and contact an external server for further commands, has been attributed to Lotus Blossom.

The Chrysalis backdoor is a bespoke, feature-rich implant that can carry out a range of malicious actions, including acting on commands received in HTTP responses from its command server to spawn an interactive shell, create processes, perform file operations, upload and download files, and uninstall itself. The threat actor has also been found to use Microsoft Warbird, an undocumented internal code protection and obfuscation framework, to execute shellcode.

The Chrysalis backdoor is notable for its similarities with prior campaigns undertaken by Lotus Blossom, including one documented by Broadcom-owned Symantec in April 2025. The group continues to rely on proven techniques such as DLL side-loading and service persistence but has shifted towards more resilient and stealthier tradecraft, incorporating custom malware alongside commodity frameworks like Metasploit.

Rapid7's attribution of Chrysalis to Lotus Blossom was based on the similarities between the two, including the use of legitimate executables from Trend Micro and Bitdefender to sideload malicious DLLs. The firm noted that the group's multi-layered shellcode loader and integration of undocumented system calls marked a clear shift toward more resilient tradecraft.
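DLL side-loading, mentioned in the two paragraphs above, works because a legitimately signed executable loads a library by name from its own directory, so a defender's telemetry question is: did a signed host process load a DLL from its own directory that is unsigned or signed by someone else, and is that host running from an unusual location? The Go program below is an added illustration of that heuristic, not code from the article, from Rapid7 or from any vendor product. The `ImageLoad` record shape and every path, executable name and publisher name in the sample events are constructed for the example and do not correspond to real artifacts from this campaign.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageLoad is a constructed, simplified image-load event: which process
// loaded which DLL, and who signed each file ("" means unsigned).
type ImageLoad struct {
	Process       string
	ProcessSigner string
	Image         string
	ImageSigner   string
}

// winDir returns the lower-cased directory part of a Windows path.
func winDir(p string) string {
	p = strings.ToLower(strings.ReplaceAll(p, "/", "\\"))
	i := strings.LastIndex(p, "\\")
	if i < 0 {
		return ""
	}
	return p[:i]
}

// userWritable is a coarse check for directories where an ordinary user can
// drop files; legitimate security-vendor binaries rarely run from these.
func userWritable(dir string) bool {
	for _, prefix := range []string{"c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "c:\\windows\\temp\\"} {
		if strings.HasPrefix(dir, prefix) {
			return true
		}
	}
	return false
}

// SideLoadSuspect flags the classic side-loading shape: a signed host loads a
// DLL from its own directory whose signer does not match the host's, ignoring
// loads from the Windows directory, which are the normal system DLLs.
func SideLoadSuspect(e ImageLoad) (bool, string) {
	procDir, imgDir := winDir(e.Process), winDir(e.Image)
	if strings.HasPrefix(imgDir, "c:\\windows\\") {
		return false, "system DLL"
	}
	if e.ProcessSigner == "" || imgDir != procDir {
		return false, "host unsigned or DLL loaded from elsewhere"
	}
	if e.ImageSigner == e.ProcessSigner {
		return false, "DLL signed by the same publisher as the host"
	}
	reason := "signed host loaded a DLL from its own directory with a different or missing signature"
	if userWritable(procDir) {
		reason += "; host runs from a user-writable directory"
	}
	return true, reason
}

// ConstructedEvents are sample records for the example; the names are placeholders.
var ConstructedEvents = []ImageLoad{
	{`C:\Program Files\ExampleAV\ExampleAV.exe`, "Example AV Corp", `C:\Program Files\ExampleAV\engine.dll`, "Example AV Corp"},
	{`C:\Program Files\ExampleAV\ExampleAV.exe`, "Example AV Corp", `C:\Windows\System32\kernel32.dll`, "Microsoft Windows"},
	{`C:\Users\Public\Libraries\ExampleAV.exe`, "Example AV Corp", `C:\Users\Public\Libraries\engine.dll`, ""},
}

// Triage runs the heuristic over a batch and returns the flagged events.
func Triage(events []ImageLoad) []ImageLoad {
	var hits []ImageLoad
	for _, e := range events {
		if ok, _ := SideLoadSuspect(e); ok {
			hits = append(hits, e)
		}
	}
	return hits
}

func main() {
	for _, e := range ConstructedEvents {
		flagged, why := SideLoadSuspect(e)
		fmt.Printf("%-5v %s -> %s (%s)\n", flagged, e.Process, e.Image, why)
	}
}
```

The heuristic is deliberately narrow (same directory, signer mismatch) so that it stays quiet on vendor software loading its own signed libraries; in practice it is paired with an allow-list of known vendor DLL names and a check on whether the host binary's hash is one the vendor actually shipped.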

The incident highlights the growing threat of supply chain attacks and the increasing sophistication of malware campaigns used by state-sponsored actors. It also underscores the need for software maintainers to prioritize security and for hosting providers to strengthen their defenses against such threats.

In conclusion, the breach in Notepad++ infrastructure serves as a reminder that even seemingly innocuous applications can be vulnerable to attack. The rise of Lotus Blossom and its sophisticated malware campaigns highlights the growing threat of state-sponsored hacking groups and the need for robust cybersecurity measures to protect against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-China-Linked-Malware-Campaign-Unpacking-the-Notepad-Breach-and-the-Rise-of-Lotus-Blossom-ehn.shtml

  • Published: Mon Feb 2 23:10:10 2026 by llama3.2 3B Q4_K_M
