Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A New Layer of Deception: The Sophisticated Attack on Notepad++


Notepad++'s update delivery was hijacked in a sophisticated attack: by compromising the hosting provider behind the project's update infrastructure, attackers redirected update downloads to servers they controlled and delivered malware to targeted users. The attackers used a custom loader and the Chrysalis backdoor to gain control over infected systems and conduct various forms of malicious activity.

  • The update mechanism of the popular text editor Notepad++ was hijacked in a targeted attack, allowing attackers to deliver malware to selected users in place of legitimate updates.
  • The attackers compromised the infrastructure of the hosting provider that Notepad++ used to distribute updates and intercepted update requests before they reached users, using that infrastructure as the launching point for the attack.
  • The attackers used custom loaders and backdoors, including Chrysalis, to gain control over infected systems and conduct various forms of malicious activity, such as command execution and file transfer.
  • The attack is linked to a China-linked APT group known as Lotus Blossom, which is believed to be responsible for high-profile attacks against government, telecom, aviation, critical infrastructure, and media organizations in Southeast Asia and Central America.
  • The developers of Notepad++ have released an update that addresses the vulnerability in question, including security patches to prevent attackers from hijacking the update mechanism.


    In a recent development that has sent shockwaves through the security community, it has come to light that the update channel of the popular text editor Notepad++ was compromised by malicious actors. According to reports, the attack abused a previously unknown weakness in the Notepad++ update process: an attacker who controlled the download infrastructure could substitute their own files for legitimate updates. This allowed the attackers to hijack the update mechanism and deliver malware to targeted users.

    The details of the attack are intricate and involve a multi-step process that shows the sophistication of the attackers. According to researchers, the attack began with the compromise of the infrastructure of the hosting provider that Notepad++ used to distribute updates to its users. With that foothold, the malicious actors were able to intercept update requests before they reached the legitimate download location, using the compromised infrastructure as the launching point for their attacks.

    From there, the attackers redirected update traffic to servers they controlled, which served malware-laden installers in place of the genuine update. The redirection was applied selectively, so the attackers could target specific users or groups with their malware while everyone else continued to receive the legitimate update.

    The malware in question is a custom backdoor known as Chrysalis, developed by the threat actor. The backdoor gives the attackers control over infected systems and supports command execution, file transfer, and interactive shells. According to the researchers, the attackers also used this access to move laterally within victim networks and escalate their intrusion.

    Researchers have been working to uncover more information about the attack. According to a report by Rapid7 Labs, the initial access point for the attackers was most likely a vulnerability in the hosting provider's infrastructure rather than in Notepad++ itself. The researchers identified a series of malicious updates pushed out by the attackers; these contained a custom loader that delivered the Chrysalis backdoor.

    The loader abuses Microsoft Warbird, a code-protection mechanism built into Windows, to decrypt and execute its payload, which in turn installs the Chrysalis backdoor. As mentioned above, the backdoor then lets the attackers conduct various forms of malicious activity, including command execution and file transfer.

    The attack in question has been linked to a China-linked APT group known as Lotus Blossom. This group is believed to be responsible for a number of high-profile attacks against government, telecom, aviation, critical infrastructure, and media organizations, mainly in Southeast Asia and Central America. The researchers at Rapid7 Labs believe that the attack on Notepad++ was part of a larger campaign by this group.

    In response to the attack, the developers of Notepad++ released an update that addresses the weakness in the update mechanism, with security fixes intended to prevent attackers from hijacking the update process and delivering malware to users. Rapid7 Labs has also published a report detailing its findings, which provides more information about the tactics and techniques used by the attackers.
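    The practical lesson of the hijack described above is that the file an updater receives is only trustworthy if the client checks it against something the download host cannot control. The following PowerShell script is an added example, not code from the article, from Rapid7 or from the Notepad++ project: it shows the checks a user or administrator can run on a downloaded installer before executing it. The installer path, the pinned signer thumbprint and the expected SHA-256 are placeholders to be replaced with values obtained from a channel independent of the download server (for example, the project's release page).

```powershell
# Added example: verify a downloaded installer before running it.
# Assumptions (hypothetical values, replace them): -InstallerPath points at the
# downloaded .exe, -PinnedThumbprint is the SHA-1 thumbprint of the certificate the
# project signs its releases with, and -ExpectedSha256 is the hash the project
# published for this release, both obtained out of band.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    [string]$PinnedThumbprint = 'REPLACE-WITH-PINNED-SIGNER-THUMBPRINT',
    [string]$ExpectedSha256   = ''
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

# 1. Authenticode: the signature must chain to a trusted root and the file
#    must not have been modified after signing. An unsigned or re-packed
#    installer fails here with a status such as 'NotSigned' or 'HashMismatch'.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "REJECT: signature status is '$($sig.Status)' ($($sig.StatusMessage))"
    exit 1
}

# 2. Pin the signer. A valid signature from *some* certificate is not enough:
#    an attacker serving a trojanized build can sign it with any certificate
#    they control, so the thumbprint must match the one pinned out of band.
$actualThumb = $sig.SignerCertificate.Thumbprint
if ($actualThumb -ne $PinnedThumbprint) {
    Write-Warning "REJECT: signer thumbprint $actualThumb does not match the pinned value"
    Write-Warning "Signer subject: $($sig.SignerCertificate.Subject)"
    exit 1
}

# 3. Optional second check: compare the file hash with the value the project
#    published. This catches a swapped file even if the attacker managed to
#    obtain a signature that passes the checks above.
if ($ExpectedSha256) {
    $actualHash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
    if ($actualHash -ne $ExpectedSha256) {
        Write-Warning "REJECT: SHA-256 $actualHash does not match expected $ExpectedSha256"
        exit 1
    }
}

Write-Output "OK: $InstallerPath is validly signed by the pinned certificate"
exit 0
```

    Run it as `.\Verify-Installer.ps1 -InstallerPath .\npp-installer.exe -PinnedThumbprint <thumbprint> -ExpectedSha256 <hash>` (file name chosen here for illustration). The order of the checks matters: step 1 alone would accept any validly signed binary, which is exactly what a selective redirect to an attacker-controlled server can supply, so the signer pin in step 2 is the check that actually defeats a hijacked download host.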

    In conclusion, the attack on Notepad++ highlights the importance of staying vigilant when it comes to software security. Custom loaders and backdoors can give attackers full control over systems once a single trojanized update has been executed. It also shows that an update channel is only as strong as the infrastructure behind it: an updater that trusts whatever the download server returns is hijacked as soon as that server is. Users should keep their software up to date, obtain installers only from official channels, and be aware that a tampered update can look exactly like a legitimate one.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-New-Layer-of-Deception-The-Sophisticated-Attack-on-Notepad-ehn.shtml

  • https://securityaffairs.com/188192/hacking/notepad-patches-flaw-used-to-hijack-update-system.html

  • https://thehackernews.com/2026/02/notepad-fixes-hijacked-update-mechanism.html

  • https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

  • https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html


  • Published: Thu Feb 19 00:46:20 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
