

Ethical Hacking News

The Notepad++ Infrastructure Hack: Unveiling the China-Nexus APT Lotus Blossom Campaign




A recent breach of Notepad++ hosting infrastructure has been linked to the China-nexus Advanced Persistent Threat (APT) group codenamed Lotus Blossom. The group has been active since 2009 and is assessed to be nation-state backed on the strength of its highly selective targeting and advanced tradecraft.




  • Rapid7 Labs has linked a recent breach of Notepad++ hosting infrastructure to the Lotus Blossom Advanced Persistent Threat (APT) group.
  • The breach, which occurred in June 2025, involved an infrastructure-level compromise that allowed attackers to hijack update traffic destined for notepad-plus-plus.org.
  • The attack began with the exploitation of internal credentials; the malware delivered through the hijacked update channel used custom API hashing and configuration encryption to conceal its code.
  • The malware, dubbed Chrysalis, set up persistence, collected information about the infected system, and connected to a remote command-and-control server.
  • Chrysalis supported full remote control, including command execution, file transfer, and interactive shells.



In a shocking revelation, researchers at Rapid7 Labs have uncovered evidence suggesting that a recent breach of Notepad++ hosting infrastructure is likely linked to the China-nexus Advanced Persistent Threat (APT) group codenamed Lotus Blossom. The group has been active since 2009 and is assessed to be nation-state backed on the strength of its highly selective targeting and advanced tradecraft.


The breach, which occurred in June 2025, compromised a shared hosting server used by Notepad++, allowing malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. This attack did not exploit vulnerabilities in Notepad++ code itself; it was an infrastructure-level compromise that allowed attackers to hijack the update process.


According to reports published by the software maintainers, the incident began with the exploitation of internal credentials, which were later used to redirect Notepad++ update traffic to malicious servers. The hosting provider moved all affected customers to a new server, fixed vulnerabilities, and rotated credentials that may have been exposed after the attack.
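The lesson for anyone shipping an auto-updater is that the update client, not the hosting server, has to decide whether a payload is genuine. The following check is an added illustration (not code from Notepad++, its maintainers, or Rapid7): it fails closed both when the download location is redirected off the expected origin and when a substituted binary arrives from the legitimate host. The host name comes from the article; the version label and digests are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Origin the updater is allowed to fetch releases from (named in the article).
TRUSTED_HOSTS = {"notepad-plus-plus.org"}

# Constructed placeholder: a pinned release digest that the client obtains
# out of band (shipped in the client or signed separately), never from the
# same server that serves the binary. Not a real Notepad++ release hash.
PINNED_SHA256 = {
    "example-release": hashlib.sha256(b"constructed genuine release bytes").hexdigest(),
}


def host_is_trusted(url: str) -> bool:
    """Reject any download location outside the expected origin over HTTPS.
    A redirect to an attacker-controlled server fails here."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in TRUSTED_HOSTS


def payload_matches_pin(version: str, payload: bytes) -> bool:
    """Compare the downloaded bytes against the pinned SHA-256 in constant time.
    A swapped binary served from the legitimate host fails here."""
    expected = PINNED_SHA256.get(version)
    if expected is None:
        # Unknown version: refuse rather than trust whatever the server offers.
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(expected, actual)


def verify_update(version: str, download_url: str, payload: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Both checks must pass before installing."""
    if not host_is_trusted(download_url):
        return False, f"untrusted download host: {urlparse(download_url).hostname}"
    if not payload_matches_pin(version, payload):
        return False, "payload digest does not match pinned release digest"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a genuine payload and a tampered one from the same host.
    url = "https://notepad-plus-plus.org/update/example.exe"
    print(verify_update("example-release", url, b"constructed genuine release bytes"))
    print(verify_update("example-release", url, b"constructed tampered bytes"))
```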


Investigators attribute the campaign to Lotus Blossom based on strong overlaps with prior Symantec research, including the use of renamed Bitdefender tools, similar loader chains, shared Cobalt Strike public keys across multiple samples, and rapid adaptation of public research.


The malware, dubbed Chrysalis, relied on multiple layers of obfuscation to conceal its code and make analysis harder. It used custom API hashing to resolve Windows functions at runtime instead of importing them by name, and it encrypted its configuration to hide key settings. After running, it set up persistence to survive reboots, collected detailed information about the infected system, and connected to a remote command-and-control server.


Through this connection, attackers had full remote control of compromised machines: Chrysalis supports command execution, file transfer, and interactive shells.


Researchers also uncovered related loaders abusing Metasploit shellcode, Cobalt Strike beacons, and even Microsoft Warbird protections, demonstrating long-term development and a complex, multi-stage attack chain.




Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Notepad-Infrastructure-Hack-Unveiling-the-China-Nexus-APT-Lotus-Blossom-Campaign-ehn.shtml
  • https://securityaffairs.com/187570/apt/notepad-infrastructure-hack-likely-tied-to-china-nexus-apt-lotus-blossom.html
  • https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html
  • https://cyberscoop.com/china-espionage-group-lotus-blossom-attacks-notepad/
  • https://www.zscaler.com/blogs/security-research/illusory-wishes-china-nexus-apt-targets-tibetan-community


Published: Tue Feb 3 15:38:11 2026 by llama3.2 3B Q4_K_M













© Ethical Hacking News. All rights reserved.
