Lotus Blossom Hackers Breach Notepad++ Infrastructure, Target Global Sectors through Update Exploit

Between June and December 2025, the state-sponsored cyber espionage group known as Lotus Blossom had access to the hosting infrastructure behind the update server of Notepad++, a widely used open-source code editor. The campaign primarily targeted users in government agencies, telecommunications firms, and critical infrastructure operators across Southeast Asia, with additional victims identified in South America, the United States, and Europe.

Infiltration Tactics

Rather than tampering with the editor's release files, the attackers compromised the shared hosting environment of Notepad++'s service provider. That foothold let them intercept requests destined for the Notepad++ update server and redirect them to attacker-controlled infrastructure, and they did so only for chosen victims: everyone else continued to receive genuine updates, so the hijack produced no visible anomaly for the wider user base and evaded the reputation and allow-list controls that trust the official update domain.

Significance of Targeting Notepad++

Notepad++ is a lightweight, open-source editor favored by system administrators, network engineers, and DevOps staff for editing server configurations, reading system logs, and reviewing code on hardened systems where heavier tooling is impractical. Code delivered through the editor runs with the rights of the person who launched it, so compromising this trusted tool gave the attackers the same privileged footing on core network infrastructure that its operators already had.

Exploitation of Update Mechanism

The attack relied on a weakness in older versions of WinGUp, the Notepad++ updater component: it fetched the update location and the installer without verifying the installer's signature or the authenticity of the server's response, so a redirected request yielded a payload the updater executed as if it were genuine. When targeted users ran the update, they unknowingly downloaded a malicious NSIS installer named `update.exe`, which started an infection chain with two observed variants:

– Lua Script Injection Variant: Delivered Cobalt Strike beacon malware.

– DLL Sideloading Technique: Deployed the Chrysalis backdoor by abusing a legitimate, signed Bitdefender component (`BluetoothService.exe`) to load a malicious library (`log.dll`) placed alongside it; the library decrypted and executed the custom backdoor, while the process visible to defenders remained the trusted vendor binary.

Between August and November 2025, the attackers maintained persistent access by communicating with command-and-control servers at IP addresses 45.76.155[.]202 and 45.77.31[.]210, shifting between servers to evade detection.
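The indicators above (the updater launching `update.exe`, `BluetoothService.exe` loading `log.dll`, and beacons to the two command-and-control addresses) translate directly into host-level detection logic. The Python below is an added example written for this page, not tooling from Notepad++ or from the vendors that analysed the campaign. It assumes Sysmon-style field names (`EventID`, `Image`, `ParentImage`, `ImageLoaded`, `DestinationIp`), assumes the WinGUp updater binary is `gup.exe` (the page only names the component), and runs over constructed sample events rather than real victim telemetry.

```python
"""Added detection example for the Notepad++ update-hijack chain described above.

The events below are constructed to imitate Sysmon process-create (EventID 1),
image-load (EventID 7) and network-connect (EventID 3) records; they are not
real logs from any victim.
"""
from __future__ import annotations

import ipaddress
from pathlib import PureWindowsPath

# C2 addresses named in the report (written 45.76.155[.]202 / 45.77.31[.]210 in the text).
C2_ADDRESSES = {
    ipaddress.ip_address("45.76.155.202"),
    ipaddress.ip_address("45.77.31.210"),
}

# Assumption: the WinGUp updater runs as gup.exe; the page only calls it "WinGUp".
UPDATER_BINARY = "gup.exe"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string for a missing field)."""
    return PureWindowsPath(path).name.lower() if path else ""


def check_event(ev: dict) -> list[str]:
    """Return the names of every detection rule the event matches."""
    hits: list[str] = []
    eid = ev.get("EventID")
    if eid == 1:
        # Rule 1: the updater launching an installer called update.exe.
        if (basename(ev.get("ParentImage", "")) == UPDATER_BINARY
                and basename(ev.get("Image", "")) == "update.exe"):
            hits.append("updater_spawned_update_exe")
    elif eid == 7:
        # Rule 2: DLL sideloading. The process is the legitimately signed
        # Bitdefender binary, so the signal is in the loaded image, not the process.
        if (basename(ev.get("Image", "")) == "bluetoothservice.exe"
                and basename(ev.get("ImageLoaded", "")) == "log.dll"):
            hits.append("bluetoothservice_sideload_log_dll")
    elif eid == 3:
        # Rule 3: outbound connection to a known C2 address.
        try:
            dst = ipaddress.ip_address(ev.get("DestinationIp", ""))
        except ValueError:
            dst = None  # malformed or missing address: no match, no crash
        if dst in C2_ADDRESSES:
            hits.append("c2_beacon")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run every rule over every event; returns (rule, host, time) tuples in order."""
    return [
        (rule, ev.get("Computer", "?"), ev.get("UtcTime", "?"))
        for ev in events
        for rule in check_event(ev)
    ]


# Constructed sample telemetry: a benign updater launch, the three malicious
# stages, then an unrelated TLS connection that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "UtcTime": "2025-09-02 08:14:03",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "Image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"EventID": 1, "Computer": "ws01", "UtcTime": "2025-09-02 08:14:09",
     "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "Image": r"C:\Users\admin\AppData\Local\Temp\update.exe"},
    {"EventID": 7, "Computer": "ws01", "UtcTime": "2025-09-02 08:14:11",
     "Image": r"C:\ProgramData\Bluetooth\BluetoothService.exe",
     "ImageLoaded": r"C:\ProgramData\Bluetooth\log.dll"},
    {"EventID": 3, "Computer": "ws01", "UtcTime": "2025-09-02 08:14:12",
     "Image": r"C:\ProgramData\Bluetooth\BluetoothService.exe",
     "DestinationIp": "45.76.155.202", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws01", "UtcTime": "2025-09-02 08:15:40",
     "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, host, when in scan(SAMPLE_EVENTS):
        print(f"{when} {host} {rule}")
```

Rule 2 keys on the loaded DLL rather than on the process because the process is a signed vendor binary that would pass an executable allow-list; in production, pair the name match with the file hash of `log.dll` and with the DLL sitting in the same directory as its host executable, which is the usual sideloading layout, rather than relying on the file name alone.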

Advanced Evasion Techniques

The Chrysalis backdoor employed sophisticated methods to avoid detection, including:

– Microsoft Warbird Code Protection Framework: Microsoft's own code-protection technology, normally applied to Microsoft binaries, repurposed to obfuscate the backdoor's code.

– Custom API Hashing: Windows API functions are resolved at runtime from hashed names instead of appearing in the binary's import table, hiding the backdoor's capabilities from static analysis and lowering the chance of antivirus detection.

In the Lua script injection variant, the attackers used the `EnumWindowStationsW` API, whose callback parameter can be pointed at shellcode, to execute the Cobalt Strike beacon without calling the thread-creation APIs that security products most commonly monitor.

Scope of the Attack

The campaign targeted multiple sectors, including cloud hosting, energy, financial services, government, manufacturing, and software development, across various continents. Successful beacons to malicious servers occurred within seconds of downloading the malicious payload, with communication persisting for extended periods.

Mitigation and Response

In response to the breach, Notepad++ released version 8.9.1, which closes the gap the attackers used:

– Certificate and Signature Verification: The updater now checks the code-signing certificate and signature of a downloaded installer before executing it, so a substituted `update.exe` that is not signed by the project is rejected.

– XML Signing of Update Server Responses: The update server's XML response is signed, so a response served from redirected or tampered infrastructure fails verification instead of steering the client to a malicious download.

The developers also migrated to a new hosting provider with stronger security practices and plan to enforce stricter verification protocols starting with version 8.9.2.