Notepad++ Hosting Breach Attributed to Chinese State Hackers; Users Advised to Update Software Immediately

Notepad++ Hosting Breach Linked to Chinese State-Sponsored Hackers

In a significant cybersecurity incident, the infrastructure hosting the popular open-source text editor Notepad++ was compromised, allowing attackers to distribute a previously unknown backdoor named Chrysalis to its users. Security firm Rapid7 has attributed this breach, with medium confidence, to the China-linked threat actor known as Lotus Blossom.

Details of the Breach

The attack was executed by infiltrating the hosting provider’s infrastructure, enabling the adversaries to intercept and redirect update requests from Notepad++ users to malicious servers. This redirection facilitated the delivery of a tampered update containing the Chrysalis backdoor. The vulnerability exploited in this attack was addressed in December 2025 with the release of Notepad++ version 8.8.9. The hosting provider’s breach allowed targeted traffic redirections until December 2, 2025, when the attackers’ access was terminated. In response, Notepad++ migrated to a new hosting provider with enhanced security measures and rotated all credentials to prevent future incidents.

Technical Analysis of Chrysalis

Rapid7’s investigation revealed that the malicious update process involved the execution of ‘notepad++.exe’ and ‘GUP.exe,’ which downloaded and ran a suspicious file named ‘update.exe’ from the IP address 95.179.213.0. This ‘update.exe’ is a Nullsoft Scriptable Install System (NSIS) installer containing multiple components:

– NSIS Installation Script: Manages the installation process.

– BluetoothService.exe: A renamed version of Bitdefender Submission Wizard, utilized for DLL side-loading—a technique commonly employed by Chinese hacking groups.

– BluetoothService: Encrypted shellcode, referred to as Chrysalis.

– log.dll: A malicious DLL that is sideloaded to decrypt and execute the shellcode.

Chrysalis is a sophisticated implant designed to gather system information and communicate with an external server, ‘api.skycloudcenter[.]com,’ to potentially receive additional commands for execution on the infected host. Although the command-and-control server is currently offline, analysis indicates that Chrysalis can process incoming HTTP responses to spawn an interactive shell, create processes, perform file operations, upload/download files, and uninstall itself.
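As an added example (not code from the article or from Rapid7), the following Python flags the update-hijack chain described above in constructed, Sysmon-like telemetry; the event field names are an assumed simplification, while the file names, IP address and domain are the ones reported in the article.

```python
# Added example (not from the article or Rapid7): flag the Notepad++
# update-hijack chain described above in constructed, Sysmon-like telemetry.
# Field names are an assumed simplification; indicators come from the article.

C2_IP = "95.179.213.0"                # host that served update.exe
C2_DOMAIN = "api.skycloudcenter.com"  # Chrysalis C2, re-fanged for matching

# Constructed sample events; the last one is a benign updater run.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dest_ip": "95.179.213.0"},
    {"type": "imageload", "image": r"C:\ProgramData\BluetoothService.exe",
     "loaded": r"C:\ProgramData\log.dll"},
    {"type": "dns", "image": r"C:\ProgramData\BluetoothService.exe",
     "query": "api.skycloudcenter.com."},
    {"type": "process", "parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\npp.installer.exe"},
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the detection rules that fire on one event."""
    hits = []
    kind = event.get("type")
    parent, image = basename(event.get("parent", "")), basename(event.get("image", ""))
    # Stage 1: the Notepad++ updater spawning the attacker's update.exe
    if kind == "process" and parent == "gup.exe" and image == "update.exe":
        hits.append("npp_updater_spawned_update_exe")
    # Stage 2: renamed Bitdefender binary side-loading the malicious log.dll
    if kind == "imageload" and image == "bluetoothservice.exe" \
            and basename(event.get("loaded", "")) == "log.dll":
        hits.append("bluetoothservice_sideloads_log_dll")
    # Stage 3: network indicators for the staging host and the Chrysalis C2
    if kind == "network" and event.get("dest_ip") == C2_IP:
        hits.append("connection_to_chrysalis_staging_ip")
    if kind == "dns" and event.get("query", "").lower().rstrip(".") == C2_DOMAIN:
        hits.append("dns_query_chrysalis_c2")
    return hits

def scan(events):
    """Group triggering events by rule name so an analyst sees the whole chain."""
    findings = {}
    for event in events:
        for rule in classify(event):
            findings.setdefault(rule, []).append(event)
    return findings
```

The side-loading rule matches on file names only; since the attackers used a renamed legitimate binary, a production rule should also key on the PE's original file name from its version resource and on whether the loaded DLL is signed.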

Attribution to Lotus Blossom

Rapid7’s attribution of Chrysalis to Lotus Blossom is based on similarities with previous campaigns conducted by the group. Notably, a campaign documented by Symantec in April 2025 involved the use of legitimate executables from Trend Micro and Bitdefender to sideload malicious DLLs. Lotus Blossom, also known as Billbug, Bronze Elgin, Spring Dragon, and Thrip, has a history of employing such techniques.

The group’s tactics have evolved to include multi-layered shellcode loaders and the integration of undocumented system calls, indicating a shift toward more resilient and stealthy tradecraft. The deployment of custom malware like Chrysalis alongside commodity frameworks such as Metasploit and Cobalt Strike, coupled with the rapid adaptation of public research, demonstrates Lotus Blossom’s commitment to updating its playbook to evade modern detection mechanisms.

Implications and Recommendations

This incident underscores the critical importance of securing software supply chains and the potential risks associated with compromised update mechanisms. Users are advised to:

– Update Notepad++: Ensure that Notepad++ is updated to version 8.8.9 or later to mitigate the vulnerability exploited in this attack.

– Verify Update Sources: Always download software updates from official and trusted sources.

– Implement Security Best Practices: Organizations should adopt comprehensive security measures, including regular monitoring of network traffic, to detect and respond to suspicious activities promptly.

By staying vigilant and proactive, users and organizations can better protect themselves against sophisticated cyber threats like those posed by state-sponsored actors.