China-Linked Lotus Blossom Group Behind Notepad++ Hosting Cyberattack



Notepad++ Hosting Breach Linked to China-Linked Lotus Blossom APT, “Chrysalis” Backdoor Discovered

Rapid7 has attributed, with medium confidence, the compromise of infrastructure used to host Notepad++, the widely used open-source text editor, to Lotus Blossom, a China-linked cyber-espionage group. The intrusion let the attackers deliver a previously undocumented backdoor, dubbed Chrysalis, to a select group of users.


The attack represents a targeted software supply chain intrusion, where threat actors manipulated the update delivery process rather than breaching the Notepad++ codebase itself.


Hosting Provider Compromise Enabled Update Hijacking

Notepad++ maintainer Don Ho confirmed that the breach occurred at the hosting provider level, allowing attackers to hijack update traffic beginning in June 2025. The adversaries selectively redirected update requests from certain users to malicious servers, serving a tampered installer.

The attack exploited insufficient update verification in older Notepad++ versions: because the downloaded installer was not adequately validated before execution, whoever controlled the answer to an update request could also supply the binary that ran. This weakness was resolved in December 2025 with the release of version 8.8.9.
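To make the failure mode concrete, the following added example (not Notepad++ code, and not a description of the actual 8.8.9 fix, whose details the article does not give) shows a generic updater check that survives a hosting-level compromise: the client pins the project's Ed25519 release public key, verifies a signed manifest, and only then compares the downloaded installer's SHA-256 against the manifest. The manifest format, the `SignManifest`/`VerifyUpdate` names and the installer bytes are assumptions constructed for the demonstration. A server that can redirect downloads can swap the installer, but without the release private key it cannot produce a manifest the client will accept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the release process publishes: which version a download
// is and the SHA-256 of the installer bytes. Assumed format for this example.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedManifest is the manifest plus a detached Ed25519 signature made
// offline with the project's release key (never present on the hosting box).
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// SignManifest is the release-side step: serialise and sign.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// VerifyUpdate is the client-side step. Order matters: authenticate the
// manifest first, then bind the downloaded bytes to it. Nothing from the
// hosting provider is trusted until both checks pass.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("manifest signature invalid: not signed by the pinned release key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, fmt.Errorf("installer hash mismatch for version %s: download is not the published release", m.Version)
	}
	return m, nil
}

// Scenario runs the three cases a defender cares about and reports which
// installers the client accepted: (genuine, tampered, forged-manifest).
// Only the first should be accepted.
func Scenario() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pub is what the client pins
	if err != nil {
		return false, false, false, err
	}
	installer := []byte("constructed stand-in for the real installer bytes") // constructed, not a real file
	sum := sha256.Sum256(installer)
	sm, err := SignManifest(priv, Manifest{Version: "8.8.9", SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return false, false, false, err
	}
	_, errGenuine := VerifyUpdate(pub, sm, installer)

	// Hosting-level attacker swaps the installer but cannot touch the signed manifest.
	tampered := append([]byte{}, installer...)
	tampered[0] ^= 0xff
	_, errTampered := VerifyUpdate(pub, sm, tampered)

	// Attacker also publishes a matching manifest, but signs it with their own key.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	tsum := sha256.Sum256(tampered)
	forged, err := SignManifest(attackerPriv, Manifest{Version: "8.8.9", SHA256: hex.EncodeToString(tsum[:])})
	if err != nil {
		return false, false, false, err
	}
	_, errForged := VerifyUpdate(pub, forged, tampered)

	return errGenuine == nil, errTampered == nil, errForged == nil, nil
}

func main() {
	genuine, tampered, forged, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted: genuine=%v tampered=%v forged-manifest=%v\n", genuine, tampered, forged)
}
```

The design point is that the trust anchor (the pinned public key) lives in the client binary, not on the update host, so compromising the host gains the attacker nothing beyond denial of service. Transport security alone does not give this property: a hijacked hosting account can serve anything over a perfectly valid TLS connection.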

Key response actions taken:

  • Malicious redirections stopped on December 2, 2025

  • Hosting infrastructure migrated to a new, more secure provider

  • All credentials rotated

  • No evidence found that plugin systems or official updater mechanisms were directly abused


Infection Chain: From Update to Backdoor

Rapid7 observed the following execution sequence on affected systems:

  1. notepad++.exe launches

  2. The legitimate updater GUP.exe runs

  3. A suspicious update.exe file is downloaded from 95.179.213[.]0

The malicious update.exe was a Nullsoft Scriptable Install System (NSIS) installer containing:

  • An NSIS installation script

  • BluetoothService.exe (a renamed Bitdefender Submission Wizard binary used for DLL sideloading)

  • Encrypted shellcode (Chrysalis)

  • log.dll, a malicious DLL responsible for decrypting and executing the shellcode

DLL sideloading is a technique commonly associated with Chinese APT groups.
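The chain above yields two host-level signals that are cheap to alert on: the Notepad++ updater GUP.exe spawning a child that is not an npp installer, and a legitimate-looking executable loading an unsigned DLL from its own, non-Windows directory (the classic sideload pattern). The following is an added detection example, not Rapid7's code: it runs over constructed Sysmon-style JSON records modelled on the sequence in the article. The field names, the `npp.` installer-name heuristic and the "same directory, unsigned, outside C:\Windows" sideload rule are assumptions chosen for the demonstration and should be tuned to local telemetry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Event is the subset of a Sysmon-style record used here (constructed schema,
// not a product's exact field list). EventID 1 = process create, 7 = image load.
type Event struct {
	EventID     int    `json:"EventID"`
	Image       string `json:"Image"`
	ParentImage string `json:"ParentImage"`
	ImageLoaded string `json:"ImageLoaded"`
	Signed      bool   `json:"Signed"`
}

// SampleEvents is constructed telemetry mirroring the article's chain:
// notepad++.exe -> GUP.exe -> update.exe -> BluetoothService.exe sideloading log.dll,
// plus two benign records (kernel32 load, a real npp installer) that must not alert.
const SampleEvents = `
{"EventID":1,"Image":"C:\\Program Files\\Notepad++\\updater\\GUP.exe","ParentImage":"C:\\Program Files\\Notepad++\\notepad++.exe"}
{"EventID":1,"Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","ParentImage":"C:\\Program Files\\Notepad++\\updater\\GUP.exe"}
{"EventID":1,"Image":"C:\\ProgramData\\Bluetooth\\BluetoothService.exe","ParentImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
{"EventID":7,"Image":"C:\\ProgramData\\Bluetooth\\BluetoothService.exe","ImageLoaded":"C:\\ProgramData\\Bluetooth\\log.dll","Signed":false}
{"EventID":7,"Image":"C:\\ProgramData\\Bluetooth\\BluetoothService.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":true}
{"EventID":1,"Image":"C:\\Users\\alice\\Downloads\\npp.8.8.9.Installer.x64.exe","ParentImage":"C:\\Program Files\\Notepad++\\updater\\GUP.exe"}
`

// norm lower-cases a Windows path and flips separators so the path package can split it.
func norm(p string) string { return strings.ToLower(strings.ReplaceAll(p, `\`, "/")) }

// ParseEvents decodes newline-delimited JSON records, failing on the first bad line.
func ParseEvents(raw string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		out = append(out, e)
	}
	return out, nil
}

// Detect returns one alert per suspicious record, in input order.
func Detect(events []Event) []string {
	var alerts []string
	for _, e := range events {
		switch e.EventID {
		case 1:
			// Rule 1 (assumed heuristic): the updater should only ever launch an
			// npp.*.Installer*.exe; anything else (e.g. a generic update.exe) is suspect.
			if path.Base(norm(e.ParentImage)) == "gup.exe" && !strings.HasPrefix(path.Base(norm(e.Image)), "npp.") {
				alerts = append(alerts, fmt.Sprintf("GUP.exe spawned unexpected child %s", e.Image))
			}
		case 7:
			// Rule 2 (assumed heuristic): an unsigned DLL loaded from the process's
			// own directory, outside C:\Windows, is the sideloading shape seen here.
			exeDir, dllDir := path.Dir(norm(e.Image)), path.Dir(norm(e.ImageLoaded))
			if !e.Signed && exeDir == dllDir && !strings.HasPrefix(exeDir, "c:/windows") {
				alerts = append(alerts, fmt.Sprintf("possible DLL sideload: %s loaded unsigned %s from its own directory", e.Image, e.ImageLoaded))
			}
		}
	}
	return alerts
}

func main() {
	events, err := ParseEvents(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events) {
		fmt.Println("ALERT:", a)
	}
}
```

Rule 1 is specific to this updater; rule 2 is the general sideload pattern and will also catch the renamed-security-binary tradecraft described later in the article, at the cost of some noise from legitimately unsigned third-party software, which is why the directory and signature conditions are combined rather than used alone.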


Chrysalis Backdoor Capabilities

Chrysalis is a custom, feature-rich implant designed for espionage. It collects system information and contacts the C2 domain api.skycloudcenter[.]com (currently offline).

Capabilities include:

  • Spawning interactive shells

  • Creating and managing processes

  • File operations (upload/download/delete)

  • Self-uninstallation

  • Processing commands delivered via HTTP responses

Rapid7 also identified a component (conf.c) designed to retrieve a Cobalt Strike beacon using a custom loader that embeds Metasploit Block API shellcode.


Advanced Tradecraft and Warbird Abuse

One loader, ConsoleApplication2.exe, used Microsoft Warbird, an undocumented internal code obfuscation framework. The attackers appear to have adapted a public proof-of-concept published by Cirosec in September 2024.

Researchers noted:

  • Continued use of DLL sideloading and service persistence

  • Multi-layered shellcode loaders

  • Direct use of native API calls such as NtQuerySystemInformation rather than their higher-level Win32 wrappers

  • Blending custom malware with commodity tools (Metasploit and Cobalt Strike)

This evolution signals more resilient and stealthy tradecraft.


Attribution to Lotus Blossom

Rapid7 linked Chrysalis to Lotus Blossom (also tracked as Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip) based on overlaps with earlier campaigns. A previous operation documented by Symantec in April 2025 also used legitimate security software binaries for DLL sideloading.


Kaspersky Observes Three Infection Chains

Kaspersky identified three distinct infection chains targeting a small set of high-value organizations and individuals in:

  • Vietnam

  • El Salvador

  • Australia

  • Philippines (including a government entity)

Affected victims spanned the financial and IT services sectors.

Attackers rotated C2 servers, loaders, and payloads between July and October 2025.

Common Traits Across Chains

  • Malicious NSIS installers

  • System reconnaissance (whoami, tasklist, netstat, systeminfo)

  • Metasploit downloaders

  • Final-stage Cobalt Strike beacons

By November 2025, Kaspersky observed no further payload deployment.


A Growing Software Supply Chain Threat

This incident highlights how software update mechanisms remain prime targets for state-sponsored attackers. By breaching update infrastructure rather than source code, adversaries can conduct highly selective, stealthy intrusions into sensitive organizations worldwide.

The Notepad++ case underscores the importance of:

  • Strong cryptographic update validation

  • Hosting provider security monitoring

  • Rapid patch adoption

  • Network-level anomaly detection for update traffic
