Home > Security > Security News

Notepad++ Hijacking Incident Deploying Backdoor, Linked to Lotus Blossom Group Campaign

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Notepadd++ (1)
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • Espionage Campaign: A suspected Chinese state-sponsored group selectively poisoned Notepad++ updates for six months in 2025.
  • Malware Deployment: Attackers deployed a novel backdoor via a compromised update mechanism, exploiting sophisticated DLL sideloading techniques.
  • Selective Targeting: The campaign employed highly selective targeting, focusing on high-value entities in East Asia to maintain stealth and persistence.

Notepad++ developer Don Ho and security researchers at Rapid7 have said that the open-source text editor's software update mechanism was likely hijacked by a Chinese state-linked espionage group that Rapid7 believes may be Lotus Blossom (also known as Lotus Panda, Billbug, Bronze Elgin, Spring Dragon, and Thrip).

This Notepad++ hijacking campaign, occurring between June and December 2025, enabled an advanced persistent threat (APT) actor to deliver malicious payloads to specific users, compromising critical environments across the government, telecommunications, aviation, and media sectors.

Backdoor Deployed via DLL Sideloading

The attack involved compromising a shared hosting server to redirect update requests from targeted users to a malicious server controlled by the hackers. This redirection facilitated the delivery of a feature-rich, previously undocumented backdoor dubbed Chrysalis. 

Execution diagram of update.exe | Source: Rapid7
Execution diagram of update.exe | Source: Rapid7

Reports say the attackers “specifically targeted” Notepad++’s web domain to exploit a now-fixed flaw and redirect some users to an attacker-controlled server. However, it is yet unclear how the intrusion occurred. 

According to Rapid7's technical analysis, the threat actors employed complex evasion techniques, packaging the malware within an NSIS installer. The execution chain utilized DLL sideloading, abusing a legitimate, renamed Bitdefender Submission Wizard (BluetoothService.exe) to load a malicious DLL and decrypt the shellcode.

Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, added that attackers “filtered update requests by IP range, and hand-delivered trojanized installers to East Asian telecom and financial targets.

Kaspersky’s SecureList today announced observing three different infection chains overall, designed to attack about a dozen machines, belonging to:

Implications for Software Supply Chain Security

This Notepad++ cyberattack was highly targeted, as “traffic from certain targeted users was selectively redirected to attacker-controlled” infrastructure. “By compromising the hosting infrastructure to deliver poisoned updates, the attackers likely sought to gain Remote Code Execution (RCE) on developer workstations,” Sectigo’s Jason Soroko said.

Since compromised updates were with the same privileges as legitimate software installations bypassed local controls, “reconnaissance, credential harvesting, lateral movement, persistence, or even data exfiltration became feasible inside the target networks based on Notepad++ usage and transmitted out of the organization based on subsequent update requests,” said Morey Haber, Chief Security Advisor at BeyondTrust.

While the vulnerability exploited for the redirection was patched in November 2025 and the attacker's access was reportedly terminated by December, organizations using Notepad++ should:

This month, Chinese spies were seen exploiting the Venezuela crisis to target U.S. officials. In April 2025, Lotus Panda cyberattacks targeted Southeast Asian governments, distributing a new variant of the custom Sagerunex backdoor.

Add a Comment
Related
NSO Group VS WhatApp
Spyware Vendor’s Pall Mall Claims Trigger Civil Society Backlash
Cyber Job Moves: New Appointments Across Threat Intelligence, Identity, and Critical Infrastructure
Alleged Data Breach Targets Spain’s Ministry of Science, Innovation, and Universities
Protest - Excel - Persian Text
State-Aligned Actors Exploit Unrest with RedKitten AI-Accelerated Campaign Targeting Iranian Protests
Glassworm - Credentials - Office - Executives
Open VSX Registry Deploys GlassWorm Malware via Four Malicious Extension Versions
Hacker, Screen
Mandiant Reports ShinyHunters Extortion Tactics, Vishing, and SSO Compromise Target Cloud Environments 
Most Popular
NSO Group VS WhatApp
Spyware Vendor’s Pall Mall Claims Trigger Civil Society Backlash
Cyber Job Moves: New Appointments Across Threat Intelligence, Identity, and Critical Infrastructure
Alleged Data Breach Targets Spain’s Ministry of Science, Innovation, and Universities
Protest - Excel - Persian Text
State-Aligned Actors Exploit Unrest with RedKitten AI-Accelerated Campaign Targeting Iranian Protests
Glassworm - Credentials - Office - Executives
Open VSX Registry Deploys GlassWorm Malware via Four Malicious Extension Versions
Hacker, Screen
Mandiant Reports ShinyHunters Extortion Tactics, Vishing, and SSO Compromise Target Cloud Environments 
Spyware Vendor’s Pall Mall Claims Trigger Civil Society Backlash
Cyber Job Moves: New Appointments Across Threat Intelligence, Identity, and Critical Infrastructure
Alleged Data Breach Targets Spain’s Ministry of Science, Innovation, and Universities
State-Aligned Actors Exploit Unrest with RedKitten AI-Accelerated Campaign Targeting Iranian Protests
Open VSX Registry Deploys GlassWorm Malware via Four Malicious Extension Versions
Mandiant Reports ShinyHunters Extortion Tactics, Vishing, and SSO Compromise Target Cloud Environments 

Most Popular
NSO Group VS WhatApp
Spyware Vendor’s Pall Mall Claims Trigger Civil Society Backlash
Cyber Job Moves: New Appointments Across Threat Intelligence, Identity, and Critical Infrastructure
Alleged Data Breach Targets Spain’s Ministry of Science, Innovation, and Universities
Protest - Excel - Persian Text
State-Aligned Actors Exploit Unrest with RedKitten AI-Accelerated Campaign Targeting Iranian Protests
Glassworm - Credentials - Office - Executives
Open VSX Registry Deploys GlassWorm Malware via Four Malicious Extension Versions
Hacker, Screen
Mandiant Reports ShinyHunters Extortion Tactics, Vishing, and SSO Compromise Target Cloud Environments 
Spyware Vendor’s Pall Mall Claims Trigger Civil Society Backlash
Cyber Job Moves: New Appointments Across Threat Intelligence, Identity, and Critical Infrastructure
Alleged Data Breach Targets Spain’s Ministry of Science, Innovation, and Universities
State-Aligned Actors Exploit Unrest with RedKitten AI-Accelerated Campaign Targeting Iranian Protests
Open VSX Registry Deploys GlassWorm Malware via Four Malicious Extension Versions
Mandiant Reports ShinyHunters Extortion Tactics, Vishing, and SSO Compromise Target Cloud Environments 

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: