Notepad++ Hijacking Incident Deploying Backdoor, Linked to Lotus Blossom Group Campaign
Published
Key Takeaways
- Espionage Campaign: A suspected Chinese state-sponsored group selectively poisoned Notepad++ updates for six months in 2025.
- Malware Deployment: Attackers deployed a novel backdoor via a compromised update mechanism, exploiting sophisticated DLL sideloading techniques.
- Selective Targeting: The campaign employed highly selective targeting, focusing on high-value entities in East Asia to maintain stealth and persistence.
Notepad++ developer Don Ho and security researchers at Rapid7 have said that the open-source text editor's software update mechanism was likely hijacked by a Chinese state-linked espionage group that Rapid7 believes may be Lotus Blossom (also known as Lotus Panda, Billbug, Bronze Elgin, Spring Dragon, and Thrip).
This Notepad++ hijacking campaign, occurring between June and December 2025, enabled an advanced persistent threat (APT) actor to deliver malicious payloads to specific users, compromising critical environments across the government, telecommunications, aviation, and media sectors.
Backdoor Deployed via DLL Sideloading
The attack involved compromising a shared hosting server to redirect update requests from targeted users to a malicious server controlled by the hackers. This redirection facilitated the delivery of a feature-rich, previously undocumented backdoor dubbed Chrysalis.
Reports say the attackers “specifically targeted” Notepad++’s web domain to exploit a now-fixed flaw and redirect some users to an attacker-controlled server. However, it is yet unclear how the intrusion occurred.
According to Rapid7's technical analysis, the threat actors employed complex evasion techniques, packaging the malware within an NSIS installer. The execution chain utilized DLL sideloading, abusing a legitimate, renamed Bitdefender Submission Wizard (BluetoothService.exe) to load a malicious DLL and decrypt the shellcode.
Collin Hogue-Spears, Senior Director of Solution Management at Black Duck, added that attackers “filtered update requests by IP range, and hand-delivered trojanized installers to East Asian telecom and financial targets.”
Implications for Software Supply Chain Security
This Notepad++ cyberattack was highly targeted, as “traffic from certain targeted users was selectively redirected to attacker-controlled” infrastructure. “By compromising the hosting infrastructure to deliver poisoned updates, the attackers likely sought to gain Remote Code Execution (RCE) on developer workstations,” Sectigo’s Jason Soroko said.
Since compromised updates were with the same privileges as legitimate software installations bypassed local controls, “reconnaissance, credential harvesting, lateral movement, persistence, or even data exfiltration became feasible inside the target networks based on Notepad++ usage and transmitted out of the organization based on subsequent update requests,” said Morey Haber, Chief Security Advisor at BeyondTrust.
While the vulnerability exploited for the redirection was patched in November 2025 and the attacker's access was reportedly terminated by December, organizations using Notepad++ should:
- Update to version 8.9.1 or later,
- Adopt a zero-trust approach to software updates,
- Ensure the integrity of the update channel,
- Vet hosting/CDN providers for security practices,
- Regular threat hunting around trusted paths and incident response readiness.
This month, Chinese spies were seen exploiting the Venezuela crisis to target U.S. officials. In April 2025, Lotus Panda cyberattacks targeted Southeast Asian governments, distributing a new variant of the custom Sagerunex backdoor.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular