Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group
Briefly

"A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++. The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7. The development comes shortly after Notepad++ maintainer Don Ho said that a compromise at the hosting provider level allowed threat actors to hijack update traffic starting June 2025"
"The only confirmed behavior is that execution of 'notepad++.exe' and subsequently 'GUP.exe' preceded the execution of a suspicious process 'update.exe' which was downloaded from 95.179.213.0," security researcher Ivan Feigl said. "update.exe" is a Nullsoft Scriptable Install System (NSIS) installer that contains multiple files: an NSIS installation script; BluetoothService.exe, a renamed version of Bitdefender Submission Wizard that's used for DLL side-loading (a technique widely used by Chinese hacking groups); BluetoothService, encrypted shellcode (aka Chrysalis); and log.dll, a malicious DLL that's sideloaded to decrypt and execute the shellcode.
Lotus Blossom, a China-linked threat actor, compromised the hosting infrastructure for Notepad++ and used targeted update-traffic redirections starting June 2025 to selectively serve a tampered update. The hosting-provider access persisted until December 2, 2025; Notepad++ patched the updater weakness in version 8.8.9 in December 2025, migrated to a new hosting provider, and rotated all credentials. Rapid7 found no artifacts showing the updater was used to distribute malware at scale. The confirmed behavior is that notepad++.exe and then GUP.exe preceded execution of an update.exe downloaded from 95.179.213.0. That update.exe is an NSIS installer containing a renamed Bitdefender Submission Wizard binary, the encrypted Chrysalis shellcode, and a malicious DLL that the renamed binary side-loads.
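The process chain and side-loading pair reported above can be turned into a simple detection. The sketch below is an added example, not code from the article or from Rapid7; the event records are constructed samples, and the directory paths and event schema are assumptions.

```python
"""Detection sketch for the Notepad++ update-hijack chain described above.

Flags two things over constructed process-creation and image-load events:
  1. GUP.exe (the Notepad++ updater) launching update.exe, with higher
     severity when the child's download source is the reported IP.
  2. The renamed signed binary (BluetoothService.exe) loading log.dll from
     its own directory, the DLL side-loading pattern in the report.
"""
from dataclasses import dataclass

REPORTED_DOWNLOAD_SRC = "95.179.213.0"   # download source named in the report
UPDATER = "gup.exe"                       # Notepad++ updater image name
SIDELOAD_PAIRS = {("bluetoothservice.exe", "log.dll")}  # (host exe, DLL)


@dataclass
class Event:
    kind: str          # "process" (creation) or "imageload" (DLL load)
    parent: str        # parent image, or the host process for imageload
    image: str         # created process path, or loaded DLL path
    source: str = ""   # download origin of the image, when known


def _name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (severity, message) findings for the reported attack chain."""
    findings = []
    for e in events:
        if e.kind == "process" and _name(e.parent) == UPDATER \
                and _name(e.image) == "update.exe":
            sev = "high" if e.source == REPORTED_DOWNLOAD_SRC else "medium"
            findings.append((sev, f"updater spawned {e.image} "
                                  f"(source {e.source or 'unknown'})"))
        elif e.kind == "imageload" \
                and (_name(e.parent), _name(e.image)) in SIDELOAD_PAIRS \
                and "system32" not in e.image.lower():
            # DLL resolved beside the host EXE rather than from System32
            findings.append(("high", f"{e.parent} side-loaded {e.image}"))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    Event("process", r"C:\Program Files\Notepad++\notepad++.exe",
          r"C:\Program Files\Notepad++\updater\GUP.exe"),
    Event("process", r"C:\Program Files\Notepad++\updater\GUP.exe",
          r"C:\Users\u\AppData\Local\Temp\update.exe", "95.179.213.0"),
    Event("imageload", r"C:\ProgramData\BT\BluetoothService.exe",
          r"C:\ProgramData\BT\log.dll"),
    Event("process", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for sev, msg in detect(SAMPLE_EVENTS):
        print(sev, msg)
```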
Read at The Hacker News