Notepad++ hijacking linked to Chinese Lotus Blossom crew • The Register
https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/
Publish Date: 2026-02-02 18:23:00
Source Domain: www.theregister.com
Security researchers have attributed the Notepad++ update hijacking to a Chinese government-linked espionage crew called Lotus Blossom (aka Lotus Panda, Billbug), which abused weaknesses in the update infrastructure to gain a foothold in high-value targets by delivering a newly identified backdoor dubbed Chrysalis.
Early Monday, the text editor’s project author said a suspected Chinese state-sponsored group somehow compromised a shared hosting server and selectively redirected some update traffic to an attacker-controlled site where victims downloaded a poisoned version of what appeared to be a legit software update.
Later on Monday, Rapid7’s managed detection and response team attributed the attack “with moderate confidence” to the Chinese advanced persistent threat (APT) group they call Lotus Blossom.
This group typically conducts targeted cyber-espionage campaigns against organizations in Southeast Asia – and more recently Central America – with a focus on government, telecom, aviation, critical infrastructure, and media sectors.
According to the threat hunters, the espionage crew used the hijacked Notepad++ update to deliver a previously unknown backdoor called Chrysalis.
Notepad++ author Don Ho did not immediately respond to The Register’s inquiries about Rapid7’s attribution and malware analysis. We will update this story if we hear back.
While it’s still unclear exactly how the miscreants gained initial access to Notepad++’s distribution infrastructure, once inside they abused that access to deliver a trojanized update in the form of an NSIS installer, a packaging format commonly abused by Chinese APT groups to deliver initial payloads.
The installer contained an executable file named “BluetoothService.exe,” which is a renamed legitimate Bitdefender Submission Wizard abused for DLL sideloading – another…
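The two tells in that last paragraph, a legitimate signed executable running under a name that does not match its own version metadata and an unsigned DLL loaded from the directory it sits in, are both visible in ordinary endpoint telemetry. The following is an added hunting example written for this article, not code from Rapid7, Notepad++ or the malware analysis it reports. The log lines are constructed and modelled on Sysmon field names (Event ID 1 process creation, Event ID 7 image load); the `OriginalFileName` value `SubmissionWizard.exe`, the temp-directory path and the DLL name `updater.dll` are placeholders, since the article does not publish those details.

```python
"""Hunt for the renamed-signed-binary + DLL-sideload pattern in key=value event lines.

Added example for this article; not code from Rapid7 or the Notepad++ project.
All sample data below is constructed. OriginalFileName, the temp path and the
DLL name are placeholders, not values taken from the real incident.
"""
import re
from pathlib import PureWindowsPath

# key=value pairs; quoted values may contain spaces (e.g. "C:\Program Files\...").
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry modelled on Sysmon Event ID 1 / 7 fields.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Users\alice\AppData\Local\Temp\nsa1234.tmp\BluetoothService.exe OriginalFileName=SubmissionWizard.exe
EventID=7 Image=C:\Users\alice\AppData\Local\Temp\nsa1234.tmp\BluetoothService.exe ImageLoaded=C:\Users\alice\AppData\Local\Temp\nsa1234.tmp\updater.dll Signed=false
EventID=7 Image=C:\Users\alice\AppData\Local\Temp\nsa1234.tmp\BluetoothService.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true
EventID=1 Image="C:\Program Files\Notepad++\notepad++.exe" OriginalFileName=notepad++.exe
"""


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict, honouring double-quoted values."""
    return {k: (q if q else v) for k, q, v in FIELD_RE.findall(line)}


def is_renamed_binary(ev: dict) -> bool:
    """Process-creation record whose on-disk file name differs from the
    OriginalFileName embedded in the PE version resource. A vendor tool
    copied to disk as BluetoothService.exe trips this check."""
    if ev.get("EventID") != "1" or "OriginalFileName" not in ev:
        return False
    on_disk = PureWindowsPath(ev["Image"]).name.lower()
    return on_disk != ev["OriginalFileName"].lower()


def is_sideload_candidate(ev: dict) -> bool:
    """Image-load record where an unsigned DLL is loaded from the same
    directory as the host executable: the classic search-order sideload."""
    if ev.get("EventID") != "7" or "ImageLoaded" not in ev:
        return False
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    same_dir = host.parent == dll.parent          # PureWindowsPath compares case-insensitively
    unsigned = ev.get("Signed", "").lower() != "true"
    return same_dir and unsigned


def hunt(log: str) -> list[tuple[str, str]]:
    """Return (finding_type, path) tuples for every suspicious record."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_renamed_binary(ev):
            findings.append(("renamed_binary", ev["Image"]))
        if is_sideload_candidate(ev):
            findings.append(("dll_sideload", ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for kind, path in hunt(SAMPLE_LOG):
        print(f"{kind:15s} {path}")
```

On real data the renamed-binary check produces noise from legitimately renamed installers and updaters, so pair it with the second signal: a signed host plus an unsigned DLL from the same user-writable directory is a far tighter indicator than either alone.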