Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

Staff Editor 2026-02-02
Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html

Publish Date: 2026-02-02 23:55:00

Source Domain: thehackernews.com

A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++.

The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7.

The development comes shortly after Notepad++ maintainer Don Ho said that a compromise at the hosting provider level allowed threat actors to hijack update traffic starting June 2025 and selectively redirect such requests from certain users to malicious servers to serve a tampered update by exploiting insufficient update verification controls that existed in older versions of the utility.

The weakness was plugged in December 2025 with the release of version 8.8.9. It has since emerged that the hosting provider for the software was breached to perform targeted traffic redirections until December 2, 2025, when the attacker’s access was terminated. Notepad++ has since migrated to a new hosting provider with stronger security and rotated all credentials.

Rapid7’s analysis of the incident has uncovered no evidence or artifacts to suggest that the site’s plugin or updater-related mechanisms were exploited to distribute malware.

Cybersecurity

“The only confirmed behavior is that execution of ‘notepad++.exe’ and subsequently ‘GUP.exe’ preceded the execution of a suspicious process ‘update.exe’ which was downloaded from 95.179.213.0,” security researcher Ivan Feigl said.

“Update.exe” is a Nullsoft Scriptable Install System (NSIS) installer that contains multiple files –

  • An NSIS installation script
  • BluetoothService.exe, a renamed version of Bitdefender Submission Wizard that’s used for DLL side-loading (a technique widely used by Chinese hacking groups)
  • BluetoothService, encrypted shellcode (aka Chrysalis)
  • log.dll, a malicious DLL that’s sideloaded to decrypt and execute the shellcode

Chrysalis is a bespoke,…

Source

More Stories

Are connected electric vehicles safe? The top threats they face

Are connected electric vehicles safe? The top threats they face

Staff Editor 2026-06-06
Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available

Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available

Staff Editor 2026-06-06
Three highlights in latest DHS spending bill

Three highlights in latest DHS spending bill

Staff Editor 2026-06-05

Terms and Conditions - Privacy Policy