{"id":209360,"date":"2026-02-02T18:23:00","date_gmt":"2026-02-02T23:23:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/02\/notepad-hijacking-linked-to-chinese-lotus-blossom-crew-the-register\/"},"modified":"2026-02-02T21:45:12","modified_gmt":"2026-02-03T02:45:12","slug":"notepad-hijacking-linked-to-chinese-lotus-blossom-crew-the-register","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/02\/notepad-hijacking-linked-to-chinese-lotus-blossom-crew-the-register\/","title":{"rendered":"Notepad++ hijacking linked to Chinese Lotus Blossom crew \u2022 The Register"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/02\/notepad_hijacking_lotus_blossom\/\">Notepad++ hijacking linked to Chinese Lotus Blossom crew \u2022 The Register<\/a><\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/02\/notepad_hijacking_lotus_blossom\/\">https:\/\/www.theregister.com\/2026\/02\/02\/notepad_hijacking_lotus_blossom\/<\/a><\/p>\n<p>Publish Date: 2026-02-02 18:23:00<\/p>\n<p>Source Domain: www.theregister.com<\/p>\n<p>Security researchers have attributed the Notepad++ update hijacking to a Chinese government-linked espionage crew called Lotus Blossom (aka Lotus Panda, Billbug), which abused weaknesses in the update infrastructure to gain a foothold in high-value targets by delivering a newly identified backdoor dubbed Chrysalis.<\/p>\n<p>Early Monday, the text editor&#8217;s project author said a suspected Chinese state-sponsored group somehow compromised a shared hosting server and selectively redirected some update traffic to an attacker-controlled site where victims downloaded a poisoned version of what appeared to be a legit software update.<\/p>\n<p>Later on Monday, Rapid7&#8217;s managed detection and response team attributed the attack &#8220;with moderate confidence&#8221; to the Chinese advanced persistent 
threat (APT) group they call Lotus Blossom.\u00a0<\/p>\n<p>This group typically conducts targeted cyber-espionage campaigns against organizations in Southeast Asia &#8211; and more recently Central America &#8211; with a focus on government, telecom, aviation, critical infrastructure, and media sectors.<\/p>\n<p>According to the threat hunters, the espionage crew used the hijacked Notepad++ update to deliver a previously unknown backdoor called Chrysalis.<\/p>\n<p>Notepad++ author Don Ho did not immediately respond to The Register&#8217;s inquiries about Rapid7&#8217;s attribution and malware analysis. We will update this story if we hear back.<\/p>\n<p>While it&#8217;s still unclear exactly how the miscreants gained initial access to Notepad++&#8217;s distribution infrastructure, once inside they abused that access to deliver a trojanized update in the form of an NSIS installer, a packaging format commonly abused by Chinese APT groups to deliver initial payloads.<\/p>\n<p>The installer contained an executable file named\u00a0&#8220;BluetoothService.exe,&#8221; which is a renamed legitimate Bitdefender Submission Wizard abused for DLL sideloading &#8211; another&#8230;<\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/02\/notepad_hijacking_lotus_blossom\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Notepad++ hijacking linked to Chinese Lotus Blossom crew \u2022 The Register https:\/\/www.theregister.com\/2026\/02\/02\/notepad_hijacking_lotus_blossom\/ Publish Date: 
2026-02-02&#8230;<\/p>\n","protected":false},"author":1,"featured_media":209361,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/regmedia.co.uk\/2026\/02\/02\/ugly_chrysalis.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32],"class_list":["post-209360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209360"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209360"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209360\/revisions"}],"predecessor-version":[{"id":209362,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209360\/revisions\/209362"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/209361"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=209360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}