{"id":209614,"date":"2026-02-02T15:50:00","date_gmt":"2026-02-02T20:50:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/02\/china-based-espionage-group-compromised-notepad-for-six-months\/"},"modified":"2026-02-03T14:05:12","modified_gmt":"2026-02-03T19:05:12","slug":"china-based-espionage-group-compromised-notepad-for-six-months","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/02\/china-based-espionage-group-compromised-notepad-for-six-months\/","title":{"rendered":"China-based espionage group compromised Notepad++ for six months"},"content":{"rendered":"<p><a href=\"https:\/\/cyberscoop.com\/china-espionage-group-lotus-blossom-attacks-notepad\/\">China-based espionage group compromised Notepad++ for six months<\/a><\/p>\n<p><a href=\"https:\/\/cyberscoop.com\/china-espionage-group-lotus-blossom-attacks-notepad\/\">https:\/\/cyberscoop.com\/china-espionage-group-lotus-blossom-attacks-notepad\/<\/a><\/p>\n<p>Publish Date: 2026-02-02 15:50:00<\/p>\n<p>Source Domain: <a href=\"cyberscoop.com\">cyberscoop.com<\/a><\/p>\n<p>A China-based threat group operating for almost two decades broke into the internal systems of Notepad++, an extremely popular open-source code editor, to spy on a select group of targeted users, researchers at Rapid7 said Monday.<\/p>\n<p>Don Ho, the author and maintainer of the open-source tool, said independent security researchers confirmed a China state-sponsored group compromised Notepad++\u2019s server for a six-month period starting in June 2025. Ho, who did not respond to a request for comment, released a software update Dec. 
9 claiming to address authentication weaknesses that allowed attackers to hijack the Notepad++ updater client and user traffic.<\/p>\n<p>The Chinese APT group Lotus Blossom, which has been active since at least 2009, gained recurring access and deployed various payloads \u2014 including a custom backdoor \u2014 to snoop on some users\u2019 activities, according to Rapid7. The espionage group is also known as Billbug, Thrip and Raspberry Typhoon.\u00a0<\/p>\n<p>\u201cWe have no evidence of bulk data exfiltration,\u201d Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, told CyberScoop. \u201cThe tooling observed is consistent with post-compromise reconnaissance, command execution, and selective data access, rather than broad data harvesting.\u201d<\/p>\n<p>The attacks, which showcased resilience and stealth tradecraft, did not result in a mass compromise of all Notepad++ users, but rather a limited number of affected environments, according to Rapid7.<\/p>\n<p>\u201cPost-compromise behavior included system profiling, persistence mechanisms, and remote command execution consistent with long-term espionage access rather than immediate disruption or monetization,\u201d Beek added. \u201cThe objective appears aligned with strategic intelligence collection, consistent with Lotus Blossom\u2019s historical operations.\u201d<\/p>\n<p>The former hosting provider for Notepad++ said the attackers lost access to the tool\u2019s server on Sept. 
2, but maintained legitimate credentials&#8230;<\/p>\n<p><a href=\"https:\/\/cyberscoop.com\/china-espionage-group-lotus-blossom-attacks-notepad\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>China-based espionage group compromised Notepad++ for six months https:\/\/cyberscoop.com\/china-espionage-group-lotus-blossom-attacks-notepad\/ Publish Date: 2026-02-02 15:50:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":209615,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2025\/08\/GettyImages-2204258854-1.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[],"class_list":["post-209614","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209614"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209614"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209614\/revisions"}],"predecessor-version":[{"id":209616,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209614\/revisions\/209616"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/209615"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v
2\/categories?post=209614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}