China-Linked Hacking Group Breaches Notepad++ Hosting, Delivers Backdoor
A state-sponsored hacking group linked to China has been attributed, with medium confidence, to a recent breach of the infrastructure hosting Notepad++, an open-source text editor. The group is tracked as Lotus Blossom. According to new findings from Rapid7, the attack allowed the group to deliver a previously undocumented backdoor, codenamed Chrysalis, to users of the editor.
The breach occurred due to a compromise at the hosting provider level, which enabled threat actors to hijack update traffic starting in June 2025. This allowed them to selectively redirect update requests from certain users to malicious servers, serving tampered updates. The weakness was addressed in December 2025 with the release of version 8.8.9, which included stronger security measures. Notepad++ has since migrated to a new hosting provider and rotated all credentials.
Rapid7's analysis revealed that the updater-related mechanism was not exploited to distribute malware. The only confirmed behavior was the execution of 'notepad++.exe' and 'GUP.exe', followed by a suspicious process, 'update.exe', downloaded from a specific IP address. 'update.exe' is an NSIS installer containing multiple files, including an NSIS script, a renamed copy of Bitdefender's Submission Wizard, encrypted shellcode, and a malicious DLL.
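The process chain described above ('notepad++.exe' launching 'GUP.exe', which then runs an 'update.exe' fetched from a bare IP address) is the kind of behaviour a defender can hunt for in endpoint telemetry. The following is an added example written for this page, not code from the article, Rapid7 or the Notepad++ project: it runs two simple checks over constructed Sysmon-style process-creation and network-connection records. The install directory, the expected update host and all sample events are assumptions made for the example.

```python
"""Hunt for suspicious activity around the Notepad++ updater (GUP.exe).

Added example, not from the article. Two checks:
  1. GUP.exe should only launch binaries from the Notepad++ install directory
     (normally notepad++.exe or itself after an update); anything else is odd.
  2. GUP.exe should talk to the vendor's update host by name; a connection
     to a bare IP address is worth a look.
All event records below are constructed for the example.
"""
import ipaddress
import ntpath
from typing import Iterable, List, Optional

# Assumed install location (hypothetical; adjust to the real deployment).
NPP_DIR = r"C:\Program Files\Notepad++"
# Children the updater is expected to launch.
EXPECTED_CHILDREN = {"notepad++.exe", "gup.exe"}


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def _under(image: str, directory: str) -> bool:
    """True if the image path lies inside the given directory (case-insensitive)."""
    norm = ntpath.normpath(image).lower()
    return norm.startswith(ntpath.normpath(directory).lower() + "\\")


def _is_bare_ip(host: str) -> bool:
    """True if the destination is an IP literal rather than a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_event(ev: dict) -> Optional[str]:
    """Return an alert string for a suspicious event, else None."""
    if ev["event"] == "process_create" and _base(ev["parent_image"]) == "gup.exe":
        child = ev["image"]
        if _base(child) not in EXPECTED_CHILDREN or not _under(child, NPP_DIR):
            return f"unexpected child of GUP.exe: {child}"
    if ev["event"] == "net_connect" and _base(ev["image"]) == "gup.exe":
        if _is_bare_ip(ev["dest_host"]):
            return f"GUP.exe connected to bare IP {ev['dest_host']}:{ev['dest_port']}"
    return None


def hunt(events: Iterable[dict]) -> List[str]:
    """Run check_event over a stream of events and collect the alerts."""
    return [alert for alert in (check_event(e) for e in events) if alert]


# Constructed sample telemetry: one benign and one suspicious record of each kind.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe"},          # normal relaunch
    {"event": "process_create",
     "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},      # dropped installer
    {"event": "net_connect",
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "dest_host": "updates.example.org", "dest_port": 443},          # assumed update host
    {"event": "net_connect",
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "dest_host": "203.0.113.7", "dest_port": 80},                   # documentation-range IP
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Both rules are deliberately narrow so they stay quiet in normal use: a legitimate update relaunches the editor from its install directory, and the updater resolves the vendor host by name. Path and host expectations should be taken from the real deployment rather than the placeholders used here.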
Chrysalis is a feature-rich implant that gathers system information and contacts an external server to receive additional commands. The command-and-control server is currently offline, but the artifact is capable of processing HTTP responses to perform various actions, such as spawning an interactive shell and uninstalling itself. Rapid7 identified a file named 'conf.c' designed to retrieve a Cobalt Strike beacon using a custom loader and Metasploit shellcode.
The group's use of proven techniques like DLL side-loading and service persistence, along with their multi-layered shellcode loader and integration of undocumented system calls, marks a shift towards more resilient and stealthy tradecraft. The mix of tools, including custom malware and public research, demonstrates the group's proactive approach to staying ahead of modern detection methods.