
Notepad++ breach: Chinese state hackers ran six-month supply chain op

Lotus Blossom spent half of 2025 intercepting update traffic to deploy custom backdoors in telecoms and finance targets across East Asia. The attack compromised hosting infrastructure, not code - a pattern enterprise security teams should note.

What happened

Notepad++ confirmed a six-month compromise of its update infrastructure between June and December 2025. Rapid7 attributes the attack to Lotus Blossom (also tracked as Billbug, Thrip, Raspberry Typhoon), a Chinese state-sponsored group active since 2009.

The attackers didn't exploit the software itself. They breached a shared hosting provider and selectively redirected update traffic for specific targets - primarily telecoms and financial institutions with East Asia interests - to malicious servers. Those users downloaded what appeared to be legitimate updates but received a custom backdoor called Chrysalis instead.

Developer Don Ho disclosed the breach on February 2, noting that the attackers retained valid credentials after a server wipe in September, until the final cleanup in early December. The exact entry vector remains under investigation.

Why it matters

This is a supply chain attack via infrastructure compromise, not a vulnerability in the application. The pattern echoes SolarWinds: patient actors, narrow targeting, long dwell time. Millions use Notepad++, but the campaign infected selectively - profiling victims before deployment.

Lotus Blossom deployed sophisticated tradecraft. The malicious update used NSIS installers (common among Chinese APT groups) and DLL sideloading via a legitimate Bitdefender binary. Chrysalis includes custom API hashing, multiple obfuscation layers, and structured command-and-control communication - hallmarks of a permanent toolkit, not throwaway malware.
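The DLL sideloading described above works by placing a malicious library beside a legitimately signed executable so the binary loads it through the normal search order. A defender can triage for that shape in image-load telemetry. The Python below is an added example, not code from Rapid7's report or from the Notepad++ project: it applies one such rule to constructed records of the kind Sysmon event 7 or an EDR would supply. The paths, the "VendorAV" binary and the publisher names are hypothetical stand-ins.

```python
import ntpath
from dataclasses import dataclass
from typing import List


@dataclass
class ImageLoad:
    process_image: str    # full path of the process that loaded the DLL
    process_signer: str   # publisher on the process's code signature ("" if unsigned)
    loaded_image: str     # full path of the DLL that was loaded
    dll_signer: str       # publisher on the DLL's signature ("" if unsigned)


# Directory prefixes an ordinary user can write to (compared lower-cased).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def is_sideload_candidate(rec: ImageLoad) -> bool:
    """Triage rule: a signed binary, staged in a user-writable directory,
    loads a DLL from its own directory whose signer does not match."""
    proc = rec.process_image.lower()
    dll = rec.loaded_image.lower()
    # 1. Sideloading needs a trusted (signed) host process that has been
    #    relocated somewhere the attacker could write.
    if not rec.process_signer or not in_user_writable(proc):
        return False
    # 2. The planted DLL sits beside the binary, where the search order
    #    finds it before system directories.
    if ntpath.dirname(proc) != ntpath.dirname(dll):
        return False
    # 3. The DLL is unsigned or signed by a different publisher.
    return rec.dll_signer.lower() != rec.process_signer.lower()


def find_sideload_candidates(records: List[ImageLoad]) -> List[str]:
    return [r.loaded_image for r in records if is_sideload_candidate(r)]


# Constructed records; "VendorAV" and "nsq1234.tmp" are hypothetical names.
RECORDS = [
    # Normal: vendor binary in its install dir loads its own signed DLL.
    ImageLoad(r"C:\Program Files\VendorAV\vendorav.exe", "Vendor AV Ltd",
              r"C:\Program Files\VendorAV\log.dll", "Vendor AV Ltd"),
    # Suspect: same signed binary unpacked into an installer temp dir,
    # loading an unsigned DLL placed next to it.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\nsq1234.tmp\vendorav.exe", "Vendor AV Ltd",
              r"C:\Users\alice\AppData\Local\Temp\nsq1234.tmp\log.dll", ""),
    # Benign: the relocated binary loading a system DLL from System32.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\nsq1234.tmp\vendorav.exe", "Vendor AV Ltd",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    # Out of scope for this rule: an unsigned installer loading its own helper.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\setup.exe", "",
              r"C:\Users\alice\AppData\Local\Temp\helper.dll", ""),
]


if __name__ == "__main__":
    for hit in find_sideload_candidates(RECORDS):
        print("sideload candidate:", hit)
```

Legitimate installers also unpack signed helpers into temp directories, so this is a triage filter to feed publisher-mismatch hits into review, not a blocking rule. The fourth record is deliberately not flagged: an unsigned process loading an unsigned DLL is a different (and noisier) signal, whereas sideloading is specifically the abuse of a trusted signed host.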

For enterprise security teams, this reinforces that update mechanisms are high-value targets. Attackers will compromise the delivery infrastructure when they can't crack the code. The hosting provider breach gave them six months of selective access.
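Because the attack redirected download traffic rather than altering the software, the control that would have stopped it on the client side is verifying what was downloaded against expectations obtained from somewhere the download host cannot influence. The Python below is an added example, not Notepad++'s updater or anything from Rapid7's analysis: it checks a downloaded payload against a pinned SHA-256 manifest and an expected host, using constructed payloads, a hypothetical host name, and hashes computed from the constructed data rather than any real release.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payloads. The "legitimate" one stands in for the real
# installer; the "tampered" one stands in for what a redirected download
# returns. Neither is a real Notepad++ artifact.
LEGIT_PAYLOAD = b"example-installer\x00" + bytes(range(64))
TAMPERED_PAYLOAD = LEGIT_PAYLOAD + b"\x90\x90extra-stage"

# Pinned manifest: file name -> expected SHA-256. A real client gets this
# from a channel the download host cannot control (embedded in the client,
# or fetched separately and signature-checked). Here it is computed from
# the constructed legitimate payload.
PINNED_MANIFEST = {
    "example-installer.exe": hashlib.sha256(LEGIT_PAYLOAD).hexdigest(),
}

# Hypothetical update host. A host allowlist is a weak control on its own:
# in the Notepad++ case the legitimate host was the compromised one, so the
# hash check is what actually catches the swap.
EXPECTED_HOSTS = {"updates.example.invalid"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(filename: str, payload: bytes, served_from: str):
    """Return (ok, reason). Reject on host mismatch, unknown file, or hash mismatch."""
    host = urlparse(served_from).hostname
    if host not in EXPECTED_HOSTS:
        return False, "unexpected host: %s" % host
    expected = PINNED_MANIFEST.get(filename)
    if expected is None:
        return False, "file not in pinned manifest"
    actual = sha256_hex(payload)
    # Constant-time comparison so timing does not reveal matching prefixes.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch: got %s..." % actual[:16]
    return True, "ok"


def run_scenarios():
    """Three downloads: genuine, redirected-and-swapped, and from an unlisted mirror."""
    url = "https://updates.example.invalid/example-installer.exe"
    return {
        "legit": verify_update("example-installer.exe", LEGIT_PAYLOAD, url)[0],
        "redirected": verify_update("example-installer.exe", TAMPERED_PAYLOAD, url)[0],
        "mirror": verify_update("example-installer.exe", LEGIT_PAYLOAD,
                                "https://cdn.example.invalid/example-installer.exe")[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(name, "accepted" if ok else "rejected")
```

The pinned hash only helps if the manifest itself does not travel over the same compromised path as the installer; a production updater verifies a publisher signature (Authenticode on Windows, or a detached signature over the manifest) with a key that never lives on the hosting provider, and the hash comparison above is the standard-library stand-in for that step.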

What's next

Notepad++ has migrated hosting providers and hardened its update processes. Users should update immediately. The compromised infrastructure has been taken offline, and no ongoing exploitation has been reported.

Attribution is consistent across sources - Rapid7, independent researchers, and Ho all point to Chinese state sponsorship. The exact entry point is still under analysis, which matters for determining whether this was opportunistic or planned.

The real question is scope. How many users were profiled versus infected? Lotus Blossom's historical focus on long-term intelligence collection suggests the victim count was deliberately kept small to avoid detection. That worked - the campaign ran for six months before discovery.