Lotus Blossom Hackers Compromised Official Hosting Infrastructure of Notepad++

The state-sponsored threat group Lotus Blossom successfully breached the official hosting infrastructure of Notepad++ between June and December 2025, targeting users across government agencies, telecommunications companies and critical infrastructure sectors.

The attackers gained access by compromising the shared hosting provider’s environment, which allowed them to intercept traffic headed to the Notepad++ update server and redirect it to their own malicious infrastructure.

This infrastructure-level hijack enabled selective targeting of victims primarily located in Southeast Asia, though the campaign also extended to South America, the United States and Europe.

Notepad++ serves as a lightweight open-source code editor widely used by system administrators, network engineers and DevOps personnel in enterprise environments.

These professionals commonly rely on the tool to modify server configurations, parse system logs and audit code on secure systems where larger applications are impractical.

Palo Alto Networks analysts identified that compromising this specific tool allowed attackers to bypass perimeter defenses and gain implicit administrative access to core network infrastructure by piggybacking into sessions of privileged users.

The attack exploited insufficient verification controls in older versions of WinGUp, the Notepad++ updater component.

When targeted victims attempted to update their software, they unknowingly downloaded a malicious NSIS installer named update.exe that initiated a complex infection chain.

Unit 42 researchers discovered two distinct attack sequences, including a Lua script injection variant that delivered Cobalt Strike beacon malware and another chain using DLL sideloading techniques to deploy the Chrysalis backdoor.

The malicious installer misused a legitimate Bitdefender component called BluetoothService.exe to load a malicious library, log.dll, which then decrypted and executed the custom backdoor.

Additional activity observed between August and November 2025 showed communication with command-and-control servers at IP addresses 45.76.155[.]202 and 45.77.31[.]210, with attackers shifting between servers to maintain persistent access.

Infection Mechanism

The Chrysalis backdoor employed advanced evasion techniques to avoid detection by security tools.

Attackers utilized the Microsoft Warbird code protection framework and custom API hashing methods to reduce antivirus detection while establishing persistent remote control over infected systems.

In the Lua script injection variant, attackers deployed malicious scripts using the EnumWindowStationsW API to inject shellcode and deliver Cobalt Strike beacon malware.

The campaign targeted cloud hosting, energy, financial, government, manufacturing and software development sectors across multiple continents.

Successful beacons to malicious servers occurred within seconds of downloading the malicious payload, with communication continuing for extended periods.

Notepad++ has since released version 8.9.1 with enhanced security measures, including certificate and signature verification of downloaded installers and XML signing of update server responses.

The developers migrated to a new hosting provider with stronger security practices and plan to enforce stricter verification starting with version 8.9.2.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.