Notepad++ hijacking blamed on Chinese Lotus Blossom crew behind Chrysalis backdoor

Summary

Security researchers attribute a targeted hijack of Notepad++’s update infrastructure to a Chinese state-linked espionage group known as Lotus Blossom (aka Lotus Panda, Billbug). The attackers redirected some update traffic from a compromised shared hosting server to an attacker-controlled site, tricking select victims into installing a trojanised Notepad++ update that delivered a newly discovered backdoor named Chrysalis.

Rapid7’s MDR team linked the campaign to Lotus Blossom with “moderate confidence” based on execution-chain similarities to prior activity documented by Symantec. The Chrysalis implant is delivered via an NSIS installer that abuses a renamed Bitdefender Submission Wizard (presented as “BluetoothService.exe”) for DLL sideloading, and includes an encrypted shellcode payload and malicious DLL. Chrysalis shows multiple obfuscation layers, custom API hashing and structured C2, suggesting a persistent, sophisticated espionage tool rather than a throwaway toy.

Key Points

  • Notepad++ update infrastructure was abused to selectively serve a poisoned update from an attacker-controlled site.
  • Rapid7 attributes the campaign with moderate confidence to the Lotus Blossom APT, a group that targets governments, telecoms, aviation, critical infrastructure and media.
  • The delivered malware, Chrysalis, is a previously unknown backdoor with encrypted shellcode, DLL sideloading and structured C2, indicating a long-term espionage capability rather than a one-off tool.
  • Attackers used an NSIS installer and a renamed Bitdefender Submission Wizard (BluetoothService.exe) to sideload a malicious DLL — a tactic seen before in China-linked campaigns.
  • Rapid7 has published file and network indicators of compromise; the number of victims remains unclear at press time.

Content summary

The incident began when the Notepad++ project author noticed suspicious behaviour in the update process: some update requests were being redirected to an attacker-controlled host serving a trojanised NSIS installer. That installer contained a renamed legitimate binary used to sideload a malicious DLL, plus an encrypted payload that unpacks into the Chrysalis backdoor. Chrysalis employs API hashing, obfuscation and deliberate use of legitimate binaries to evade simple detections. Attribution rests on technical overlaps with prior Lotus Blossom tooling and execution chains analysed by Symantec and others.
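As an added example (not code from the article, Rapid7 or the Notepad++ project), the following Python sketch shows the kind of endpoint telemetry check defenders use to surface the chain described above: a legitimately signed binary running under a file name that does not match the OriginalFilename in its PE version resource, while loading a DLL from the same user-writable directory it was dropped into. The telemetry events, the OriginalFilename, signer and DLL names are constructed placeholders; only the BluetoothService.exe name is taken from the article.

```python
"""Triage sketch for DLL-sideloading candidates over constructed telemetry.

Added example. Events below are constructed; OriginalFilename, signer and
DLL names are placeholders, not indicators from the Rapid7 report.
"""
from dataclasses import dataclass
from typing import Dict, List

# Directories a standard user cannot normally write to. Anything outside
# these is treated as user-writable for triage purposes.
PROTECTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class ProcessEvent:
    image_path: str             # on-disk path of the started executable
    original_filename: str      # OriginalFilename from the PE version resource
    signer: str                 # Authenticode signer, "" if unsigned
    loaded_modules: List[str]   # full paths of DLLs the process loaded


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return not path.lower().startswith(PROTECTED_ROOTS)


def analyse(ev: ProcessEvent) -> List[str]:
    """Return finding tags for one process event (empty list = clean)."""
    findings: List[str] = []
    # A signed binary whose on-disk name differs from its compiled-in name
    # has been renamed; legitimate software rarely ships that way.
    if ev.signer and ev.original_filename and \
            _basename(ev.image_path) != ev.original_filename.lower():
        findings.append("renamed_signed_binary")
    # A DLL loaded from the executable's own directory is only suspicious
    # when that directory is one an ordinary user (or installer) can write.
    exe_dir = _dirname(ev.image_path)
    colocated = [m for m in ev.loaded_modules if _dirname(m) == exe_dir]
    if colocated and is_user_writable(exe_dir):
        findings.append("dll_loaded_from_writable_exe_dir")
    # Both together match the renamed-binary sideloading pattern.
    if len(findings) == 2:
        findings.append("sideload_candidate")
    return findings


def triage(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    return {ev.image_path: analyse(ev) for ev in events}


# Constructed sample telemetry.
CONSTRUCTED_EVENTS = [
    # Shape of the chain in the article: a renamed, signed helper dropped
    # by an installer into a temp directory, loading a DLL from that same
    # directory. Names other than BluetoothService.exe are placeholders.
    ProcessEvent(
        image_path="C:\\Users\\alice\\AppData\\Local\\Temp\\nsa1B2C.tmp\\BluetoothService.exe",
        original_filename="PLACEHOLDER_OriginalName.exe",
        signer="PLACEHOLDER Vendor",
        loaded_modules=[
            "C:\\Users\\alice\\AppData\\Local\\Temp\\nsa1B2C.tmp\\placeholder_sideloaded.dll",
            "C:\\Windows\\System32\\kernel32.dll",
        ],
    ),
    # Benign: name matches version info, modules come from System32.
    ProcessEvent(
        image_path="C:\\Program Files\\Notepad++\\notepad++.exe",
        original_filename="notepad++.exe",
        signer="PLACEHOLDER Publisher",
        loaded_modules=["C:\\Windows\\System32\\kernel32.dll"],
    ),
    # Renamed, but in a protected directory with no colocated DLL: lower priority.
    ProcessEvent(
        image_path="C:\\Program Files\\Tools\\svc.exe",
        original_filename="tool.exe",
        signer="PLACEHOLDER Vendor",
        loaded_modules=["C:\\Windows\\System32\\ntdll.dll"],
    ),
]

if __name__ == "__main__":
    for path, tags in triage(CONSTRUCTED_EVENTS).items():
        print(path, "->", tags or ["clean"])
```

The two checks are deliberately separate: a renamed signed binary alone is common in portable tooling, and a DLL loaded from a writable directory alone is common in user-installed software, but the combination in a temp directory is what the article's execution chain looks like in process and image-load telemetry. Feed it the same fields from Sysmon or an EDR (image path, version-resource OriginalFilename, signer, loaded module paths) and it applies unchanged.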

Context and relevance

Supply-chain and update-server compromises remain a favoured vector for espionage groups because they provide high-value access with minimal noisy reconnaissance. Lotus Blossom’s targeting profile — telecoms, critical infrastructure and government — makes this relevant for any organisation in those sectors, but the tactics used (NSIS installers, DLL sideloading, encrypted shellcode) are applicable across many environments. Indicators published by Rapid7 should be consumed by defensive teams and applied to detection rules and incident response playbooks.

Why should I read this?

Short version: if you run Notepad++ at work, or you care about software update supply-chain nastiness, this is worth a quick read. We’ve cut the waffle — attackers hijacked updates to drop a stealthy backdoor, and the researchers have IOCs you can use right away. Patch your detection rules, check update logs and treat update infrastructure like crown-jewel infrastructure — because it is.

Source

Article date: 2026-02-02T23:23:18+00:00

Source: https://go.theregister.com/feed/www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/