The simple act of updating a trusted software application, a routine task for millions of developers and system administrators, became the entry point for a sophisticated state-sponsored cyberespionage campaign that unfolded over six months. Between June and December 2025, the threat group known as Lotus Blossom executed a meticulously planned supply-chain attack, compromising the official hosting infrastructure of the widely used open-source code editor, Notepad++. This was not a random assault; it was a targeted operation aimed at high-value users within government agencies, telecommunications firms, and critical infrastructure sectors. The campaign’s geographical focus was primarily on Southeast Asia, but its reach extended across the globe, with victims identified in South America, the United States, and Europe. By subverting the very mechanism designed to keep software secure, the attackers turned a routine security practice into a powerful tool for infiltration, demonstrating the profound risks inherent in modern software supply chains and the lengths to which determined adversaries will go to compromise strategic targets.
Anatomy of the Infrastructure Breach
The Hijacked Hosting Environment
The foundation of this attack was not an exploit in the Notepad++ application itself but an infrastructure-level hijack. The attackers compromised the shared hosting provider used by Notepad++ and, with it, the environment that answered update requests from its user base. From that position they could intercept update traffic and redirect it selectively: most users received the genuine update, while targeted users were sent to infrastructure controlled by Lotus Blossom, which served a trojanized update package that initiated the infection. Because the updater of that era trusted whatever the update channel returned, control of the host was sufficient; no flaw in the editor had to be found. The effectiveness of the strategy was magnified by the user profile of Notepad++. The editor is a staple for system administrators, network engineers, and DevOps personnel, people who often hold elevated permissions and manage sensitive systems. Compromising their workstations gave the attackers a path around perimeter defenses and, in practice, administrative reach into the core assets of targeted organizations, turning a text editor into a Trojan horse.
A Strategic Focus on Privileged Access
The decision to target Notepad++ was a calculated move to maximize impact by leveraging the trust and access levels of its user base. By focusing on IT professionals who use the tool to manage servers, configure networks, and write scripts, the attackers aimed at what is often the hardest goal in cyber operations: a persistent and privileged foothold inside a secure network. A compromised administrator's machine is worth far more than a typical employee's, since it provides a launchpad for lateral movement, data exfiltration, and deeper system control. The approach also sidesteps many standard controls: to a firewall or intrusion detection system, the download looks like a legitimate update arriving over the expected channel, and once the malicious update ran on an administrator's workstation the attackers were effectively "inside the wire," operating with that user's credentials and trust. The method underscores a broader shift in attack strategy, away from breaching the perimeter and toward subverting trusted internal processes and personnel to achieve objectives with greater stealth and efficiency.
Unraveling the Intricate Infection Chains
The DLL Sideloading Variant
Analysis of the attack revealed two distinct infection chains, both originating from a malicious NSIS installer named update.exe. The installer relied on insufficient verification in older versions of WinGUp, the updater component used by Notepad++, which did not check that the installer it had downloaded actually came from the project. The first variant used a classic DLL sideloading technique. The malicious package included a legitimate, signed executable from Bitdefender, BluetoothService.exe, which follows the standard Windows search order and looks in its own directory before the system directories for a library it imports. Placing a malicious library named log.dll beside it was therefore enough: when the signed executable ran, it loaded log.dll, and the trusted signature on the executable gave the untrusted code its cover. The DLL acted as the initial loader, decrypting and executing the final payload, the Chrysalis backdoor. Chrysalis was engineered for stealth. It was built with the Microsoft Warbird code-protection framework to obfuscate its structure, and it resolved Windows API functions through custom API hashing, computing a hash of each function name at runtime instead of importing the function by name, so the import table reveals nothing about what the backdoor calls and static analysis becomes markedly harder.
The Lua Script Injection Method
The second chain showed the group's versatility, reaching the same goal by a different route. It was again delivered through the malicious update.exe installer but used a Lua script rather than a sideloaded DLL. The script staged shellcode in memory and then called the legitimate EnumWindowStationsW Windows API, which accepts a callback function pointer, passing the shellcode's address as that callback; the operating system itself then transferred execution to the shellcode, a callback-execution trick that avoids the thread-creation and injection APIs that detection tooling watches most closely. The technique is evasive because the payload never exists on disk as an executable and the transfer of control originates inside a trusted system library, although the Lua script and the installer themselves remain on disk as artifacts for investigators. Once running, the shellcode acted as a downloader that fetched and executed the final payload, in this case a Cobalt Strike beacon; Cobalt Strike is a commercial adversary-simulation framework that threat actors routinely co-opt for its post-exploitation capabilities. Throughout the campaign the attackers kept operational flexibility by rotating command-and-control (C2) between two addresses, 45.76.155[.]202 and 45.77.31[.]210, so that implants could keep contact if one server was taken offline.
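Both chains leave host-level traces a detection engineer can act on: a signed vendor executable loading an unsigned DLL from its own directory (the sideloading chain) and the implant's outbound connections to the two listed C2 addresses. The Go program below is an added example written for this article, not code from Notepad++, WinGUp or any of the cited reports. It runs those two checks over a handful of constructed events shaped like Sysmon Event ID 7 (ImageLoad) and Event ID 3 (NetworkConnect); the JSON field names, file paths and signer strings are this example's own simplifications, not Sysmon's schema, and only the C2 addresses come from the campaign reporting.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Event is a reduced, constructed stand-in for Sysmon Event ID 7 (ImageLoad)
// and Event ID 3 (NetworkConnect). Field names are this example's own, not Sysmon's.
type Event struct {
	ID           int    `json:"id"`
	Image        string `json:"image"`         // process that loaded the module or opened the connection
	ImageSigner  string `json:"image_signer"`  // Authenticode signer of Image; "" means unsigned
	Loaded       string `json:"loaded"`        // ID 7 only: path of the loaded module
	LoadedSigner string `json:"loaded_signer"` // ID 7 only: signer of the module; "" means unsigned
	DestIP       string `json:"dest_ip"`       // ID 3 only: destination address
}

// Alert is one triage finding.
type Alert struct {
	Rule string
	Why  string
}

// knownC2 holds the two C2 addresses reported for the campaign (refanged).
var knownC2 = map[string]bool{
	"45.76.155.202": true,
	"45.77.31.210":  true,
}

// norm makes Windows paths comparable on any host: backslashes to slashes, lower case.
func norm(p string) string {
	return strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
}

// inSystemDir reports whether a module lives under the Windows directory, where
// loads of signed OS DLLs are expected and not interesting for sideloading.
func inSystemDir(p string) bool {
	return strings.HasPrefix(norm(p), "c:/windows/")
}

// triage applies two checks: (1) a signed EXE loading a DLL from its own directory that is
// unsigned or signed by someone else (the shape of the BluetoothService.exe/log.dll chain),
// and (2) any outbound connection to a known campaign C2 address.
func triage(e Event) (Alert, bool) {
	switch e.ID {
	case 7:
		img, mod := norm(e.Image), norm(e.Loaded)
		if inSystemDir(mod) || path.Dir(img) != path.Dir(mod) {
			return Alert{}, false // OS DLL, or loaded from another directory: not the sideload pattern
		}
		if e.LoadedSigner == "" {
			return Alert{"sideload-unsigned",
				fmt.Sprintf("%s (signed by %q) loaded unsigned %s from its own directory",
					path.Base(img), e.ImageSigner, path.Base(mod))}, true
		}
		if e.ImageSigner != "" && !strings.EqualFold(e.ImageSigner, e.LoadedSigner) {
			return Alert{"sideload-signer-mismatch",
				fmt.Sprintf("%s (signed by %q) loaded %s signed by %q from its own directory",
					path.Base(img), e.ImageSigner, path.Base(mod), e.LoadedSigner)}, true
		}
	case 3:
		if knownC2[e.DestIP] {
			return Alert{"c2-known-ip",
				fmt.Sprintf("%s connected to known C2 %s", path.Base(norm(e.Image)), e.DestIP)}, true
		}
	}
	return Alert{}, false
}

// Triage parses one JSON event per line and returns the alerts in input order.
func Triage(lines []string) ([]Alert, error) {
	var alerts []Alert
	for i, ln := range lines {
		var e Event
		if err := json.Unmarshal([]byte(ln), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if a, ok := triage(e); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts, nil
}

// SampleEvents are constructed for this example; paths and signer strings are illustrative.
var SampleEvents = []string{
	`{"id":7,"image":"C:\\Users\\admin\\AppData\\Local\\Temp\\nsu1\\BluetoothService.exe","image_signer":"Bitdefender SRL","loaded":"C:\\Users\\admin\\AppData\\Local\\Temp\\nsu1\\log.dll","loaded_signer":""}`,
	`{"id":7,"image":"C:\\Program Files\\Notepad++\\notepad++.exe","image_signer":"Notepad++","loaded":"C:\\Windows\\System32\\kernel32.dll","loaded_signer":"Microsoft Windows"}`,
	`{"id":7,"image":"C:\\Tools\\app.exe","image_signer":"Example Corp","loaded":"C:\\Tools\\helper.dll","loaded_signer":"Example Corp"}`,
	`{"id":3,"image":"C:\\Users\\admin\\AppData\\Local\\Temp\\nsu1\\BluetoothService.exe","image_signer":"Bitdefender SRL","dest_ip":"45.76.155.202"}`,
	`{"id":3,"image":"C:\\Program Files\\Notepad++\\notepad++.exe","image_signer":"Notepad++","dest_ip":"203.0.113.5"}`,
}

func main() {
	alerts, err := Triage(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s\n", a.Rule, a.Why)
	}
}
```

The sideloading rule is deliberately more general than the single log.dll case: any signed executable in a user-writable directory that loads a library from beside itself with no signature, or a signature from a different publisher, matches. Expect some noise from vendors that ship unsigned helper DLLs, so tune by publisher rather than by file name. The second chain, callback execution through EnumWindowStationsW, is not visible in these two event types; catching it needs call-stack or memory telemetry that can see a trusted system library returning into unbacked executable memory.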
Fortifying the Update Process
In response to the discovery, the Notepad++ developers moved to secure their distribution channel and protect their users from a repeat. Notepad++ 8.9.1 introduced mandatory certificate and signature verification of every downloaded installer, so an update package is executed only if it is authenticated as the project's own and has not been tampered with; a hijacked host that serves a different binary now fails that check. XML signing was also implemented for the update server's responses, so a response altered in transit or on a compromised host no longer verifies. Beyond the software fixes, the project migrated its infrastructure to a new hosting provider, removing the foundation of the original breach. Two caveats apply to any such scheme and are worth checking in one's own updaters: the verifying key or certificate must be pinned in the client rather than fetched over the same channel it is meant to protect, and the signing key must never reside on the server an attacker could take over, or the signature proves only that the attacker controls the host. These immediate remedies were part of a broader overhaul, with stricter verification announced for the subsequent version, 8.9.2, signaling a long-term commitment to hardening the software supply chain against advanced persistent threats.
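To make the verification step concrete, the Go program below is an added model of a signed update flow written for this article; it is not WinGUp's code, and WinGUp's real XML schema, key handling and use of Authenticode differ from this sketch. The element names, the pinned host updates.example.invalid, the Ed25519 key pair and the installer bytes are all assumptions. It replays the three situations the campaign turns on: an honest update, a hijacked host that rewrites the download location, and a hijacked host that replays the genuine manifest but serves a trojanized installer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// Manifest models an update-server response. Element names are this example's own.
type Manifest struct {
	XMLName  xml.Name `xml:"Update"`
	Version  string   `xml:"Version"`
	Location string   `xml:"Location"` // where the client fetches the installer
	SHA256   string   `xml:"SHA256"`   // hex digest of the installer the project built
}

// SignedResponse carries the manifest bytes exactly as signed plus a detached Ed25519 signature.
// Signing the raw bytes avoids XML canonicalization; real XML signatures must canonicalize first.
type SignedResponse struct {
	ManifestXML []byte
	Signature   []byte
}

// allowedHosts pins where an installer may be fetched from (assumed value).
var allowedHosts = map[string]bool{"updates.example.invalid": true}

// Sign is the release pipeline's side. The private key never lives on the update
// server, so a hijacked host cannot produce a valid signature over altered bytes.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedResponse, error) {
	b, err := xml.Marshal(m)
	if err != nil {
		return SignedResponse{}, err
	}
	return SignedResponse{ManifestXML: b, Signature: ed25519.Sign(priv, b)}, nil
}

// Verify is the client's side: check the signature before parsing, pin the download
// host, then bind the bytes actually fetched to the digest in the signed manifest.
func Verify(pub ed25519.PublicKey, r SignedResponse, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pub, r.ManifestXML, r.Signature) {
		return Manifest{}, fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(r.ManifestXML, &m); err != nil {
		return Manifest{}, fmt.Errorf("manifest parse: %w", err)
	}
	u, err := url.Parse(m.Location)
	if err != nil || u.Scheme != "https" || !allowedHosts[u.Hostname()] {
		return Manifest{}, fmt.Errorf("download location %q not allowed", m.Location)
	}
	sum := sha256.Sum256(installer)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return Manifest{}, fmt.Errorf("installer digest does not match signed manifest")
	}
	return m, nil
}

// Result holds the outcome of each scenario; a nil error means the update was accepted.
type Result struct{ Legit, Redirected, Swapped error }

// Scenarios replays the campaign against this design with a key pair and installer
// bytes generated here for the example.
func Scenarios() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	realInstaller := []byte("constructed stand-in for the project's installer bytes")
	sum := sha256.Sum256(realInstaller)
	signed, err := Sign(priv, Manifest{
		Version:  "8.9.1",
		Location: "https://updates.example.invalid/npp.8.9.1.Installer.x64.exe",
		SHA256:   hex.EncodeToString(sum[:]),
	})
	if err != nil {
		return Result{}, err
	}
	trojan := []byte("constructed stand-in for the malicious update.exe")
	var res Result
	// 1. Honest server, honest installer: accepted.
	_, res.Legit = Verify(pub, signed, realInstaller)
	// 2. Hijacked host rewrites Location to its own server; it cannot re-sign the altered bytes.
	redirected := strings.Replace(string(signed.ManifestXML), "updates.example.invalid", "attacker.invalid", 1)
	_, res.Redirected = Verify(pub, SignedResponse{ManifestXML: []byte(redirected), Signature: signed.Signature}, trojan)
	// 3. Hijacked host replays the genuine signed manifest but serves a trojanized installer.
	_, res.Swapped = Verify(pub, signed, trojan)
	return res, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit: %v\nredirected: %v\nswapped: %v\n", res.Legit, res.Redirected, res.Swapped)
}
```

The third scenario is the one that matters for this campaign: the attacker sat on the legitimate host, so a pinned hostname or TLS alone would not have helped, and only the binding between the signed manifest and the bytes actually delivered (or, equivalently, a signature check on the installer itself) rejects the swapped package. The second scenario shows why the signing key must stay off the update server: with the key on the hijacked host, the attacker could simply re-sign the rewritten manifest.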
