A new report from Unit 42 has exposed a highly targeted supply chain attack that turned one of the IT world’s most trusted tools into a weapon. Between June and December 2025, a state-sponsored threat group known as Lotus Blossom compromised the official hosting infrastructure of Notepad++, using it to deliver malicious updates to select victims in Southeast Asia and beyond.
Unlike traditional supply chain attacks that inject malicious code directly into the software build (like SolarWinds), Lotus Blossom took a different route. They breached the shared hosting provider for Notepad++ and hijacked the update traffic.
“Hijacking the traffic flow of a trusted utility rather than injecting code into the software build pipeline allowed the threat actors to weaponize their delivery mechanism without alerting the vendor,” the report explains.
This “Adversary-in-the-Middle (AitM)” capability allowed the attackers to be incredibly selective. Instead of infecting every Notepad++ user, they dynamically fingerprinted incoming requests, serving malicious payloads only to priority targets while letting everyone else download the legitimate software.
The choice of Notepad++ was calculated. The tool is a staple for DevOps personnel, network engineers, and system administrators: users who often have high-level privileges and access to critical infrastructure.
“Compromising this single tool allows attackers to effectively bypass perimeter defenses and piggyback into the sessions of the most privileged users in the organization,” Unit 42 researchers noted.
The victims were primarily located in Southeast Asia, spanning government, telecommunications, and critical infrastructure sectors. However, the campaign also touched targets in South America, the U.S., and Europe.
Once a target was selected, the hijacked updater delivered a malicious installer that launched one of two infection chains:
- DLL Side-Loading: The installer misused a legitimate Bitdefender component to side-load a malicious library (log.dll), which then decrypted and executed a custom backdoor named Chrysalis.
- Lua Script Injection: Attackers used an installer to run a malicious Lua script, which ultimately delivered a Cobalt Strike Beacon payload.
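The first infection chain above is a textbook DLL side-loading pattern: a signed vendor binary loads a DLL (here, log.dll) from its own directory instead of from the Windows system directories. The following is an added detection example, not code from Unit 42, Notepad++, or Bitdefender. It runs a side-loading rule over Sysmon-style ImageLoad (Event ID 7) records; the records are constructed for illustration, the host executable name `vendor-tool.exe` is a placeholder for the unnamed Bitdefender component, and the field names (`Image`, `ImageLoaded`, `Signed`, `Signature`, `SignatureStatus`) follow Sysmon's schema.

```python
"""Flag DLL side-loading in Sysmon-style ImageLoad (Event ID 7) records.

Added example; not the tooling of Unit 42, Notepad++ or Bitdefender.
All records below are constructed, and vendor-tool.exe is a placeholder
for the legitimate signed component abused in the campaign.
"""
from pathlib import PureWindowsPath

# DLLs loaded from the OS directories are out of scope for this rule.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# DLL name taken from the campaign described on this page.
KNOWN_SIDELOAD_NAMES = {"log.dll"}


def _norm(path):
    return str(PureWindowsPath(path)).lower()


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def assess_image_load(event):
    """Return the reasons an ImageLoad record looks like side-loading.

    An empty list means the record does not match. The rule fires only when
    the DLL sits in the host executable's own directory (the first stop in
    Windows' DLL search order) AND either the DLL is not validly signed or
    its name is one already associated with side-loading.
    """
    dll = event["ImageLoaded"]
    exe = event["Image"]
    if _norm(dll).startswith(SYSTEM_DIRS):
        return []

    same_dir = _parent(dll) == _parent(exe)
    untrusted = (
        event.get("Signed", "false").lower() != "true"
        or event.get("SignatureStatus") != "Valid"
    )
    known_name = PureWindowsPath(dll).name.lower() in KNOWN_SIDELOAD_NAMES

    if not (same_dir and (untrusted or known_name)):
        return []

    reasons = ["dll loaded from the host executable's own directory"]
    if untrusted:
        reasons.append("dll unsigned or signature not valid")
    if known_name:
        reasons.append("dll name matches a known side-loaded library")
    return reasons


def find_side_loads(events):
    """Return (host exe, dll, reasons) for every record that matches."""
    hits = []
    for ev in events:
        reasons = assess_image_load(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry (not real events).
EVENTS = [
    {   # benign: OS DLL from System32
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {   # benign: validly signed plugin loaded from the app's own directory
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "ImageLoaded": r"C:\Program Files\Notepad++\plugin.dll",
        "Signed": "true", "Signature": "Example Publisher",
        "SignatureStatus": "Valid",
    },
    {   # suspicious: unsigned log.dll beside a dropped vendor binary
        "Image": r"C:\Users\alice\AppData\Local\Temp\update\vendor-tool.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\log.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # unsigned DLL, but from a different directory: not side-loading
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "ImageLoaded": r"C:\Tools\helper.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for exe, dll, reasons in find_side_loads(EVENTS):
        print(f"{exe} -> {dll}: {'; '.join(reasons)}")
```

In production the same rule would be fed from a SIEM query over Sysmon Event ID 7, and the `KNOWN_SIDELOAD_NAMES` set would be extended from vendor reporting; the signed-plugin record shows why the rule needs the signature condition rather than firing on every same-directory load.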
The Chrysalis backdoor was designed for stealth, employing “custom API hashing to reduce antivirus detection” and the “Microsoft Warbird code protection framework” to evade analysis.
The report highlights this campaign as a notable evolution in tradecraft. While groups like Volt Typhoon have focused on edge devices, Lotus Blossom is zeroing in on administrative keyholders.
“This campaign is not focused on disruption, but on long-term valuable intelligence,” the report concludes. “This is illustrated by the combination of the threat actor’s selective victimology… and their choice to use a lightweight backdoor with a low profile”.
Notepad++ has since migrated to a more secure hosting provider and enhanced its updater to enforce stricter signature verification. Users are urged to manually update to version 8.9.1 or higher immediately.