A recently discovered compromise of the infrastructure hosting Notepad++ is believed with medium confidence to be the work of a China-affiliated actor known as Lotus Blossom.
The attack allowed a state-sponsored hacker group to distribute a previously undocumented backdoor codenamed “Chrysalis” to users of the open-source editor, according to new findings from Rapid7.
This development comes shortly after Notepad++ administrator Don Ho said that a breach at the hosting provider level allowed attackers to hijack update traffic starting in June 2025 and exploit poor update validation controls that existed in older versions of the utility to selectively redirect requests from certain users to malicious servers and serve tampered updates.
This vulnerability was resolved with the release of version 8.8.9 in December 2025. It was subsequently discovered that the software’s hosting provider had been compromised, allowing targeted traffic redirection to take place until the attacker’s access was terminated on December 2, 2025. Notepad++ has since moved to a new hosting provider with improved security and rotated all credentials.
Rapid7’s analysis of this incident found no evidence or artifacts to suggest that Updater-related mechanisms were exploited to distribute malware.
“The only behavior observed was the execution of ‘notepad++.exe’ followed by ‘GUP.exe’ prior to the execution of the suspicious process ‘update.exe’ downloaded from 95.179.213.0,” security researcher Ivan Feigl said.
“Update.exe” is a Nullsoft Scriptable Install System (NSIS) installer that contains multiple files.
NSIS installation script BluetoothService.exe, a renamed version of the Bitdefender Submission Wizard used for DLL sideloading (a technique widely used by Chinese hacker groups) BluetoothService, encrypted shellcode (aka Chrysalis) log.dll, a malicious DLL that is sideloaded to decrypt and execute the shellcode
Chrysalis is a custom-built, feature-rich implant that collects system information and connects to external servers (“api.skycloudcenter”).[.]com”) may receive additional commands to execute on the infected host.
The command and control (C2) server is currently offline. However, closer inspection of the obfuscated artifact reveals that it can process incoming HTTP responses to spawn an interactive shell, create processes, perform file operations, upload/download files, and uninstall itself.
“Overall, this sample appears to be one that has been actively developed over time,” Rapid7 said, adding that it also identified a file named “conf.c” that was designed to retrieve Cobalt Strike beacons by a custom loader that embedded Metasploit block API shellcode.
One such loader, ‘ConsoleApplication2.exe’, is notable for using Microsoft Warbird, an undocumented internal code protection and obfuscation framework, to execute shellcode. The attackers were found to have copied and modified an existing proof of concept (PoC) published by German cybersecurity company Cirosec in September 2024.
Rapid7 attributed Chrysalis to Lotus Blossom (also known as Billbug, Bronze Elgin, Lotus Blossom, Raspberry Typhoon, Spring Dragon, and Thrip). This is based on similarities to previous campaigns conducted by this threat actor. This includes a campaign documented by Broadcom-owned Symantec in April 2025 that used legitimate Trend Micro and Bitdefender executables to sideload malicious DLLs.
“While the group continues to rely on proven techniques such as DLL sideloading and service persistence, its multi-layered shellcode loader and integration of an undocumented system call (NtQuerySystemInformation) signals a clear shift towards more resilient and stealth tradecraft,” the company said.
“What stands out is the combination of tools: deploying custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike, and quickly adapting public research (particularly the Microsoft Warbird exploit). This shows Billbug is actively updating its playbook to stay ahead of the latest detections.”
Source link
