Notepad++ Breach Linked to Lotus Blossom Hacking Group


By Tina Reynolds


The recent Notepad++ infrastructure security breach is being blamed on the China-linked hacking group Lotus Blossom, also tracked as Billbug, Bronze Elgin, and Raspberry Typhoon. The group set its sights on the hugely popular open-source text editor and undermined its update process. The attack allowed Lotus Blossom to push a new backdoor named “Chrysalis” to users, a Trojan that targeted a diverse set of victims across multiple continents.

The incident began in late September 2025. It targeted machines belonging to individuals and organizations in Vietnam, El Salvador, Australia, and the Philippines; those impacted included a local government agency, a bank, and an information technology contractor. The attackers compromised the software’s legitimate update infrastructure and used it to distribute a malicious Notepad++ update from specific URLs. By abusing the editor’s own updater process, they were able to launch their payloads on victim machines.

Details of the Attack

Lotus Blossom’s operation involved serving a malicious update through three different URLs. As of late October 2023, these links led to .exe files masquerading as official Notepad++ updates. The URLs used in this attack were “95.179.213[.]0/update/update.exe”, “95.179.213[.]0/update/install.exe”, and “95.179.213[.]0/update/AutoUpdater.exe”.

The compromise allowed the attackers to use the WinGUp updater process, widely referred to as “gup.exe”, to deliver the malicious update. Rapid7’s analysis found no signs of manipulation of plugins or of the update process itself in this attack. Their results give an important look into the security of these increasingly popular update mechanisms: the attackers did not go after the software’s code, yet the abuse of the updater gave them the opportunity to run a cascade of commands with system access.

“The only confirmed behavior is that execution of ‘notepad++.exe’ and subsequently ‘GUP.exe’ preceded the execution of a suspicious process ‘update.exe’ which was downloaded from 95.179.213.0.” – Ivan Feigl
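The process chain Feigl describes (notepad++.exe, then GUP.exe, then a downloaded update.exe) and the three defanged URLs listed above are enough to write a first-pass detection. The following is an added example, not code from Rapid7 or the Notepad++ project: it refangs the article's indicators and flags any process that GUP.exe launched under notepad++.exe whose file name or command line matches them. The telemetry records are constructed, and the benign installer name `npp.Installer.exe` is an assumption used only for the sample.

```python
"""Flag the notepad++.exe -> GUP.exe -> dropper chain over process-creation events."""
from dataclasses import dataclass

# Indicators quoted in the article, kept defanged as written there.
DEFANGED_IOCS = [
    "95.179.213[.]0/update/update.exe",
    "95.179.213[.]0/update/install.exe",
    "95.179.213[.]0/update/AutoUpdater.exe",
]

def refang(ioc: str) -> str:
    """'95.179.213[.]0/x' -> '95.179.213.0/x' so it can be matched against telemetry."""
    return ioc.replace("[.]", ".")

IOC_HOSTS = {refang(i).split("/", 1)[0] for i in DEFANGED_IOCS}
IOC_FILES = {refang(i).rsplit("/", 1)[1].lower() for i in DEFANGED_IOCS}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # file name only, as an EDR/Sysmon event would carry it
    cmdline: str = ""

def ancestry(events, pid):
    """Image names from the process up to the root, e.g. ['update.exe', 'gup.exe', ...]."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain

def suspicious_updater_children(events):
    """(pid, reason) for children of GUP.exe under notepad++.exe that match the IoCs.
    A renamed dropper evades this rule; it is a starting point, not a complete detection."""
    hits = []
    for e in events:
        chain = ancestry(events, e.pid)
        if len(chain) < 3 or chain[1] != "gup.exe" or chain[2] != "notepad++.exe":
            continue
        if chain[0] in IOC_FILES:
            hits.append((e.pid, f"GUP.exe launched IoC file name {e.image}"))
        elif any(h in e.cmdline for h in IOC_HOSTS):
            hits.append((e.pid, "command line references IoC host"))
    return hits

# Constructed sample telemetry (not real data): one malicious chain, one benign updater run.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "notepad++.exe"),
    ProcEvent(300, 200, "GUP.exe"),
    ProcEvent(400, 300, "update.exe", r"C:\Users\u\AppData\Local\Temp\update.exe"),
    ProcEvent(500, 300, "npp.Installer.exe", r"C:\Users\u\Temp\npp.Installer.exe"),  # assumed benign
    ProcEvent(600, 100, "update.exe", r"C:\Tools\update.exe"),  # same name, not under GUP.exe
]
```

Running `suspicious_updater_children(SAMPLE_EVENTS)` flags only pid 400; the same-named process not launched by GUP.exe is ignored, which is where a broader file-hash or network rule would have to take over.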

First, the malware was deployed in multiple variants to improve its effectiveness. Second, it is capable of gathering system information and delivering multiple payloads, one of which is a Lua script written specifically to execute shellcode. The operation is notable in both depth and scope and underscores the group’s skill and versatility.

Targeted Victims and Geographical Spread

Lotus Blossom’s attack was notable not just for its scale but for its breadth, targeting dozens of victims across six continents. The attackers conducted a coordinated campaign against a government organization, a financial institution, and an IT service provider. This focus underscores their motivation to obtain sensitive data or disrupt activity within these critical industries.

“Our telemetry has shown that victims in APAC are being heavily hunted. Moreover, our industry counterparts have validated this region as a primary focus and have further reported occurrences in South America,” commented Christiaan Beek, underscoring the global impact of the hacking collective’s actions.

Between July 2025 and October 2025, the attackers reportedly kept rotating the command-and-control (C2) server addresses that pushed out the malicious updates. This constant change made it difficult for defenders to identify and defend against the threat in a meaningful way.

“Over the course of four months, from July to October 2025, attackers who have compromised Notepad++ have been constantly rotating C2 server addresses used for distributing malicious updates, the downloaders used for implant delivery, as well as the final payloads,” – Georgy Kucherin and Anton Kargin

The diversity of infection chains created by Lotus Blossom further increased the complexity of detection efforts. Kaspersky highlighted this challenge, stating that “the variety of infection chains makes detection of the Notepad++ supply chain attack quite a difficult and at the same time creative task.”

Technical Sophistication and Response

Lotus Blossom’s tactics show a clear technical evolution. The group combined established techniques, such as the well-known DLL side-loading technique, with newer ones such as multi-layer shellcode loaders and hidden syscalls. Their recent efforts reflect a move toward more disciplined, resilient tradecraft.

“While the group continues to rely on proven techniques like DLL side-loading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealth tradecraft,” – Rapid7

The attackers also built on public research to improve their techniques. Back in September, German cybersecurity firm Cirosec released a proof-of-concept (PoC); Lotus Blossom then adapted it to weaponize Microsoft Warbird for shellcode execution. Rapid7 commented on this adaptation, stating, “What stands out is the mix of tools: the deployment of custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike.”

In December 2025, the Notepad++ developers released a hotfix, version v8.8.9. Issued in light of these security breaches, this update specifically patched weaknesses in the update mechanism, tightening its security to prevent this type of attack in the future.