A China-based threat group operating for almost two decades broke into the internal systems of Notepad++, an extremely popular open source-code editor, to spy on a select group of targeted users, researchers at Rapid7 said Monday.
Don Ho, the author and maintainer of the open-source tool, said independent security researchers confirmed a China state-sponsored group compromised Notepad++’s server for a six-month period starting in June 2025. Ho, who did not respond to a request for comment, released a software update Dec. 9 claiming to address authentication weaknesses that allowed attackers to hijack the Notepad++ updater client and user traffic.
The Chinese APT group Lotus Blossom, which has been active since at least 2009, gained recurring access and deployed various payloads — including a custom backdoor — to snoop on some users’ activities, according to Rapid7. The espionage group is also known as Billbug, Thrip and Raspberry Typhoon.
“We have no evidence of bulk data exfiltration,” Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, told CyberScoop. “The tooling observed is consistent with post-compromise reconnaissance, command execution, and selective data access, rather than broad data harvesting.”
The attacks, which showcased resilience and stealth tradecraft, did not result in a mass compromise of all Notepad++ users, but rather a limited number of affected environments, according to Rapid7.
“Post-compromise behavior included system profiling, persistence mechanisms, and remote command execution consistent with long-term espionage access rather than immediate disruption or monetization,” Beek added. “The objective appears aligned with strategic intelligence collection, consistent with Lotus Blossom’s historical operations.”
The former hosting provider for Notepad++ said the attackers lost access to the tool’s server on Sept. 2, but maintained legitimate credentials to internal services until Dec. 2, which allowed the attackers to redirect Notepad++ update traffic to malicious servers, Ho said in a blog post.
Ho did not say when or how they first became aware of unauthorized access to Notepad++’s systems. The website, which attackers targeted to exploit “insufficient update verification controls that existed in older versions of Notepad++,” was moved to a new hosting provider with stronger security practices, Ho said in the blog post.
Beek confirmed that Lotus Blossom’s unauthorized access appears to have been disrupted, noting that its known infrastructure linked to the months-long campaign is no longer active. Some security researchers started surfacing reports of incidents linked to Notepad++ in November.
While Notepad++’s internal system improvements appear to have halted the malicious activity, users running older versions of the software should still update as a precaution, Beek said. “We are not seeing ongoing active exploitation tied to this campaign.”
Lotus Blossom targeted software that provided potential access to many sensitive targets. The Windows-based tool, which was first released in 2003 and typically used as an alternative to Windows Notepad, is widely used by developers, IT administrators, engineers and analysts, including some working in government, telecom, critical infrastructure and media, Beek said.
Many security researchers, analysts and users have taken their concerns to social media to warn about the potential risk of the long-term intrusion and share worries about the ultimate impact of the campaign.
“Observed activity suggests selective, targeted follow-on exploitation,” Beek added, “not opportunistic mass infection.”