Between June and December 2025, a state-sponsored threat group known as Lotus Blossom quietly hijacked the official hosting infrastructure used to deliver Notepad++ updates, turning a trusted developer tool into a precision espionage delivery channel.
By compromising the shared hosting provider that previously served the Notepad++ update endpoint, the attackers gained the ability to intercept and redirect update traffic without modifying Notepad++’s source code.
This infrastructure-level access allowed them to selectively tamper with update responses and send malicious installers only to high‑value targets instead of the broader user base.
The attackers abused weaknesses in older versions of the WinGUp updater, which did not strictly verify the certificate and signature of downloaded installers.
When targeted victims attempted to update Notepad++, they were silently redirected to attacker‑controlled servers and received trojanized NSIS installers, often named update.exe, in place of legitimate packages.
These installers initiated multi‑stage infection chains that used DLL sideloading malicious and Lua script execution to deploy advanced payloads while blending in with normal Windows and security software behavior.
Notepad++ Infrastructure
Unit 42 and other researchers describe two primary attack chains in this campaign. In one sequence, a malicious NSIS installer executed a Lua script that downloaded and ran a Cobalt Strike Beacon, providing the operators with flexible post‑exploitation capabilities for lateral movement and data theft.
In a second sequence, the attackers abused a legitimate Bitdefender BluetoothService.exe component via DLL sideloading to load a malicious log.dll library that decrypted and executed a custom backdoor referred to as Chrysalis.
Chrysalis incorporates techniques such as Microsoft Warbird‑style code protection, custom API hashing and stealthy persistence to evade traditional antivirus and behavior‑based detections.
Telemetries from Rapid7 and Unit 42 show that the activity extended beyond the initially reported Southeast Asian government and telecom targets into additional sectors and regions.
Victims included government, telecommunications, cloud hosting, energy, financial services, manufacturing and software development organizations across Southeast Asia, South America, the U.S. and Europe.
Network activity associated with the campaign included staged command‑and‑control traffic and malicious update downloads from attacker infrastructure such as 45.76.155[.]202 and 45.32.144[.]255, with beaconing occurring shortly after delivery of update.exe and continuing over time.
Why Notepad++ users matter
Notepad++ is a lightweight, open‑source text editor widely used by system administrators, network engineers and DevOps teams to edit configuration files, inspect large log datasets and review code on sensitive jump hosts where heavier IDEs are impractical.
Compromising the update path for such a tool effectively lets attackers ride along with privileged users, bypassing many perimeter controls and gaining a foothold deep inside core infrastructure environments.
This campaign reflects a broader strategic shift by state‑aligned actors away from broad infrastructure disruption toward long‑term, low‑profile access focused on administrative keyholders and operational data.
In response, the Notepad++ project has moved its website to a new, more secure hosting provider and hardened its update mechanism.
Version 8.8.9 of Notepad++ introduced enhanced WinGUp logic that verifies both the certificate and the digital signature of downloaded installers, while newer versions sign update XML responses using XMLDSig with stricter validation to be enforced starting in 8.9.2.
Users are strongly advised to install at least version 8.9.1 from the official site manually, ensure updates are retrieved only over trusted channels and review endpoint telemetry for suspicious gup.exe behavior, unexpected update.exe executions or anomalous connections to known campaign infrastructure.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
