Between June and December 2025, the official hosting infrastructure for Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom, according to Unit 42. The attackers redirected update traffic to attacker-controlled servers, enabling targeted delivery of malicious update manifests to victims in Southeast Asia across the government, telecommunications and critical infrastructure sectors.
The campaign involved two infection chains: a Lua script that delivered a Cobalt Strike Beacon, and DLL sideloading used to deploy the Chrysalis backdoor, with additional activity observed in South America, the U.S., Europe and Southeast Asia. Notepad++’s update mechanism was exploited through older WinGUp versions and a malicious NSIS installer, and Unit 42 observed C2 communications to IPs such as 45.76.155[.]202 and 45.77.31[.]210 between August and November 2025.
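As an added illustration of how a defender would turn the two published C2 addresses into a retrospective check, the script below refangs the defanged indicators and scans proxy or firewall log lines for outbound connections to them. This is example code written for this summary, not tooling from Unit 42 or the Notepad++ project; the `dst=` key=value log field and the sample log lines are constructed assumptions, and only the two IPs come from the report.

```python
import re
from dataclasses import dataclass

# C2 addresses quoted in the summary above, kept in the defanged "[.]" form
# the report uses so the literals are never accidentally resolved or clicked.
DEFANGED_C2_IPS = ["45.76.155[.]202", "45.77.31[.]210"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to its literal form for matching."""
    return (indicator.replace("[.]", ".")
                     .replace("[:]", ":")
                     .replace("hxxp", "http"))


# Set of literal C2 IPs to look for (exact match, so 45.77.31.2 is not a hit).
C2_IPS = frozenset(refang(ip) for ip in DEFANGED_C2_IPS)

# Destination-IP extraction. The "dst=" field name is an assumption about the
# log format of the constructed sample below, not a format the report describes.
_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based position in the scanned input
    dst_ip: str    # the matched C2 address
    line: str      # the full log line, for triage context


def find_c2_hits(log_lines, c2_ips=C2_IPS):
    """Return a Hit for every line whose destination IP is a known C2 address."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = _DST_RE.search(line)
        if m and m.group(1) in c2_ips:
            hits.append(Hit(n, m.group(1), line.rstrip()))
    return hits


# Constructed sample log lines (not real traffic from the report); the last
# line has a prefix-overlapping destination that must NOT match.
SAMPLE_LOG = [
    "2025-09-03T10:14:22Z proxy src=10.0.0.15 dst=203.0.113.8 dport=443 host=update.example.invalid action=allow",
    "2025-09-03T10:15:07Z proxy src=10.0.0.15 dst=45.76.155.202 dport=443 host=- action=allow",
    "2025-10-21T08:02:41Z fw src=10.0.0.42 dst=45.77.31.210 dport=80 action=allow",
    "2025-10-21T08:02:55Z fw src=10.0.0.42 dst=45.77.31.2 dport=80 action=allow",
]

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"line {hit.line_no}: connection to C2 {hit.dst_ip}")
        print(f"  {hit.line}")
```

Because the report dates the observed C2 traffic to August through November 2025, the useful search window for this check is that period plus whatever retention you have either side of it; an exact-set match rather than a substring match keeps neighbouring addresses in the same /24 from producing false positives.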
The researchers also noted a Bluetooth DLL sideloading variant and a Lua-based variant, and highlighted that the operation aimed for long-term intelligence rather than disruption. Notepad++ has since migrated to a new hosting provider with stronger security practices, and the report lists product protections across Advanced URL Filtering, Advanced DNS Security, Advanced WildFire, Cortex XDR and related solutions.