Notepad++ was compromised in a supply-chain operation attributed to the Chinese state-sponsored threat group Lotus Blossom, which Rapid7 Labs and the Rapid7 MDR team describe in a new analysis as deploying a custom backdoor named Chrysalis and abusing an obscure Microsoft code protection framework to hide its tracks. The campaign targets Southeast Asia and Central America, and the attack chain begins with the compromise of the infrastructure hosting the Notepad++ updater, the researchers say.
According to Rapid7, forensic evidence led researchers to uncover several custom loaders in the wild stemming from this compromise, including a loader named ConsoleApplication2[.]exe that uses Microsoft Warbird to cloak the malicious shellcode. The Chrysalis backdoor is paired with toolsets such as Cobalt Strike and Metasploit, creating a noisy footprint that is nonetheless designed to evade modern detection.
One notable fingerprint cited by Rapid7 is a DLL side-loading technique in which a renamed Bitdefender Submission Wizard is used to load log[.]dll, which decrypts and executes an additional payload. The researchers state that the campaign shows Lotus Blossom's evolving capabilities, with the attribution made at moderate confidence based on overlaps with prior attacks.
5 February 2026.