Rapid7 researchers have attributed a sophisticated supply chain attack targeting Notepad++ users to Lotus Blossom, a Chinese state-sponsored threat group active since 2009. The attackers compromised the popular text editor's hosting provider infrastructure, allowing them to hijack update traffic and deliver malicious payloads to selected victims from June through December 2025.

The China-linked APT group, also tracked as Billbug, Bronze Elgin, and Raspberry Typhoon, exploited insufficient update verification controls in older Notepad++ versions to selectively redirect update requests to malicious servers. Kaspersky telemetry revealed approximately a dozen infected machines across Vietnam, El Salvador, Australia, and the Philippines, with targets including a Philippine government organization, an El Salvadoran financial institution, and a Vietnamese IT service provider.

Rapid7 analysis uncovered a previously undocumented backdoor named Chrysalis delivered through the compromised update mechanism. The malware was deployed via an NSIS installer that sideloaded a malicious DLL through a renamed Bitdefender Submission Wizard executable. Researchers described Chrysalis as a sophisticated and feature-rich implant with 16 distinct command capabilities, including interactive shell access, file operations, process creation, and complete self-removal functionality.
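The delivery chain above (a legitimately signed vendor executable renamed and dropped next to a malicious DLL that it loads) leaves a recognisable pattern in image-load telemetry. The following Go program, added here as an illustration and not code from Rapid7 or the Notepad++ project, encodes that pattern as a detection rule over constructed events: a signed executable whose on-disk name differs from the OriginalFilename in its version resource, loading an unsigned DLL from its own non-system directory. The event field names, signer strings and paths are assumptions for the example, not values from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageLoadEvent is a simplified image-load telemetry record, loosely modelled
// on the fields a Sysmon Event ID 7 or EDR sensor provides. The field names
// and the sample values below are constructed for this example.
type ImageLoadEvent struct {
	ProcessPath      string // on-disk path of the running executable
	OriginalFileName string // OriginalFilename from the executable's version resource
	ProcessSigner    string // Authenticode signer of the executable, "" if unsigned
	ImagePath        string // path of the DLL being mapped into the process
	ImageSigned      bool   // whether the DLL itself carries a valid signature
}

// Alert is one suspected sideload.
type Alert struct {
	Process string
	DLL     string
	Reason  string
}

// winSplit splits a Windows path into directory and file name without relying
// on the host OS separator, so the detector also runs on a Linux log pipeline.
func winSplit(p string) (dir, base string) {
	i := strings.LastIndexAny(p, `\/`)
	if i < 0 {
		return "", p
	}
	return p[:i], p[i+1:]
}

// systemDirs are locations where a signed binary legitimately resolves DLLs.
var systemDirs = []string{`c:\windows\system32`, `c:\windows\syswow64`}

func isSystemDir(dir string) bool {
	d := strings.ToLower(dir)
	for _, s := range systemDirs {
		if d == s {
			return true
		}
	}
	return false
}

// DetectSideload applies the heuristic: a signed executable that has been
// renamed (on-disk name differs from OriginalFilename) loads an unsigned DLL
// from its own, non-system directory. Each matching event yields one Alert.
func DetectSideload(events []ImageLoadEvent) []Alert {
	var alerts []Alert
	for _, e := range events {
		if e.ProcessSigner == "" || e.ImageSigned {
			continue // unsigned host or signed DLL: outside this rule's scope
		}
		procDir, procName := winSplit(e.ProcessPath)
		dllDir, dllName := winSplit(e.ImagePath)
		renamed := !strings.EqualFold(procName, e.OriginalFileName)
		sameDir := strings.EqualFold(procDir, dllDir)
		if renamed && sameDir && !isSystemDir(dllDir) {
			alerts = append(alerts, Alert{
				Process: e.ProcessPath,
				DLL:     e.ImagePath,
				Reason: fmt.Sprintf("signed %q (signer %s) renamed to %s loaded unsigned %s from its own directory",
					e.OriginalFileName, e.ProcessSigner, procName, dllName),
			})
		}
	}
	return alerts
}

// SampleEvents returns constructed telemetry: one sideload pattern and two benign loads.
func SampleEvents() []ImageLoadEvent {
	return []ImageLoadEvent{
		{ // constructed: renamed signed vendor tool loading an unsigned DLL beside it
			ProcessPath:      `C:\Users\alice\AppData\Local\Temp\nsx1234\update.exe`,
			OriginalFileName: "VendorTool.exe",
			ProcessSigner:    "Example Vendor Ltd",
			ImagePath:        `C:\Users\alice\AppData\Local\Temp\nsx1234\log.dll`,
			ImageSigned:      false,
		},
		{ // benign: name matches OriginalFilename, loads its own unsigned plugin
			ProcessPath:      `C:\Program Files\Example\tool.exe`,
			OriginalFileName: "tool.exe",
			ProcessSigner:    "Example Vendor Ltd",
			ImagePath:        `C:\Program Files\Example\plugin.dll`,
			ImageSigned:      false,
		},
		{ // benign: renamed, but the DLL is signed and comes from System32
			ProcessPath:      `C:\Tools\np.exe`,
			OriginalFileName: "notepad.exe",
			ProcessSigner:    "Microsoft Windows",
			ImagePath:        `C:\Windows\System32\kernel32.dll`,
			ImageSigned:      true,
		},
	}
}

func main() {
	for _, a := range DetectSideload(SampleEvents()) {
		fmt.Printf("ALERT %s\n  dll: %s\n  why: %s\n", a.Process, a.DLL, a.Reason)
	}
}
```

The rule deliberately ignores unsigned host processes and signed DLLs: the value of sideloading to an attacker is precisely that the host is a trusted, signed binary, so restricting the rule to that case keeps the false-positive rate low. In production the OriginalFilename and signer fields come from the sensor's PE metadata parsing; the rule itself is the same.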

The threat actors demonstrated operational sophistication by constantly rotating command and control infrastructure between July and October 2025. Identified C2 servers included api.skycloudcenter.com and api.wiresguard.com, with IP addresses traced to Malaysia and China. Later attack variants incorporated Metasploit downloaders and Cobalt Strike beacons for enhanced post-exploitation capabilities.

Notepad++ maintainer Don Ho disclosed the breach on February 2, 2026, confirming that attacker access was terminated on December 2, 2025. The vulnerability was addressed in version 8.8.9, which implements hardened update verification requiring both certificate and signature validation. The project has also migrated to a new hosting provider with stronger security practices. Users running older versions are strongly urged to update immediately.
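The core defence the article credits to 8.8.9 is that an update is only installed when it verifies against something the hosting provider cannot forge. The Go program below is an added illustration of that principle, not Notepad++'s actual updater code: the manifest layout, the use of Ed25519 and the version strings are all assumptions for the example. The publisher signs a manifest (version plus SHA-256 of the installer) with a private key that stays in the release pipeline; the client verifies the manifest with a public key pinned in the shipped binary, checks the downloaded bytes against the signed digest, and refuses downgrades. The TLS certificate check on the download connection is a separate layer that Go's HTTP client performs by default and is not repeated here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is what the update server hands to the client. Its layout is an
// assumption for this example, not Notepad++'s real update format.
type Manifest struct {
	Version   string // release version, e.g. "8.8.9"
	SHA256    string // hex SHA-256 of the installer bytes
	Signature []byte // Ed25519 signature over manifestBytes(Version, SHA256)
}

func manifestBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// SignManifest is the publisher side: it runs in the release pipeline with the
// private key, which the hosting provider never holds.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	digest := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256: digest,
		Signature: ed25519.Sign(priv, manifestBytes(version, digest))}
}

// VerifyUpdate is the client side. pub is pinned in the shipped binary; the
// manifest and installer both arrive from the network and are untrusted.
func VerifyUpdate(pub ed25519.PublicKey, current string, m Manifest, installer []byte) error {
	// 1. Signature first: nothing in the manifest is trusted until this passes.
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid: not signed with the pinned publisher key")
	}
	// 2. Bind the downloaded bytes to the signed digest.
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash does not match the signed manifest")
	}
	// 3. Refuse downgrades: a genuine but old manifest replayed by the host is still an attack.
	if compareVersions(m.Version, current) <= 0 {
		return fmt.Errorf("refusing update to %s: not newer than installed %s", m.Version, current)
	}
	return nil
}

// compareVersions compares dotted numeric versions and returns -1, 0 or 1.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x > y {
				return 1
			}
			return -1
		}
	}
	return 0
}

// RunScenarios exercises the check with constructed data: a genuine release,
// a substituted installer served with the genuine manifest, and a manifest
// re-signed with an attacker's own key. It returns the three results in that order.
func RunScenarios() [3]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher key, generated here for the demo
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed installer bytes for 8.8.9")
	m := SignManifest(priv, "8.8.9", genuine)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	trojan := []byte("constructed installer bytes with an added payload")
	forged := SignManifest(attackerPriv, "8.8.9", trojan)

	return [3]error{
		VerifyUpdate(pub, "8.8.8", m, genuine),
		VerifyUpdate(pub, "8.8.8", m, trojan),
		VerifyUpdate(pub, "8.8.8", forged, trojan),
	}
}

func main() {
	for i, err := range RunScenarios() {
		fmt.Printf("scenario %d: %v\n", i, err)
	}
}
```

The order of the three checks matters: the signature is verified before any other manifest field is read, so a compromised host that can rewrite the version or digest gains nothing, and the downgrade check closes the remaining replay path where an attacker serves an older, genuinely signed release that still contains a known weakness.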