Notepad++ hijacking blamed on Chinese Lotus Blossom crew behind Chrysalis backdoor
- News link: https://www.theregister.co.uk/2026/02/02/notepad_hijacking_lotus_blossom/
Early Monday, the text editor's project author [1]said a suspected Chinese state-sponsored group somehow compromised a shared hosting server and selectively redirected some update traffic to an attacker-controlled site where victims downloaded a poisoned version of what appeared to be a legit software update.
Later on Monday, Rapid7's managed detection and response team [2]attributed the attack "with moderate confidence" to the Chinese advanced persistent threat (APT) group they call Lotus Blossom.
This group typically conducts targeted cyber-espionage campaigns against organizations in Southeast Asia - and more recently Central America - with a focus on government, telecom, aviation, critical infrastructure, and media sectors.
According to the threat hunters, the espionage crew used the hijacked Notepad++ update to deliver a previously unknown backdoor called Chrysalis.
Notepad++ author Don Ho did not immediately respond to The Register's inquiries about Rapid7's attribution and malware analysis. We will update this story if we hear back.
While it's still unclear exactly how the miscreants gained initial access to Notepad++'s distribution infrastructure, once inside they abused that access to deliver a trojanized update in the form of an NSIS installer, a packaging format commonly abused by [7]Chinese APT groups to deliver initial payloads.
The installer contained an executable file named "BluetoothService.exe," which is a renamed legitimate Bitdefender Submission Wizard abused for DLL sideloading - another [8]favorite technique among Beijing-backed spies to deliver custom implants. It also included a file called "BluetoothService" that is actually an encrypted shellcode, and a malicious DLL sideloaded by BluetoothService.exe.
The shellcode here is the Chrysalis backdoor, and according to Rapid7, "its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility."
It uses legitimate binaries to sideload a malicious DLL with a generic name to make sure it's not discovered by simple filename-based detection tools. It also uses custom API hashing in both the loader and the main module, along with multiple layers of obfuscation to further cover its tracks, as well as "a fairly structured approach to C2 communication," the researchers wrote.
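The pattern Rapid7 describes (a known-good vendor binary dropped under a new name, a generically named DLL beside it, and an extensionless encrypted blob) is exactly what filename-based detection misses. As an added defender-side example, not code from the article or from Rapid7's report, the triage script below keys on file hashes and byte entropy instead: the "vendor utility" bytes, the `SubmissionWizard.exe` allowlist entry, `log.dll` contents and the payload blob are all constructed stand-ins.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Constructed stand-in for a signed vendor utility; its SHA-256 is computed at
# runtime so the allowlist never needs a hard-coded hash. In practice this map
# would come from a vendor catalogue or a known-good file inventory.
LEGIT_WIZARD = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a vendor utility"
KNOWN_GOOD = {hashlib.sha256(LEGIT_WIZARD).hexdigest(): "SubmissionWizard.exe"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted blobs near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_directory(path: Path, entropy_threshold: float = 7.0) -> list:
    """Flag the triad described in the article: a known-good EXE under a new
    name, a DLL beside it, and an extensionless high-entropy payload."""
    files = {p.name: p for p in path.iterdir() if p.is_file()}
    findings = []
    for name, p in files.items():
        expected = KNOWN_GOOD.get(hashlib.sha256(p.read_bytes()).hexdigest())
        if expected is None or expected.lower() == name.lower():
            continue  # unknown file, or a known-good file under its own name
        findings.append(f"renamed known-good binary: {name} is {expected}")
        dlls = sorted(n for n in files if n.lower().endswith(".dll"))
        if dlls:
            findings.append(f"sideload candidates beside {name}: {', '.join(dlls)}")
        blob = files.get(p.stem)  # e.g. "BluetoothService" next to BluetoothService.exe
        if blob is not None:
            ent = shannon_entropy(blob.read_bytes())
            if ent >= entropy_threshold:
                findings.append(f"high-entropy payload {blob.name} ({ent:.2f} bits/byte)")
    return findings

def demo(malicious: bool = True) -> list:
    """Build a constructed drop directory and run triage over it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        exe_name = "BluetoothService.exe" if malicious else "SubmissionWizard.exe"
        (d / exe_name).write_bytes(LEGIT_WIZARD)
        if malicious:
            (d / "log.dll").write_bytes(b"MZ constructed sideloaded loader stub")
            (d / "BluetoothService").write_bytes(bytes(range(256)) * 16)  # entropy 8.0
        return triage_directory(d)
```

`demo()` returns the three findings for the constructed drop folder and `demo(malicious=False)` returns none, since the same vendor binary under its own name is not suspicious on its own.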
As of press time, Rapid7 didn't have visibility into how many victims inadvertently downloaded the Chrysalis malware - but we will update this story if we learn more. The security sleuths did, however, publish a full list of file and network indicators of compromise, so be sure to [14]give that a read.
They note the attribution is primarily based on similarities between the initial loader use and previous research from [15]Symantec, including the goon squad using a renamed Bitdefender Submission Wizard to sideload a file called "log.dll" for decrypting and executing an additional payload.
"In addition, similarities of the execution chain of 'conf.c' retrieved from the infected asset and other loaders that we found, supported by the same public key extracted from [Cobalt Strike] beacons delivered through 'conf.c' and 'ConsoleApplication2.exe' suggest with moderate confidence that the threat actor behind this campaign is likely Lotus Blossom," the Rapid7 team wrote. ®
[1] https://www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
[2] https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
[7] https://www.rapid7.com/blog/post/2025/05/22/nsis-abuse-and-srdi-shellcode-anatomy-of-the-winos-4-0-campaign/
[8] https://www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/
[14] https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
[15] https://sed-cms.broadcom.com/system/files/threat-hunter-whitepaper/2025-04/2025_04_ChinaLinked_Espionage_Actors.pdf
Re: It's OK to charge for the service pre-compiled distributed version of otherwise free software.
The flaw allowing for exploitation has already been fixed - the download process now checks a signature.
Still, the only proper way to check that you have the right binary is with a GnuPG signature, but good luck with that on Windows.
It's OK to charge for the service pre-compiled distributed version of otherwise free software.
As for Notepad++, I think they could have their free open source yet charge a subscription for pre-compiled versions to cover the costs of safely managing and distributing a pre-compiled version - or just don't bother publishing a compiled version at all. An underfunded attempt is worse than no attempt at all.