A supply-chain security incident involving the popular text editor Notepad++ has been attributed to the Chinese government-linked espionage group known as Lotus Blossom. The group reportedly compromised part of the editor's update infrastructure and used it to deliver a backdoor tracked as Chrysalis to selected high-value targets.
Incident Overview
According to the project's author, the compromise began when a shared hosting server used by the project was breached, which allowed the attackers to redirect update traffic to a site under their control. Victims who accepted the update unknowingly downloaded a trojanized installer that looked like a legitimate Notepad++ release.
Attribution and Targets
Rapid7's managed detection and response team has attributed the attack with moderate confidence to Lotus Blossom, a group that typically conducts cyber-espionage against organizations in Southeast Asia and Central America. Its targets frequently include government entities, telecommunications providers, aviation, critical infrastructure operators, and media organizations.
Technical Details of the Attack
The attackers used the hijacked Notepad++ update to deliver the Chrysalis backdoor inside an NSIS installer, a legitimate installer format that advanced persistent threat (APT) groups frequently abuse to package malware. The installer dropped an executable named BluetoothService.exe, which is a renamed copy of the legitimate Bitdefender Submission Wizard. The renamed binary was used for DLL sideloading: the trusted program loads a DLL by name from its own directory, so placing a malicious DLL with that name next to it causes the attacker's code to run under the identity of a legitimate process. The technique is a staple of state-sponsored actors because it lets custom malware hide behind a vendor's signed executable.
The installer also dropped the malicious DLL and a blob of encrypted shellcode; the DLL is the sideloaded component, and the shellcode, once decrypted and executed, is the Chrysalis backdoor itself. Rapid7 assessed Chrysalis as a mature, purpose-built tool intended for long-term operations rather than a throwaway payload.
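The execution chain described above leaves two behavioural traces that can be hunted independently of any specific hash: a legitimate binary running under a file name that differs from the name compiled into its version resource, and an unsigned DLL being loaded from that binary's own directory. The script below is an added example written for this article, not code from Rapid7 or the Notepad++ project. It runs the two checks over constructed Sysmon-style records (Event ID 1 process creation and Event ID 7 image load; the field names follow Sysmon's schema, while every path, OriginalFileName value and hash is made up for illustration) and correlates them per process, and it also shows how the Sysmon Hashes field can be matched against a file-indicator list such as the one Rapid7 published.

```python
"""Hunt for the renamed-binary + DLL-sideload pattern in Sysmon telemetry.

Added example, not Rapid7's or Notepad++'s code. Events are constructed;
field names mirror Sysmon Event ID 1 and 7, values are illustrative only.
"""
import ntpath

# Constructed telemetry. {A} mimics the chain on this page: a renamed
# legitimate executable dropped by an installer loads an unsigned DLL from
# its own temp directory. {B} is a normal system process. {C} is a vendor
# app loading an unsigned plugin from its install dir (sideload-shaped but
# not renamed, so correlation should NOT flag it).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\nsx1\BluetoothService.exe",
     "OriginalFileName": "SubmissionWizard.exe",  # constructed value
     "ParentImage": r"C:\Users\alice\Downloads\npp-update.exe",  # constructed
     "Hashes": "SHA256=" + "ab" * 32 + ",MD5=" + "cd" * 16},  # constructed
    {"EventID": 7, "ProcessGuid": "{A}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\nsx1\BluetoothService.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\nsx1\helper.dll",  # constructed
     "Signed": "false", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=" + "ef" * 32},
    {"EventID": 7, "ProcessGuid": "{A}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\nsx1\BluetoothService.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 7, "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "ProcessGuid": "{C}",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "OriginalFileName": "app.exe"},
    {"EventID": 7, "ProcessGuid": "{C}",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Constructed file IoC list keyed by SHA-256 (not the real indicators).
FILE_IOCS = {"ab" * 32: "renamed Bitdefender Submission Wizard (placeholder hash)"}


def renamed_binaries(events):
    """Event 1 records where the on-disk name differs from OriginalFileName."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or not e.get("OriginalFileName"):
            continue
        on_disk = ntpath.basename(e["Image"]).lower()
        compiled = e["OriginalFileName"].lower()
        if on_disk != compiled:
            hits.append((e["ProcessGuid"], on_disk, compiled))
    return hits


def sideload_candidates(events):
    """Event 7 records where an unsigned DLL loads from the process's own
    directory, ignoring loads from under the Windows directory."""
    hits = []
    for e in events:
        if e.get("EventID") != 7 or e.get("Signed", "").lower() == "true":
            continue
        proc_dir = ntpath.dirname(e["Image"]).lower()
        dll_dir = ntpath.dirname(e["ImageLoaded"]).lower()
        if proc_dir == dll_dir and not proc_dir.startswith("c:\\windows"):
            hits.append((e["ProcessGuid"], e["Image"], e["ImageLoaded"]))
    return hits


def correlate(events):
    """Sideload candidates whose loading process is also a renamed binary.
    Requiring both signals removes the vendor-plugin false positive ({C})."""
    renamed = {guid for guid, _, _ in renamed_binaries(events)}
    return [h for h in sideload_candidates(events) if h[0] in renamed]


def parse_hashes(field):
    """Split Sysmon's 'SHA256=...,MD5=...' field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.strip().upper()] = val.strip().lower()
    return out


def match_file_iocs(events, iocs):
    """Return (guid, path, sha256, label) for any event whose SHA256 is an IoC."""
    hits = []
    for e in events:
        sha = parse_hashes(e.get("Hashes", "")).get("SHA256")
        if sha in iocs:
            hits.append((e["ProcessGuid"], e.get("ImageLoaded") or e["Image"], sha, iocs[sha]))
    return hits


if __name__ == "__main__":
    for guid, image, dll in correlate(SAMPLE_EVENTS):
        print(f"[sideload by renamed binary] {guid} {image} -> {dll}")
    for guid, path, sha, label in match_file_iocs(SAMPLE_EVENTS, FILE_IOCS):
        print(f"[file IoC] {guid} {path} {sha[:12]}... {label}")
```

The correlation step is the point: either signal alone is noisy (installers and vendor plugins legitimately load unsigned DLLs from their own folder, and some tools ship renamed), but a binary whose version resource says one name while the file says another, loading an unsigned DLL from a user-writable temp directory, is exactly the shape of the chain Rapid7 describes and is worth a triage ticket even before hashes are compared.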
Current Status and Indicators of Compromise
As of now, Rapid7 has not disclosed how many victims downloaded the compromised update. It has, however, published a list of file and network indicators of compromise for defenders to check against their own telemetry. The attribution to Lotus Blossom rests on similarities in the execution chain and on earlier research documenting the same tactics in the group's previous operations.
Further updates may be provided as more information becomes available regarding the scope and impact of this incident.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.