Lotus Blossom Turned Notepad++ Into a Six-Month Espionage Pipeline
Overview
A Chinese state-sponsored threat group spent six months inside the infrastructure behind Notepad++, one of the most widely used text editors on Windows, redirecting software updates to deliver a custom backdoor to hand-picked targets. Rapid7 published the full technical breakdown on February 2, 2026, attributing the campaign with moderate confidence to Lotus Blossom, an espionage-focused APT active since at least 2009. The group compromised Notepad++’s hosting provider, not the application’s source code, and used that position to selectively funnel malicious update packages to victims in the telecom, financial services, government, and critical infrastructure sectors.
The operation ran from approximately June 2025 through December 2025, making it one of the longer-running supply chain compromises disclosed in recent memory. Independent security researcher Kevin Beaumont separately linked the activity to Violet Typhoon (also tracked as APT31), though Rapid7’s attribution rests on a different cluster of evidence tied to Lotus Blossom (also known as Billbug, Thrip, and Raspberry Typhoon). Regardless of which naming convention you prefer, the conclusion is the same: a well-resourced Chinese intelligence operation weaponized trusted software distribution to conduct targeted espionage.
Technical Details
Initial Access
The attackers did not exploit a vulnerability in Notepad++ itself. Instead, they compromised the shared hosting server that served notepad-plus-plus.org, gaining the ability to intercept and redirect traffic from WinGUp, the application’s built-in updater. Notepad++ maintainer Don Ho confirmed that the hosting provider reported the server was compromised until September 2, 2025. Even after the hosting provider regained control of the server, the attackers retained credentials to internal services until December 2, 2025, which allowed them to keep redirecting update traffic to infrastructure they controlled.
The redirection was highly targeted. Only traffic from specific users was routed to the malicious servers; most Notepad++ users continued to receive legitimate updates. This selectivity is a hallmark of intelligence-driven operations designed to minimize detection while maintaining access to priority targets.
The Chrysalis Backdoor
When a targeted user’s updater connected to the attacker-controlled server, it downloaded “update.exe” from 95.179.213[.]0. This file was an NSIS installer, a packaging tool frequently used by Chinese APT groups to deliver initial payloads. The installer dropped three files into a hidden “Bluetooth” directory under %AppData%:
- BluetoothService.exe: A renamed copy of the legitimate Bitdefender Submission Wizard, abused for DLL sideloading.
- log.dll: The malicious DLL that gets loaded in place of a legitimate library when BluetoothService.exe runs.
- BluetoothService: An encrypted shellcode blob.
When BluetoothService.exe executes, it loads log.dll, which decrypts the shellcode using a custom stream cipher built on a linear congruential generator. The decrypted payload is Chrysalis, a previously undocumented, feature-rich backdoor that Rapid7 describes as “a sophisticated and permanent tool, not a simple throwaway utility.”
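The decryption step above is worth dwelling on, because a stream cipher built on a linear congruential generator is obfuscation rather than cryptography. The following Python is an added example, not code from Rapid7’s report or from log.dll: it implements a generic LCG-keyed XOR stream cipher and then recovers the seed from a few bytes of known plaintext, which is exactly the position an analyst is in when the encrypted blob is known to start with a common shellcode stub. The LCG constants (the textbook Numerical Recipes pair), the one-byte-per-step output, the 16-bit seed space used for the brute force, and the sample payload are all assumptions for the demo; the writeup does not give log.dll’s actual parameters.

```python
"""LCG-keyed XOR stream cipher and known-plaintext seed recovery (added example).

Assumptions (not Chrysalis/log.dll parameters, which the writeup does not give):
  - a 32-bit LCG with the Numerical Recipes constants,
  - one keystream byte per step, taken from the top 8 bits of the state,
  - a 16-bit seed space for the brute-force demo.
"""
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF
LCG_A = 1664525      # assumed multiplier
LCG_C = 1013904223   # assumed increment


def keystream(seed: int, length: int) -> bytes:
    """Return `length` keystream bytes: one LCG step per byte, top 8 bits of state."""
    state = seed & MASK32
    out = bytearray()
    for _ in range(length):
        state = (LCG_A * state + LCG_C) & MASK32
        out.append(state >> 24)
    return bytes(out)


def lcg_xor(seed: int, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, keystream(seed, len(data))))


def recover_seed(ciphertext: bytes, known_prefix: bytes, seed_bits: int = 16) -> Optional[int]:
    """Brute-force the seed from a known plaintext prefix.

    XORing ciphertext with known plaintext yields the first keystream bytes; any
    candidate seed that reproduces them is the key. A few bytes of prefix suffice
    (x64 shellcode stubs are predictable), and even a full 2^32 seed space is
    within reach of a compiled brute-forcer, which is why an LCG is not a cipher.
    """
    n = len(known_prefix)
    target = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix))
    for seed in range(1 << seed_bits):
        if keystream(seed, n) == target:
            return seed
    return None


# Constructed stand-in for an encrypted shellcode blob: a common x64 stub
# (cld; and rsp,-16; call ...) followed by filler bytes. Not the real payload.
SAMPLE_PAYLOAD = bytes.fromhex("fc4883e4f0e8c0000000") + bytes(range(30))
SAMPLE_SEED = 0xBEEF  # assumed seed for the demo


def demo() -> Tuple[bytes, Optional[int], bytes]:
    """Encrypt the sample blob, then recover the seed from an 8-byte known prefix."""
    blob = lcg_xor(SAMPLE_SEED, SAMPLE_PAYLOAD)
    seed = recover_seed(blob, SAMPLE_PAYLOAD[:8])
    plaintext = lcg_xor(seed, blob) if seed is not None else b""
    return blob, seed, plaintext


if __name__ == "__main__":
    _blob, _seed, _pt = demo()
    print("recovered seed:", None if _seed is None else hex(_seed))
    print("decrypted matches original:", _pt == SAMPLE_PAYLOAD)
```

In a real loader the seed is usually embedded in the DLL and can simply be read out during analysis; the brute force matters when the seed is derived from something the analyst does not have (a host-specific value, a download-time parameter), and it works because a truncated LCG leaks its state with every output byte.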
Chrysalis decrypts its configuration using RC4, revealing a C2 server at api.skycloudcenter[.]com (resolving to 61.4.102[.]97 in Malaysia). The C2 URL structure mimics DeepSeek API chat endpoints, a clever choice to blend malicious traffic with legitimate AI platform requests. The backdoor supports 16 distinct commands, including interactive reverse shells, arbitrary file read/write, process creation, drive enumeration, file transfer, and a full self-removal mechanism that cleans up persistence artifacts and deletes its own binary.
Additional Tooling
Rapid7’s incident response team also recovered evidence of a secondary payload chain on compromised hosts. Attackers used a renamed Tiny C Compiler (masquerading as svchost.exe) to compile and execute a C source file (“conf.c”) containing embedded Metasploit shellcode. This shellcode downloaded a Cobalt Strike HTTPS beacon from api.wiresguard[.]com.
A third loader variant, ConsoleApplication2.exe, stood out for abusing Microsoft Warbird, an internal Windows code-protection framework, to execute shellcode within the memory space of a Microsoft-signed binary (clipc.dll). Triggering execution through an undocumented information class of the NtQuerySystemInformation system call is a technique adapted directly from published security research, and it illustrates the group’s habit of rapidly integrating publicly available offensive techniques.
Attribution Context
Rapid7 attributes the campaign to Lotus Blossom with moderate confidence based on strong similarities between the loader’s DLL sideloading approach (using a renamed Bitdefender binary to load log.dll) and techniques documented in prior Symantec research on the group. Shared Cobalt Strike beacon configurations across multiple loader variants further support the link.
Kevin Beaumont’s separate attribution to Violet Typhoon (APT31) may reflect overlapping tooling or infrastructure sharing between Chinese intelligence-linked groups. Both attributions converge on a clear conclusion: this was a state-sponsored operation with espionage objectives.
Impact
Notepad++ sits on the desktops of millions of Windows users worldwide. Developers, system administrators, security analysts, and engineers in government, telecommunications, critical infrastructure, and media all rely on it. That ubiquity is precisely what made it an attractive supply chain target. By compromising the distribution channel rather than the software itself, the attackers could reach high-value targets without tripping the kinds of alarms that a code-level backdoor would trigger during code review.
Rapid7’s Christiaan Beek told CyberScoop that post-compromise activity included “system profiling, persistence mechanisms, and remote command execution consistent with long-term espionage access rather than immediate disruption or monetization.” There was no evidence of bulk data exfiltration. The objective appears aligned with strategic intelligence collection, consistent with Lotus Blossom’s historical operations.
The six-month dwell time is notable. From June 2025 through December 2025, every targeted user who ran the Notepad++ updater potentially received the Chrysalis backdoor. Because the compromise was at the infrastructure level and the malware used legitimate signed binaries for sideloading, standard endpoint protections may not have flagged the activity.
Recommended Actions
- Update Notepad++ immediately. Version 8.8.9 and later include hardened update verification. The Notepad++ website has been migrated to a new hosting provider, and Rapid7 confirms that Lotus Blossom’s known campaign infrastructure is no longer active.
- Hunt for the specific IoCs published by Rapid7. Key file hashes to check include update.exe (SHA-256: a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9) and log.dll (SHA-256: 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad). Check DNS, proxy, and firewall logs for connections to 95.179.213[.]0, api.skycloudcenter[.]com, api.wiresguard[.]com, and 61.4.102[.]97.
- Look for the persistence artifacts. Chrysalis establishes persistence via Windows service creation or the registry Run key, and creates a hidden “Bluetooth” directory under %AppData%. Check for BluetoothService.exe in that path, and for service or Run-key entries pointing to binaries invoked with -i or -k command-line flags.
- Audit your software update trust model. This incident underscores that code signing alone is insufficient if the distribution infrastructure is compromised. Consider application allowlisting, network segmentation for update channels, and monitoring for unexpected binary replacements in directories associated with auto-updaters.
- Review for Cobalt Strike indicators. The secondary payload chain used Cobalt Strike beacons communicating with api.wiresguard[.]com. Organizations with EDR telemetry should query for default Cobalt Strike named pipes, known beacon configuration signatures, and the specific IPs (59.110.7[.]32, 124.222.137[.]114) documented in Rapid7’s report.
MITRE ATT&CK Mapping
| Technique ID | Name |
|---|---|
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| T1027.007 | Obfuscated Files or Information: Dynamic API Resolution |
| T1620 | Reflective Code Loading |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
| T1543.003 | Create or Modify System Process: Windows Service |
| T1071.001 | Application Layer Protocol: Web Protocols |
| T1573 | Encrypted Channel |
| T1105 | Ingress Tool Transfer |
| T1041 | Exfiltration Over C2 Channel |
| T1070.004 | Indicator Removal: File Deletion |
Indicators of Compromise
File Hashes (SHA-256):
| File | SHA-256 |
|---|---|
| update.exe | a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9 |
| log.dll | 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad |
| BluetoothService.exe | 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924 |
| conf.c | f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a |
| ConsoleApplication2.exe | b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3 |
Network Indicators:
- 95.179.213[.]0
- api[.]skycloudcenter[.]com (61.4.102[.]97)
- api[.]wiresguard[.]com
- 59.110.7[.]32
- 124.222.137[.]114
Timeline
| Date | Event |
|---|---|
| June 2025 | Lotus Blossom compromises Notepad++ hosting provider |
| September 2, 2025 | Hosting provider regains server access |
| December 2, 2025 | Attackers lose remaining internal service credentials |
| December 9, 2025 | Notepad++ v8.8.9 released with updater hardening |
| February 2, 2026 | Rapid7 publishes full Chrysalis backdoor analysis |
How Codex Can Help
If your organization uses Notepad++ and you want to determine whether you were targeted, or if this incident has you rethinking your software supply chain security posture, reach out. Our team can help with:
- Compromise assessment focused on the specific Lotus Blossom/Chrysalis IoCs, including forensic review of endpoints where Notepad++ was installed and updated during the June-December 2025 window.
- Supply chain security review to evaluate how your organization validates software updates, manages third-party tool risk, and detects infrastructure-level compromises before they reach endpoints.
- Threat hunting across your environment for the Cobalt Strike beacons, DLL sideloading patterns, and persistence mechanisms associated with this campaign and related Chinese APT tradecraft.
- Incident response if your investigation turns up evidence of compromise, including containment, eradication, and recovery support.
Supply chain attacks exploit the trust relationships organizations depend on. We help you verify that trust is warranted.