
Ravie Lakshmanan, Feb 03, 2026. Malware / Open Source

Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++.

The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7.

The development comes shortly after Notepad++ maintainer Don Ho said that a compromise at the hosting-provider level allowed threat actors to hijack update traffic starting in June 2025 and selectively redirect requests from certain users to malicious servers that served a tampered update, exploiting insufficient update-verification controls in older versions of the application.


The weakness was closed in December 2025 with the release of version 8.8.9. It has since emerged that the software's hosting provider was breached to perform targeted traffic redirections until December 2, 2025, when the attacker's access was terminated. Notepad++ has since migrated to a new hosting provider with stronger security and rotated all credentials.

Rapid7's analysis of the incident has uncovered no evidence or artifacts to suggest that the updater-related mechanism was exploited to distribute malware.

"The only confirmed behavior is that execution of 'notepad++.exe' and subsequently 'GUP.exe' preceded the execution of a suspicious process 'update.exe' which was downloaded from 95.179.213.0," security researcher Ivan Feigl said.

"Update.exe" is a Nullsoft Scriptable Install System (NSIS) installer that contains several files:

  • An NSIS installation script
  • BluetoothService.exe, a renamed copy of the Bitdefender Submission Wizard that is used for DLL side-loading (a technique widely used by Chinese hacking groups)
  • BluetoothService, encrypted shellcode (aka Chrysalis)
  • log.dll, a malicious DLL that is side-loaded to decrypt and execute the shellcode

Chrysalis is a bespoke, feature-rich implant that gathers system information and contacts an external server ("api.skycloudcenter[.]com"), likely to receive additional commands for execution on the infected host.

The command-and-control (C2) server is currently offline. However, a deeper examination of the obfuscated artifact has revealed that it is capable of processing incoming HTTP responses to spawn an interactive shell, create processes, perform file operations, upload/download files, and uninstall itself.
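The confirmed chain (notepad++.exe, then GUP.exe, then a downloaded update.exe), the side-loading triad (a renamed signed executable loading an unsigned log.dll from the same directory) and the two network indicators above are enough to write hunting logic. The block below is an added example for this article, not Rapid7's, Notepad++'s or the attacker's code. Only the two indicators come from the report; the Sysmon-style event shape, the assumption that a legitimate GUP.exe run only launches an installer named like npp.<version>.Installer*.exe, the trusted-directory prefixes and the sample telemetry are assumptions constructed for the illustration.

```python
"""Hunt the notepad++.exe -> GUP.exe -> update.exe chain and the Chrysalis
side-loading triad in Sysmon-style telemetry.

Added illustration for this article; it is not Rapid7's or Notepad++'s code.
The events are constructed JSON lines shaped like Sysmon EventIDs
1 (process create), 3 (network connect), 7 (image load) and 22 (DNS query).
The expected-installer name pattern and the trusted-directory prefixes are
assumptions about a typical Windows estate, not facts from the report.
"""
import json
import ntpath  # parses Windows paths correctly even when run on Linux
import re

# Indicators named in the article.
IOC_IPS = {"95.179.213.0"}
IOC_DOMAINS = {"api.skycloudcenter.com"}

# Assumption: a legitimate GUP.exe run only launches an installer named like
# npp.<version>.Installer*.exe; anything else it spawns is suspect.
EXPECTED_INSTALLER = re.compile(r"^npp\.[\d.]+\.installer.*\.exe$", re.I)

# Assumption: the unsigned-DLL-next-to-EXE heuristic is too noisy under these
# roots, so processes running from them are skipped; anywhere else is checked.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry (not real logs); one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "ParentImage": "C:\\Program Files\\Notepad++\\notepad++.exe"}
{"EventID": 3, "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "DestinationIp": "95.179.213.0", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ParentImage": "C:\\Program Files\\Notepad++\\updater\\GUP.exe"}
{"EventID": 1, "Image": "C:\\ProgramData\\BluetoothService.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
{"EventID": 7, "Image": "C:\\ProgramData\\BluetoothService.exe", "ImageLoaded": "C:\\ProgramData\\log.dll", "Signed": "false"}
{"EventID": 22, "Image": "C:\\ProgramData\\BluetoothService.exe", "QueryName": "api.skycloudcenter.com"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\npp.8.8.9.Installer.x64.exe", "ParentImage": "C:\\Program Files\\Notepad++\\updater\\GUP.exe"}
{"EventID": 7, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "ImageLoaded": "C:\\Program Files\\Notepad++\\plugins\\demo.dll", "Signed": "false"}
"""


def _name(path):
    return ntpath.basename(path).lower()


def _lineage(image, parents, max_depth=4):
    """Walk ParentImage links back up to max_depth names, oldest first."""
    chain = [_name(image)]
    while image in parents and len(chain) < max_depth:
        image = parents[image]
        chain.append(_name(image))
    return " > ".join(reversed(chain))


def hunt(lines):
    """Return (rule, detail) findings for a sequence of JSON event lines."""
    events = [json.loads(line) for line in lines if line.strip()]
    # Parent links from process-create events. Keyed on image path for the
    # demo; a production version keys on ProcessGuid so re-used paths and
    # restarted processes are not conflated.
    parents = {e["Image"]: e["ParentImage"] for e in events if e["EventID"] == 1}
    findings = []
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 1 and _name(ev.get("ParentImage", "")) == "gup.exe" \
                and not EXPECTED_INSTALLER.match(_name(image)):
            findings.append(("gup_unexpected_child", _lineage(image, parents)))
        elif eid == 3 and ev.get("DestinationIp") in IOC_IPS:
            findings.append(("ioc_ip", f"{_name(image)} -> {ev['DestinationIp']}"))
        elif eid == 22 and ev.get("QueryName", "").lower().rstrip(".") in IOC_DOMAINS:
            findings.append(("ioc_domain", f"{_name(image)} -> {ev['QueryName']}"))
        elif eid == 7:
            # Side-loading shape: an unsigned DLL loaded from the directory the
            # process itself runs from, outside the trusted roots.
            loaded = ev.get("ImageLoaded", "")
            same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
            unsigned = ev.get("Signed", "true").lower() == "false"
            untrusted = not image.lower().startswith(TRUSTED_DIRS)
            if unsigned and same_dir and untrusted and loaded.lower().endswith(".dll"):
                findings.append(("possible_sideload", f"{_name(image)} loaded {loaded}"))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"[{rule}] {detail}")
```

Two of the four rules (gup_unexpected_child and possible_sideload) do not depend on the indicators at all, so they would still fire on a renamed dropper or a different legitimate executable and DLL pair; the IP and domain matches are there for retrospective hunting on the published indicators and will age quickly. On real Sysmon data, key the process tree on ProcessGuid rather than the image path, and treat the installer name pattern as something to confirm against your own GUP.exe telemetry before relying on it.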

"Overall, the sample looks like something that has been actively developed over time," Rapid7 said, adding that it also identified a file named "conf.c" that is designed to retrieve a Cobalt Strike beacon via a custom loader that embeds Metasploit block API shellcode.

One such loader, "ConsoleApplication2.exe," is noteworthy for its use of Microsoft Warbird, an undocumented internal code-protection and obfuscation framework, to execute shellcode. The threat actor has been found to have copied and modified an existing proof-of-concept (PoC) published by German cybersecurity company Cirosec in September 2024.


Rapid7's attribution of Chrysalis to Lotus Blossom (aka Billbug, Bronze Elgin, Lotus Panda, Raspberry Typhoon, Spring Dragon, and Thrip) is based on similarities with prior campaigns undertaken by the threat actor, including one documented by Broadcom-owned Symantec in April 2025 that involved the use of legitimate executables from Trend Micro and Bitdefender to side-load malicious DLLs.

"While the group continues to rely on proven techniques like DLL side-loading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealthy tradecraft," the company said.

"What stands out is the combination of tools: the deployment of custom malware (Chrysalis) alongside commodity frameworks like Metasploit and Cobalt Strike, together with the rapid adaptation of public research (specifically the abuse of Microsoft Warbird). This demonstrates that Billbug is actively updating its playbook to stay ahead of modern detection."
