PROBABLYPWNED
Malware · February 6, 2026 · 5 min read

Rapid7 Links Notepad++ Breach to Lotus Blossom APT

Rapid7 attributes the six-month Notepad++ supply chain compromise to Chinese APT Lotus Blossom, revealing a custom Chrysalis backdoor and three distinct infection chains.

James Rivera

Rapid7 has attributed the Notepad++ supply chain compromise to Lotus Blossom, a Chinese state-sponsored group with a long history of targeting organizations across Southeast Asia. The attribution, published this week with medium confidence, comes alongside technical details about a previously undocumented backdoor called Chrysalis and three distinct infection chains that rotated over the six-month compromise window.

We covered the initial disclosure of the Notepad++ hijacking last week when developer Don Ho revealed the breach. Rapid7's new analysis fills in the technical gaps—who was behind it, what they deployed, and which victims they targeted.

Three Infection Chains, One Mission

Between late July and October 2025, the attackers cycled through three different malware delivery sequences, each served to targeted users via the hijacked update mechanism. None of them modified Notepad++ source code. The compromise lived entirely at the hosting provider level, making it invisible to code-signing verification.

Chain 1 (late July to early August): A malicious update served from 45.76.155[.]202 dropped an NSIS installer that abused ProShow.exe for DLL sideloading. The sideloaded DLL loaded a Metasploit downloader, which pulled a Cobalt Strike beacon for initial access.

Chain 2 (mid to late September): The attackers shifted to broader system reconnaissance—running whoami, tasklist, netstat, and systeminfo on compromised machines. This chain used Lua script execution with embedded shellcode and switched to a new distribution URL at self-dns.it[.]com/list.

Chain 3 (October): The final chain, distributed from 45.32.144[.]255, delivered the Chrysalis backdoor through the same DLL sideloading technique but with updated payloads. Some variants propagated via 95.179.213[.]0 under filenames like install.exe and AutoUpdater.exe.

The rotation between chains suggests active development and operational security awareness. When one chain risked detection, the operators retired it and deployed a replacement within weeks.

The Chrysalis Backdoor

Chrysalis is a custom, feature-rich implant designed for sustained access rather than smash-and-grab operations. Its capabilities include system information gathering, interactive shell spawning, process creation, file upload and download, and a remote uninstall function—a cleanup mechanism that lets operators remove evidence of their presence.

The backdoor communicated with C2 infrastructure at api.skycloudcenter[.]com (currently offline). Its loader used Metasploit block API shellcode, and some variants employed Microsoft Warbird obfuscation—a technique that abuses Microsoft's own code protection framework to make analysis harder.

That Lotus Blossom built a dedicated backdoor for this campaign rather than reusing existing tools from their arsenal signals the level of investment. Commodity malware would've been easier but also more detectable. Chrysalis was built for this specific operation.

Who Got Targeted

Kaspersky documented approximately a dozen targeted machines across multiple regions and sectors:

  • Government organizations in the Philippines
  • Financial institutions in El Salvador
  • Telecommunications providers
  • IT service companies
  • Transportation industry firms
  • Individual users in Vietnam, Australia, and the Philippines

The geographic spread skews toward APAC, consistent with Lotus Blossom's historical targeting. But the inclusion of Latin American targets (El Salvador) represents an expansion beyond the group's usual operating area.

Attribution to Lotus Blossom

Rapid7's medium-confidence attribution rests on several technical indicators. The attackers used DLL sideloading techniques that exploited legitimate binaries from Trend Micro and Bitdefender—a pattern Lotus Blossom (also tracked as Billbug, Bronze Elgin, Lotus Panda, and Spring Dragon) has used in previous campaigns. The multi-layered shellcode loaders with undocumented system calls match the group's known tradecraft, and the adaptation of public research on Microsoft Warbird abuse aligns with their demonstrated willingness to weaponize academic findings.

The EmEditor supply chain compromise we covered in January used a different approach—trojanized installers on the download page rather than update mechanism hijacking—but the broader pattern of text editor targeting is hard to ignore. Developer tools are high-value targets because their users tend to have elevated privileges, access to source code, and SSH keys to production infrastructure.

Indicators of Compromise

C2 servers:

  • api.skycloudcenter[.]com
  • self-dns.it[.]com
  • 45.76.155[.]202
  • 45.32.144[.]255
  • 95.179.213[.]0

Detection guidance: Monitor for execution chains where notepad++.exe spawns gup.exe (the WinGup updater), which then launches an unexpected update.exe process. Connections to the C2 addresses above from any endpoint should trigger immediate investigation.
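The guidance above as a small hunt over process-creation and network telemetry, written as an added example (not code from Rapid7, Kaspersky or the Notepad++ project); the flat dict event shape (type/pid/ppid/image/dest) and the sample events are constructed for the demonstration, and only the indicators quoted in this article are matched.

```python
# Added example: hunt for the notepad++.exe -> gup.exe -> update.exe chain and for
# contacts with the C2 indicators listed above. The event format is an assumption;
# adapt the field names to your EDR or Sysmon export.

C2_INDICATORS = {  # the article's IoC list, defanging brackets removed for matching
    "api.skycloudcenter.com", "self-dns.it.com",
    "45.76.155.202", "45.32.144.255", "95.179.213.0",
}


def find_updater_chains(events):
    """PIDs of update.exe whose parent is gup.exe and grandparent is notepad++.exe."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def name(pid):
        e = procs.get(pid)
        return e["image"].rsplit("\\", 1)[-1].lower() if e else None

    return [pid for pid, e in procs.items()
            if name(pid) == "update.exe"
            and name(e["ppid"]) == "gup.exe"
            and name(procs[e["ppid"]]["ppid"]) == "notepad++.exe"]


def find_c2_contacts(events):
    """(pid, destination) pairs for connections to the listed C2 hosts and addresses."""
    return [(e["pid"], e["dest"]) for e in events
            if e["type"] == "network" and e["dest"].lower().rstrip(".") in C2_INDICATORS]


def hunt(events):
    """Run both checks; either list being non-empty warrants an investigation."""
    return {"updater_chains": find_updater_chains(events),
            "c2_contacts": find_c2_contacts(events)}


# Constructed sample telemetry: one chain matching the guidance (pids 100-102) and one
# ordinary update where gup.exe launches a normally named installer (pids 200-202).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Program Files\Notepad++\updater\gup.exe"},
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Program Files\Notepad++\updater\gup.exe"},
    {"type": "process", "pid": 202, "ppid": 201, "image": r"C:\Users\alice\AppData\Local\Temp\npp.8.8.9.Installer.x64.exe"},
    {"type": "network", "pid": 102, "dest": "api.skycloudcenter.com"},
    {"type": "network", "pid": 202, "dest": "benign-update-host.example"},  # placeholder host
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # flags pid 102 and its connection to api.skycloudcenter.com
```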

What to Do

Update Notepad++ to version 8.8.9 or later immediately. The updated WinGup component now verifies both the certificate and signature of downloaded installers, and the update server's XML responses are signed with XMLDSig. The project has also migrated to a new hosting provider.

If you're running any version installed between June and December 2025, assume it may have been compromised. Check for the presence of BluetoothService.exe (a renamed Bitdefender tool), log.dll files in unexpected locations, and connections to the C2 infrastructure listed above. Full malware analysis guidance can help teams assess exposure across their environment.

Supply chain attacks against developer tools carry outsized risk because the blast radius extends to everything those developers build and maintain. When the text editor is compromised, the code that flows through it becomes suspect too.
