
Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

Severity: Medium
Tags: Vulnerability, RCE
Published: Tue Feb 03 2026 (02/03/2026, 04:55:00 UTC)
Source: The Hacker News

Description

A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++. The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7. The development comes shortly

AI-Powered Analysis

Last updated: 02/03/2026, 04:59:30 UTC

Technical Analysis

The Lotus Blossom threat group, linked to China, conducted a targeted supply chain attack against Notepad++ by breaching its hosting provider infrastructure. This breach allowed the attackers to hijack update traffic from June 2025 until their access was terminated on December 2, 2025. By exploiting insufficient update verification mechanisms in older Notepad++ versions, the attackers selectively redirected update requests from certain users to malicious servers, delivering a backdoor implant named Chrysalis.

Chrysalis is a complex, multi-layered malware implant that uses DLL side-loading techniques, specifically leveraging a renamed Bitdefender Submission Wizard executable (BluetoothService.exe) to sideload a malicious DLL (log.dll) that decrypts and executes encrypted shellcode. The implant gathers system information and communicates with a command-and-control server (api.skycloudcenter[.]com) to receive further commands, including spawning interactive shells, file operations, process creation, and self-removal. The malware also incorporates a custom loader embedding Metasploit Block API shellcode and uses Microsoft Warbird, an undocumented obfuscation framework, to evade detection.

Rapid7's analysis found no evidence of widespread exploitation via the update mechanism, but the attack demonstrates advanced tactics such as DLL sideloading, shellcode obfuscation, and rapid adaptation of public research tools. Notepad++ responded by migrating to a more secure hosting provider, rotating credentials, and releasing version 8.8.9 to fix the update verification flaw. The attack is consistent with Lotus Blossom's prior campaigns involving similar techniques and tools, indicating an evolution in their operational sophistication and stealth capabilities.

Potential Impact

For European organizations, the compromise of Notepad++'s update infrastructure poses a significant supply chain risk, especially for entities relying on this widely used open-source editor for software development, system administration, and general text editing. The delivery of the Chrysalis backdoor could lead to unauthorized system access, data exfiltration, lateral movement within networks, and potential disruption of operations. Given the implant's capabilities to execute arbitrary commands, upload/download files, and maintain persistence stealthily, affected systems could be fully compromised without immediate detection. The attack also undermines trust in open-source software supply chains, potentially impacting compliance and security postures. Although no widespread exploitation has been confirmed, targeted attacks could focus on high-value European sectors such as government, critical infrastructure, technology firms, and research institutions. The incident highlights the need for rigorous software supply chain security and monitoring for anomalous update behaviors. Additionally, the use of commodity frameworks like Metasploit and Cobalt Strike alongside custom malware increases the complexity of detection and response efforts.

Mitigation Recommendations

European organizations should immediately ensure that all Notepad++ installations are updated to version 8.8.9 or later, which includes patches for the update verification vulnerability.

Implement strict network monitoring to detect anomalous outbound connections, especially to suspicious domains like api.skycloudcenter[.]com or IP ranges associated with the attack. Employ endpoint detection and response (EDR) solutions capable of identifying DLL sideloading, unusual process executions (e.g., unexpected 'update.exe' or 'BluetoothService.exe' processes), and shellcode injection techniques.

Conduct thorough audits of software supply chain dependencies and enforce cryptographic verification of software updates using strong signature validation mechanisms. Organizations should consider restricting or sandboxing the execution of update processes for critical applications and implement application allowlisting to prevent unauthorized binaries from running. Rotate credentials and secrets related to software update infrastructure and hosting providers regularly.

Engage in threat hunting exercises focused on indicators of compromise related to Lotus Blossom tactics, techniques, and procedures (TTPs), including the use of Microsoft Warbird obfuscation and Metasploit/Cobalt Strike payloads. Finally, enhance user awareness about supply chain risks and encourage reporting of suspicious software behaviors.
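The Technical Analysis describes the side-loading chain (a renamed signed executable, BluetoothService.exe, loading an unsigned log.dll from the same directory, then resolving api.skycloudcenter[.]com), and the mitigation section asks for EDR and network monitoring that catches exactly that shape. The following detection pass, an added example that is not code from Rapid7, Notepad++ or this page, turns those three observations into rules and runs them over constructed Sysmon-style events. The field names (Image, OriginalFileName, ImageLoaded, Signed, QueryName, EventID 1/7/22) follow Sysmon conventions; the event records, the user-writable path list and the OriginalFileName value "VendorSubmissionTool.exe" are constructed sample data, since the page does not give the executable's real original filename.

```python
"""Detection pass over constructed Sysmon-style endpoint events.

Added illustration for the Chrysalis analysis; not Rapid7's, Notepad++'s
or the page's own code. Field names follow Sysmon conventions, but every
record below is constructed sample data, not captured telemetry.
"""
import json
import ntpath

# Indicator named on the page (defanged there as api.skycloudcenter[.]com).
C2_DOMAINS = {"api.skycloudcenter.com"}

# Directories an unprivileged user can normally write to (constructed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample events as JSON lines. The first three model the
# side-loading chain from the analysis; the last three are benign noise.
# "VendorSubmissionTool.exe" is a placeholder, not the real original name.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\BluetoothService.exe", "OriginalFileName": "VendorSubmissionTool.exe", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\BluetoothService.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\log.dll", "Signed": "false"}
{"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\BluetoothService.exe", "QueryName": "api.skycloudcenter.com"}
{"EventID": 1, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "OriginalFileName": "notepad++.exe", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 22, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "QueryName": "notepad-plus-plus.org"}
"""


def _basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def _dirname(path):
    return ntpath.dirname(path).lower()


def _user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def check_event(ev):
    """Return a list of (rule, detail) findings for a single event."""
    findings = []
    image = ev.get("Image", "")
    eid = ev.get("EventID")
    if eid == 1:
        # Rule 1: a signed binary executing under a name that differs from its
        # embedded original filename, out of a user-writable directory.
        orig = ev.get("OriginalFileName", "")
        if (ev.get("Signed") == "true" and orig
                and orig.lower() != _basename(image) and _user_writable(image)):
            findings.append(("renamed_signed_binary",
                             f"{image} (OriginalFileName={orig})"))
    elif eid == 7:
        # Rule 2: an unsigned DLL loaded from the same user-writable directory
        # as the process image, the classic side-loading shape.
        dll = ev.get("ImageLoaded", "")
        if (ev.get("Signed") == "false" and _dirname(dll) == _dirname(image)
                and _user_writable(dll)):
            findings.append(("sideloaded_dll", f"{image} loaded {dll}"))
    elif eid == 22:
        # Rule 3: DNS resolution of a known command-and-control domain.
        query = ev.get("QueryName", "").lower().rstrip(".")
        if query in C2_DOMAINS:
            findings.append(("known_c2_domain", f"{image} resolved {query}"))
    return findings


def scan(jsonl):
    """Parse JSON lines and return every finding in event order."""
    findings = []
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if line:
            findings.extend(check_event(json.loads(line)))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule is deliberately independent: the renamed-binary check needs no knowledge of the specific malware, the side-load check fires on any unsigned DLL sitting beside its host process in a user-writable directory, and the domain check is the only indicator-specific piece. Correlating all three on one process image, as the sample chain does, is what makes the alert high confidence; any one alone warrants review rather than an incident declaration.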


Technical Details

Article Source: https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html (fetched 2026-02-03T04:59:15Z, 1165 words)

Threat ID: 698180a3f9fa50a62fa53d84

Added to database: 2/3/2026, 4:59:15 AM

Last enriched: 2/3/2026, 4:59:30 AM

Last updated: 3/20/2026, 9:44:45 AM

