Search

Lotus Blossom Hackers Compromised Notepad++ Hosting Infrastructure to Deliver Malware

Cyber threats and incidents
By Evan Rowe

Related

Cyber threats and incidents

Critical ZLAN ICS Device Vulnerabilities Enable Complete Device Takeover

What happened The U.S. cybersecurity agency CISA has issued an...
Read more
Cyber threats and incidents

Lotus Blossom Hackers Compromised Notepad++ Hosting Infrastructure to Deliver Malware

What happened The state-sponsored threat group Lotus Blossom breached the...
Read more
Cyber threats and incidents

Lithuania Launches National Initiative to Counter AI-Driven Cyber Fraud

What happened Lithuania has launched a government-funded national initiative aimed...
Read more
Cyber threats and incidents

ClickFix Attack Abuses nslookup to Deliver PowerShell Malware via DNS

What happened Threat actors have introduced a new ClickFix attack...
Read more
Cyber threats and incidents

Snail Mail Phishing Campaign Targets Trezor and Ledger Crypto Wallet Users

What happened Threat actors have launched a phishing campaign using...
Read more

Share

What happened

The state-sponsored threat group Lotus Blossom breached the official hosting infrastructure used by Notepad++, allowing attackers to intercept software update traffic and deliver malicious payloads to targeted victims. The compromise occurred between June and December 2025 after attackers gained access to the shared hosting provider’s environment and redirected update requests to attacker-controlled infrastructure. 

The attack exploited insufficient verification controls in older versions of the Notepad++ updater component WinGUp, causing victims attempting to update the software to download a malicious installer named update.exe. Researchers from Palo Alto Networks Unit 42 identified two infection chains, including a Lua script injection variant delivering Cobalt Strike beacon malware and a DLL sideloading method deploying the Chrysalis backdoor. The malware enabled persistent remote access and communicated with attacker command-and-control servers to maintain control over compromised systems. 

The campaign primarily targeted government agencies, telecommunications companies, and critical infrastructure organizations, with victims located in Southeast Asia, South America, the United States, and Europe. 

Who is affected

Organizations and professionals using Notepad++, particularly system administrators, network engineers, and DevOps personnel, are affected if they installed updates during the compromise period, as the malicious update mechanism enabled attackers to infect systems with persistent backdoor access. 

Why CISOs should care

The compromise demonstrates how attackers can infiltrate software update infrastructure to distribute malware through trusted tools, enabling unauthorized access to enterprise environments and critical systems managed by privileged users. 

3 practical actions

  • Update Notepad++ to version 8.9.1 or later. Install the latest release with enhanced certificate and signature verification protections. 
  • Audit systems for Chrysalis backdoor or Cobalt Strike indicators. Identify infections linked to malicious Notepad++ update activity. 
  • Review software update infrastructure security. Ensure update mechanisms enforce strict signature validation and integrity verification. 
Previous article
Lithuania Launches National Initiative to Counter AI-Driven Cyber Fraud
Next article
Critical ZLAN ICS Device Vulnerabilities Enable Complete Device Takeover
Cyber threats and incidents

Critical ZLAN ICS Device Vulnerabilities Enable Complete Device Takeover

What happened The U.S. cybersecurity agency CISA has issued an...
Cyber threats and incidents

Lithuania Launches National Initiative to Counter AI-Driven Cyber Fraud

What happened Lithuania has launched a government-funded national initiative aimed...

Subscribe to our stories

To be updated with all the latest news, offers and special announcements.