Full Report
A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++. The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7. The development comes shortly
Analysis Summary
# Threat Actor: Lotus Blossom
## Attribution & Identity
- **Identified Actor:** Lotus Blossom (China-linked threat actor).
- **Confidence:** Medium confidence attributed by Rapid7 to the Notepad++ infrastructure compromise.
- **Known Aliases/Associated Groups:** Broadly associated with the same threat group that has been tracked under the aliases Billbug, Bronze Elgin, Lotus Panda, Spring Dragon, and Thrip.
- **Nature:** State-sponsored hacking group.
## Activity Summary
The primary recent activity detailed is the compromise of the infrastructure hosting the Notepad++ open-source editor. The goal was to hijack update traffic from around June 2025 until December 2, 2025, redirecting certain users to malicious servers that served a tampered update containing a new backdoor. Although the update mechanism was the delivery path, Rapid7 found no artifacts confirming exploitation of a vulnerability in the updater itself; rather, the compromise worked by redirecting traffic at the hosting provider level.
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Hijacking update traffic at the hosting provider level to serve a malicious update (exploiting insufficient update verification controls in older versions).
- **Initial Execution Chain:** `notepad++.exe` launches the updater `GUP.exe`, which then executes the downloaded malicious file `update.exe`.
- **Installer Usage:** Used a Nullsoft Scriptable Install System (NSIS) installer (`update.exe`) containing multiple components.
- **DLL Side-Loading:** Employed classic DLL side-loading using a legitimate file (`BluetoothService.exe`, a renamed Bitdefender Submission Wizard) to load a malicious DLL (`log.dll`). This technique is widely used by Chinese hacking groups.
- **Payload Deployment:** Once side-loaded, the malicious DLL decrypted an encrypted shellcode payload, identified as the **Chrysalis** backdoor.
- **System Evasion/Obfuscation:** The toolkit included a custom loader designed to retrieve a Cobalt Strike beacon by embedding Metasploit block API shellcode.
- **Obfuscation Framework:** Noteworthy use of **Microsoft Warbird**, an undocumented internal code protection and obfuscation framework, executed via a custom loader (`ConsoleApplication2.exe`). The actor copied and modified a public Proof-of-Concept for this technique.
- **Kernel/System Interaction:** Identified use of undocumented system calls such as `NtQuerySystemInformation` for enhanced resilience and stealth.
- **Persistence/Resilience:** Continued reliance on service persistence and multi-layered shellcode loaders.
## Targeting
- **Sectors:** Implied targeting of software/developer communities (users of open-source tools like Notepad++). Historical context suggests targeting of government entities (e.g., activity documented against Southeast Asian governments).
- **Geography:** Not explicitly stated for the Notepad++ incident, but attributed to a China-linked actor.
- **Victims:** Users of specific versions of the Notepad++ editor globally who had their update traffic redirected between June 2025 and December 2, 2025.
## Tools & Infrastructure
- **Malware Families Used:**
  - **Chrysalis:** Previously undocumented, feature-rich bespoke backdoor implant.
  - **Cobalt Strike:** Beacon retrieved via a custom loader.
- **Infrastructure (C2):**
  - C2 Domain: `api.skycloudcenter[.]com` (currently offline).
  - C2 IP (observed during initial payload execution): `95.179.213.0`
- **Legitimate Tools Abused:** Bitdefender Submission Wizard (renamed) for DLL side-loading.
## Implications
The compromise demonstrates a sophisticated attack targeting a globally used piece of open-source software infrastructure to distribute malware. The group is evolving its tradecraft, moving towards more resilient and stealthy methods by combining proven techniques (DLL side-loading) with advanced, low-level exploitation (abusing undocumented Windows frameworks like Microsoft Warbird and using `NtQuerySystemInformation`). The development of the complex, multi-layered Chrysalis backdoor indicates active, state-sponsored development cycles.
## Mitigations
- Ensure robust update verification mechanisms are in place (Notepad++ patched this with version 8.8.9 in December 2025).
- Monitor for unexpected execution chains involving legitimate software executable names being followed by suspicious processes (e.g., `notepad++.exe` followed by `GUP.exe` then `update.exe`).
- Implement advanced monitoring for known adversary TTPs, particularly DLL side-loading attempts using legitimate vendor files (like Bitdefender components).
- Detective controls should look for indicators of the use of undocumented Windows APIs/frameworks like Microsoft Warbird for shellcode execution.
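The two detection ideas above (the `notepad++.exe` -> `GUP.exe` -> `update.exe` execution chain, and an unsigned DLL such as `log.dll` being side-loaded by a renamed vendor binary such as `BluetoothService.exe`) can be expressed as a small hunting script. The following is an added example written for this summary, not Rapid7's or the Notepad++ project's code. The event records are constructed, simplified Sysmon-style process-create and image-load events, and the field names (`pid`, `ppid`, `image`, `loaded`, `signed`) are assumptions; in practice they map onto whatever your EDR or Sysmon pipeline emits.

```python
"""Hunt for the Notepad++ update-hijack execution chain and DLL side-loading.

Added example (not from the original report). The events below are constructed
sample telemetry modelled loosely on Sysmon Event ID 1 (process create) and
Event ID 7 (image load); the field names are assumptions.
"""
import ntpath

# Constructed sample telemetry: one malicious chain plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "process", "pid": 400, "ppid": 300,
     "image": r"C:\ProgramData\BluetoothService.exe"},
    # Unsigned DLL loaded from the same directory as the host executable.
    {"type": "imageload", "pid": 400,
     "image": r"C:\ProgramData\BluetoothService.exe",
     "loaded": r"C:\ProgramData\log.dll", "signed": False},
    # Benign: signed system DLL loaded from System32.
    {"type": "imageload", "pid": 400,
     "image": r"C:\ProgramData\BluetoothService.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Benign: a normal update check that never spawned update.exe.
    {"type": "process", "pid": 500, "ppid": 1,
     "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "process", "pid": 600, "ppid": 500,
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
]

# Ancestry pattern from the report, oldest ancestor first.
CHAIN = ["notepad++.exe", "gup.exe", "update.exe"]

# Directories where an unsigned same-directory DLL load is less surprising.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    """Case-folded final path component (ntpath handles backslashes anywhere)."""
    return ntpath.basename(path).lower()


def dirname(path: str) -> str:
    """Case-folded directory part of a Windows path."""
    return ntpath.dirname(path).lower()


def find_update_chains(events, chain=CHAIN):
    """Return one (root_pid, ..., leaf_pid) tuple per process whose ancestry
    matches `chain` in order, e.g. notepad++.exe -> GUP.exe -> update.exe."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for pid, ev in procs.items():
        if basename(ev["image"]) != chain[-1]:
            continue
        lineage, cur, ok = [pid], ev, True
        # Walk upwards through parents, matching the chain from the leaf back.
        for expected in reversed(chain[:-1]):
            parent = procs.get(cur["ppid"])
            if parent is None or basename(parent["image"]) != expected:
                ok = False
                break
            lineage.append(parent["pid"])
            cur = parent
        if ok:
            hits.append(tuple(reversed(lineage)))
    return hits


def find_sideloads(events):
    """Flag image loads where an unsigned DLL sits in the same directory as
    its host executable and that directory is outside the trusted roots."""
    hits = []
    for ev in events:
        if ev["type"] != "imageload" or ev["signed"]:
            continue
        exe_dir = dirname(ev["image"])
        if dirname(ev["loaded"]) != exe_dir or exe_dir.startswith(TRUSTED_DIRS):
            continue
        hits.append((ev["pid"], basename(ev["image"]), basename(ev["loaded"])))
    return hits


if __name__ == "__main__":
    for lineage in find_update_chains(SAMPLE_EVENTS):
        print("update chain:", " -> ".join(str(p) for p in lineage))
    for pid, exe, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible side-load: pid {pid} {exe} loaded {dll}")
```

The chain matcher walks parent pointers rather than relying on event order, so it still fires when `update.exe` is logged before its parents arrive; the side-load rule keys on the same-directory, unsigned DLL pattern rather than on the specific names `BluetoothService.exe` and `log.dll`, since the actor can rename both while the loading pattern stays the same.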