Kicker: Cyber-Security
Lead: Researchers have uncovered new details about a targeted supply chain attack that abused the Notepad++ software update mechanism, attributing the activity to Lotus Blossom (also known as Billbug), a Chinese state-sponsored threat group. The attackers leveraged the trusted update process to distribute malicious payloads to a small, carefully selected group of victims. According to Rapid7, the operation was not opportunistic or widespread, but instead focused on espionage-oriented objectives, primarily affecting organizations and individuals in Southeast Asia and a handful of other regions.

Further analysis from Kaspersky revealed that victims included government entities, financial organizations, IT service providers, and individual users located in Vietnam, the Philippines, El Salvador, and Australia. The attack involved multiple distinct execution chains, highlighting a high level of sophistication and operational flexibility. In one method, a malicious installer masquerading as a legitimate Notepad++ update sideloaded a crafted DLL, which decrypted and injected custom shellcode into a renamed legitimate binary. This process resulted in the deployment of a powerful backdoor, dubbed “Chrysalis,” capable of long-term persistence and advanced command-and-control communication.
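Two traits of the chain just described, a legitimate binary running under a new name and a DLL sideloaded next to it, are visible in endpoint telemetry. The following is an added hunting example, not code from the page or from the vendors cited; the Sysmon-style records, file names and user-writable path list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Sysmon-style records, constructed for this example (not real telemetry).
# EventID 1 = process creation, EventID 7 = image (DLL) load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "OriginalFileName": "notepad++.exe"},
    # A legitimate, signed binary copied into Temp under a different name.
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "OriginalFileName": "LegitHost.exe"},
    # The renamed binary loads an unsigned DLL sitting beside it.
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "false"},
    # Benign: same DLL name, but the signed copy from System32.
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Windows\System32\helper.dll",
     "Signed": "true"},
]

# Assumed set of directories an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)

def is_renamed_binary(ev):
    """Process start where the PE's embedded OriginalFileName disagrees with the on-disk name."""
    if ev.get("EventID") != 1:
        return False
    on_disk = PureWindowsPath(ev["Image"]).name.lower()
    original = ev.get("OriginalFileName", "").lower()
    return bool(original) and original not in ("-", "?") and original != on_disk

def is_suspicious_sideload(ev):
    """Unsigned DLL loaded from a user-writable directory: the classic sideload shape."""
    if ev.get("EventID") != 7:
        return False
    unsigned = ev.get("Signed", "").lower() == "false"
    return unsigned and bool(USER_WRITABLE.search(ev["ImageLoaded"]))

def triage(events):
    """Return (rule, process, artifact) tuples for every record that trips a rule."""
    findings = []
    for ev in events:
        if is_renamed_binary(ev):
            findings.append(("renamed-binary", ev["Image"], ev["OriginalFileName"]))
        if is_suspicious_sideload(ev):
            findings.append(("unsigned-sideload", ev["Image"], ev["ImageLoaded"]))
    return findings
```

Either rule alone is noisy on real fleets; the useful signal is the same process tripping both, which is what `triage` lets you correlate on the `Image` field.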
Other infection chains observed by researchers followed different paths but shared a common goal: delivering robust post-exploitation tooling. Some installers transmitted system reconnaissance data before dropping vulnerable legitimate software that was later exploited to load additional malware. In several cases, attackers ultimately deployed Cobalt Strike Beacons, a widely used post-exploitation framework, enabling remote control and lateral movement within compromised environments. The use of varied loaders, rotating infrastructure, and layered obfuscation techniques suggests the tooling has been actively maintained and refined over time.
Kaspersky researchers noted that the attackers continuously modified their infrastructure and payloads over a four-month period, from July to October 2025, likely to evade detection and limit forensic correlation. Despite the technical complexity, experts agree that the overall impact was limited due to the highly selective targeting strategy.
In response, security vendors including Rapid7, Kaspersky, and Orca Security have published indicators of compromise, along with detection and remediation guidance to help organizations assess potential exposure. The Notepad++ maintainer has since strengthened the application’s update mechanism by enforcing stricter certificate and signature verification and migrating the project’s website to a more secure hosting provider. These measures aim to reduce the risk of similar supply chain compromises in the future.
