Lotus Blossom, a state-sponsored threat group, successfully breached Notepad++'s official hosting infrastructure between June and December 2025. This article examines how that campaign redirected Notepad++ update traffic to malicious servers. By taking advantage of flaws in the shared hosting environment, the attackers gained unauthorized access to traffic meant for Notepad++'s update server.
Because of this breach, the attackers were able to intercept and alter software updates, distributing malicious updates to a subset of victims, mostly in Southeast Asia. The critical infrastructure, telecommunications, and government sectors were among those targeted. The attackers took advantage of this infrastructure-level compromise to distribute custom malware, such as the Chrysalis backdoor and Cobalt Strike Beacon. With these tools they were able to avoid detection and maintain continuous access.
Despite its initial focus on Southeast Asia, the campaign spread to the U.S., South America, and Europe, impacting industries like manufacturing, cloud hosting, energy, and finance.

Vector of Attack and Exploitation

To take advantage of lax verification controls, the attackers used older versions of Notepad++'s updater, particularly the WinGUp component. As a result, they were able to divert users trying to update Notepad++ to malicious servers. Victims who downloaded the seemingly legitimate update were infected with custom malware via an NSIS installer, which initiated a multi-stage infection process.

The attack used two techniques that are frequently used to get around security controls and inject payloads: DLL sideloading and Lua script injection. One infection chain used a Bitdefender component that executed the Chrysalis backdoor by sideloading a malicious DLL called log.dll. Another chain deployed Cobalt Strike Beacon, a well-known penetration-testing tool repurposed for cyberattacks, using a Lua script.

The log.dll sideloading chain can be hunted with the following detection query (MITRE TTP ID: T1574.001). It looks for a Bitdefender-signed process loading log.dll from outside the product's install directory and excludes the product's own binaries to reduce noise:

    config case_sensitive = false
    | dataset = xdr_data
    | fields actor_process_signature_vendor, actor_process_signature_product, action_module_path, actor_process_image_path, actor_process_image_sha256, agent_os_type, event_type, event_id, agent_hostname, _time, actor_process_image_name
    | filter event_type = ENUM.LOAD_IMAGE and agent_os_type = ENUM.AGENT_OS_WINDOWS
    | filter actor_process_signature_vendor contains "Bitdefender SRL" and action_module_path contains "log.dll"
    | filter actor_process_image_path not contains "Program Files\Bitdefender"
    | filter actor_process_image_name not in ("eps.rmm64.exe", "downloader.exe", "installer.exe", "epconsole.exe", "Epintegrationservice.exe", "EPHost.exe", "EPPowerConsole.exe", "epprotectedservice.exe", "epsecurityservice.exe", "DiscoverySrv.exe", "EPSecurityService.exe", "epupdateservice.exe", "testinitsigs.exe", "EPHost.Integrity.exe", "WatchDog.exe", "ProductAgentService.exe", "EPLowPrivilegeWorker.exe", "Product.Configuration.Tool.exe", "eps.rmm.exe")
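The sideloading detection described above, re-expressed as Python over constructed image-load events so the rule's three conditions (Bitdefender-signed parent, log.dll module, parent outside the product directory) and its allowlist can be tested offline. This is an added example, not the page's query or any vendor code; the field names follow the query, but every event, path and process name (bdhelper.exe, the Update directory) is constructed.

```python
# Added example (not the page's query or any vendor code): apply the page's
# log.dll sideloading rule to constructed image-load events.

# Bitdefender binaries the rule excludes, lower-cased for matching.
ALLOWED_IMAGE_NAMES = {
    "eps.rmm64.exe", "downloader.exe", "installer.exe", "epconsole.exe",
    "epintegrationservice.exe", "ephost.exe", "eppowerconsole.exe",
    "epprotectedservice.exe", "epsecurityservice.exe", "discoverysrv.exe",
    "epupdateservice.exe", "testinitsigs.exe", "ephost.integrity.exe",
    "watchdog.exe", "productagentservice.exe", "eplowprivilegeworker.exe",
    "product.configuration.tool.exe", "eps.rmm.exe",
}

def is_suspicious_sideload(event):
    """True when a Bitdefender-signed process loads log.dll outside its install dir."""
    if event.get("event_type") != "LOAD_IMAGE" or event.get("agent_os_type") != "AGENT_OS_WINDOWS":
        return False
    vendor = event.get("actor_process_signature_vendor", "").lower()
    module = event.get("action_module_path", "").lower()
    image_path = event.get("actor_process_image_path", "").lower()
    image_name = event.get("actor_process_image_name", "").lower()
    if "bitdefender srl" not in vendor or "log.dll" not in module:
        return False
    # Loads from the genuine install directory are the expected benign case.
    if "program files\\bitdefender" in image_path:
        return False
    # Known product binaries are allowlisted to cut down noise.
    return image_name not in ALLOWED_IMAGE_NAMES

def find_suspicious(events):
    """Return the event_ids that match the rule, in input order."""
    return [e["event_id"] for e in events if is_suspicious_sideload(e)]

def _evt(event_id, vendor, directory, image, module="log.dll"):
    """Constructed Windows LOAD_IMAGE record carrying only the fields the rule reads."""
    return {"event_id": event_id, "event_type": "LOAD_IMAGE",
            "agent_os_type": "AGENT_OS_WINDOWS",
            "actor_process_signature_vendor": vendor,
            "actor_process_image_path": directory + "\\" + image,
            "actor_process_image_name": image,
            "action_module_path": directory + "\\" + module}

# Constructed sample events (paths and names are illustrative); only evt-2 fires.
SAMPLE_EVENTS = [
    _evt("evt-1", "Bitdefender SRL", r"C:\Program Files\Bitdefender", "eps.rmm64.exe"),
    _evt("evt-2", "Bitdefender SRL", r"C:\Users\Public\Update", "bdhelper.exe"),
    _evt("evt-3", "Bitdefender SRL", r"C:\Users\Public\Update", "downloader.exe"),
    _evt("evt-4", "Bitdefender SRL", r"C:\Users\Public\Update", "bdhelper.exe", "other.dll"),
    _evt("evt-5", "Notepad++", r"C:\Program Files\Notepad++", "notepad++.exe"),
]
```

Running `find_suspicious(SAMPLE_EVENTS)` returns only `['evt-2']`: the genuine install path, the allowlisted downloader.exe, a non-log.dll module and a non-Bitdefender signer are all left alone.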
In order to enable additional exploitation of the compromised networks, these payloads were designed to gain remote control over the victim's systems.

Strategies for Evasion and Persistence

The Chrysalis backdoor demonstrated a number of advanced evasion strategies, such as custom API hashing to avoid antivirus detection and Microsoft Warbird, a dynamic code protection framework. Additionally, the malware's low-profile design allowed it to avoid detection for extended periods of time.
Targeting important infrastructure operators, administrators, and developers, its capacity to sustain continuous access to compromised systems made it a desirable instrument for cyberespionage. Palo Alto Networks identified two different infection chains that both used sophisticated methods like DLL sideloading and malicious NSIS installers. In order to avoid detection, attackers switched between IP addresses during phased communication with command-and-control (C2) servers.
The attackers' emphasis on highly strategic industries like cloud hosting and government highlights their long-term goal of obtaining sensitive intelligence rather than causing immediate disruption. One notable advancement in the strategies used by state-sponsored threat actors is the Notepad++ supply chain attack.
This attack specifically targeted system administrators and developers, gaining access to privileged user sessions, in contrast to conventional techniques that target large infrastructure systems. The increasing sophistication of cyber espionage operations is demonstrated by this strategic shift from wide-ranging attacks to highly targeted campaigns.

Indicators of compromise:

    Indicator Type    Value
    C2 IP             45.76.155.202
    C2 IP             45.77.31.210
    C2 IP             45.32.144.255
    Mutex             Global\Jdhfv_1.0.1
    Malicious DLL     log.dll
    Download URL      /update/update.exe
Notepad++ has improved security procedures and added verification steps to its update process in response to the attack, making significant changes to its software and hosting environment.