Between June and December 2025, the state-sponsored threat group Lotus Blossom gained access to Notepad++'s official hosting infrastructure, targeting users in critical infrastructure sectors, telecommunications companies, and government agencies. By breaching the shared hosting provider's environment, the attackers were able to intercept traffic intended for the Notepad++ update server and reroute it to their own malicious infrastructure.

Although the campaign also spread to South America, the United States, and Europe, the infrastructure-level hijack allowed for the selective targeting of victims, most of whom were in Southeast Asia.

System administrators, network engineers, and DevOps staff frequently use Notepad++, a lightweight, open-source code editor, in business settings.

When larger applications are impractical, these professionals frequently use the tool to audit code on secure systems, change server configurations, and parse system logs. Palo Alto Networks analysts discovered that by breaking into the sessions of privileged users, attackers were able to circumvent perimeter defenses and obtain implicit administrative access to critical network infrastructure. The attack took advantage of inadequate verification controls in previous iterations of WinGUp, the Notepad++ updater component.

Targeted victims unintentionally downloaded update.exe, a malicious NSIS installer, when they tried to update their software, starting a convoluted infection chain.

Researchers from Unit 42 found two different attack sequences: one chain that used DLL sideloading techniques to install the Chrysalis backdoor, and another that used a Lua script injection variant to deliver Cobalt Strike beacon malware. The malicious installer loaded a malicious library, log.dll, by abusing a genuine Bitdefender component, BluetoothService.exe, which subsequently decrypted and ran the custom backdoor. Communication with command-and-control servers at IP addresses 45.76.155[.]202 and 45.77.31[.]210 was another activity seen between August and November 2025. The attackers were moving between servers to keep continuous access.

Mechanism of Infection

Advanced evasion techniques were used by the Chrysalis backdoor to evade detection by security tools.

Attackers established persistent remote control over compromised systems by lowering antivirus detection through the use of custom API hashing techniques and the Microsoft Warbird code protection framework.
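As an added example (not from the article, Unit 42, or Notepad++), the following Python detection logic scans constructed Sysmon-style image-load and network-connection events for the two indicators described above: the BluetoothService.exe / log.dll sideloading pair and beacons to the reported C2 addresses. The event field names and the sample entries are assumptions made for illustration.

```python
import json
from ntpath import basename  # handles Windows paths on any host OS

# C2 addresses reported for the campaign (defanged in the article as 45.76.155[.]202 etc.)
C2_ADDRESSES = {"45.76.155.202", "45.77.31.210"}
# Sideloading pair described in the article: a legitimate Bitdefender binary loading a rogue log.dll
SIDELOAD_HOST = "bluetoothservice.exe"
SIDELOAD_DLL = "log.dll"

# Constructed Sysmon-style events (EventID 7 = image load, 3 = network connection), one JSON per line.
# These are made-up sample entries, not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Bitdefender\\BluetoothService.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "Image": "C:\\Users\\ops\\AppData\\Local\\Temp\\BluetoothService.exe", "ImageLoaded": "C:\\Users\\ops\\AppData\\Local\\Temp\\log.dll"}
{"EventID": 3, "Image": "C:\\Users\\ops\\AppData\\Local\\Temp\\BluetoothService.exe", "DestinationIp": "45.77.31.210", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 443}
""".strip()


def detect(events_text):
    """Return (rule_name, detail) tuples for events that match the campaign indicators."""
    hits = []
    for line in events_text.splitlines():
        ev = json.loads(line)
        image = basename(ev.get("Image", "")).lower()
        if ev["EventID"] == 7:
            # DLL sideloading: the trusted host process pulls in a library by the rogue name
            dll = basename(ev.get("ImageLoaded", "")).lower()
            if image == SIDELOAD_HOST and dll == SIDELOAD_DLL:
                hits.append(("dll_sideload", ev["ImageLoaded"]))
        elif ev["EventID"] == 3:
            # Beaconing: any process connecting to a known C2 address
            dst = ev.get("DestinationIp", "")
            if dst in C2_ADDRESSES:
                hits.append(("c2_beacon", f"{image} -> {dst}:{ev.get('DestinationPort')}"))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On the sample events the kernel32.dll load and the connection to the documentation range address are ignored, while the Temp-directory log.dll load and the connection to 45.77.31.210 are reported.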

In order to inject shellcode and distribute Cobalt Strike beacon malware, attackers used the EnumWindowStationsW API to deploy malicious scripts in the Lua script injection variant. Across several continents, the campaign focused on the cloud hosting, energy, financial, government, manufacturing, and software development industries.

Seconds after the malicious payload was downloaded, beacons to the malicious servers were sent out, and communication persisted for an extended period. Since then, Notepad++ has improved its security features with version 8.9.1, which now includes XML signing of update server responses and certificate and signature verification of downloaded installers. Beginning with version 8.9.2, the developers intend to implement more stringent verification after moving to a new hosting company with better security procedures.
