The recently disclosed compromise of the infrastructure hosting Notepad++ has been attributed with medium confidence to Lotus Blossom, a threat actor with ties to China. According to new Rapid7 findings, the attack allowed the state-sponsored hacking group to serve users of the open-source editor a previously undocumented backdoor codenamed Chrysalis.

The development follows Notepad++ maintainer Don Ho's statement that, because of inadequate update verification controls in earlier versions of the utility, threat actors were able to selectively reroute update traffic from specific users to malicious servers in order to serve a tampered update, beginning in June 2025, as a result of a compromise at the hosting provider level. The weakness was fixed in version 8.8.9, released in December 2025.

It has since come to light that the software's hosting provider was compromised in order to carry out targeted traffic redirections until the attacker's access was removed on December 2, 2025. Notepad++ has since moved to a more secure hosting company and rotated all of its login credentials. According to Rapid7's investigation of the event, there is no evidence or artifact showing that the updater mechanism itself was used to spread malware.

Security researcher Ivan Feigl stated, "The only verified behavior is that the execution of 'notepad++.exe' and then 'GUP.exe' preceded the execution of a suspicious process 'update.exe' which was downloaded from 95.179.213.0."

The Nullsoft Scriptable Install System (NSIS) installer "Update.exe" bundles three files: BluetoothService.exe, a modified version of the Bitdefender Submission Wizard used for DLL side-loading, a technique frequently employed by Chinese threat actors; BluetoothService, the encrypted shellcode (Chrysalis); and log.dll, a malicious DLL that is sideloaded to decrypt and run the shellcode. Chrysalis is a custom, feature-rich implant that collects system data and communicates with an external server ("api.skycloudcenter[.]com"), most likely to obtain additional commands for execution on the compromised host. At the moment, the command-and-control (C2) server is not operational.

Nevertheless, a closer look at the obfuscated artifact has shown that it can process incoming HTTP responses to launch an interactive shell, generate processes, carry out file operations, upload and download files, and remove itself.
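As an added illustration (not code from Rapid7 or from the article), the following Python hunts constructed Sysmon-style process-creation and image-load records for the two behaviours described above: the notepad++.exe -> GUP.exe -> update.exe chain and log.dll being side-loaded by BluetoothService.exe. The event tuple layout, file paths and sample rows are assumptions made for the example.

```python
import ntpath

# Constructed telemetry (assumed layout): (event_id, pid, ppid, image, loaded_image)
# event_id 1 = process creation, 7 = image (DLL) load. Paths are made up.
SAMPLE_EVENTS = [
    (1, 100, 50,  r"C:\Program Files\Notepad++\notepad++.exe", None),
    (1, 200, 100, r"C:\Program Files\Notepad++\updater\GUP.exe", None),
    (1, 300, 200, r"C:\Users\alice\AppData\Local\Temp\update.exe", None),
    (1, 400, 300, r"C:\ProgramData\BluetoothService.exe", None),
    (7, 400, 300, r"C:\ProgramData\BluetoothService.exe", r"C:\ProgramData\log.dll"),
    # Constructed benign row: a second GUP.exe run that spawns something else.
    (1, 500, 100, r"C:\Program Files\Notepad++\updater\GUP.exe", None),
    (1, 600, 500, r"C:\Users\alice\AppData\Local\Temp\setup-installer.exe", None),
]

# Directories a low-privileged user can normally write to (heuristic, assumed).
WRITABLE_HINTS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

def _procs(events):
    """Map pid -> (ppid, image) from process-creation records."""
    return {pid: (ppid, image) for eid, pid, ppid, image, _ in events if eid == 1}

def _chain(pid, procs, depth=5):
    """Lower-cased basenames of pid and its ancestors, nearest first."""
    names = []
    while pid in procs and len(names) < depth:
        pid, image = procs[pid][0], procs[pid][1]
        names.append(ntpath.basename(image).lower())
    return names

def find_update_chain(events):
    """Return pids of update.exe whose parent is GUP.exe and grandparent notepad++.exe."""
    procs = _procs(events)
    return [pid for pid in procs
            if _chain(pid, procs)[:3] == ["update.exe", "gup.exe", "notepad++.exe"]]

def find_sideloads(events):
    """Return (exe, dll) pairs where a DLL is loaded from the host executable's own
    directory and that directory is user-writable: a common side-loading pattern."""
    hits = []
    for eid, _pid, _ppid, image, loaded in events:
        if eid != 7 or loaded is None:
            continue
        exe_dir = ntpath.dirname(image).lower() + "\\"
        same_dir = exe_dir == ntpath.dirname(loaded).lower() + "\\"
        if same_dir and any(hint in exe_dir for hint in WRITABLE_HINTS):
            hits.append((ntpath.basename(image), ntpath.basename(loaded)))
    return hits

if __name__ == "__main__":
    print("suspicious update chains:", find_update_chain(SAMPLE_EVENTS))
    print("possible side-loads:", find_sideloads(SAMPLE_EVENTS))
```

The chain check is deliberately narrow (it keys on the update.exe name reported above) so that GUP.exe launching a legitimate installer does not fire; the side-load heuristic is broader and will also surface other exe/DLL pairs in writable directories.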

"Overall, the sample looks like something that has been actively developed over time," Rapid7 stated. It also found a file called "conf.c" that uses a custom loader that embeds Metasploit block API shellcode to retrieve a Cobalt Strike beacon. Among these loaders, "ConsoleApplication2.exe" stands out for executing shellcode using Microsoft Warbird, an undocumented internal code protection and obfuscation framework.

The threat actor has been discovered to replicate and alter an existing proof-of-concept (PoC) that was released in September 2024 by the German cybersecurity firm Cirosec.

Chrysalis was attributed by Rapid7 to Lotus Blossom (also known as Billbug, Bronze Elgin, Raspberry Typhoon, Spring Dragon, and Thrip) due to similarities with previous campaigns carried out by the threat actor, including one that was reported by Symantec, a company owned by Broadcom, in April 2025 and involved the use of legitimate executables from Trend Micro and Bitdefender to sideload malicious DLLs. "The group's multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealth tradecraft," the company stated, even though they still rely on tried-and-true tactics like DLL side-loading and service persistence.

"What's notable is the combination of tools: the use of commodity frameworks like Metasploit and Cobalt Strike in conjunction with custom malware (Chrysalis) and the quick adaptation of public research (particularly the misuse of Microsoft Warbird)." This indicates that in order to stay ahead of contemporary detection, Billbug is constantly updating its playbook.