Notepad++ was compromised by Chinese APT group Lotus Blossom for 6 months (June-December 2025). The attackers hijacked the update mechanism to deliver a new backdoor called Chrysalis to fewer than 24 highly selective targets—government organizations in the Philippines, financial institutions in El Salvador, and IT providers in Vietnam. The breach was disclosed February 2, 2026. Update to v8.9.1 immediately.
What Happened?
On February 2, 2026, Notepad++ developer Don Ho disclosed that the application's update infrastructure had been compromised by suspected Chinese state-sponsored hackers. The attackers didn't exploit a vulnerability in Notepad++ itself—they compromised the hosting provider's infrastructure, allowing them to selectively redirect update traffic to malicious servers.
Security researchers at Rapid7 attributed the attack with "medium confidence" to Lotus Blossom (also known as Billbug), a Chinese APT group active since 2009 that primarily targets government, telecom, aviation, and critical infrastructure in Southeast Asia.
Attack Timeline
According to Kaspersky and Rapid7, the attack unfolded over several months:
- June 2025 — Attackers gain initial access to hosting infrastructure
- June-September 2025 — "Active Infection Phase" with selective redirects to malicious servers
- July-October 2025 — Attackers rotate C2 servers, downloaders, and payloads
- September 2, 2025 — Hosting provider kernel update temporarily severs access
- December 2025 — Fix released in Notepad++ v8.8.9
- February 2, 2026 — Public disclosure by Don Ho
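The "selective redirects" in the timeline leave a trace in egress logs: an update check sent to the legitimate host is answered with a redirect to a host the vendor does not own, and only for some clients. The script below is an added example, not code from the article or from the Notepad++ project. It runs detection logic over a constructed web-proxy log; the allowlist, the `/update/check` path, the `WinGup/5.2` user-agent string and the attacker host are all assumptions made up for the example.

```python
from urllib.parse import urlparse

# Hosts that legitimately serve the update manifest and installers.
# Assumption for this example, not a list taken from the article.
ALLOWED_UPDATE_HOSTS = {"notepad-plus-plus.org", "github.com"}

# Substring identifying the updater in the User-Agent. "WinGup" is the updater
# the article names; the exact UA it sends is an assumption here.
UPDATER_UA_MARKER = "WinGup"

# Constructed proxy log, one request per line:
#   <timestamp> <client_ip> <method> <url> <status> <redirect_location|-> "<user-agent>"
# Paths and the attacker host are invented for this example.
SAMPLE_LOG = """\
2025-07-14T09:12:03Z 10.1.20.15 GET https://notepad-plus-plus.org/update/check?version=8.8.3 200 - "WinGup/5.2"
2025-07-14T09:12:05Z 10.1.20.42 GET https://notepad-plus-plus.org/update/check?version=8.8.3 302 https://cdn-updates.example-attacker.net/npp/8.8.4/installer.exe "WinGup/5.2"
2025-07-14T09:12:06Z 10.1.20.42 GET https://cdn-updates.example-attacker.net/npp/8.8.4/installer.exe 200 - "WinGup/5.2"
2025-07-14T09:13:11Z 10.1.20.15 GET https://github.com/example-org/releases/npp.8.8.4.Installer.x64.exe 200 - "WinGup/5.2"
2025-07-14T09:15:00Z 10.1.20.77 GET https://www.example.com/index.html 200 - "Mozilla/5.0"
"""


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the format."""
    parts = line.split(" ", 6)
    if len(parts) != 7:
        return None
    ts, client, method, url, status, location, ua = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "location": location, "ua": ua.strip('"')}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyze_proxy_log(lines, allowed_hosts=ALLOWED_UPDATE_HOSTS):
    """Return findings for update traffic that leaves the vendor's infrastructure."""
    findings = []
    for raw in lines:
        entry = parse_line(raw.strip()) if raw.strip() else None
        if entry is None:
            continue
        req_host = host_of(entry["url"])
        from_updater = UPDATER_UA_MARKER in entry["ua"]
        # Check 1: a request to the legitimate update host answered with a
        # redirect whose target is outside the allowlist.
        if entry["status"].startswith("3") and entry["location"] != "-":
            loc_host = host_of(entry["location"])
            if req_host in allowed_hosts and loc_host not in allowed_hosts:
                findings.append({"kind": "update_redirected_offsite",
                                 "client": entry["client"], "ts": entry["ts"],
                                 "detail": f"{req_host} -> {loc_host}"})
        # Check 2: the updater itself downloading from a host outside the allowlist.
        if from_updater and req_host not in allowed_hosts:
            findings.append({"kind": "updater_fetch_from_unknown_host",
                             "client": entry["client"], "ts": entry["ts"],
                             "detail": entry["url"]})
    return findings


def clients_by_outcome(lines, allowed_hosts=ALLOWED_UPDATE_HOSTS):
    """Split updater clients into redirected and clean, to show how selective the hijack was."""
    redirected = {f["client"] for f in analyze_proxy_log(lines, allowed_hosts)}
    all_updater_clients = set()
    for raw in lines:
        entry = parse_line(raw.strip()) if raw.strip() else None
        if entry and UPDATER_UA_MARKER in entry["ua"]:
            all_updater_clients.add(entry["client"])
    return sorted(redirected), sorted(all_updater_clients - redirected)


if __name__ == "__main__":
    for finding in analyze_proxy_log(SAMPLE_LOG.splitlines()):
        print(finding)
    print("redirected / clean:", clients_by_outcome(SAMPLE_LOG.splitlines()))
```

In the constructed sample only 10.1.20.42 is redirected while 10.1.20.15 receives a normal response, which is exactly the "low-noise" pattern the researchers describe: a hunt that compares per-client outcomes for the same update request catches it even when the overall volume of off-site traffic is tiny.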
"The shellcode, once decrypted by log.dll, is a custom, feature-rich backdoor we've named 'Chrysalis'. Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility." — Rapid7
The Chrysalis Backdoor
Chrysalis is a previously undocumented backdoor discovered during this investigation. It uses custom encryption, reflective loading, API hashing, and hides its configuration in an encrypted shellcode blob. Key capabilities include:
- Persistence — Via Windows services or registry keys
- Remote Access — Spawn reverse shells on demand
- Data Exfiltration — File transfers to C2 servers
- Self-Destruction — Full self-removal to avoid forensic detection
Who Was Targeted?
Despite Notepad++ having millions of users worldwide, this was a highly selective attack. Kaspersky identified targets including:
- Government organization in the Philippines
- Financial organization in El Salvador
- IT service providers in Vietnam
- Individuals in Australia
Researchers stressed this was not broad supply-chain poisoning—the attackers deliberately kept the operation "low-noise" to avoid detection while maintaining long-term persistence.
What You Should Do
Update to Notepad++ v8.9.1 immediately via manual download from the official website or GitHub. The development team has migrated to a new hosting provider and strengthened the WinGup updater to verify both certificate and installer signatures before execution.
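The hardening described above, verifying the download before anything is executed, is the control that an infrastructure-level hijack cannot bypass: the attacker can redirect the request, but cannot produce an installer that passes a check rooted in something they do not control. The following is an added example, not the project's WinGup code, showing the shape of such a check in Python. Because Authenticode verification needs Windows APIs, the signature check is stood in for by a digest pinned through a channel independent of the update server (an internal software catalogue or a release page read out of band); the manifest format, download URLs, attacker host and the installer bytes are all constructed for the example.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Hosts the client will accept a download from. Assumption for this example.
TRUSTED_HOSTS = {"notepad-plus-plus.org", "github.com"}

# Installer image and its digest. In a real client the digest is a literal
# copied from a source independent of the update server; here it is computed
# from a constructed byte string so the example runs offline.
INSTALLER_BYTES_GOOD = b"constructed installer image v8.9.1"
KNOWN_GOOD_SHA256 = {
    "8.9.1": hashlib.sha256(INSTALLER_BYTES_GOOD).hexdigest(),
}

# Constructed update manifests as the updater might receive them. The first
# points at the vendor host; the second is what a hijacked update server would
# hand back, pointing at an attacker-controlled host.
GOOD_MANIFEST = json.dumps({
    "version": "8.9.1",
    "url": "https://notepad-plus-plus.org/downloads/v8.9.1/npp.8.9.1.Installer.x64.exe",
})
REDIRECTED_MANIFEST = json.dumps({
    "version": "8.9.1",
    "url": "https://cdn-updates.example-attacker.net/npp/8.9.1/installer.exe",
})


def parse_version(text):
    """'8.9.1' -> (8, 9, 1); raises ValueError on anything that is not dotted integers."""
    return tuple(int(part) for part in text.split("."))


def verify_update(manifest_json, installer_bytes, installed_version,
                  known_good=KNOWN_GOOD_SHA256, trusted_hosts=TRUSTED_HOSTS):
    """Apply every check in order; return (accepted, reason). Execute only on accepted=True."""
    try:
        manifest = json.loads(manifest_json)
        version = manifest["version"]
        url = manifest["url"]
    except (ValueError, KeyError, TypeError) as exc:
        return False, f"malformed manifest: {exc}"

    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "download URL is not https"
    if parsed.hostname not in trusted_hosts:
        return False, f"download host {parsed.hostname!r} is not allowlisted"

    # Refuse downgrades and replays of the currently installed version.
    try:
        if parse_version(version) <= parse_version(installed_version):
            return False, "offered version does not advance the installed one"
    except ValueError:
        return False, "unparsable version string"

    # The digest must come from somewhere the update server cannot influence;
    # a hash embedded in the manifest itself would prove nothing here.
    expected = known_good.get(version)
    if expected is None:
        return False, f"no independently pinned digest for version {version}"
    actual = hashlib.sha256(installer_bytes).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "installer digest does not match pinned value"

    return True, "all checks passed"


if __name__ == "__main__":
    print(verify_update(GOOD_MANIFEST, INSTALLER_BYTES_GOOD, "8.8.3"))
    print(verify_update(REDIRECTED_MANIFEST, INSTALLER_BYTES_GOOD, "8.8.3"))
    print(verify_update(GOOD_MANIFEST, b"tampered image", "8.8.3"))
```

The ordering matters: the host allowlist rejects the hijacked manifest before any bytes are fetched, the version check blocks an attacker replaying an older, signed-but-vulnerable installer, and the digest comparison is the last gate before execution. On Windows the digest step is where a real client would additionally require a valid Authenticode signature from the expected publisher, as the updated WinGup now does.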