
Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

The Hacker News, 03/02/2026, 04:55

Summary

AI-Generated

Key Points:

  • A China-linked group, Lotus Blossom, has compromised the infrastructure hosting Notepad++, enabling them to deliver a backdoor named Chrysalis to users via malicious update traffic.
  • The attack exploited insufficient update verification controls in older Notepad++ versions, allowing targeted redirection of update requests until December 2, 2025. The impact includes potential unauthorized access and system compromise for affected users.
  • Organizations should ensure they are using the latest version of Notepad++ (8.8.9 or later), monitor for unusual processes like "update.exe," and implement strong security measures for software updates.

Technical Details: The backdoor, Chrysalis, is capable of gathering system information, executing commands, and utilizing a C2 server ("api.skycloudcenter[.]com") for further instructions. It employs techniques such as DLL side-loading and service persistence.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1203 - Exploitation for Client Execution (Execution)
  • T1055 - Process Injection (Execution)
  • T1070.001 - Indicator Removal on Host: File Deletion (Defense Evasion)

IOCs Mentioned:

  • IP Address: 95.179.213.0
  • C2 Domain: api.skycloudcenter[.]com
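As an added example that is not part of the article or the summary above, the script below shows how a SOC might turn the two published indicators and the "update.exe" hunting hint into a check over log lines. It refangs the defanged indicators, matches the domain in DNS queries and the IP in proxy records (anchored so a longer address such as 95.179.213.01 is not a false match), and flags process-creation events whose image is update.exe running outside an expected updater directory. The log format (`qname=`, `dst=`, `image="..."`) and the expected updater directory are assumptions for the example, not facts from the article; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators as published in the summary above, kept defanged so they are not live links.
DEFANGED_IOCS = {
    "c2_domain": "api.skycloudcenter[.]com",
    "c2_ip": "95.179.213.0",
}

# Process name the summary recommends watching for.
SUSPECT_PROCESS = "update.exe"

# ASSUMPTION (not from the article): directory the legitimate updater is expected to run
# from. Placeholder to be replaced with the baseline observed in your own environment.
EXPECTED_UPDATER_DIR = r"c:\program files\notepad++\updater"

# Constructed sample events (not from the article): DNS, proxy and process-creation lines.
SAMPLE_LOGS = [
    'dns client=10.0.0.12 qname=api.skycloudcenter.com qtype=A',
    'proxy client=10.0.0.12 dst=95.179.213.0:443 method=CONNECT',
    'proc_create host=ws12 image="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe" parent=notepad++.exe',
    'dns client=10.0.0.13 qname=notepad-plus-plus.org qtype=A',
    'proc_create host=ws13 image="C:\\Program Files\\Notepad++\\updater\\update.exe" parent=notepad++.exe',
    'proxy client=10.0.0.14 dst=95.179.213.01:443 method=CONNECT',
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') into the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Finding:
    line_no: int
    reason: str
    line: str


def scan_logs(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that matches a C2 indicator or a suspect process."""
    domain = refang(DEFANGED_IOCS["c2_domain"]).lower()
    ip = refang(DEFANGED_IOCS["c2_ip"])
    # Require non-address characters on both sides so 95.179.213.0 does not match 95.179.213.01.
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    # Assumed event format: the executable path is carried as image="<path>".
    image_re = re.compile(r'image="([^"]+)"', re.IGNORECASE)

    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        lowered = line.lower()
        if domain in lowered:
            findings.append(Finding(n, "C2 domain " + DEFANGED_IOCS["c2_domain"], line))
        if ip_re.search(line):
            findings.append(Finding(n, "C2 IP " + DEFANGED_IOCS["c2_ip"], line))
        m = image_re.search(line)
        if m:
            path = m.group(1).lower()
            if path.endswith("\\" + SUSPECT_PROCESS) and not path.startswith(EXPECTED_UPDATER_DIR):
                findings.append(Finding(n, "update.exe outside expected updater directory", line))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.reason}: {f.line}")
```

Run against the constructed sample, the script reports three lines: the DNS query for the C2 domain, the proxy connection to the C2 IP, and update.exe launched from a user's Temp directory; the legitimate-looking updater path and the near-miss IP are left alone. Swap `SAMPLE_LOGS` for lines read from your own DNS, proxy and EDR exports to use it on real data.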
