Rapid7 Labs has detailed a cyber-espionage campaign involving a Notepad++ supply-chain attack attributed with moderate confidence to the Chinese advanced persistent threat (APT) group Lotus Blossom.
Active since at least 2009, Lotus Blossom is known for targeted espionage operations against government, telecom, aviation, critical infrastructure, and media organizations, primarily across Southeast Asia and more recently Central America.
On February 2, the maintainer of Notepad++ disclosed that state-sponsored threat actors compromised the text editor’s update infrastructure, redirecting some users to malicious servers. According to developer Don Ho, the attack involved an infrastructure-level breach at Notepad++’s hosting provider, not vulnerabilities in the application’s source code. The compromise allowed attackers, believed to be linked to China, to intercept and reroute update traffic intended for notepad-plus-plus.org.
In the campaign analyzed by Rapid7, the threat actor compromised infrastructure associated with Notepad++ to deliver a previously undocumented backdoor, dubbed “Chrysalis.” The researchers also uncovered multiple custom loaders in the wild, including ConsoleApplication2.exe, which employs the Microsoft Warbird code-protection framework to conceal shellcode execution.
The analysis showed that the intruders abused the Notepad++ distribution infrastructure for initial access. While previous reports suggested the breach occurred via plugin replacement and updater-based mechanisms, Rapid7 found no definitive evidence confirming this.
“The only confirmed behavior is that execution of ‘notepad++.exe’ and subsequently ‘GUP.exe’ preceded the execution of a suspicious process ‘update.exe’ which was downloaded from 95.179.213.0.,” the report notes.
Update.exe is an NSIS installer, a tool commonly used by Chinese APT groups. The installer ultimately executes shellcode decrypted by log.dll, deploying the Chrysalis backdoor. Chrysalis is a persistent implant that relies on DLL side-loading with benign-looking filenames, custom API hashing, layered obfuscation, and structured command-and-control communications.
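The confirmed execution chain above (notepad++.exe, then GUP.exe, then a downloaded update.exe) is something a SOC can hunt for directly in endpoint telemetry. The following is an added detection example, not code from Rapid7 or the Notepad++ project: it walks constructed Sysmon-style process-creation and network-connection records (the field names pid, ppid, image and dest_ip, the installer path, and the benign installer file name are all assumptions) and reports every GUP.exe child launched under notepad++.exe, flagging the ones that match the report's indicators.

```python
"""Hunt for the notepad++.exe -> GUP.exe -> <child> chain described by Rapid7.
Added example (not Rapid7's or Notepad++'s code). Event records are
constructed, Sysmon-style dicts with assumed field names."""
from pathlib import PureWindowsPath

# Indicators quoted in the report.
SUSPECT_CHILD = "update.exe"
SUSPECT_IP = "95.179.213.0"

# Constructed telemetry: one benign updater run (pids 200-202) and one run
# matching the reported chain (pids 100-102). Paths and file names are assumed.
EVENTS = [
    {"event": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"event": "process_create", "pid": 101, "ppid": 100, "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"event": "network_connect", "pid": 101, "dest_ip": "95.179.213.0"},
    {"event": "process_create", "pid": 102, "ppid": 101, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"event": "process_create", "pid": 200, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"event": "process_create", "pid": 201, "ppid": 200, "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"event": "process_create", "pid": 202, "ppid": 201, "image": r"C:\Users\alice\AppData\Local\Temp\npp_installer.exe"},
]

def basename(path):
    """Case-insensitive file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def find_updater_chains(events):
    """Return every notepad++.exe -> GUP.exe -> child chain with match reasons.

    An empty 'reasons' list means the chain is structurally normal (GUP.exe
    does spawn the downloaded installer) but still worth analyst review."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    talked_to_suspect_ip = {e["pid"] for e in events
                            if e["event"] == "network_connect" and e.get("dest_ip") == SUSPECT_IP}
    hits = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        grand = procs.get(parent["ppid"]) if parent else None
        if not (parent and grand):
            continue
        if basename(parent["image"]) != "gup.exe" or basename(grand["image"]) != "notepad++.exe":
            continue
        reasons = []
        if basename(child["image"]) == SUSPECT_CHILD:
            reasons.append("child named " + SUSPECT_CHILD)
        if parent["pid"] in talked_to_suspect_ip:
            reasons.append("GUP.exe connected to " + SUSPECT_IP)
        hits.append({"chain": (grand["pid"], parent["pid"], child["pid"]),
                     "child": child["image"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_updater_chains(EVENTS):
        print(hit["chain"], hit["child"], hit["reasons"] or "review")
```

Because the legitimate updater also spawns a freshly downloaded installer, the structural chain alone is not an alert; the reasons list, and in production the code-signing status of the child, decide whether it is.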
Attribution is based on strong similarities between the initial loader and techniques documented in previous Symantec research, particularly the use of a renamed Bitdefender Submission Wizard to side-load log.dll. Overlaps in execution chains and shared cryptographic material were also observed across multiple loaders, including conf.c and ConsoleApplication2.exe.