Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

China-Linked Lotus Blossom APT Uses Novel Chrysalis Backdoor in Notepad++ Supply Chain Attack

By Ravie Lakshmanan | February 3, 2026

A sophisticated Chinese state-sponsored hacking group known as Lotus Blossom has been linked with medium confidence to a highly targeted supply chain attack that compromised the infrastructure hosting the popular open-source text editor Notepad++, according to groundbreaking new research from Rapid7.

The attack, which unfolded over several months in 2025, enabled the advanced persistent threat (APT) group to deliver a previously undocumented malware family dubbed Chrysalis to a select group of Notepad++ users, marking one of the most concerning supply chain compromises in recent memory.

The Anatomy of a Stealthy Compromise

The Notepad++ development team first disclosed the breach in February 2026, revealing that their hosting provider had been compromised starting in June 2025. The attackers took advantage of insufficient update verification controls in older versions of the software: with control of the hosting infrastructure, they could selectively redirect update traffic from specific users to malicious servers and have the substituted update accepted.

“What makes this attack particularly insidious is its precision,” explains Ivan Feigl, security researcher at Rapid7. “The threat actors didn’t simply infect everyone who downloaded Notepad++—they carefully targeted specific users by hijacking only their update requests.”

The vulnerability was patched in December 2025 with the release of version 8.8.9, but not before the attackers had months to deploy their malware arsenal. The attackers' access to the hosting provider was cut off on December 2, 2025, and Notepad++ has since migrated to enhanced security infrastructure with rotated credentials.

Chrysalis: A Custom-Built Digital Weapon

At the heart of this attack lies Chrysalis, a bespoke, feature-rich backdoor that represents the cutting edge of Chinese APT malware development. The malware arrives disguised as a legitimate NSIS (Nullsoft Scriptable Install System) installer named “update.exe,” which contains multiple components working in concert:

  • An NSIS installation script that orchestrates the infection
  • BluetoothService.exe, a renamed Bitdefender Submission Wizard executable used for DLL side-loading
  • BluetoothService, encrypted shellcode containing the Chrysalis payload
  • log.dll, a malicious DLL that decrypts and executes the shellcode

This multi-stage delivery mechanism is particularly noteworthy because DLL side-loading has become a hallmark technique for Chinese hacking groups, allowing them to abuse legitimate software to bypass security controls.
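As an added defender-side illustration (not code from the article or from Rapid7), the Go program below applies the two signals that the chain above exposes, a signed executable whose on-disk name no longer matches the OriginalFilename in its version resource and an unsigned DLL loaded from that executable's own directory, to a few constructed image-load records shaped like Sysmon Event ID 7 data. The record contents, paths and the OriginalFilename placeholder are assumptions made for the example, not values from the incident.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ImageLoad is a simplified image-load record. The field set mirrors what a
// Sysmon Event ID 7 entry carries, but every record in sampleTelemetry below
// is constructed for this example, not captured from a real host.
type ImageLoad struct {
	Process       string // path of the process that loaded the module
	OriginalName  string // OriginalFilename from the process binary's version resource
	Module        string // path of the DLL that was loaded
	ProcessSigned bool   // process binary carries a valid Authenticode signature
	ModuleSigned  bool   // DLL carries a valid Authenticode signature
}

// Finding is one suspected side-load together with the rules that fired.
type Finding struct {
	Process string
	Module  string
	Reasons []string
}

// winBase and winDir split a Windows path without depending on the host OS
// separator (path/filepath would treat '\' as a normal character on Linux).
func winBase(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

func winDir(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[:i]
	}
	return ""
}

// parseRecord reads one "key=value;key=value" telemetry line.
func parseRecord(line string) (ImageLoad, error) {
	var r ImageLoad
	for _, field := range strings.Split(line, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(field), "=")
		if !ok {
			return r, fmt.Errorf("malformed field %q", field)
		}
		var err error
		switch k {
		case "process":
			r.Process = v
		case "original":
			r.OriginalName = v
		case "module":
			r.Module = v
		case "process_signed":
			r.ProcessSigned, err = strconv.ParseBool(v)
		case "module_signed":
			r.ModuleSigned, err = strconv.ParseBool(v)
		default:
			return r, fmt.Errorf("unknown field %q", k)
		}
		if err != nil {
			return r, err
		}
	}
	return r, nil
}

// classify applies the side-load heuristics to one record. A finding needs a
// renamed signed host process AND an unsigned DLL in that process's directory;
// either signal alone is common in benign software.
func classify(r ImageLoad) (Finding, bool) {
	var reasons []string
	if r.ProcessSigned && !strings.EqualFold(winBase(r.Process), r.OriginalName) {
		reasons = append(reasons, "signed process renamed on disk (OriginalFilename mismatch)")
	}
	if !r.ModuleSigned && strings.EqualFold(winDir(r.Module), winDir(r.Process)) {
		reasons = append(reasons, "unsigned DLL loaded from the process's own directory")
	}
	if len(reasons) < 2 {
		return Finding{}, false
	}
	return Finding{Process: r.Process, Module: r.Module, Reasons: reasons}, true
}

// detect runs classify over telemetry lines and returns the hits.
func detect(lines []string) ([]Finding, error) {
	var out []Finding
	for _, line := range lines {
		r, err := parseRecord(line)
		if err != nil {
			return nil, err
		}
		if f, hit := classify(r); hit {
			out = append(out, f)
		}
	}
	return out, nil
}

// sampleTelemetry is constructed. Record 1 mimics the chain the article
// describes (renamed vendor executable plus log.dll); the OriginalFilename
// value is a placeholder, not the real Bitdefender metadata.
var sampleTelemetry = []string{
	`process=C:\Users\alice\AppData\Local\Temp\BluetoothService.exe;original=PLACEHOLDER_SubmissionWizard.exe;module=C:\Users\alice\AppData\Local\Temp\log.dll;process_signed=true;module_signed=false`,
	`process=C:\Program Files\Notepad++\notepad++.exe;original=notepad++.exe;module=C:\Windows\System32\kernel32.dll;process_signed=true;module_signed=true`,
	`process=C:\Users\alice\Tools\sqlite3.exe;original=sqlite3.exe;module=C:\Users\alice\Tools\sqlite3.dll;process_signed=false;module_signed=false`,
}

func main() {
	findings, err := detect(sampleTelemetry)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("suspect side-load: %s -> %s\n", f.Process, f.Module)
		for _, why := range f.Reasons {
			fmt.Println("  -", why)
		}
	}
}
```

Only the first constructed record trips both rules; the unsigned developer tool in the third record loads an unsigned DLL from its own folder but is not a renamed signed binary, which is why the rules are required to fire together.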

Advanced Capabilities and C2 Infrastructure

Once deployed, Chrysalis establishes communication with its command-and-control server at api.skycloudcenter[.]com. The server was offline at the time of analysis, but examination of the obfuscated code revealed the backdoor's capabilities.

The backdoor is capable of processing incoming HTTP responses to:

  • Spawn interactive command shells
  • Create and manage processes
  • Perform comprehensive file operations (read, write, delete)
  • Upload and download files
  • Uninstall itself to cover tracks

“This isn’t just another commodity malware family,” Rapid7’s analysis emphasizes. “The sample shows clear signs of active development over time, with features that suggest it was built for long-term espionage operations.”

Microsoft Warbird: The Undocumented Advantage

Perhaps most alarmingly, the attackers demonstrated their ability to weaponize Microsoft Warbird, an undocumented internal code protection and obfuscation framework. This represents a significant escalation in APT tradecraft, as it leverages Microsoft’s own anti-reverse engineering technologies against defenders.

The threat actors didn’t develop this capability from scratch—they adapted a proof-of-concept published by German cybersecurity firm Cirosec in September 2024 that demonstrated how to abuse Warbird for shellcode execution. This rapid adoption of public research highlights how quickly sophisticated actors can incorporate new techniques into their arsenal.

The Cobalt Strike Connection

Adding another layer to this complex attack, Rapid7 discovered a file named “conf.c” designed to retrieve a Cobalt Strike beacon through a custom loader embedding Metasploit block API shellcode. This combination of custom malware (Chrysalis) with commodity frameworks like Metasploit and Cobalt Strike demonstrates the attacker’s flexible approach to achieving their objectives.

One particularly sophisticated loader, “ConsoleApplication2.exe,” uses the Warbird framework to execute shellcode, showcasing the attackers’ commitment to stealth and evasion.

Lotus Blossom’s Evolving Playbook

Rapid7’s attribution to Lotus Blossom (also known as Billbug, Bronze Elgin, Raspberry Typhoon, Spring Dragon, and Thrip) is based on striking similarities with previous campaigns. The group has a documented history of using legitimate executables from security vendors like Trend Micro and Bitdefender to sideload malicious DLLs—a technique they employed again in this Notepad++ attack.

“What stands out is the mix of tools,” Rapid7 notes. “The deployment of custom malware alongside commodity frameworks, combined with the rapid adaptation of public research, demonstrates that Billbug is actively updating its playbook to stay ahead of modern detection.”

The group’s use of undocumented system calls like NtQuerySystemInformation marks a clear shift toward more resilient and stealthy tradecraft, suggesting significant investment in their malware development capabilities.

The Bigger Picture: Supply Chain Security in Crisis

This attack represents a watershed moment for open-source software security. Notepad++, with millions of users worldwide, has long been considered a trusted tool for developers and system administrators. The fact that a state-sponsored actor could compromise its update mechanism for months without detection raises serious questions about the security of software supply chains globally.

The precision targeting of specific users rather than a broad infection campaign suggests this was an espionage operation aimed at high-value targets—potentially government agencies, defense contractors, or technology companies with intellectual property worth stealing.

Lessons and Implications

For organizations using Notepad++, the immediate recommendation is to ensure they’re running version 8.8.9 or later. However, the broader implications extend far beyond a single text editor.

This incident highlights several critical cybersecurity challenges:

  • The vulnerability of even well-maintained open-source projects to sophisticated attackers
  • The effectiveness of supply chain attacks for targeted espionage
  • The rapid evolution of APT tradecraft, particularly the weaponization of legitimate tools and frameworks
  • The need for enhanced verification mechanisms in software update processes
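The last point in that list, and the "insufficient update verification controls" described earlier in the article, come down to a client that installs whatever the update host returns. The Go program below is an added example (not Notepad++'s updater and not code from the article) of the minimal check that takes the hosting provider out of the trust chain: a manifest signed offline with a vendor Ed25519 key that is pinned in the client, a SHA-256 digest of the installer carried in that signed manifest, and a version comparison that refuses downgrades. The manifest format, key handling and installer bytes are all assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is what the update host serves. Only the vendor's offline key can
// sign it, so a compromised host can neither alter it nor mint its own.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

// SignedManifest carries the exact bytes that were signed plus the signature.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrHashMismatch = errors.New("installer digest does not match signed manifest")
	ErrDowngrade    = errors.New("manifest version is not newer than installed version")
)

// signManifest is the vendor-side step, run where the private key lives.
func signManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// newerVersion compares dotted numeric versions such as "8.8.9" > "8.8.8".
func newerVersion(candidate, installed string) bool {
	c, i := strings.Split(candidate, "."), strings.Split(installed, ".")
	for n := 0; n < len(c) || n < len(i); n++ {
		cv, iv := 0, 0
		if n < len(c) {
			cv, _ = strconv.Atoi(c[n])
		}
		if n < len(i) {
			iv, _ = strconv.Atoi(i[n])
		}
		if cv != iv {
			return cv > iv
		}
	}
	return false
}

// verifyUpdate is the client-side check. The order matters: the signature is
// checked before anything in the manifest is trusted, and the installer is
// checked against the manifest before it is ever executed.
func verifyUpdate(pinned ed25519.PublicKey, sm SignedManifest, installer []byte, installedVersion string) (Manifest, error) {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if !newerVersion(m.Version, installedVersion) {
		return m, ErrDowngrade
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return m, err
	}
	got := sha256.Sum256(installer)
	if !bytes.Equal(got[:], want) {
		return m, ErrHashMismatch
	}
	return m, nil
}

func main() {
	// Vendor side: a throwaway key pair stands in for the real pinned key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed installer bytes standing in for update.exe")
	sum := sha256.Sum256(installer)
	sm, err := signManifest(priv, Manifest{Version: "8.8.9", SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}

	// Client side: three deliveries from the update host.
	_, err = verifyUpdate(pub, sm, installer, "8.8.8")
	fmt.Println("genuine update:", err)
	_, err = verifyUpdate(pub, sm, []byte("substituted installer"), "8.8.8")
	fmt.Println("host swapped the installer:", err)
	forged := sm
	forged.Manifest = []byte(`{"version":"8.8.9","sha256":"00"}`)
	_, err = verifyUpdate(pub, forged, installer, "8.8.8")
	fmt.Println("host rewrote the manifest:", err)
}
```

The second and third deliveries model what a hosting compromise can do on its own: swap the payload behind a genuine manifest, or serve a manifest of its own. Both fail, because the only thing the client trusts is the key it shipped with, not the host it downloaded from.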

As threat actors continue to refine their techniques and leverage both custom and commodity tools, organizations must adopt defense-in-depth strategies that assume compromise is inevitable and focus on detection, response, and resilience.

The Notepad++ attack serves as a stark reminder that in today’s threat landscape, no software is too small or too niche to escape the attention of determined adversaries. The fusion of custom malware like Chrysalis with established frameworks and cutting-edge exploitation techniques represents the new normal in advanced persistent threats—a reality that security professionals must grapple with in the years ahead.


Tags: #NotepadPlusPlus #SupplyChainAttack #APT #LotusBlossom #Chrysalis #CyberEspionage #DLLSideLoading #MicrosoftWarbird #CobaltStrike #Metasploit #ThreatIntelligence #ZeroDay #CyberSecurity #StateSponsoredHacking #OpenSourceSecurity #MalwareAnalysis #CyberAttack #DigitalEspionage #AdvancedPersistentThreat #CyberDefense
