Notepad++ Breach: China-Linked Hackers Deploy Chrysalis Backdoor
A China-linked hacking group known as Lotus Blossom (or Billbug) has been attributed to a breach of Notepad++'s hosting infrastructure, delivering a custom backdoor called Chrysalis via tampered software updates. According to Rapid7, the attack targeted users from June to December 2025 by hijacking update traffic and exploiting weak verification in older versions. Notepad++ fixed the issue with version 8.8.9, migrated to a secure host, and rotated credentials, with no evidence of widespread malware distribution.


The Chrysalis backdoor, embedded in an "update.exe" installer, uses DLL side-loading with a renamed Bitdefender tool to execute encrypted shellcode. It gathers system information, contacts a now-offline C2 server, and can perform actions such as spawning shells, file operations, and self-removal. The malware borrows techniques from Metasploit, Cobalt Strike, and Microsoft Warbird, adapted from public proof-of-concept code for stealth.
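As an added example (not code from the article or from Rapid7's analysis), the following PowerShell function triages a folder for the side-loading pattern described above: a validly signed executable whose on-disk name differs from its embedded OriginalFilename, sitting next to unsigned DLLs it could load. The `$Path` parameter and the usage path are assumptions; point it at an unpacked installer or a suspect directory.

```powershell
# Added example, not from the article: look for a renamed, legitimately signed
# executable (the side-loading host) beside unsigned DLLs in the same directory.
function Find-SideLoadCandidates {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # assumption: directory to triage
    )

    $results = @()
    foreach ($exe in Get-ChildItem -Path $Path -Recurse -File -Filter '*.exe') {
        $sig  = Get-AuthenticodeSignature -FilePath $exe.FullName
        $orig = $exe.VersionInfo.OriginalFilename

        # Only signed binaries matter here: the technique relies on a trusted,
        # legitimately signed host process to load the malicious DLL.
        if ($sig.Status -ne 'Valid') { continue }

        # PowerShell string comparison is case-insensitive by default.
        $renamed = $orig -and ($orig -ne $exe.Name)

        # Unsigned DLLs next to the signed host are the payload candidates.
        $dlls = Get-ChildItem -Path $exe.DirectoryName -File -Filter '*.dll' |
            Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' }

        if ($renamed -or $dlls) {
            $results += [pscustomobject]@{
                Executable       = $exe.FullName
                Signer           = $sig.SignerCertificate.Subject
                OriginalFilename = $orig
                Renamed          = [bool]$renamed
                UnsignedDlls     = ($dlls | ForEach-Object { $_.Name }) -join ', '
            }
        }
    }
    return $results
}

# Usage (assumed path): Find-SideLoadCandidates -Path 'C:\Triage\update_extracted' | Format-Table -AutoSize
```

A hit is a lead for manual review, not proof of compromise: legitimate installers also ship renamed helpers and unsigned DLLs, so confirm the signer and the DLL contents before acting.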


Rapid7 links Chrysalis to Lotus Blossom based on similarities to past campaigns involving legitimate executables for DLL side-loading. The group's evolving tactics, blending custom tools with commodity frameworks, highlight their resilience. Stay safe—update software and verify updates. Have you encountered similar threats? Share below!