Security researchers attribute the Notepad++ update hijacking to the Chinese state-linked APT Lotus Blossom, which abused the project's update infrastructure to deliver a newly identified backdoor called Chrysalis to targeted victims. The trojanized NSIS installer sideloaded a renamed Bitdefender Submission Wizard (BluetoothService.exe) to load encrypted shellcode and a malicious DLL, using API hashing, multiple obfuscation layers, and structured C2 to evade detection. #Chrysalis #LotusBlossom #Notepad++
Key points
- Researchers link the update hijack to the Chinese APT group Lotus Blossom.
- The compromised Notepad++ update delivered a previously unknown backdoor named Chrysalis.
- Attackers used a trojanized NSIS installer and a renamed Bitdefender Submission Wizard (BluetoothService.exe) for DLL sideloading.
- Chrysalis employs API hashing, multiple obfuscation layers, filename evasion, and a structured C2 channel to remain persistent and stealthy.
- Rapid7 published IOCs and attributed the campaign with moderate confidence while the exact number of affected victims remains unclear.
Read More: https://www.theregister.com/2026/02/02/notepad_hijacking_lotus_blossom/
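The filename evasion described above (a legitimate, signed vendor binary dropped under an unrelated name such as BluetoothService.exe) is one of the easier pieces of this chain for a defender to spot, because the PE version resource still carries the vendor's OriginalFileName. The following is an added example, not code from the report or the Rapid7 write-up: it scans process-creation records shaped like Sysmon Event ID 1 (fields Image, OriginalFileName, Company) and flags images whose on-disk name does not match the embedded original name. The sample events, the OriginalFileName value "SubmissionWizard.exe", and the allowlist are constructed for illustration and are not indicators from the campaign.

```python
import ntpath
from typing import Dict, Iterable, List, Set

# Constructed sample records in the shape of Sysmon Event ID 1 (process create).
# The paths, company strings, and "SubmissionWizard.exe" are invented for this
# example; they are NOT IOCs from the Chrysalis / Lotus Blossom reporting.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\BluetoothService.exe",
     "OriginalFileName": "SubmissionWizard.exe",  # assumed value for illustration
     "Company": "Bitdefender"},
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "OriginalFileName": "Notepad++.exe",
     "Company": "Notepad++ Team"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "Company": "Microsoft Corporation"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",  # case-only difference, benign
     "Company": "Microsoft Corporation"},
]

# Hypothetical allowlist of (image basename, original filename) pairs that are
# known-benign renames in a given environment; populate from your own baseline.
KNOWN_BENIGN: Set[tuple] = set()


def is_renamed_binary(event: Dict[str, str], allow: Set[tuple] = KNOWN_BENIGN) -> bool:
    """Return True when the on-disk basename differs from the PE OriginalFileName.

    Comparison is case-insensitive because Windows filenames are, and Sysmon
    emits "?" when the version resource has no OriginalFileName, which we
    treat as unknown rather than as a mismatch.
    """
    image = ntpath.basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "")
    if not image or not original or original == "?":
        return False
    if (image.lower(), original.lower()) in allow:
        return False
    return image.lower() != original.lower()


def find_renamed_binaries(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the full Image paths of every event that looks like a renamed binary."""
    return [e["Image"] for e in events if is_renamed_binary(e)]


if __name__ == "__main__":
    for path in find_renamed_binaries(SAMPLE_EVENTS):
        print("renamed vendor binary:", path)
```

The check is a triage heuristic, not a verdict: software that installs under a different name than it was compiled as will also match, so keep the allowlist per environment and pair a hit with the loaded DLLs of that process (Sysmon Event ID 7) to see whether a sideloaded library sits next to the renamed executable, which is the pattern the summary describes.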